AD FS Help Diagnostics Analyzer Automated test information

Below is a list of all of the automated tests that are run by the Diagnostics Analyzer.

Automated tests
Name Description Remediation information
Service - ADFS Service Startup Verifies that the Active Directory Federation Services service is set to automatically start. Configuring the federation service to automatically start will avoid issues when the server is restarted.
Configuration - Verify User Activity Database Verifies the User Activity Database is created properly. This database is used by Extranet Smart Lockout (ESL) to protect users against brute force attacks and prevent users from being locked out in Active Directory.
The ADFS service account has insufficient privileges to create the Account Activity database. Follow step 3 in the remediation link to manually grant the correct permissions.
Learn how to grant the correct permissions
Certificate - Token Decrypting Certificate Availability Verifies that the certificate is located in the LocalMachine certificate store. AD FS requests will fail if the token-decrypting certificate is not present in the LM store. This requires immediate attention.
Import the certificate into the local computer's store. If the certificate is no longer available, install a new primary token-decrypting certificate using the information below.
Learn how to add a token-decrypting certificate
Binding - Client TLS Binding Certificate Thumbprint Verifies that the binding certificate thumbprint is set correctly. This thumbprint is required for the federation service to locate the certificate.
Follow the link below for more information on managing SSL bindings for your AD FS and WAP servers.
Learn how to troubleshoot the issue
Configuration - Trusted Devices Certificate Store Verifies that the Trusted Devices certificate store is present on the AD FS server. This certificate store is used by WAP servers and for the collection of device credentials via TLS. If the store is missing, WAP servers may lose their trust and TLS requests may fail.
Follow the link below to configure device authentication; this will recreate the certificate store. If this does not solve the issue, you will have to rebuild the AD FS farm.
Learn how to configure device registration
Configuration - Intranet Authentication Policy Verifies the intranet authentication policy for the AD FS farm. All requests from the intranet will fail if there are no authentication providers.
Certificate - SSL Certificate Chain Trusted Verifies that the SSL certificate chain is trusted. If the certificate chain is not trusted, users will see 'SSL certificate not trusted' errors when they attempt to sign in.
Install a new SSL certificate with a trusted chain.
Learn how to manage SSL certificates
Configuration - Extranet Lockout Master Is Published Verifies Extranet Smart Lockout is publishing a master node. ESL protects users against brute force attacks and prevents users from being locked out in Active Directory. A "User Activity" master node is required for ESL to function properly. The secondary AD FS servers contact the master node to retrieve and update user activity information.
Follow the configuration instructions to verify ESL is properly configured.
Learn more about how to configure ESL
Configuration - External Time Verifies that the local time on the server is synchronized with an external authority. If time is not synchronized and is off by more than 5 minutes, authentication requests to the domain will fail. This can also impact the trust between AD FS and WAP. This requires immediate action.
Synchronize Windows time for the AD FS and WAP servers with an external time authority. This can be done using the w32tm.exe command line tool. See the link below for more information.
Learn more about Windows time tools and settings
Configuration - Service Name Not Alias Verifies that the AD FS service name is not an alias. Using an alias for the federation service name can cause Windows Integrated Authentication to fail.
Configuration - Primary Server Fully Qualified Verifies that the primary AD FS server name in the synchronization properties is fully qualified. Synchronization uses the primary server FQDN. If the primary server sync property is set to a NetBIOS name, synchronization may fail.
Use Set-AdfsSyncProperties to set the PrimaryComputerName to the fully-qualified server name.
Learn how to use Set-AdfsSyncProperties
Certificate - SSL Certificate Private Key Verifies that the SSL certificate has a private key. AD FS requests will fail if the SSL certificate private key is missing. This requires immediate attention.
Import the same certificate that has a private key. If the certificate is no longer available, install a new SSL certificate using the information below.
Learn how to manage SSL certificates
Certificate - Service Communications Certificate Time Validity Verifies the time validity of the service communications certificate. AD FS token requests will fail if the service communications certificate is time-invalid.
If this certificate is already expired, install a new service communications certificate. If the certificate is about to expire, you will need to roll the certificate before the expiration date.
Learn how to set a service communications certificate
Certificate - SSL Certificate Availability Verifies that the certificate is located in the LocalMachine certificate store. AD FS requests will fail if the SSL certificate is missing from the LM store. This requires immediate attention.
Import the certificate into the local computer's store. If the certificate is no longer available, install a new SSL certificate using the information below.
