
AD FS Windows Service Failed to Start Because of a Private Key Monitor

  • ID:  Microsoft.ActiveDirectoryFederationServices.10.0.FederationServerBadConfigurationIdentityCertificateHasNoPrivateKeyMonitor
  • Description:  AD FS Windows Service Failed to Start Because of a Private Key
  • Target:  Federation Server
  • Enabled:  Yes

Operational States

Name               State    Description
FirstEventRaised   Error    (none)
SecondEventRaised  Success  (none)

Alert Details

  • Monitor State:  FirstEventRaised (Error)
  • Message:  AD FS Windows Service Failed to Start Because of a Private Key
  • Priority:  Medium
  • Severity:  Critical
  • Auto Resolution:  Yes

Run As Profiles

  • Default

Monitor Knowledgebase

Summary

The AD FS Windows service failed to start because the AD FS service account cannot access the private key for the token-signing or token-decrypting certificate that is in the AD FS configuration database.

If the AD FS Windows service is successfully started, the monitor will change to a Green state and the original critical alert will be resolved automatically.

Causes

This condition can occur when the certificate is found in the specified store, but there is a problem accessing the certificate's private key. Common causes for this condition include the following:

  • The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.

  • The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store that is specified in this event.

  • The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.

  • The Federation Service identity has not been granted read access to the certificate's private key.

Resolutions

Possible resolutions for this condition include the following:

  • If the certificate was imported from a source that has no private key, select a certificate that has a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).

  • If the certificate was imported in a user context, verify that the store that was specified earlier matches the store the certificate was imported into.

  • If the certificate was generated by a certificate request that did not specify the "Machine Key" option, and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file, and then import it again directly into the store that is specified in the configuration file.

  • If the key is not marked as exportable, request a new certificate by using the "Machine Key" option.

  • If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition by using the Certificates snap-in. For more information, see the procedure "Confirm that private keys for certificates are accessible by the AD FS service user account" in section "Things to Check Before Troubleshooting AD FS" in the AD FS troubleshooting guide.
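The causes and resolutions above all come down to two questions per certificate: does the certificate in the configured store actually carry a private key, and can the AD FS service account read that key? The following PowerShell, added here as an example and not part of the management pack or of Microsoft's AD FS tooling, walks both checks for the token-signing and token-decrypting certificates on a federation server. It assumes the ADFS module's Get-AdfsCertificate cmdlet is available, that the service is registered as adfssrv, and that machine key containers live under %ProgramData%\Microsoft\Crypto (the CNG Keys and CAPI RSA\MachineKeys folders); run it in an elevated session on the federation server.

```powershell
# Added example: check private-key presence and service-account read access for the
# AD FS token-signing and token-decrypting certificates. Assumptions: ADFS module
# (Get-AdfsCertificate), service name 'adfssrv', machine keys under %ProgramData%\Microsoft\Crypto.
#Requires -RunAsAdministrator
Import-Module ADFS -ErrorAction Stop

function Get-AdfsServiceAccount {
    # Identity the AD FS Windows service runs as, e.g. CONTOSO\svc_adfs or CONTOSO\gmsa_adfs$
    (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
}

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Resolve the on-disk key container for a CNG (RSACng) or legacy CAPI (CSP) RSA key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        return $null
    }
    # Only machine-wide key locations are searched: a key that exists solely under a user
    # profile is the "imported in a user context / wrong store" cause described above.
    $hit = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $name `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($hit) { $hit.FullName } else { $null }
}

function Test-ServiceAccountCanRead {
    param([string]$Path, [string]$Account)
    # Direct-ACE check only: access inherited through group membership is not resolved here,
    # so a $false result means "verify in the Certificates snap-in", not necessarily "broken".
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ieq $Account -and
            (([int]$ace.FileSystemRights -band $readMask) -eq $readMask)) {
            return $true
        }
    }
    $false
}

function Test-AdfsPrivateKeyAccess {
    $account = Get-AdfsServiceAccount
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($entry in (Get-AdfsCertificate -CertificateType $type)) {
            # Look the certificate up in the store AD FS is configured to use, not just LocalMachine\My.
            $storePath = "Cert:\$($entry.StoreLocation)\$($entry.StoreName)\$($entry.Thumbprint)"
            $cert = Get-Item -Path $storePath -ErrorAction SilentlyContinue
            $keyFile = $null
            if ($null -eq $cert) {
                $finding = 'Certificate not found in the configured store'
            } elseif (-not $cert.HasPrivateKey) {
                $finding = 'No private key (installed from .cer/.p7b, or key imported into another store)'
            } else {
                $keyFile = Get-PrivateKeyFilePath -Cert $cert
                if ($null -eq $keyFile) {
                    $finding = 'Private key container not found under machine key locations'
                } elseif (Test-ServiceAccountCanRead -Path $keyFile -Account $account) {
                    $finding = 'OK: service account has read access to the private key'
                } else {
                    $finding = 'Service account lacks a direct Read ACE on the private key'
                }
            }
            [PSCustomObject]@{
                CertificateType = $type
                Thumbprint      = $entry.Thumbprint
                IsPrimary       = $entry.IsPrimary
                ServiceAccount  = $account
                KeyFile         = $keyFile
                Finding         = $finding
            }
        }
    }
}

Test-AdfsPrivateKeyAccess | Format-Table -AutoSize
```

Each row maps directly onto the cause list: a "not found" or "no private key" finding points at the .cer/.p7b or wrong-store causes, a missing machine key container at a user-context or non-"Machine Key" request, and a failed ACE check at the missing read grant that the Certificates snap-in procedure fixes. Because the ACL test only looks at ACEs naming the service account itself, a grant made through a group still has to be confirmed by hand before concluding the ACL is wrong.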

External References
This monitor does not contain any external references.
