Microsoft ADFS – Event ID 381

Jeffrey Bostoen — Fri, 21 Apr 2023 11:44:42 +0000

When the Active Directory Federation Services service fails to start because certificates were revoked or have been expired: in best case it’s expired. All internet solutions suggest to run cmdlets. This fails, because the service isn’t started.

The error message points to Could not connect to net.tcp://localhost:1500/policy . The supposed solution? Making sure the ADFS service is running. See the irony here?

What worked in my case: changing the time of the virtual machine to be in the past. Since it was an Azure machine, I had to disable two services: win32time and Hyper-V Time Synchronization. Then, I could change the date to something in the past and I finally managed to get ADFS running. On Google Cloud, I recently encountered the same issue. I also disabled win32time, all Google-related services (bit of an overkill), quickly changed time and managed to get ADFS running.

You could perhaps obtain more info from the SQL or WID database > ADFS > ServiceSettings, which contained the thumbprints in my case.

Hint: you can open the WID database with SQL Server Management Studio (SSMS).
Connection string:
np:\.\pipe\MICROSOFT##WID\tsql\query
You should be able to authenticate using the machine’s local admin account.

Then I changed the date/time to the real world time again and ran Update-ADFSCertificate -urgent with success.

Set-ADFSSSLCertificate: Certificate does not have a subject name that matches the specified Federation Service name: foo.bar.com

Jeffrey Bostoen — Wed, 05 Jan 2022 12:47:37 +0000

One of the main causes is that the subject name does match, but it should also be present in alternative subject names (DNS).

Microsoft ADFS – Jeffrey Bostoen

Microsoft ADFS – Event ID 381

Set-ADFSSSLCertificate: Certificate does not have a subject name that matches the specified Federation Service name: foo.bar.com