Thursday, June 28, 2012

Be careful with using SetSPN in conjunction with ADFS

I was recently messing around with ADFS and changing configuration settings and so forth based on this article: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-change-the-federation-service-name.aspx and the corresponding SetSPN article: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-configure-the-spn-serviceprincipalname-for-the-service-account.aspx

Of course, when I was making these changes, I was under the impression that the changes would be localized to ADFS--boy was I WRONG!!

After making these changes, silly me, I decided to go and run iisreset. Suddenly, I could no longer access Central Administration and the Application Pool for Central Admin would not start. So, SharePoint and Windows being what they are, I decided to reboot the server to see if that would alleviate the problem.

Of course, when I tried to log back into the system, I got the following error message:

"The security database on the server does not have a computer account for this workstation trust relationship"

Unfortunately, since I was running a domain controller and ADFS on the same server, this left me with no ability to get back into the server to fix the issue!!

Thankfully, the installation was on a VM and I had made a recent backup. So all I had to do was simply restore the VM from a backup.

However, when working with ADFS and SetSPN--be WARNED of the consequences of your actions!!
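As an added example (not from the original post or the linked articles), here is a PowerShell pre-flight check that looks up which accounts already hold an SPN before SetSPN registers it on the ADFS service account, and then lists the local computer account's SPNs so you can confirm they are still intact. The SPN and account names are placeholders.

```powershell
# Added example: check for an existing holder of an SPN before registering it
# on the ADFS service account. SPN and account below are placeholders.
param(
    [string]$Spn            = 'HOST/sts.contoso.example',   # assumed federation service name
    [string]$ServiceAccount = 'CONTOSO\svc-adfs'            # assumed ADFS service account
)

function Escape-LdapValue([string]$Value) {
    # RFC 4515 escaping so the SPN cannot change the shape of the LDAP filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-SpnHolders([string]$TargetSpn) {
    # Every account (user, computer, MSA) in the domain that already carries this SPN
    $searcher = [adsisearcher]"(servicePrincipalName=$(Escape-LdapValue $TargetSpn))"
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName')) | Out-Null
    $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            Account = $_.Properties['samaccountname'][0]
            DN      = $_.Properties['distinguishedname'][0]
        }
    }
}

$holders = @(Find-SpnHolders $Spn)
$target  = ($ServiceAccount -split '\\')[-1]   # sAMAccountName without the domain prefix

if ($holders.Count -eq 0) {
    Write-Host "No account holds $Spn yet; registering it on $ServiceAccount."
    # setspn -S checks for duplicates before adding; -A does not
    setspn -S $Spn $ServiceAccount
}
elseif ($holders.Account -contains $target) {
    Write-Host "$Spn is already registered on $ServiceAccount; nothing to do."
}
else {
    Write-Warning "$Spn is already held by: $($holders.DN -join '; ')"
    Write-Warning "A duplicate or relocated SPN breaks Kerberos logons for the account that loses it."
}

# After any change, confirm the local computer account still has its own SPNs
setspn -L $env:COMPUTERNAME
```

Run it on a domain-joined host as an account allowed to read and write servicePrincipalName; the warning branch is the case that, on a server that is also a domain controller, can leave you unable to log back in.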
