The AD FS Windows service failed to start because the AD FS service account cannot access the private key for the token-signing or token-decrypting certificate that is in the AD FS configuration database.
If the AD FS Windows service is successfully started, the monitor will change to a Green state and the original critical alert will be resolved automatically.
Causes
This condition can occur when the certificate is found in the specified store, but there is a problem accessing the certificate's private key. Common causes for this condition include the following:
The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.
The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store that is specified in this event.
The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
The Federation Service identity has not been granted read access to the certificate's private key.
Resolutions
Possible resolutions for this condition include the following:
If the certificate was imported from a source that has no private key, select a certificate that has a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).
If the certificate was imported in a user context, verify that the store that was specified earlier matches the store the certificate was imported into.
If the certificate was generated by a certificate request that did not specify the "Machine Key" option, and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file, and then import it again directly into the store that is specified in the configuration file.
If the key is not marked as exportable, request a new certificate by using the "Machine Key" option.
If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition by using the Certificates snap-in. For more information, see the procedure "Confirm that private keys for certificates are accessible by the AD FS service user account" in section "Things to Check Before Troubleshooting AD FS" in the AD FS troubleshooting guide.
AD FS Windows Service Failed to Start Because of a Private Key
The private key for the certificate that is in the AD FS configuration database could not be accessed by the AD FS service account. Check the Alert Context tab for event details regarding the values of this certificate.
Home
ENU