Encountered an error with AD FS 2.0 installed on Windows 2008 R2, after creating a new certificate and importing this.
The key was set to exportable, the service account had correct permissions, but still these errors appeared in the Event Log when restarting the AD FS service:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate, String id, Boolean clone, Boolean disposable)
at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate)
at Microsoft.IdentityServer.Service.Configuration.MSISSecurityTokenServiceConfiguration.Create(Boolean forSaml)
at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.StartProxyPolicyStoreService(ServiceHostManager serviceHostManager)
at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.OnStartInternal(Boolean requestAdditionalTime)
During processing of the Federation Service configuration, the element ‘signingToken’ was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate:
Turns out AD FS 2.0 on Windows Server 2008 R2 doesnt’ warn you when using certificate with CNG private key like AD FS 3.0 on Windows Server 2012 R2 does (TechNet Article).
I re-enrolled for a certificate with CAPI1 private key, restartet the service, and voila! The service started successfully.
Microsoft could have provided us with a better error message there…
One Reply to “There was an error in enabling endpoints of Federation Service”
I had the same issue when I had to replace ADFS 2016 service account for a customer.
I had to set read and write permissions on the Certificate Sharing Container CN=xxxxxxxxxxxxxxxxxxxxxxxxx,CN=ADFS,CN=Microsoft,CN=Program Data,DC=master,DC=local and all its child objects for the new service account and it worked.