ADFS refuses to start, error 1297

Here is the scenario: your ADFS farm is happy, up and running. Because of update management, sometimes your server has to restart, and when the server restarts, every service it hosts restarts with it.

Then, maybe you'll run into this error message when you start the ADFS Server service:

It is weird, especially since you haven't changed anything in a while... Let's check what permissions the service account has in the local security policy:

We can see two things:

  1. The AD\srv_adfs account as well as NT SERVICE\adfssrv have the privilege to Log on as a service (in red in the screenshot).
  2. There is a group policy that controls the privilege Generate security audits (in blue in the screenshot). As you might know, ADFS can generate audit events if you configure the service properties adequately. The service requires this privilege.

You can see this requirement in the registry key for the service (value RequiredPrivileges):

Let's use GPRESULT /H to see which policy is forcing this:

It looks like a group policy called Corp - Security settings is taking the privilege away from our ADFS service. At this point you have several options: remove the setting from the GPO, exclude the ADFS server from the scope of the GPO, create another GPO for the ADFS servers that guarantees the service will have the privilege... It's your call. In my case, the setting has been removed from the GPO. So let's check the privileges and add them back for our ADFS service. Once you are no longer under the authority of that setting, open GPEDIT.MSC and add the service's privilege back:

Notice that the "From this location" field should be the local server; add NT SERVICE\adfssrv as well as NT SERVICE\drs (this is the Device Registration Service; whether you are using it or not, just put it back). This is what the setting looks like at the end:

Now your ADFS service should start. If you have several servers, make sure they all have the right privilege so that your load balancing keeps working.
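As an added example (not code from the original post), the check described above can be scripted: read the RequiredPrivileges value of the adfssrv and drs services from the registry and compare it with what the local security policy grants to their NT SERVICE virtual accounts, which is exactly what the GPO in this story took away. It assumes it runs elevated on the ADFS server, and the list of implicit groups is an assumption noted in the code.

```powershell
# Added example, not from the original post. Run it elevated on the ADFS server.
# Reads RequiredPrivileges for each ADFS service and checks whether local security
# policy (as left by GPO processing) still grants every privilege to its virtual account.
$services = @('adfssrv', 'drs')

# Privileges the service declares in its registry key (REG_MULTI_SZ RequiredPrivileges).
function Get-RequiredPrivileges([string]$ServiceName) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $item = Get-ItemProperty -Path $key -Name RequiredPrivileges -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }   # service not installed, or it declares nothing
    return @($item.RequiredPrivileges)
}

# Effective user-rights assignments, exported with secedit and parsed. Lines look like
#   SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-80-<service SID>
function Get-LocalPrivilegeRights {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

# Virtual service accounts appear in the export as SIDs, so translate the name first.
function Get-ServiceAccountSid([string]$ServiceName) {
    $acct = New-Object System.Security.Principal.NTAccount('NT SERVICE', $ServiceName)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Assumption: groups every service token carries (Everyone, Authenticated Users, SERVICE,
# ALL SERVICES), so a privilege granted to one of them counts as held by the service.
$implicitGroups = @('S-1-1-0', 'S-1-5-11', 'S-1-5-6', 'S-1-5-80-0')

$rights = Get-LocalPrivilegeRights
foreach ($svc in $services) {
    $sid = Get-ServiceAccountSid $svc
    foreach ($priv in Get-RequiredPrivileges $svc) {
        $holders = @($rights[$priv])
        $viaGroup = @($implicitGroups | Where-Object { $holders -contains $_ }).Count -gt 0
        if (($holders -contains $sid) -or $viaGroup) {
            Write-Output "OK      NT SERVICE\$svc holds $priv"
        } else {
            # The error 1297 case: policy assigns the right, but not to this service.
            Write-Warning "MISSING NT SERVICE\$svc ($sid) is not granted $priv by local policy"
        }
    }
}
```

Run it again after fixing the GPO and refreshing policy to confirm every required privilege reports OK before restarting the service.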

My root cause story...

In this case it was a surprise that the service kind of "suddenly" stopped working. What actually happened was:

  1. The service is happy... The service got the right privilege when you configured the role (a long time ago).
  2. The security team changes the GPO to harden the servers under a specific OU (the ADFS server was under that one).
  3. The new GPO applies to the server, but because the service is already started, it is not impacted.
  4. The server finally restarts, and this time, when the service is starting, the privilege is missing and the start is aborted.

Hope this helped...

Comments (14)
  1. rb1kenobi says:

    Saved my bacon, thanks dude!

  2. Ron 0825 says:

    Thanx, this helped me a lot!

  3. Shawn says:


  4. sal says:

    GREAT job. this was very well written and helped out a lot. 2 thumbs up. BTW loved how you laid out the logic, similarly there were no apparent changes on my side but … S#$%& happens.

  5. R says:

    Thx, timesaver 🙂

  6. MarkB-1118 says:

    Awesome, absolutely awesome that you documented and indexed this so it was easy to find. Saved my bacon, eggs, toast, juice, and most important, coffee. Kudos, mad props, and BRAVO ZULU!

  7. Thanks Pierre!

    It helped me yesterday. Running Windows Server 2016 VM at Azure with ADFS installed on a domain controller. I had some issues to replicate my FRS SYSVOL share and caused GPO issues where this right was not included. I am glad I found this as I was looking into another direction.

  8. Shawn says:

    Thank You Pierre! My root cause was nearly identical as yours. I was able to restore my ADFS service in <30 minutes thanks to your thorough instructions.

  9. Mrdoff says:

    Thanks a lot! Helped me to solve this issue quick!

  10. Jake says:

    Thank you

  11. Jake says:

    Great find

  12. Thank you from 2019!
    Saved a couple of hours reinstalling ADFS for me and customers.
    To refresh group policies after change run
    gpupdate /force

Comments are closed.
