Here is the scenario, your ADFS farm is happy, up and running. Because of update management sometimes you server has to restart. And when the server is restarting all hosted services will also restart with it.
Then, maybe you'll be running into this error message when you start your ADFS Server service:
It is weird especially that you haven't done any changes in a while… Let's check what the permission of the service account in the local policy:
We can see two things:
- The AD\srv_adfs account as well as the NT SERVICE\adfssrv have the privilege to Log on as a service (in red in the screenshot).
- There is a group policy that control the privilege Generate security audits (in blue in the screenshot). As you might know, ADFS can generate audit if you configure the service properties adequately. The service requires this privilege.
You can see this requirement in the registry key for the service (value RequiredPrivileges):
Let's use GPRESULT /H to see what is the policy forcing this:
It looks like a group policy called Corp – Security settings is taking out the privilege from our ADFS service. At this point you have several options, remove the setting from the GPO, exclude the ADFS server from the scope of the GPO, create another GPO for ADFS server that guarantee that the service will have the privilege… It's your call. In my case, the setting has been remove from the GPO. So let's check if the privilege and add them back for our ADFS service. Once you are not under the authority of that setting, open GPEDIT.MSC and add the service's privilege back:
Notice that the From the location section should be the local server, add NT SERVICE\adfssrv as well as NT SERVICE\drs (this is the device registrations service, whether you are using it or not, just put it back). This is what the setting looks like at the end:
Now your ADFS service should start. If you have several servers make sure they all got the right privilege to enable your load balancing.
My root cause story…
In this case it was a surprise that the service kind of "suddenly" stop working. What actually happened was:
- The service is happy… The service got the right privilege when you configured the role (a long time ago).
- The security team is changing the GPO to harden the servers under a specific OU (the ADFS server was under that one).
- The new GPO applies on the server but because the service is already started, it is not impacted.
- The server finally restart and this time when the service is starting the privilege is missing is the start is aborted.
Hope this helped…