Recently whilst setting up a new AD FS deployment at a client's office, I ran into some troubles completing the initial AD FS configuration (done as soon as you add the AD FS Role). After it failed to configure, I went into Event Logs, to see that the error was that the account "NT Service\MSSQL$MICROSOFT##WID" did not have the required user right "Log on as a service". Generally when setting this up, the service account will automatically be granted the "Log on as a service" right, but in this case, something was blocking it.
When checking the local policy, I noticed that I couldn't configure the users who have been granted that right (it was greyed out). This means that the setting is controlled by a Group Policy. After checking GPMC, I found the setting within the Default Domain Policy. To resolve this issue, I set "NT SERVICE\ALL SERVICES" to be granted that right.
A quick gpupdate /force on the ADFS server then resolved the issue, and allowed me to continue with the ADFS configuration.
google 1108
ReplyDeletegoogle 1109
google 1110
google 1111
google 1112
google 1113