FSConfig errors

  • Question

  • I am using FSConfig to set up a federation farm using SQL Server. I am getting the error

    The following error occurred: The Federation Service name that was determined from the Subject field of the specified certificate is not a valid DNS name. Specify a certificate with a valid Subject name for the Federation Service DNS name,
    and then try again.

    I have traced this error to the certificates I am trying to use for signing and decryption; if I change these to use the same certificate as the CertThumbprint then it works. I can manually change the signing and decryption certificates afterwards using the GUI, and this doesn't complain about using these certs. The certs in question have a subject of "ADFS Signing Token" and "ADFS Encryption"; these are obviously not DNS names, but then why should they be?

    Is there a bug in the FSConfig?

    Friday, September 17, 2010 1:01 PM

All replies

  • Hi there,

    Can you paste in your command line syntax?

    This error should only occur with respect to the SSL certificate bound to the Default Web Site. This is where the need for a DNS name comes into play. During FSConfig.exe execution, if you do not specify a certificate thumbprint, it will try to use the one that is currently bound to the Default Web Site. There are times when FSConfig.exe has trouble determining the Federation Service Name from the subject of the SSL certificate. Your best approach would be to NOT specify a certificate thumbprint and make sure your SSL binding is there (with a valid DNS name as subject or SAN), and then also use the FederationServiceName parameter with FSConfig.exe to manually specify the Federation Service Name.

    All of the above has nothing to do with either the token-signing or token-decrypting certificates. Also, for ease of management, we recommend utilizing AutoCertificateRollover anywhere you can.


    Thank you,

    Adam Conkle

    Friday, September 17, 2010 10:20 PM
  • Hi

    We used

    FSConfig.exe CreateSQLFarm /ServiceAccount **** /ServiceAccountPassword **** /SQLConnectionString "database=AdfsConfiguration;server=;integrated security=SSPI" /SigningCertThumbprint "0a 11 20 98 e1 e8 c3 d4 92 f0 35 27 af 26 ec d3 4e 9c 69 eb" /DecryptCertThumbprint "0a 11 20 98 e1 e8 c3 d4 92 f0 35 27 af 26 ec d3 4e 9c 69 eb" /CleanConfig

    This was the one that worked; it's using the same certificate as the SSL website it runs under. When we changed either the /Signing or decrypt thumbprint then it failed, complaining about the DNS thingy as above. We want to use our own certs because we want full control over when the certs are changed, so that we can ensure all our partners, whether they use auto update or not, have the right certs in time.

    So basically it still stands as to why FSConfig was complaining about the certs?


    Tuesday, September 21, 2010 11:09 AM
  • Sorry for upping this old thread, but I think I came across the same issue. No answer just yet though...

    See: http://setspn.blogspot.com/2012/04/configuring-adfs-with-custom-token.html


    Tuesday, April 10, 2012 7:49 PM
  • We never solved it via the fsconfig command. But manually changing the signing and decrypt certificates in the ADFS manager has worked fine. We are 2 years into running this solution and have not had a problem with the certs.
    Wednesday, April 11, 2012 10:12 AM
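
Added example, not part of the original thread and not AD FS code: a PowerShell pre-flight check that looks up each thumbprint you plan to pass to FSConfig.exe and reports whether the names on that certificate parse as DNS host names, the property the error message in the question complains about. `Test-CertDnsName` is a hypothetical helper name, the `Cert:\LocalMachine\My` store and PowerShell 3.0 or later are assumptions, and the script does not reproduce how FSConfig.exe itself derives the Federation Service name.

```powershell
# Added example: check whether the names on a certificate are syntactically valid DNS host names.
# Test-CertDnsName is a hypothetical helper; the store path is an assumption.
function Test-CertDnsName {
    param(
        [Parameter(Mandatory = $true)][string[]]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    foreach ($tp in $Thumbprint) {
        # Thumbprints pasted from the certificate dialog carry spaces (as in the
        # command line in the thread); keep hex digits only before comparing.
        $clean = ($tp -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $cert  = Get-ChildItem -Path $StorePath |
                 Where-Object { $_.Thumbprint -eq $clean } |
                 Select-Object -First 1

        $result = [pscustomobject]@{
            Thumbprint      = $clean
            Found           = [bool]$cert
            Subject         = $null
            SimpleName      = $null
            SimpleNameIsDns = $false
            DnsName         = $null
            DnsNameIsDns    = $false
        }
        if ($cert) {
            # SimpleName: the display name taken from the subject (normally the CN).
            # DnsName: the DNS name .NET reports for the certificate.
            $simple = $cert.GetNameInfo('SimpleName', $false)
            $dns    = $cert.GetNameInfo('DnsName', $false)
            $result.Subject         = $cert.Subject
            $result.SimpleName      = $simple
            $result.DnsName         = $dns
            # CheckHostName returns 'Dns' only for a well-formed DNS host name;
            # a subject such as "ADFS Signing Token" (contains spaces) yields 'Unknown'.
            $result.SimpleNameIsDns = [System.Uri]::CheckHostName($simple) -eq [System.UriHostNameType]::Dns
            $result.DnsNameIsDns    = [System.Uri]::CheckHostName($dns) -eq [System.UriHostNameType]::Dns
        }
        $result
    }
}

# Usage with the thumbprint posted in the thread; add the signing and decryption
# certificate thumbprints to compare them with the SSL certificate.
Test-CertDnsName -Thumbprint '0a 11 20 98 e1 e8 c3 d4 92 f0 35 27 af 26 ec d3 4e 9c 69 eb' |
    Format-List
```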