Problem:
You get the following error when running Set-MsolADFSContext to configure AD FS for federation:
“PS C:\Windows\system32> Set-MsolADFSContext -Computer adfs.cloudexchangers.com
Set-MsolADFSContext : The connection to adfs.publicdomain.com Active Directory
Federation Services 2.0 server failed due to invalid credentials”
The System event log on the AD FS server shows the following Kerberos event. It tells you that authentication fails because the target SPN (HTTP/adfs.cloudexchangers.com) is registered on an account other than the one the service that answered the connection is running as: the ticket is encrypted with the key of the AD FS service account that holds that SPN, while the remoting endpoint on the server runs as the computer account (adfs1$) and cannot decrypt it. That is the clue to where the issue is.
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 7/26/2016 8:20:16 AM
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ADFS1.cloudexchangers.local
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adfs1$. The target name used was HTTP/adfs.cloudexchangers.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (CLOUDEXCHANGERS.LOCAL) is different from the client domain (CLOUDEXCHANGERS.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
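The following PowerShell is an added example, not part of the original post, that confirms the SPN mismatch the event above points at before you change anything. The host and domain names are the ones from the event; the regular expression, the variable names and the output format are assumptions for this illustration. It needs the ActiveDirectory module and must be run as a domain user that can read the directory.

```powershell
# Added example, not part of the original post: confirm the SPN mismatch that
# the Kerberos event above points at. Names are taken from the event; the
# regex and the output layout are assumptions for this illustration.
Import-Module ActiveDirectory

$FederationServiceName = 'adfs.cloudexchangers.com'    # A record used in the failing command
$AdfsHostFqdn          = 'adfs1.cloudexchangers.local' # the server's own FQDN

# 1. Pull the target SPN out of recent KRB_AP_ERR_MODIFIED events (Event ID 4)
#    instead of reading the long message by hand.
$badTargets = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'target name used was (?<spn>\S+)\.') {
            [pscustomobject]@{ Time = $_.TimeCreated; TargetSpn = $Matches.spn }
        }
    }
$badTargets | Format-Table -AutoSize

# 2. Which account owns each HTTP/ SPN? A service ticket is encrypted with the
#    key of the account that holds the SPN, so a service running as the computer
#    account (adfs1$) can only decrypt tickets for SPNs on the computer account.
foreach ($spn in "HTTP/$FederationServiceName", "HTTP/$AdfsHostFqdn") {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owner) {
        '{0,-40} -> {1} ({2})' -f $spn, $owner.Name, $owner.ObjectClass
    } else {
        # Not registered explicitly: HOST/<fqdn> on the computer account covers HTTP/<fqdn>.
        '{0,-40} -> covered by HOST/ on the computer account' -f $spn
    }
}

# 3. Duplicate SPNs anywhere in the forest also produce KRB_AP_ERR_MODIFIED.
setspn -X
```

If HTTP/adfs.cloudexchangers.com resolves to the AD FS service account while HTTP/adfs1.cloudexchangers.local is covered by the computer account, the fix is to connect using the host FQDN as described in the solution. Do not "fix" it by moving or deleting the service-account SPN: the federation service itself needs it, and removing it breaks AD FS for every client.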
Solution:
- Ensure the article is followed
- Log on to the AD FS server
- Do not use the A record of the AD FS server (in my scenario adfs.cloudexchangers.com is an A record that points to the AD FS server); the HTTP/ SPN for that name belongs to the AD FS service account, not to the computer account that answers the remoting connection
- Instead use the server's own FQDN (for example adfs1.cloudexchangers.local)
- Set-MsolADFSContext -Computer adfs1.cloudexchangers.local
- When it prompts for credentials, supply the server credentials (an account with local administrator rights on the AD FS server)
- This time the context is configured
- Proceed with domain federation using Convert-MsolDomainToFederated -DomainName domain_name.com
- Verify federation using Get-MsolFederationProperty -DomainName domain_name.com
There is a chance you may receive the following error:
Convert-MsolDomainToFederated : You cannot convert the specified domain to use identity federation because the account you are currently signed in with is a member of the domain domain.com
To resolve this, do not sign in to Office 365 with an administrator account in domain.com, the domain you are federating; once the domain is federated that account would have to authenticate through AD FS, so the cmdlet refuses to run under it. Use an account in the tenant's default domain instead, creating a Global Administrator there in the Office 365 portal if one does not already exist.
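The script below is an added example, not part of the original post, that runs the federation steps from the solution above end to end with guards for the two failure modes described: connecting to AD FS by the wrong name, and converting the domain while signed in as a member of it. The host name, the domain name and the credential prompts are assumptions; replace them with your own. It needs the MSOnline module, a tenant Global Administrator outside the domain being federated, and an account that is a local administrator on the AD FS server.

```powershell
# Added example, not part of the original post: the federation steps from the
# solution above in one script. Host and domain names are assumptions.
Import-Module MSOnline

$AdfsHostFqdn     = 'adfs1.cloudexchangers.local' # the server's FQDN, not the adfs.<domain> A record
$DomainToFederate = 'cloudexchangers.com'

# 1. Sign in to the tenant with an account that is NOT in the domain being
#    federated (for example a Global Administrator in the tenant's default
#    domain); Convert-MsolDomainToFederated refuses to run otherwise.
$cloudCred = Get-Credential -Message 'Tenant Global Administrator (not an account in the domain being federated)'
if ($cloudCred.UserName -like "*@$DomainToFederate") {
    throw "Do not federate $DomainToFederate while signed in as $($cloudCred.UserName); use a tenant-domain account."
}
Connect-MsolService -Credential $cloudCred

# Only a verified domain can be converted; skip conversion if it is already federated.
$domain = Get-MsolDomain -DomainName $DomainToFederate
if ($domain.Status -ne 'Verified') {
    throw "$DomainToFederate is not verified in the tenant (status: $($domain.Status)); verify it before federating."
}

# 2. Target the AD FS server by its host FQDN so Kerberos requests a ticket for
#    HTTP/<host FQDN>, which the computer account can decrypt, rather than
#    HTTP/<federation service name>, which belongs to the AD FS service account
#    (the cause of the KRB_AP_ERR_MODIFIED event and the "invalid credentials" error).
$serverCred = Get-Credential -Message "Local administrator on $AdfsHostFqdn"
Set-MsolADFSContext -Computer $AdfsHostFqdn -ADFSUserCredentials $serverCred

# 3. Convert, then verify that the tenant and the AD FS server agree.
if ($domain.Authentication -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $DomainToFederate
} else {
    Write-Warning "$DomainToFederate is already federated; skipping conversion."
}
Get-MsolFederationProperty -DomainName $DomainToFederate
if ((Get-MsolDomain -DomainName $DomainToFederate).Authentication -ne 'Federated') {
    throw "$DomainToFederate still reports managed authentication; conversion did not take effect."
}
```

Get-MsolFederationProperty prints the federation settings as seen by the tenant and by the AD FS server side by side; the two sets of values (issuer URI, passive and active endpoints, signing certificate) should match. If they do not, the federation trust was written inconsistently and the domain should be fixed with Update-MsolFederatedDomain rather than left half-configured.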
Feel free to comment for any suggestions or questions.
This article was spot on for what I experienced. Great post and much thanks!