ADFS 2016 failing to add secondary members to the farm with missing SPN error

June 1, 2019

An "SPN missing" error appears when adding a second AD FS server that uses a Group Managed Service Account (GMSA). Configuring the first node raised no issues, but adding another node to the ADFS 2016 farm failed in both the GUI and the PowerShell configuration, with permission and SPN related errors.


The following errors appear when adding the second node to the ADFS 2016 farm using the GMSA:

username or password incorrect

There were no SPNs set on the following service account ‘Domain\Service-ADFS$’. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.

Unable to determine the Service SPN. There were no SPNs set on the following service account ‘Domain\Service-ADFS$’. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account


Check the SPNs currently registered on the GMSA account:

# List every SPN registered on the gMSA (the wizard needs a host/ SPN for the farm here)
setspn -L Service-adfs

Check which principals are allowed to retrieve the GMSA password (the new node needs this right to install the account):

# Show who may read the managed password; the attribute is returned as a list of DNs
Get-ADServiceAccount Service-adfs -Properties * | Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword | fl

The PrincipalsAllowedToRetrieveManagedPassword attribute should list the DNs of both the first and the second ADFS server.


If the second ADFS server is missing from that list, add it to fix the permission issue:

# Read the current list of principals so the existing entries are preserved
$adfsgmsaaccount = Get-ADServiceAccount Service-adfs -Properties PrincipalsAllowedToRetrieveManagedPassword

# DNs of the principals to add: the admin user and the second ADFS node
$DNofprincipals = @(
    ((Get-ADUser MyAdminUser).DistinguishedName),
    ((Get-ADComputer ADFSserver02).DistinguishedName)
)
# Append the principals that are already allowed, then write the combined list back
$DNofprincipals += $adfsgmsaaccount.PrincipalsAllowedToRetrieveManagedPassword
Set-ADServiceAccount -Identity 'Service-adfs' -PrincipalsAllowedToRetrieveManagedPassword $DNofprincipals


Check the permission status again (replication may take some time):

Get-ADServiceAccount Service-adfs -Properties PrincipalsAllowedToRetrieveManagedPassword

The output will now show the DN of ADFSserver02. This fixes the issue, and the second ADFS server can be added to the farm without further errors.
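The checks and the fix above, combined into one idempotent script as an added example (this is not code from the original post). It assumes the gMSA name 'Service-adfs' and the new node name 'ADFSserver02' from the post, a host with the ActiveDirectory RSAT module, and an account allowed to edit the gMSA. Beyond the post, it also audits the SPN list and flags any principal that is not a computer account, because only the farm nodes need to read the managed password.

```powershell
# Added example: audit a gMSA used by an AD FS farm and grant a new node the right
# to retrieve its managed password without dropping the existing principals.
# Names below are assumptions taken from the post; adjust for your environment.
Import-Module ActiveDirectory

$gmsaName = 'Service-adfs'     # gMSA used by the federation service
$newNode  = 'ADFSserver02'     # computer name of the node being added

$gmsa = Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames

# 1. SPN check: the configuration wizard fails with the "no SPNs set" error
#    when this list is empty; the farm needs a host/<federation service FQDN> SPN.
if (-not $gmsa.ServicePrincipalNames) {
    Write-Warning "No SPNs registered on $gmsaName; the AD FS wizard will report the 'no SPNs set' error"
} else {
    Write-Output "SPNs on ${gmsaName}:"
    $gmsa.ServicePrincipalNames | ForEach-Object { Write-Output "  $_" }
}

# 2. Current principals (returned as distinguished names)
$current = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
Write-Output "Principals allowed to retrieve the managed password:"
$current | ForEach-Object { Write-Output "  $_" }

# 3. Least-privilege audit: anything that is not a computer account (a user or a
#    broad group) can read the service password and should be reviewed.
foreach ($dn in $current) {
    $obj = Get-ADObject -Identity $dn -Properties objectClass
    if ($obj.ObjectClass -ne 'computer') {
        Write-Warning "Non-computer principal can retrieve the gMSA password: $dn ($($obj.ObjectClass))"
    }
}

# 4. Add the new node only if it is missing; string -contains is case-insensitive,
#    so a DN that differs only in case is still recognised as present.
$newNodeDN = (Get-ADComputer -Identity $newNode).DistinguishedName
if ($current -contains $newNodeDN) {
    Write-Output "$newNode is already allowed; nothing to change"
} else {
    $updated = $current + $newNodeDN
    Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToRetrieveManagedPassword $updated
    Write-Output "Added $newNodeDN; wait for AD replication before configuring the node"
}

# 5. Verification to run on the new node itself once replication has completed.
#    Test-ADServiceAccount returns True only when that host can retrieve the password:
#    Test-ADServiceAccount -Identity 'Service-adfs'
```

Running it twice is safe: the second run reports that the node is already allowed and changes nothing. Because PrincipalsAllowedToRetrieveManagedPassword is replaced as a whole by Set-ADServiceAccount, the script always writes the existing list plus the new DN rather than the new DN alone.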

One thought on "ADFS 2016 failing to add secondary members to the farm with missing SPN error"

  1. Ron

    This did not work for me. For those wishing to add a new Computer to the -PrincipalsAllowedToRetrieveManagedPassword property this worked for me:

    $gMSAName = 'Service-adfs'        # gMSA to update (assumed placeholder; the comment did not define it)
    $Servers  = @('ADFSserver02$')    # SAM account name(s) of the computer(s) to add (assumed placeholder)
    # Existing principals come back as DNs
    $CurrentServers = Get-ADServiceAccount $gMSAName -Properties PrincipalsAllowedToRetrieveManagedPassword |
        Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword
    # Convert each existing DN to its SAM account name (assumes every existing principal is a computer)
    $List = foreach ($DN in $CurrentServers) {
        Get-ADComputer $DN | Select-Object -ExpandProperty SamAccountName
    }
    $Principals = @($List) + $Servers
    Set-ADServiceAccount "$gMSAName" -PrincipalsAllowedToRetrieveManagedPassword $Principals