Learn how to manage SSL certificates
Service - WAP Service Running Verifies that the Web Application Proxy service is running. All AD FS Proxy requests will fail if the WAP service is not running. This requires immediate attention.
Configuration - Extranet Lockout Threshold Verifies the AD FS extranet lockout threshold is less than the AD lockout threshold. AD FS Extranet Lockout functions independently from the AD lockout policies. We recommend that you set the ExtranetLockoutThreshold parameter value to a value that is less than the AD account lockout threshold, so that AD FS is able to protect accounts from being locked out in Active Directory.
Reset the ExtranetLockoutThreshold parameter value using the PowerShell script in the remediation link.
Learn how to configure Extranet Lockout
Service - AD FS Service Running Verifies that the Active Directory Federation Services service is running. AD FS requests will fail if the federation service is not running. This requires immediate attention.
Configuration - Extranet Lockout Observation Window Verifies the AD FS extranet lockout observation window is longer than the AD observation window. The AD FS Extranet Lockout observation window should be longer than the AD observation window. If it is not, the ADFS lockout counter will reset faster than AD, resulting in account lockouts.
Reset the observation windows using the PowerShell script in the remediation link.
Learn how to configure Extranet Lockout
Synthetic - Federation Service Reachable from WAP Verifies that the AD FS federation service is reachable by accessing the federation metadata endpoint. AD FS requests will fail if the federation service cannot be accessed.
Follow the link below for more information on how to troubleshoot the service issue.
Learn how to troubleshoot the issue
Certificate - Token Decrypting Certificate Private Key Verifies that the token decrypting certificate has a private key. AD FS requests will fail if the token-decrypting certificate private key is missing. This requires immediate attention.
Import the same certificate that has a private key. If the certificate is no longer available, install a new primary token-decryption certificate using the information below.
Learn how to add a token-decrypting certificate
Configuration - SSL Certificate Contains Federation Service Name Verifies that the SSL certificate contains the federation service name. An SSL certificate with the federation service name is required for processing requests from clients and applications.
Synthetic - Federation Metadata Available Verifies that the federation metadata document is available for download. The federation metadata document contains information about the AD FS farm that is needed by other applications and services. Failure to download it may cause request failures and be a symptom of larger problems such as blocking firewall traffic. This requires immediate attention.
ServiceAccount - Service Account Locked Out Verifies that the AD FS service account is not locked out in Active Directory. The AD FS farm will stop functioning if the service account is locked out. This requires immediate attention.
Configuration - Synchronization Status Verifies the synchronization status with the primary AD FS server. Synchronization ensures that the AD FS configuration is consistent across all servers in the farm.
ServiceAccount - Service Account Password Expired Verifies that the AD FS service account password has not expired in Active Directory. The AD FS farm will stop functioning if the service account password has expired. This requires immediate attention.
Configuration - Duplicate Service Principal Names Verifies that there are no duplicate service principal names (SPN) for the federation service registered in Active Directory. If there are federation service SPN duplicates in the directory, Windows Integrated Authentication will fail and users will experience NTLM prompts. This is not a critical problem, but it will impact Single Sign-On (SSO) and the overall user experience for applications that use Windows Integrated Authentication.
Use [SETSPN -L AdfsServiceAccountName] to list the Service Principals for the AD FS service account. Use [SETSPN -X] to check for duplicate Service Principal Names. If the SPN is duplicated for the AD FS service account, remove the SPN from the duplicated account using [SETSPN -d service/namehostname]. If the SPN is not set, use [SETSPN -s {Desired-SPN} {domain_name}{service_account}] to set the desired SPN for the AD FS service account. Note: this operation requires Domain Admin permissions.
Learn how to manually configure a service account
Service Account - Service Account Expired Verifies that the AD FS service account is not expired in Active Directory. The federation service may stop functioning if the service account is misconfigured. This requires immediate attention.
Certificate - Token Signing Certificate Revocation Verifies that the primary token signing certificate has not been revoked. AD FS requests will fail if the token-signing certificate has been revoked. This requires immediate attention.
Install a new token-signing certificate using the information below.
Learn how to add a token-signing certificate
Binding - HTTPS Binding Certificate Thumbprint Verifies that the binding certificate thumbprint is set correctly. This thumbprint is required for the federation service to locate the certificate.
Follow the link below for more information on managing SSL bindings for your AD FS and WAP servers.
Learn how to troubleshoot the issue
Certificate - Service Communications Certificate Availability Verifies that the certificate is located in the LocalMachine certificate store. AD FS requests will fail if the service communications certificate is missing from the LM store. This requires immediate attention.
