AD FS Windows Service Failed to Start Because of Configuration Load Error

Microsoft.ActiveDirectoryFederationServices.2016.FederationServerServiceConfigurationInitializationErrorMonitor (UnitMonitor)

Knowledge Base article:

Summary

The AD FS Windows service failed to start because the AD FS configuration database could not be loaded correctly.

If the AD FS Windows service is started successfully, the monitor will change to a Green state and the original critical alert will be resolved automatically.

Causes

The following are possible causes for this event, each with its resolution:

Cause: The remote computer that is hosting the SQL Server database is not reachable.

Resolution: Use Ping.exe to verify that the remote computer can be reached from the federation server.

Cause: The computer that is running SQL Server and that is configured for storing AD FS configuration data is not started.

Resolution: Start the SQL Server instance that hosts the AdfsConfiguration database.

Verify that the service is running by running "sc query mssqlserver" on the computer that hosts SQL Server, and ensure that STATE = RUNNING. This assumes that the default instance of SQL Server is being used. Each SQL Server database instance has its own service, and you can check the service names by looking at the Services node in Server Manager. When you locate the corresponding named instance, start the service by using "net start mssqlserver" on the remote computer that is running SQL Server.

Cause: The Windows Internal Database (WID) that is configured for storing AD FS configuration data is not started.

Resolution: Start the WID instance that hosts the AdfsConfiguration database.

Verify that the service is running by running "sc query mssql$microsoft##ssee" on the computer that hosts the Federation Service, and ensure that STATE = RUNNING. Note that this is the name of the default WID instance. Start the service by using "net start mssql$microsoft##ssee" on the federation server computer.

Cause: The AD FS Windows service identity cannot log on to SQL Server.

Resolution: Ensure that SQL Server is running under a built-in account, such as NetworkService or LocalSystem. If SQL Server is running under a domain account, verify that the service principal name (SPN) for that account has been registered correctly.

To verify the SPN, use the following syntax with the SetSpn.exe command:

SetSpn -L <serviceaccount>

The output of this command should include MSSQLSvc/<SQL server name>.

Another possible resolution for this error is to connect to SQL Server using SQL Server Management Studio and verify the following settings:

  • Confirm that the AD FS Windows service identity is present under the Security->Logins node in the SQL console.

  • Confirm that the AD FS Windows service identity is present under Databases->AdfsConfiguration->Security->Users, and that it owns the IdentityServerPolicy schema.

Cause: The AD FS Windows service identity can log on to SQL Server, but it does not have access to the AdfsConfiguration database.

Resolution: Using SQL Server Management Studio, make the AD FS Windows service identity the owner of the IdentityServerPolicy schema (see the previous resolution).

Cause: SQL Server is timing out.

Resolution: The following are possible resolutions for this error:

  • Determine the query load on the SQL Server installation by looking at other databases that are hosted on the computer.

  • Consider hosting AdfsConfiguration on a dedicated server.

  • Restart SQL Server.

Cause: AD FS endpoints do not have ACL permissions set correctly.

Resolution: Run the AD FS Federation Server Configuration Wizard again to repair ACL permissions for the specified endpoints.
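The checks from the cause/resolution table above, collected into one PowerShell function. This is an added example, not part of the management pack; it assumes the SQL host, service account and instance names are supplied as parameters, that the AD FS service name is adfssrv, that the WID instance name is the one the article uses, and that Get-Service -ComputerName is available (Windows PowerShell 5.1).

```powershell
# Added example (not management pack code): walks the causes listed above and reports findings.
function Test-AdfsConfigDbPrerequisites {
    [CmdletBinding()]
    param(
        [string]$SqlServerHost,                            # remote SQL Server host (ignored with -UseWid)
        [string]$SqlServiceName = 'mssqlserver',           # default instance; named instances differ
        [string]$SqlServiceAccount,                        # domain account SQL Server runs as, if any
        [string]$WidServiceName = 'mssql$microsoft##ssee', # WID instance name used in the article (assumption)
        [switch]$UseWid                                    # configuration store is the Windows Internal Database
    )
    $findings = New-Object System.Collections.Generic.List[string]

    if ($UseWid) {
        # WID runs on the federation server itself: equivalent of "sc query mssql$microsoft##ssee".
        $svc = Get-Service -Name $WidServiceName -ErrorAction SilentlyContinue
        if (-not $svc) { $findings.Add("WID service '$WidServiceName' not found on this host") }
        elseif ($svc.Status -ne 'Running') { $findings.Add("WID service is $($svc.Status); start it with: net start $WidServiceName") }
    }
    else {
        # Cause: remote SQL host not reachable (Ping.exe equivalent).
        if (-not (Test-Connection -ComputerName $SqlServerHost -Count 2 -Quiet)) {
            $findings.Add("SQL host '$SqlServerHost' does not answer ping")
        }
        else {
            # Cause: SQL Server instance not started ("sc query mssqlserver" equivalent).
            $svc = Get-Service -ComputerName $SqlServerHost -Name $SqlServiceName -ErrorAction SilentlyContinue
            if (-not $svc) { $findings.Add("service '$SqlServiceName' not found on $SqlServerHost") }
            elseif ($svc.Status -ne 'Running') { $findings.Add("service '$SqlServiceName' is $($svc.Status) on $SqlServerHost") }
        }
        # Cause: SQL runs as a domain account without an MSSQLSvc SPN, so the AD FS identity cannot log on.
        if ($SqlServiceAccount) {
            $spnLines = & setspn.exe -L $SqlServiceAccount 2>&1 | ForEach-Object { "$_" }
            $pattern = '^\s*MSSQLSvc/' + [regex]::Escape($SqlServerHost)
            if (-not ($spnLines -match $pattern)) {
                $findings.Add("no MSSQLSvc/$SqlServerHost SPN registered for '$SqlServiceAccount'")
            }
        }
    }

    # The symptom itself: is the AD FS Windows service (adfssrv, assumed name) running?
    $adfs = Get-Service -Name 'adfssrv' -ErrorAction SilentlyContinue
    if (-not $adfs -or $adfs.Status -ne 'Running') { $findings.Add('AD FS service (adfssrv) is not running') }

    if ($findings.Count -eq 0) { 'All prerequisite checks passed' } else { $findings }
}

# Usage on a federation server whose configuration store is a remote default SQL instance:
# Test-AdfsConfigDbPrerequisites -SqlServerHost 'sql01.corp.example' -SqlServiceAccount 'CORP\svc_sql'
```

Run it on the federation server; the SQL login and schema-owner checks from the table still need SQL Server Management Studio, as described above.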

Resolutions

See above.

Element properties:

Target: Microsoft.ActiveDirectoryFederationServices.2016.FederationServer
Parent Monitor: System.Health.AvailabilityState
Category: AvailabilityHealth
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.Windows.2SingleEventLog2StateMonitorType
Remotable: True
Accessibility: Public
Alert Message:
AD FS Windows Service Failed to Start Because of Configuration Load Error
The AD FS configuration database could not be loaded correctly. The AD FS Windows Service failed to start.
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices.2016.FederationServerServiceConfigurationInitializationErrorMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">
<Category>AvailabilityHealth</Category>
<AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices.2016.FederationServerServiceConfigurationInitializationErrorMonitor_AlertMessageResourceID">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="FirstEventRaised" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>
<OperationalState ID="SecondEventRaised" MonitorTypeStateID="SecondEventRaised" HealthState="Success"/>
</OperationalStates>
<Configuration>
<FirstComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
<FirstLogName>$Target/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</FirstLogName>
<FirstExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">220</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</FirstExpression>
<SecondComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
<SecondLogName>$Target/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</SecondLogName>
<SecondExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">100</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</SecondExpression>
</Configuration>
</UnitMonitor>
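The monitor above is a two-state event log monitor: event 220 from publisher "AD FS" (matched with the exact regular expression ^AD FS$) drives the Error state, and event 100 from the same publisher returns it to Success, so whichever of the two was raised most recently decides the state. The following function reproduces that evaluation locally with Get-WinEvent, which is handy when checking why the monitor is red or has not auto-resolved. It is an added example, not part of the management pack, and assumes the ADFSEventLog property resolves to the "AD FS/Admin" log.

```powershell
# Added example (not management pack code): evaluates the monitor's FirstExpression /
# SecondExpression against the local event log and reports the resulting health state.
function Get-AdfsConfigLoadMonitorState {
    [CmdletBinding()]
    param(
        [string]$LogName = 'AD FS/Admin',          # assumption: the log the ADFSEventLog property points to
        [string]$ComputerName = $env:COMPUTERNAME, # FirstComputerName / SecondComputerName in the monitor
        [int]$MaxEvents = 200                      # how far back to look for the two event IDs
    )
    # EventDisplayNumber 220 (FirstExpression) or 100 (SecondExpression).
    $filter = @{ LogName = $LogName; Id = @(220, 100) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        # PublisherName must match ^AD FS$ exactly, so providers such as "AD FS Tracing" are excluded.
        Where-Object { $_.ProviderName -match '^AD FS$' } |
        Sort-Object TimeCreated -Descending

    if (-not $events) {
        # Neither event has been seen: the monitor would stay in its initial (healthy) state.
        return [pscustomobject]@{ State = 'Unknown'; EventId = $null; TimeCreated = $null; Message = 'no AD FS 220/100 events found' }
    }

    # Two-state semantics: the most recently raised of the two events wins.
    $latest = @($events)[0]
    $state = if ($latest.Id -eq 220) { 'Error' } else { 'Success' }
    [pscustomobject]@{
        State       = $state
        EventId     = $latest.Id
        TimeCreated = $latest.TimeCreated
        Message     = $latest.Message
    }
}

# Usage on the federation server:
# Get-AdfsConfigLoadMonitorState | Format-List
```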