This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 99%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
I'm seeing hundreds of error on a secondary ADFS 3.0 node in the farm that indicate:
An exception occurred while enqueueing a message in the target queue. Error: 15517, State: 1. Cannot execute as the database principal because the principal "dbo" does not exist, this type of principal cannot be impersonated, or you do not have permission.
When I check the User Mapping on the domain service account used I see it is dbo on the AdfsArtifactStore and AdsfConfiguration databases.
On the Schema properties permission for the AdfsArtifactStore DB I see db_genevaservice DB Role but there's nothing on the Schema properties permission for the AdfsConfiguration DB.
There's very little information in reference to the Database Role db_genevaservice and asking a SQL DBA they say it must be a custom DB Role. I do find it referenced in articles for migrating from WID to SQL and they indicate that the service account needs to have this DB role on both databases.
Another article indicates that dropping the service account and adding it back as owner...
https://social.technet.microsoft.com/Forums/windowsserver/en-US/e4cfb1e2-34b9-4cbb-815b-058138f5aa54/adfs-sync-server-loaded-with-event-id-28005-mssqlmicrosoftwid?forum=ADFS
My service account is dbo so is the issue related to the Database Role db_genevaservice?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 24%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E9%3C/text%3E%3C/svg%3E)
The error message points to owner problems. Please check who is the owner of both databases.
Execute follow sql command:
select name AS 'Database'
, suser_sname(owner_sid) AS 'Creator'
from sys.databases;
GO
Independently what dou mean with domain service account. Do you use for the ad fs service a simple domain user account or a group managed service account (gMSA)?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 14.000000000000002%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
The service account is a normal domain user, not a managed service account. There were permission issues in WID on the secondary node. After working with Premier Support for a number of days we were able to gain access to the database. This didn't resolve the issues with the WID syncing to the secondary server. In the end I removed the ADFS and WID role from the server and reinstalled ADFS.