In a recent case, we hit the issue detailed very well in the following blog post.
Error when adding second 2012R2 AD FS server when using gMSA
Essentially, there needs to be a trio of conditions met:
- The AD FS server being set up is not the first AD FS server in the farm.
- The AD FS service is being run under a Group Managed Service Account (gMSA).
- There are no Windows 2012 R2 DCs in the site where the new AD FS server is being set up.
If these conditions are met, you may be presented with the following errors during install.
- There were no SPNs set on the following service account ‘<ServiceAccount>’. Specify the service account used to configure the other Federation servers in the farm, or set host SPN for the farm on the service account.
- The user name or password is incorrect
- Unable to determine the Service SPN. There were no SPNs set on the following service account ‘<ServiceAccount>’. Specify the service account used to configure the other Federation servers in the farm, or set host SPN for the farm on the service account.
- Unable to retrieve configuration from the primary server. The user name or password is incorrect
- One or more prerequisites failed. Please fix these issues and click “Rerun prerequisite check”
In this scenario, there was no possibility of getting a 2012 R2 DC in the new AD FS server’s site. So, we started looking for work arounds.
We set the following registry key to hard code the new AD FS server to a specific site and override automatic site lookup.
Name= SiteName (String)
Value= <Name of the Site where the 2012 R2 DC is located>
After setting this new registry value, we rebooted the server.
We configured the server as a new AD FS server in an existing farm, still using the gMSA account. This time the configuration wizard completed successfully.
We removed the SiteName registry value and rebooted. The AD FS service started just fine.
Shout out to Giles Pauli for all the help on how to manipulate site determination.