23 March 2016

Failure to configure AD FS | Log on as a service

Recently, whilst setting up a new AD FS deployment at a client's office, I ran into some trouble completing the initial AD FS configuration (the wizard that runs as soon as you add the AD FS role). After it failed to configure, I went into the Event Log and saw that the error was that the account "NT Service\MSSQL$MICROSOFT##WID" did not have the required user right "Log on as a service". Generally, when setting this up, the service account is automatically granted the "Log on as a service" right, but in this case something was blocking it.

When checking the local security policy, I noticed that I couldn't edit the list of users granted that right (it was greyed out). This means the setting is controlled by a Group Policy. After checking GPMC, I found the setting within the Default Domain Policy. To resolve the issue, I granted that right to "NT SERVICE\ALL SERVICES".

A quick gpupdate /force on the AD FS server then resolved the issue and allowed me to continue with the AD FS configuration.
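To confirm that the right actually reached the server after gpupdate, the following added PowerShell check (not part of the original post) exports the effective user-rights assignment with secedit and reports whether "Log on as a service" is held by the WID virtual account itself or only via NT SERVICE\ALL SERVICES, which is broader than the single account the error named. It assumes the service name MSSQL$MICROSOFT##WID from the event log above and an elevated prompt.

```powershell
# Added check, not from the original post. Run elevated on the AD FS server.

# Compute a per-service virtual account SID the same way "sc showsid" does:
# S-1-5-80 followed by the SHA-1 of the upper-cased UTF-16LE service name,
# split into five little-endian 32-bit sub-authorities.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = foreach ($i in 0, 4, 8, 12, 16) { [BitConverter]::ToUInt32($hash, $i) }
    return 'S-1-5-80-' + ($subs -join '-')
}

# Export the effective local user-rights assignment (what Group Policy actually
# applied) and return the SIDs currently holding SeServiceLogonRight.
function Get-ServiceLogonRightHolders {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right is granted to nobody at all
    # Values look like "*S-1-5-80-0,*S-1-5-80-..."; strip the "*" SID marker
    return ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

$widService  = 'MSSQL$MICROSOFT##WID'        # service name from the event log
$widSid      = Get-ServiceSid $widService
$allServices = 'S-1-5-80-0'                  # well-known SID of NT SERVICE\ALL SERVICES
$holders     = Get-ServiceLogonRightHolders

if ($holders -contains $widSid) {
    "OK: $widService ($widSid) holds 'Log on as a service' directly."
} elseif ($holders -contains $allServices) {
    "OK: granted via NT SERVICE\ALL SERVICES ($allServices); every service on this host gets it."
} else {
    "MISSING: neither $widService nor NT SERVICE\ALL SERVICES holds SeServiceLogonRight;" +
    " check the GPO that wins for this OU and run gpupdate /force."
}
```

If the third branch fires right after a gpupdate, the GPO that is winning for the server's OU still overrides the local setting, which is exactly the greyed-out symptom described above.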
