This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi All,
I'm running Windows Server 2016 (1) Active/ (3) Passive ADFS servers, the below issue is happening on the passive node.
AD domain is single AD domain: domain.com
The same Wildcard SSL certificate *.domain.com has been imported successfully to the other ADFS 2016 servers with no issue.
When I upload the ADFS Server 2016 logs into https://adfshelp.microsoft.com/DiagnosticsAnalyzer/Analyze
I got the error like in the screenshot below:
The description of the error is:
The diagnostic threw an unhandled exception.
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
at System.Collections.Generic.List`1.get_Item(Int32 index)
at Microsoft.Identity.Federation.AdfsToolbox.Core.Framework.PowerShell.PowerShellProvider.GetAdfsSslCertificate()
at Microsoft.Identity.Federation.AdfsToolbox.Core.Framework.PowerShell.PowerShellProvider.GetFederationCertificate(FederationCertificateType type)
at Microsoft.Identity.Federation.AdfsToolbox.Core.Diagnostics.Modules.CertificateValidity.SslValidity.GetCertificate()
at Microsoft.Identity.Federation.AdfsToolbox.Core.Diagnostics.Modules.CertificateValidity.ValidityBase.RunDiagnostic()
at Microsoft.Identity.Federation.AdfsToolbox.Core.Diagnostics.Modules.DiagnosticModuleBase.Execute()
How to fix the issue as above?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Could you please check if you have imported the certificate with the Private key on the servers. And the ADFS service account have been given read rights on the private key of the certificate ? In order to check that please use Start > run > certlm.msc > Right click the certificate > All tasks > Manage Private Keys.
Once the Manage Private keys option opens it will give you option to add your ADFS service account and provide read access to it . Once you have done the same and if you still see the above errors ,please let us know and we will continue to help you further.
@ShashiShailaj-MSFT , thank you for the assistance in this matter.
Somehow the issue still persists, even after explicitly adding the service account into the private key permission.
This is what I have got initially:
There is no error on the Certification Path tab.
@ShashiShailaj-MSFT, Can you also please share the steps to install the SSL certificate Wildcard *.domain.com into ADFS 2016?
After remote desktop into PRDADFS2-VM (secondary server)
I have already manually imported the *.domain.com SSL certificate.PFX file.
Add-AdfsFarmNode -ServiceAccountCredential (Get-Credential) -PrimaryComputerName PRDADFS1-VM.domain.com -CertificateThumbprint CFHH542125AE8C06F4968AF2468E62699124AF53 -OverwriteConfiguration
The result is:
WARNING: The SSL certificate subject alternative names do not support hostname 'certauth.ADFS.domain.com'. Configuring certificate authentication binding on port '49443' and hostname ' ADFS.domain.com'.
WARNING: Failed to register SSL bindings for Device Registration Service: An item with the same key has already been added.
Still the same issue, even after reinstalling the server.
See the screenshot: https://i.imgur.com/oiyLsC1.png
I have also executed the steps described in https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-support-for-alternate-hostname-binding-for-certificate-authentication
This is the error message:
Set-AdfsAlternateTlsClientBinding :
PS0317: One or more of AD FS servers returned errors during execution of command 'Set-AdfsAlternateTlsClientBinding'.
Error information:
PS0316: AD FS Server: 'localhost', Error: 'The specified SSL certificate with thumbprint 'B6DA73B83A759D' does not meet the requirements for configuring alternate Tls Client binding.
PS0316: AD FS Server: 'ADFS02-VM.DOMAIN.com', Error: 'The specified SSL certificate with thumbprint 'B6DA73B83A759DEE37F9' does not meet the requirements for configuring alternate Tls Client binding.