ADFS: Don’t Use Same Server Name as Service FQDN
Active Directory Federation Services (ADFS) is one of the best innovations Microsoft has made: it lets you connect two forests without any Active Directory trust.
In Hybrid series blog 2, I explained how to configure ADFS here.
When planning the ADFS server, plan for a server name that is different from the ADFS service URL. Let us see why this is important.
Recently I was building ADFS for one of my customers, who decided to keep things simple and easy. They chose adfs.domain.com as their external ADFS URL, their Active Directory forest was the same domain.com, and they named the server ADFS.
Normally the Active Directory domain is different from the external URL, but here it was the same. A domain-joined computer named ADFS in domain.com already holds the HOST/adfs.domain.com SPN on its computer account, and the wizard tries to register that same SPN on the ADFS service account, so when the ADFS wizard reached the end of the configuration we got the following SPN conflict error.
ADFS SPN Error
An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.
Resolution:
- Uninstalled ADFS
- Restarted the server
- Changed the server name
- Restarted the server
- Re-ran the ADFS wizard
This time ADFS wizard completed without any issue.
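The conflict above can be caught before the wizard runs. The following PowerShell pre-flight check is an added example for this post, not part of the original article or of the AD FS product. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can read servicePrincipalName on domain objects, and it uses the post's adfs.domain.com as the sample Federation Service name. It compares the planned Federation Service name with the server's own FQDN and then queries AD for any object that already holds HOST/<Federation Service name>, which is the SPN the wizard registers on the service account.

```powershell
# Added pre-flight check (example, not from the original post).
# Assumes: ActiveDirectory module (RSAT) available; read access to
# servicePrincipalName on computer, user and gMSA objects.
Import-Module ActiveDirectory

function Test-AdfsServiceNameConflict {
    param(
        # Planned Federation Service name, e.g. adfs.domain.com (value from the post)
        [Parameter(Mandatory)] [string] $FederationServiceName,
        # Server the AD FS role will be installed on; defaults to this machine's FQDN
        [string] $ServerFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    )

    $problems = @()

    # 1. The wizard registers HOST/<FederationServiceName> on the service account.
    #    A domain-joined computer already owns HOST/<its own FQDN>, so identical
    #    names guarantee the SPN conflict described in the post.
    if ($FederationServiceName -ieq $ServerFqdn) {
        $problems += "Federation Service name '$FederationServiceName' equals the server FQDN '$ServerFqdn'; rename the server before running the wizard."
    }

    # 2. Look for any AD object (computer, user, gMSA) that already holds the SPN,
    #    whether or not it is this server. Equivalent to: setspn -Q HOST/<name>
    $spn = "HOST/$FederationServiceName"
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName, objectClass
    foreach ($h in $holders) {
        $problems += "SPN '$spn' is already set on $($h.objectClass) '$($h.DistinguishedName)'."
    }

    [pscustomobject]@{
        FederationServiceName = $FederationServiceName
        ServerFqdn            = $ServerFqdn
        Spn                   = $spn
        Conflicts             = $problems
        Ok                    = ($problems.Count -eq 0)
    }
}

# Usage: run on the intended AD FS server before starting the configuration wizard.
# Ok = $true means no naming clash and no existing holder of the SPN was found.
Test-AdfsServiceNameConflict -FederationServiceName 'adfs.domain.com'
```

If `Ok` is `$false`, the `Conflicts` list names the account that holds the SPN, which is the account the wizard's error message refers to. Renaming the server (as in the resolution above) or choosing a different Federation Service name removes the clash; do not remove HOST/ SPNs from a computer account to work around it, since that breaks Kerberos authentication to that host.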
Microsoft MVP | CTO @ Golden Five
Team@MSExchangeGuru
September 22nd, 2017 at 11:47 am
Hi,
Can we install ADFS on a domain controller?
Can we keep a CNAME for the Federation Service Name?
Can we rename the Federation Service Name after installation with the federation properties edit option?
Thanks
Vish
September 29th, 2017 at 9:20 pm
I would not recommend installing ADFS on ADDC. I would recommend hostname. Yes we can rename it.