This is not a critical issue by any means, as I doubt this will occur in a real production environment; however, I feel the need to alert everyone to a possible issue that will render their DC unusable. I’ve been playing around with ADFS v2 and SharePoint 2010 for a customer issue. Until recently I’ve always used the non-farm install of ADFS for my testing, but this time I was referencing a blog that I found specifically because it’s the User Profile portion of SharePoint that I’m interested in this time. The blog I was referencing appears complete:
Marc does a good job of walking us through the configuration necessary for getting this set up, but he uses the farm setup of ADFS. For a test scenario I’m not sure it matters much, but one thing the farm setup does that I hadn’t considered before is that it creates an SPN (Service Principal Name) for the ADFS service account in the form of host/<FQDN for adfs>.
After configuring ADFS, I had to manually configure the SPN for this account – this should have been my first clue that something was amiss. I still had some issues with the site I was attempting to access, so as with any good troubleshooting I rebooted the ADFS server for good measure. When it came back up and I tried to log in I received the following error:
“The security database on the server does not have a computer account for this workstation trust relationship.”
Now… I haven’t been deeply involved in domain support for several years, but even I can realize that this is not a good sign. I performed a few cursory searches on Bing and found a few places that were mostly discussing the trust relationship of a workstation that had been joined to the domain. I then came across another blog that made a reference to a host SPN and the above error. (My apologies to the blog author, as I don’t have that link handy and I cannot locate it again.)
So I started thinking that maybe I had inadvertently knee-capped my own DC. After a bit of distress and receiving responses to the tune of “you’re toast”, the resolution actually turned out to be relatively easy. I already had a Windows 7 client as a member of the domain. I logged into the Win7 client as the domain admin and installed the Windows Server 2003 Support Tools. I then used Setspn.exe to delete the SPN that I had manually added and now my DC was accessible again!
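As an added example (not code from the original post), here is a PowerShell check a domain admin could run from a domain-joined client before rebooting anything: it lists every directory object holding the host/ SPN, flags the duplicate, and removes the manually added copy from the service account as described above. The FQDN and account name are placeholders, and it assumes setspn.exe from Windows Server 2008 or later (the -Q, -X and -S switches are not in the 2003 Support Tools) plus the ActiveDirectory module for the LDAP cross-check.

```powershell
# Added example, not from the original post. Placeholder values:
$AdfsFqdn    = 'adfs.example.test'   # placeholder: FQDN used for the ADFS farm
$ServiceAcct = 'EXAMPLE\svc_adfs'    # placeholder: ADFS service account that got the host/ SPN
$spn         = "host/$AdfsFqdn"

# 1. Ask the domain which objects hold this SPN (-F searches the whole forest).
#    Two holders, e.g. a DC computer account and the service account, is the
#    collision that surfaces as the "security database ... computer account"
#    error once the machine reboots and Kerberos picks the wrong identity.
Write-Host "setspn query for $spn"
setspn.exe -Q $spn -F

# 2. Cross-check over LDAP so the result does not depend on parsing setspn output.
Import-Module ActiveDirectory
$holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" `
                           -Properties servicePrincipalName)
if ($holders.Count -gt 1) {
    Write-Warning ("Duplicate SPN {0} held by: {1}" -f $spn,
                   ($holders.DistinguishedName -join '; '))
} elseif ($holders.Count -eq 1) {
    Write-Host "SPN $spn is held only by $($holders[0].DistinguishedName)"
} else {
    Write-Host "SPN $spn is not registered anywhere"
}

# 3. Forest-wide duplicate scan; worth running before any reboot after SPN changes.
setspn.exe -X -F

# 4. Remediation from the post: remove only the manually added host/ entry from
#    the service account. The DC keeps its own host/<dc fqdn> SPN untouched.
if ($holders.Count -gt 1) {
    setspn.exe -D $spn $ServiceAcct
}

# 5. If an SPN has to be registered later, -S refuses to create a duplicate,
#    whereas -A adds it blindly (which is how the collision above happens).
# setspn.exe -S $spn $ServiceAcct
```

Run it as a domain admin; `setspn -X` is read-only, so steps 1 to 3 are safe to execute on a production domain as a pre-flight check.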
Why did I use the W2k3 Support Tools?
What is the recommended method of using ADFS in this scenario?