The AD FS Windows service failed to start because the AD FS service account cannot access the private key for the token-signing or token-decrypting certificate that is in the AD FS configuration database.
If the AD FS Windows service is successfully started, the monitor will change to a Green state and the original critical alert will be resolved automatically.
This condition can occur when the certificate is found in the specified store, but there is a problem accessing the certificate's private key. Common causes for this condition include the following:
The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.
The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store that is specified in this event.
The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
The Federation Service identity has not been granted read access to the certificate's private key.
Possible resolutions for this condition include the following:
If the certificate was imported from a source that has no private key, select a certificate that has a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).
If the certificate was imported in a user context, verify that the store that was specified earlier matches the store the certificate was imported into.
If the certificate was generated by a certificate request that did not specify the "Machine Key" option, and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file, and then import it again directly into the store that is specified in the configuration file.
If the key is not marked as exportable, request a new certificate by using the "Machine Key" option.
If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition by using the Certificates snap-in. For more information, see the procedure "Confirm that private keys for certificates are accessible by the AD FS service user account" in section "Things to Check Before Troubleshooting AD FS" in the AD FS troubleshooting guide.
Target | Microsoft.ActiveDirectoryFederationServices.2016.FederationServer | ||
Parent Monitor | System.Health.AvailabilityState | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.Windows.2SingleEventLog2StateMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices.2016.FederationServerBadConfigurationIdentityCertificateHasNoPrivateKeyMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">
<Category>AvailabilityHealth</Category>
<AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices.2016.FederationServerBadConfigurationIdentityCertificateHasNoPrivateKeyMonitor_AlertMessageResourceID">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="FirstEventRaised" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>
<OperationalState ID="SecondEventRaised" MonitorTypeStateID="SecondEventRaised" HealthState="Success"/>
</OperationalStates>
<Configuration>
<FirstComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
<FirstLogName>$Target/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</FirstLogName>
<FirstExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">133</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</FirstExpression>
<SecondComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
<SecondLogName>$Target/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</SecondLogName>
<SecondExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">100</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</SecondExpression>
</Configuration>
</UnitMonitor>