Office 365 & ADFS - Error when adding the second Federation server: No Certificate Matching the Federation Service
The symptoms are as follows:
- The first ADFS server is implemented.
- The new Federation Service is configured properly.
- ADFS is installed on the second ADFS server.
- When adding the second server to the federation farm, we receive the following error:
“No certificate matching the Federation Service name were found in the Local Computer certificate store. Install the certificate that represents your Federation Service name in the Local Computer certificate store, and then try again”
The following snapshot represents the error:
Searching the ADFS documentation turns up some vague wording that gives the impression that the name used for the Federation Service must be the subject name of the certificate; see the following article as an example:
- Review ADFS Requirements: http://technet.microsoft.com/en-us/library/dn151311.aspx
“The Subject name of this SSL certificate is used to determine the Federation Service name for each instance of AD FS that you deploy. For this reason, you may want to consider choosing a Subject name on any new certification authority (CA)-issued certificates that best represents the name of your company or organization to the cloud service and this name must be Internet-routable. For example, in the diagram provided earlier in this article (see “Phase 2”), the subject name of the certificate would be fs.fabrikam.com”
Also, when configuring the first ADFS server and creating the new federation farm, you will notice that the wizard shows the certificate subject name as the default Federation Service name until you select another name from the drop-down, as in the following snapshot:
But when adding the second server to the farm, the wizard does not even give you that option.
So the first thing to consider is whether this limitation exists only in the wizard and can be worked around with the command line.
Doing a quick search I found this article, which talks about how to create a new federation farm using the fsconfig.exe command:
The general syntax of the command:
And as per the article, the fsconfig command is located in this folder:
C:\program files\Active Directory Federation Services 2.0
So all we need to do is follow the same syntax to join an existing farm, and we can use the built-in help to get the exact parameters:
Fsconfig joinfarm /help
The command line should be:
fsconfig.exe joinfarm /primarycomputername <<this is the first ADFS server>> /serviceaccount <<service account used with the first server>> /serviceaccountpassword <<password>> /certthumbprint <<the certificate thumbprint>>
The following snapshot shows the result of executing the command:
As shown in the snapshot, the configuration completed successfully, and using the command line solved the problem.
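The following PowerShell script is an added example, not part of the original post: it selects the certificate for the Federation Service name by subject CN or DNS SAN (the wizard only compares the subject), checks that it has a private key and is within its validity period, and then runs the fsconfig.exe joinfarm command with that thumbprint. The server, account and service names are placeholders; the fsconfig.exe path is the one quoted above.

```powershell
# Added example (not from the original post). Placeholders: replace for your farm.
$FederationServiceName = 'fs.fabrikam.com'        # name from the TechNet example
$PrimaryComputerName   = 'ADFS01.fabrikam.local'   # placeholder: first ADFS server
$ServiceAccount        = 'FABRIKAM\svc_adfs'       # placeholder: farm service account
$FsConfig = 'C:\Program Files\Active Directory Federation Services 2.0\FsConfig.exe'

# Return every DNS name a certificate covers: the subject CN plus any DNS SANs.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields e.g. "DNS Name=fs.fabrikam.com, DNS Name=sts.fabrikam.com"
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    return $names
}

# True if $Name equals $Target or is a wildcard one label above it (*.fabrikam.com).
function Test-NameCovers($Name, $Target) {
    if ($Name -eq $Target) { return $true }
    return ($Name.StartsWith('*.') -and ($Target -like $Name) -and
            ($Target.Split('.').Count -eq $Name.Split('.').Count))
}

# Candidates: certs in LocalMachine\My that cover the service name, hold a
# private key and are currently valid. Thumbprint is what fsconfig needs.
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and $c.NotAfter -gt $now -and $c.NotBefore -lt $now -and
    ((Get-CertDnsNames $c) | Where-Object { Test-NameCovers $_ $FederationServiceName })
}
if (-not $candidates) {
    Write-Error "No valid certificate for $FederationServiceName with a private key in LocalMachine\My; import the PFX first."
    return
}
# Show every match so the choice can be audited, then take the longest-lived one.
$candidates | Format-Table Thumbprint, Subject, NotAfter -AutoSize
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# The password is prompted for rather than stored in the script file.
$svcPassword = Read-Host -Prompt "Password for $ServiceAccount"
& $FsConfig joinfarm /primarycomputername $PrimaryComputerName `
    /serviceaccount $ServiceAccount /serviceaccountpassword $svcPassword `
    /certthumbprint $cert.Thumbprint
```

Run it in an elevated PowerShell session on the second ADFS server after importing the certificate (with its private key) into the Local Computer personal store.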