Import the certificate into the local computer's store. If the certificate is no longer available, install a new service communications certificate using the information below.
Learn how to set a service communications certificate
Service - WID Service Startup Verifies that the Windows Internal Database service is set to automatically start. Configuring the WID service to automatically start will avoid issues when the server is restarted.
Configuration - Domain Time Verifies that the local time on the server is synchronized with the domain time. If the server and domain time difference is more than 5 minutes, domain authentication requests will fail and the trust between AD FS and WAP servers will be impacted. This requires immediate attention.
Synchronize Windows time for the AD FS and WAP servers with the time in your Active Directory domain. This can be done using the w32tm.exe command line tool. See the link below for more information.
Learn more about Windows time tools and settings
Certificate - Root Certificate Store Verifies that there are only self-signed certificates in the root store. Having only self-signed certificates in the root store will prevent certificate-based authentication failures.
Binding - HTTPS Port Binding Verifies that the HTTPS port binding matches the service properties. AD FS requests will fail if there is a mismatch between the binding and the properties.
Follow the link below for more information on managing SSL bindings for your AD FS and WAP servers.
Learn how to troubleshoot the issue
Configuration - Extranet Lockout Enabled Verifies that AD FS extranet lockout is enabled. If Extranet Lockout is disabled, users will not be protected against brute force attacks and may be locked out in Active Directory.
Configure AD FS Extranet Lockout.
Learn how to configure Extranet Lockout
Certificate - Token Decrypting Certificate Revocation Verifies that the primary token decrypting certificate has not been revoked. AD FS requests will fail if the token-decrypting certificate has been revoked. This requires immediate attention.
Install a new token-decrypting certificate using the information below.
Learn how to add a token-decrypting certificate
Binding - Client TLS Binding Application ID Verifies that the binding application ID is set correctly. This ID is required for the federation service to locate the certificate.
Follow the link below for more information on managing SSL bindings for your AD FS and WAP servers.
Learn how to troubleshoot the issue
Certificate - SSL Certificate Self-Signed Verifies that the SSL certificate is not self-signed. AD FS requests will fail if the SSL certificate is self-signed. The AD FS certificate must be issued by a trusted Certificate Authority so that sessions can be established securely. This requires immediate attention.
Install a new SSL certificate from a trusted Certificate Authority using the information below. Do not use a certificate that is self-signed.
Learn how to manage SSL certificates
Service - WID Service Running Verifies that the Windows Internal Database service is running. WID is the storage backend for AD FS configuration data. All AD FS requests will fail if the WID service is not running. This requires immediate attention.
Certificate - Service Communications Certificate Private Key Verifies that the service communications certificate has a private key. AD FS requests will fail if the certificate private key is missing. This requires immediate attention.
Import the same certificate with the private key. If the certificate is no longer available, install a new primary service communications certificate.
Learn how to set a service communications certificate
Configuration - Federation Service Name Resolvable Verifies that the federation service name is resolvable in DNS. DNS name resolution is required for clients and services to locate the federation service.
Configuration - Last Synchronization Time Verifies the last time the server was synchronized with the primary AD FS server. Regular synchronization keeps the AD FS configuration consistent across all servers in the farm.
Service Account - Protected Users Group Verifies that the service account is not a member of the Protected Users group in Active Directory. Having the service account in this group may break the S4U extension and cause login failures.
Follow the link below and remove the AD FS service account from the Protected Users group.
Learn how to remove the account from the group
Service - WAP Service Startup Verifies that the Web Application Proxy service is set to automatically start. Configuring the WAP service to automatically start will avoid issues when the server is restarted.
Certificate - Federation SSL Certificate Trusted Verifies that the AD FS SSL certificate is trusted by the server. AD FS requests and trust renewals will fail if the SSL certificate is not trusted.
Install a new SSL certificate that is trusted. Follow the link below.
Learn how to troubleshoot the issue
Certificate - Service Communications Certificate Revocation Verifies that the service communications certificate has not been revoked. AD FS requests will fail if the service communications certificate has been revoked. This requires immediate attention.
Install a new service communications certificate using the information below.
Learn how to set a service communications certificate
Certificate - SSL Certificate Time Validity Verifies the time validity of the SSL certificate. AD FS requests from clients and services will fail if the SSL certificate is time-invalid.
If this certificate is already expired, install a new SSL certificate. If the certificate is about to expire, you will need to roll the certificate before the expiration date.
