Error when adding second 2012R2 AD FS server when using gMSA
Ran into a set of errors when adding a second 2012R2 ADFS server where the service was being run under a Group Managed Service Account (gMSA).
- There were no SPNs set on the following service account ‘DOMAIN\gMSAname$’. Specify the service account used to configure the other Federation Servers in the farm, or set the host SPN for the farm on the service account.
- The user name or password is incorrect
- Unable to determine the Service SPN. There were no SPNs set on the following service account ‘DOMAIN\gMSAname$’. Specify the service account used to configure the other Federation Servers in the farm, or set the host SPN for the farm on the service account.
- Unable to retrieve configuration from the primary server. The username or password is incorrect
- Prerequisites Check Completed
- One or more prerequisites failed. Please fix these issues and click “Rerun prerequisites check”
I had previously set up ADFS 3.1 with standard service accounts, in the same layout as the new servers, with no issues, so the only immediate difference was the gMSA. The errors as listed appeared incorrect: I could verify the SPN for the ADFS farm on the gMSA and, more importantly, the first server was working fine. The error about the password being incorrect also seemed erroneous, since one of the features of using a gMSA is specifically that it handles passwords automatically.
Finally got a hint to a solution when I came across this post https://secureidentity.se/mystery-with-adfs-and-gmsa/
The issue appears to be related to the location/availability of the 2012R2 Domain Controller in relation to the new ADFS servers. In order to deploy gMSAs, at least one 2012R2 Domain Controller in the domain is necessary. I had added only one, so as to satisfy this requirement. Since I’m deploying ADFS across sites, the result was that I had one ADFS server in a site with a 2012R2 DC, and the other was in a site with only 2008R2 DCs.
It appears that when your initial ADFS server is installed using a gMSA, it matters for later servers whether or not they can reach a DC of the same version (or higher?) as the one the original ADFS server used during installation. When I had done the first ADFS install, it was in the site with the 2012R2 DC, but the second install was in a site where there was no 2012R2 DC. After reading the above post, I tried some of the steps related to changing the logon server, but realized that in my situation, since the two servers were in different sites, it might not be possible to make them use the same DC without altering the sites anyway. Instead, I removed the ADFS install on the first server and did the new first install on the server in the 2008R2 site. Now the second install in the 2012R2 site runs smoothly and ADFS works great.
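The two things worth checking before running the AD FS configuration wizard on a second server are the ones the errors above hide: which DC the server is actually bound to (and whether a 2012-level DC is reachable from its site), and whether the gMSA really carries the farm’s host SPN and can be used from that server. The following PowerShell diagnostic is an added example, not something from the original post or from Microsoft; it assumes a gMSA named `gMSAname`, the domain `contoso.local` and the federation service name `adfs.contoso.local`, all of which are placeholders to replace, and it needs the ActiveDirectory RSAT module on the server you run it from.

```powershell
# Added diagnostic (not part of the original post). Run on the server that is
# about to join the AD FS farm. All three values below are assumed placeholders.
Import-Module ActiveDirectory

$gmsaName = 'gMSAname'             # assumed gMSA sAMAccountName, without the trailing $
$domain   = 'contoso.local'        # assumed AD domain DNS name
$farmFqdn = 'adfs.contoso.local'   # assumed federation service name (the farm SPN host)

# 1. Which DC is this server bound to right now, and what does it run?
#    This is the "logon server" the post talks about changing.
$bound  = Get-ADDomainController -Discover -Domain $domain
$detail = Get-ADDomainController -Identity $bound.Name
"Bound DC     : {0} (site {1}, {2})" -f $detail.HostName, $detail.Site, $detail.OperatingSystem

# 2. Is there a 2012-level DC in *this* server's own AD site?
#    DsGetDcName falls back to another site if none matches, so compare the site name.
$mySite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$modern = Get-ADDomainController -Discover -Domain $domain -SiteName $mySite `
          -MinimumDirectoryServiceVersion Windows2012 -ForceDiscover
if ($modern.Site -eq $mySite) {
    "2012-level DC in site {0}: {1}" -f $mySite, ($modern.HostName | Select-Object -First 1)
} else {
    "WARNING: no 2012-level DC in site {0}; nearest is {1} in site {2}" -f `
        $mySite, ($modern.HostName | Select-Object -First 1), $modern.Site
}

# 3. Inventory of every DC by site and OS version, to see where the 2012R2 DC(s) live.
Get-ADDomainController -Filter * -Server $domain |
    Select-Object HostName, Site, OperatingSystem, OperatingSystemVersion |
    Sort-Object Site, HostName |
    Format-Table -AutoSize

# 4. Does the gMSA carry the farm's host SPN, and may this computer retrieve its password?
$gmsa = Get-ADServiceAccount -Identity $gmsaName `
        -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
"SPNs on {0}:" -f $gmsaName
$gmsa.ServicePrincipalNames | ForEach-Object { "  $_" }
if ($gmsa.ServicePrincipalNames -notcontains "host/$farmFqdn") {
    "WARNING: host/$farmFqdn is not registered on $gmsaName"
}
"Principals allowed to retrieve the managed password:"
$gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { "  $_" }

# Test-ADServiceAccount returns $true only when this computer can actually obtain
# the managed password; a $false here explains a "password is incorrect" error
# far better than the wizard's own message does.
"gMSA usable from {0}: {1}" -f $env:COMPUTERNAME, (Test-ADServiceAccount -Identity $gmsaName)
```

If step 2 warns and step 4 is otherwise clean, you are in the situation the post describes: the server can only reach pre-2012 DCs from its site, and the fix is either to place (or make reachable) a 2012-level DC in that site or, as the author did, to choose the order of the farm installs so that the first server is the one in the site without such a DC.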