ADFS and "The SPN required for this Federation Service is already set on another Active Directory account" error


If, while installing ADFS, you see the error "The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.", it is probably because you used the "Create Self-Signed Certificate" feature in IIS Manager to create the SSL certificate that ADFS requires. A certificate created that way has a subject that exactly matches your computer name, so the Federation Service name taken from it is the same name whose SPN is already registered on the computer account.

To solve this issue, create a self-signed certificate with the makecert.exe tool using a wildcard subject, like so:

  makecert.exe -n "CN=*.contoso.local" -pe -r -sv ADFS.pvk ADFS.cer

This command creates an ADFS.pvk file containing your private key and an ADFS.cer file containing your public key; the certificate is valid for any host in the "contoso.local" domain.

The makecert.exe file is part of various Microsoft SDKs and can usually be found under "C:\Program Files (x86)\Microsoft SDKs" or "C:\Program Files (x86)\Windows Kits" on 64-bit machines and under "C:\Program Files\Microsoft SDKs" or "C:\Program Files\Windows Kits" on 32-bit machines.

To merge the private and public keys into a single .pfx file, use the pvk2pfx.exe tool, which is also part of Microsoft's SDKs, as follows (the file names match those produced by the makecert.exe command above):

  pvk2pfx.exe -pvk ADFS.pvk -spc ADFS.cer -pfx ADFS.pfx
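Before running the ADFS wizard, it is worth confirming that the resulting certificate actually covers the Federation Service name you intend to use, that this name is not simply your computer's own host name, and that no account already holds the HOST/ SPN for it. The PowerShell below is an added example, not part of the original post; the PFX path matches the commands above, while the Federation Service name "fs.contoso.local" is a placeholder you should replace with your own.

```powershell
# Added example (not from the original post): sanity-check a certificate and
# the Federation Service name before installing ADFS.
# Assumptions: ADFS.pfx comes from the makecert/pvk2pfx steps above and
# 'fs.contoso.local' is a placeholder for your real Federation Service name.
param(
    [string]$PfxPath = ".\ADFS.pfx",
    [string]$FederationServiceName = "fs.contoso.local"
)

$cert = Get-PfxCertificate -FilePath $PfxPath

# Extract the CN from the subject, e.g. "CN=*.contoso.local" -> "*.contoso.local"
$cn = ($cert.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' } |
       Select-Object -First 1).Trim().Substring(3)

# A wildcard covers exactly one DNS label: *.contoso.local matches
# fs.contoso.local but not fs.sub.contoso.local.
function Test-NameMatch([string]$pattern, [string]$name) {
    if ($pattern.StartsWith('*.')) {
        $suffix = $pattern.Substring(1)      # ".contoso.local"
        return $name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
               ($name.Substring(0, $name.Length - $suffix.Length) -notmatch '\.')
    }
    return $pattern -ieq $name
}

$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if (-not (Test-NameMatch $cn $FederationServiceName)) {
    Write-Warning "Certificate CN '$cn' does not cover '$FederationServiceName'."
}
if ($FederationServiceName -ieq $hostFqdn) {
    Write-Warning "Federation Service name equals this host's name ($hostFqdn); " +
                  "ADFS will report the SPN conflict described above."
}

# Ask Active Directory whether HOST/<name> is already registered on an account.
$spnQuery = & setspn.exe -Q "HOST/$FederationServiceName"
if ($spnQuery -match 'No such SPN found') {
    Write-Output "No existing SPN for HOST/$FederationServiceName; safe to proceed."
} else {
    Write-Warning "HOST/$FederationServiceName is already registered:`n$($spnQuery -join "`n")"
}
```

Run it as a domain user on the future ADFS server; a warning on any of the three checks explains the wizard error before you hit it.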

 


Comments (1)

  1. Sir Poon says:

    This is almost helpful...until the punch to the stomach at the end. Do I NEED to merge the private and public keys or was that just thrown in to obliterate all of the advice that came before it?
