SOLVED

AD FS Role installs but configuration fails with timeout error

Copper Contributor

I am attempting to install the Active Directory Federation Services role on a Server 2019 VM.

The initial configuration wizard fails when installing ADFS (GUI OR PowerShell - same outcome).

All checks pass, but the ADFS service takes roughly 75 seconds to start, so the wizard times out failed.
The database is built, the service account and certificate are verified, and the service is ACTUALLY STARTED.
Once it fails with "timeout" error, it never builds the APP Pool objects in IIS, and it never builds the objects to populate the AD FS MMC.
I have verified that the certificate is built correctly per multiple articles.

I followed https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/manually-configure-a-serv... to set up the GMSA service account

I have followed the guidance at https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/service-n... to add time for the service to start, but the wizard appears to have its own timeout.

I have installed SQL Service Management Studio 20, and used it verify that the WID database and the permissions/roles for the service account match guidance.

I have verified the SPN and the permissions for the AD FS GUID for the farm.

 

Is there a way to complete the configuration with the long service start?

2 Replies
Increase Service Timeout for AD FS Configuration:
The AD FS configuration wizard might have a hardcoded timeout. However, you can attempt to extend the service start timeout by manually configuring the AD FS service after the initial failure. This involves:

Manually Completing the AD FS Configuration:

After the initial failure, the database is already created, and the service is started. You can manually complete the configuration using PowerShell by running the following command:

Install-AdfsFarm -CertificateThumbprint "<Thumbprint>" -FederationServiceName "<YourFederationServiceName>" -ServiceAccountCredential (Get-Credential)

Verify the Configuration:

After running the above command, verify that the AD FS farm is correctly configured by opening the AD FS Management console.
2. Increase Startup Timeout in the Windows Registry:
You can attempt to increase the service startup timeout value for Windows services in the registry, which may help prevent the timeout issue:
Open Registry Editor and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
Create or modify the ServicesPipeTimeout DWORD value.
Set the value to a higher timeout, such as 120000 (120 seconds).
Reboot the server and try running the configuration again.
3. Analyze and Optimize Service Startup:
Since the AD FS service is taking a long time to start, it's essential to analyze why this is happening. Some potential causes include:
Certificate Revocation List (CRL) Checks: Ensure that the server has access to the internet to validate the CRL. If access is restricted, this can significantly delay the service startup.
Dependency Services: Check if any other services on which AD FS depends are also slow to start.
4. Use SQL Server Instead of WID:
If you are using Windows Internal Database (WID) and still face issues, consider using a full SQL Server for the AD FS configuration. SQL Server may handle the configuration more efficiently and avoid some of the limitations or delays associated with WID.
5. Manually Create IIS Application Pools:
If the installation wizard fails to create the necessary IIS application pools, you can manually create them:
Open IIS Manager and create the required application pools manually, ensuring they match the expected configurations for AD FS.
Re-run the AD FS configuration using PowerShell or attempt the GUI wizard again.
By applying these workarounds, you should be able to bypass the timeout issue and successfully configure AD FS on your Server 2019 VM.
best response confirmed by paul1945 (Copper Contributor)
Solution

@kyazaferr Thank you for your suggestions.

 

The problem was caused by Trellix blocking IPV6 for organizational reasons.  That has been corrected, and the service is now starting quickly, as expected.  The installation was able to finish, and we are moving on to the next stage.

1 best response

Accepted Solutions
best response confirmed by paul1945 (Copper Contributor)
Solution

@kyazaferr Thank you for your suggestions.

 

The problem was caused by Trellix blocking IPV6 for organizational reasons.  That has been corrected, and the service is now starting quickly, as expected.  The installation was able to finish, and we are moving on to the next stage.

View solution in original post