Learn how to manage SSL certificates
Binding - Custom Binding Certificate Thumbprint Verifies that the certificate thumbprint for custom bindings is set correctly. This thumbprint is required for the federation service to locate the certificate.
Follow the link below for more information on managing SSL bindings for your AD FS and WAP servers.
Learn how to troubleshoot the issue
Certificate - SSL Certificate Revocation Verifies that the SSL certificate has not been revoked. AD FS requests will fail if the SSL certificate has been revoked. This requires immediate attention.
Install a new SSL certificate using the information below.
Learn how to manage SSL certificates
Binding - HTTPS Binding Application ID Verifies that the binding application ID is set correctly. This ID is required for the federation service to locate the certificate.
Follow the link below for more information on managing SSL bindings for your AD FS and WAP servers.
Learn how to troubleshoot the issue
Configuration - SSL Certificate Contains Alternate Client TLS Name Verifies that the SSL certificate contains the alternate client TLS name. The alternate TLS name is required for certificate authentication of clients and applications.
Follow the link below to assign the correct subject alternate name.
Learn how to set alternate client TLS name
ServiceAccount - Service Account Enabled Verifies that the AD FS service account is enabled in Active Directory. The AD FS farm will stop functioning if the service account is misconfigured. This requires immediate attention.
Certificate - Intermediate CA Certificate Store Verifies that there are no self-signed certificates in the intermediate CA store. Having self-signed certificates in the intermediate CA store could break certificate-based authentication on the AD FS server. On WAP servers this can break WAP trust creation.
Synthetic - Token Request Performs a synthetic transaction against the AD FS server to make sure that it is properly issuing tokens. If this transaction fails, it is possible that all AD FS requests are failing. This requires immediate attention.
Certificate - Token Decrypting Certificate Time Validity Verifies the time validity of the primary token decrypting certificate. All token-decrypting requests will fail if the token-decrypting certificate is time-invalid.
If this certificate is already expired, install a new token-decrypting certificate. If the certificate is about to expire, you will need to roll the certificate before the expiration date.
Learn how to add a token-decrypting certificate
Configuration - Extranet Authentication Policy Verifies the extranet authentication policy for the AD FS farm. All requests from the extranet will fail if there are no authentication providers.
Certificate - Token Signing Certificate Availability Verifies that the certificate is located in the LocalMachine certificate store. AD FS requests will fail if the token-signing certificate is not present in the LM store. This requires immediate attention.
Import the certificate into the local computer's store. If the certificate is no longer available, install a new primary token-signing certificate using the information below.
Learn how to add a token-signing certificate
Binding - Client TLS Port Binding Verifies that the client TLS port binding is correct. This binding is required for certificate authentication to work correctly.
Follow the link below for more information on managing SSL bindings for your AD FS and WAP servers.
Learn how to troubleshoot the issue
Certificate - Token Signing Certificate Time Validity Verifies the time validity of the primary token signing certificate. All token-signing requests will fail if the token-signing certificate is time-invalid.
If this certificate is already expired, install a new token-signing certificate. If the certificate is about to expire, you will need to roll the certificate before the expiration date.
Learn how to add a token-signing certificate
Certificate - Token Signing Certificate Private Key Verifies that the token signing certificate has a private key. AD FS requests will fail if the token-signing certificate private key is missing. This requires immediate attention.
Import the same certificate that has a private key. If the certificate is no longer available, install a new primary token-signing certificate using the information below.
Learn how to add a token-signing certificate
Configuration - Primary Server Reachable Verifies that the primary AD FS server is reachable. Primary server access is required to synchronize the secondary nodes.
Binding - HTTPS Binding CTL Store Verifies that the binding CTL store is set correctly. This store is required to maintain the proxy trust with the federation service.
Follow the link below for more information on managing SSL bindings for your AD FS and WAP servers.
Learn how to troubleshoot the issue
Configuration - Service Name Not Computer Name Verifies that the AD FS service name does not match the computer name. The federation service name should be a virtual name that is registered in DNS as an A record. If the federation service name is a computer name, you need to rebuild the AD FS farm and specify a valid name.
Configuration - Automatic Certificate Rollover Verifies that automatic certificate rollover is enabled if AD FS is using self-signed certificates. This is recommended when using self-signed certificates.
Configuration - Service Account Service Principal Name Verifies that the AD FS service account has the service name registered as a service principal name (SPN) in Active Directory. The service account SPN is required for Windows Integrated Authentication.
See the link for more details on how to resolve this issue.
Learn how to manually configure a service account