ADFS Event ID 133

kool posted this 07 February 2013

We have ADFS 2.0 federation servers that are all generating 133 events. I am concerned about having these recurring error events despite the fact that the federation service seems to be working properly.

The event details are as follows:
During processing of the Federation Service configuration, the element 'serviceIdentityToken' was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate:
Element: serviceIdentityToken
Subject: CN=sts.<domain>, O=University of Washington, STREET=no street, L=Seattle, S=WA, PostalCode=98195, C=US
Thumbprint: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
storeName: My
storeLocation: 0
Federation Service identity: <domain>\<service-account>
The Federation Service will not be able to start until this configuration element is corrected.

The last statement of the log is false; the service starts without problems and in fact logs an info event announcing its startup. I made sure the certificate private key has the proper permissions and it does. I even exported it (with private key) from the local computer store and imported it (with key) into the service account's My store. Note that this is the HTTPS TLS cert that is used by the ADFS IIS web site, so it isn't clear why the ADFS service (a Windows service running separately from the web application) would even care. Regardless, I don't like seeing unexplained errors. Does anyone have any ideas as to why this event is occurring and how the service can be made happy?

I wasn't sure if ADFS is on-topic for this list; please let me know if there is a more appropriate list.

Thanks,

Eric Kool-Brown (kool@xxxxxxxxxxxxxxxx) , UW-IT Identity and Access Management
206-616-2667

skradel posted this 07 February 2013

ADFS definitely cares about access to the service communications certificate: for starters, it uses it to sign its metadata document.

Unfortunately these error messages can be very misleading; I once spent the better part of a day puzzling over a very, very similar error, where the private key permissions were absolutely correct, and it turned out that ADFS was unable to use version 3 certificates based on Windows Server 2008 Enterprise templates. Whether this was due to incompatible CSPs or something else I was unable to determine.

You don't need to add the cert to the service account's store.

--Steve


tgtg posted this 07 February 2013

The ADFS service indeed requires access to the private keys of all certificates that are being used (service certificate, encrypting, decrypting). IIRC the service certificate is the same as the one used by the ADFS IIS site. This is a default configuration.

ADFS is very specific about some of the certificate parameters. One I ran into is the KeySpec. ADFS cannot handle KeySpec = 0 (CNG in the GUI) at all. While it cares less whether the KeySpec is AT_SIGNATURE or AT_KEYEXCHANGE for the en/decrypting certificates, it does for the service certificate.

I am not sure if it is your exact issue, but something along those lines can cause the errors that you are seeing.

Thank you.

Tony Gordon
Global Service Manager - Identity Management Services | MCD / IT Foundation
2111 McDonald's Drive | Oak Brook, IL 60523
(o) +1 630.623.2571| (m) +1 847.687.6809
tony.gordon at us.mcd.com


kool posted this 07 February 2013

Thanks Tony and Steve, good info. I exported the cert to a pfx file and dumped that using certutil. It does indeed have a KeySpec = 0. Is it possible to fix that on an existing cert or does a new cert need to be created?

Thanks again,

Eric


tgtg posted this 07 February 2013

1. Stop the ADFS service
2. Delete the existing certificate
3. Import the new certificate: certutil -importpfx yourpfxfilehere AT_KEYEXCHANGE
4. Verify in MMC that the certificate was imported
5. Dump the certificate to verify the change: certutil -verifystore my "cert thumbprint here"
6. Grant the service account read rights to the private key
7. Start the service
8. Change the certificate in IIS
9. Review the logs

Tony Gordon
Global Service Manager - Identity Management Services | MCD/IT Foundation
2111 McDonald's Drive | Oak Brook, IL 60523
(o) +1 630.623.2571 | (m) +1 847.687.6809
tony.gordon at us.mcd.com
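The following is an added example, not code posted by anyone in this thread. It turns Tony's two points into something you can run on the federation server: the first function classifies the private key behind a LocalMachine\My certificate the way certutil reports it (CNG/KeySpec 0 versus AT_KEYEXCHANGE or AT_SIGNATURE), the second re-grants the service account Read on the CSP key file, and the third walks the stop/delete/re-import/verify/ACL/start procedure above. It assumes AD FS 2.0 on Windows Server 2008 R2 (service name adfssrv), PowerShell 2.0 or later run elevated, certutil.exe on the PATH, and a CAPI key store layout under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys; the thumbprint, PFX path, PFX password and service account are placeholders you must supply. The IIS rebinding step is left as a comment because it depends on your site's bindings.

```powershell
# Added example for this thread (not code posted by any participant).
# Assumptions: AD FS 2.0 on Windows Server 2008 R2, PowerShell 2.0+, an
# elevated console on the federation server, the service communications
# certificate in LocalMachine\My, and certutil.exe on the PATH.
# $Thumbprint, $PfxPath, $PfxPassword and $ServiceAccount are placeholders.

function Get-CertKeySpec {
    # Classify the private key behind a LocalMachine\My certificate as
    # 'AT_KEYEXCHANGE', 'AT_SIGNATURE', 'CNG' (what certutil dumps as
    # KeySpec = 0) or 'NoPrivateKey'. X509Certificate2.PrivateKey only
    # understands legacy CSP (CAPI) keys; for a CNG/KSP key it throws
    # "Invalid provider type specified", which is exactly the case AD FS 2.0
    # cannot use.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $cert = Get-Item ("Cert:\LocalMachine\My\" + $Thumbprint)
    if (-not $cert.HasPrivateKey) { return 'NoPrivateKey' }
    try {
        $key = $cert.PrivateKey
        if ($key -eq $null) { return 'CNG' }
        $info = $key.CspKeyContainerInfo
        if ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange) {
            return 'AT_KEYEXCHANGE'
        }
        return 'AT_SIGNATURE'
    } catch [System.Security.Cryptography.CryptographicException] {
        if ($_.Exception.Message -match 'Invalid provider type') { return 'CNG' }
        # Anything else ("Keyset does not exist", access denied) is an ACL or
        # key-container problem rather than a KeySpec problem, so surface it.
        throw
    }
}

function Grant-PrivateKeyRead {
    # Give the AD FS service account Read on the CSP key file that backs the
    # certificate (step 6 above). Only meaningful for CAPI keys; CNG machine
    # keys live under %ProgramData%\Microsoft\Crypto\Keys instead.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$ServiceAccount
    )
    $cert = Get-Item ("Cert:\LocalMachine\My\" + $Thumbprint)
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $keyPath = Join-Path $keyDir $container
    $acl = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    return $keyPath
}

function Reset-AdfsServiceCertificate {
    # The procedure from the post above: stop AD FS, drop the certificate,
    # re-import the PFX with an AT_KEYEXCHANGE key, verify, re-grant the key
    # ACL (the re-import creates a new key container), start the service.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$PfxPassword,
        [Parameter(Mandatory = $true)][string]$ServiceAccount
    )
    Stop-Service -Name adfssrv
    # Remove-Item on the Cert: drive needs PowerShell 3.0+, so use certutil.
    & certutil.exe -delstore My $Thumbprint | Out-Null
    & certutil.exe -p $PfxPassword -importpfx $PfxPath AT_KEYEXCHANGE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

    $spec = Get-CertKeySpec -Thumbprint $Thumbprint
    if ($spec -ne 'AT_KEYEXCHANGE') { throw "Imported key has KeySpec '$spec', expected AT_KEYEXCHANGE" }
    # Human-readable dump (Provider / KeySpec lines) for the ticket or change record.
    & certutil.exe -verifystore My $Thumbprint

    Grant-PrivateKeyRead -Thumbprint $Thumbprint -ServiceAccount $ServiceAccount | Out-Null
    Start-Service -Name adfssrv
    # Then re-select the certificate on the HTTPS binding in IIS Manager (step 8)
    # and review the AD FS 2.0 Admin log for any new event 133 (step 9).
}

# Usage (fill in the placeholders):
# Get-CertKeySpec -Thumbprint 'ABCD...'   # 'CNG' is the failing case from the thread
# Reset-AdfsServiceCertificate -Thumbprint 'ABCD...' -PfxPath 'C:\certs\sts.pfx' `
#     -PfxPassword '...' -ServiceAccount 'DOMAIN\svc-adfs'
```

Run Get-CertKeySpec first on the certificate from the event: if it returns 'CNG' you have Tony's KeySpec = 0 case and need the re-import; if it throws "Keyset does not exist" or access denied instead, the problem is the key ACL or a missing container, not the KeySpec.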

