ADFS and "The SPN required for this Federation Service is already set on another Active Directory account" error

If, while installing ADFS, you get the error "The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.", it is probably because you used the "Create Self-Signed Certificate" feature in IIS Manager to create the SSL certificate required by ADFS. A certificate created this way has a subject that matches your computer name exactly. ADFS takes the Federation Service name from the certificate subject and registers a service principal name (SPN) for it on the ADFS service account; when that name is the computer name, the SPN already exists on the computer account, hence the conflict.

To solve this issue, create a self-signed certificate with the makecert.exe tool using a wildcard subject, like so:

  makecert.exe -n "CN=*.contoso.local" -pe -r -sv ADFS.pvk ADFS.cer

This command creates an ADFS.pvk file containing your private key and an ADFS.cer file containing the certificate (public key), which are valid for any server name in the "contoso.local" domain.

The makecert.exe file is part of various Microsoft SDKs and can usually be found under "C:\Program Files (x86)\Microsoft SDKs" or "C:\Program Files (x86)\Windows Kits" on 64-bit machines and under "C:\Program Files\Microsoft SDKs" or "C:\Program Files\Windows Kits" on 32-bit machines.

To merge the private key and the certificate into a single .pfx file, use the pvk2pfx.exe tool, which is also part of Microsoft's SDKs, as follows:

  pvk2pfx.exe -pvk ADFS.pvk -spc ADFS.cer -pfx ADFS.pfx
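As an added check that is not part of the original post, the following PowerShell script verifies, before you run the ADFS installer, that the certificate subject does not match the computer name and that no AD account already holds the HOST/ SPN for the intended Federation Service name. The Federation Service name and certificate path are assumptions passed in as parameters; setspn.exe is the standard Windows Server tool for SPN queries.

```powershell
# Added example: pre-flight check for the ADFS SPN conflict described above.
param(
    [Parameter(Mandatory)] [string] $FederationServiceName,  # e.g. "adfs.contoso.local" (assumed)
    [Parameter(Mandatory)] [string] $CertificatePath         # path to the .cer made with makecert
)

# Load the certificate and pull the CN out of its subject.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
$subjectCn = ($cert.Subject -split ',')[0] -replace '^CN=', ''
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

Write-Host "Certificate subject CN : $subjectCn"
Write-Host "This computer's FQDN   : $fqdn"

# A subject equal to the machine name is exactly the case that triggers the error:
# the Federation Service name becomes the host name, whose HOST/ SPN already
# belongs to the computer account.
if ($subjectCn -ieq $fqdn -or $subjectCn -ieq $env:COMPUTERNAME) {
    Write-Warning "Certificate subject matches this computer; ADFS will report the SPN conflict."
}
elseif ($subjectCn.StartsWith('*.')) {
    # Wildcard subject: make sure the chosen service name is actually covered by it.
    $suffix = $subjectCn.Substring(2)
    if (-not $FederationServiceName.EndsWith(".$suffix", [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Wildcard '$subjectCn' does not cover '$FederationServiceName'."
    }
}

# ADFS registers HOST/<FederationServiceName> on its service account.
# Ask AD whether any account already has that SPN.
$spn = "HOST/$FederationServiceName"
$result = & setspn.exe -Q $spn 2>&1
if ($result -match 'Existing SPN found') {
    Write-Warning "$spn is already registered on:"
    $result | Where-Object { $_ -match '^CN=' } | ForEach-Object { Write-Warning "  $_" }
}
else {
    Write-Host "$spn is not registered yet; the name is free to use."
}
```

Run it from a domain-joined machine as a user allowed to read AD; if the SPN query reports an existing registration, pick a different Federation Service name rather than removing the SPN from the account that owns it.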

Comments

  • Anonymous
    November 20, 2017
    Looks like makecert has been deprecated.