Active Directory Federation Services 2.x (AD FS 2.x): Change the Service Account

4/2/13 - Version 1.1 - Changelog: Updated to support AD FS 2.1 on Windows Server 2012
3/26/14 - New script published for AD FS in Windows Server 2012 R2

  • Will this script work for changing from Network service account on standalone server to Domain svc account?
    1 Posts | Last post April 04, 2019
    • I would like to change the service account configured on my existing ADFS 2.0 setup from Network service account to a domain service account.
      The purpose is so I can configure my new 2016 farm with the same service account and then export / import the config from the old to new as the same account is required.
      The current ADFS server is a standalone install and I see someone has successfully performed this on a standalone install. Hoping this script will allow me to change from network service account to AD svc account. Thanks.
  • Server 2016
    1 Posts | Last post December 31, 2018
    • Any chance there is an updated script for Server 2016?
      I'd hate to rebuild my farm because of a service account.
  • Silly question, I'm sure
    3 Posts | Last post December 19, 2014
    • The script says it's only for a server farm and doesn't apply to a standalone server. Is there a different procedure for assigning a new service account on a standalone ADFS server?
    • I went ahead and used the script, selecting my standalone server as the final federation server, and it worked without a problem.
    • Hi John,
      Yes, the script can technically work for Standalone. However, Microsoft Support will not support any customer who has a Standalone server running as an account other than the default. Also, Standalone mode is deprecated in WS2012R2, so we recommend no longer utilizing Standalone mode. If you plan to have a single server deployed, simply deploy a farm that has just 1 server in it. At least that way you will be supported, and you'll allow yourself an upgrade path should you decide to add servers to the farm later.
      Thank you,
      Adam Conkle - MSFT
  • ADFS Stand alone server
    2 Posts | Last post December 19, 2014
    • Hi,
      Today I tried this script because we want to migrate from ADFS 2.0 to 3.0 (Server 2012 R2). We are using Windows Internal Database for ADFS.
      After running the script we get to do some post operations:
      1. You must manually set User Rights Assignment for BELLTNL\ADFS
          to allow "Generate Security Audits" and "Log On As a Service".
          Start -> Run -> GPEdit.msc -> Computer Configuration -> Windows Settings ->
          Security Settings -> Local Policies -> User Rights Assignment
      I was unable to do this, the option to add or remove permissions is grayed out.
      2. Either the currently logged on user does not have appropriate permissions on the SQL Server,
          or SQLCmd.exe was not found on this system. You must provide your SQL DBA with the SetPermissions.sql
          and UpdateServiceSettings.sql files located in C:\Users\ADMINI~1.BEL\AppData\Local\Temp\2\ADFSSQLScripts. The DBA should execute these
          scripts on the SQL Server where the AD FS Configuration and Artifact databases reside.
      Is this applicable in a WID environment?
      3. BELLTNL\ADFS must have the SPN HOST/STS.BELLT.NL registered.
          SPN registration failed during execution and must be handled manually.
      When I execute this command I get the message: Duplicate SPN Found, aborting operation!
      4. Service start was skipped during execution due to post-sample needs.
      The service was unable to start up with the credentials.
    • Hi Willem,
      This script sample was last updated to support WS2012 (non R2), and it is not supportable, nor are there any plans to update this script to support AD FS in WS2012R2.
      Thank you,
      Adam Conkle - MSFT
  • Change the Service Account from another AD Domain.
    1 Posts | Last post September 30, 2014
    • First, thanks, your script is working fine for ADFS in standalone and/or farm mode when you are modifying a service account on the same AD Domain.
      But if you want to specify a service Account from another AD Domain, the certificate sharing container will not be good.
      In fact, if my understanding is good, this AD container which stores private keys is linked to the domain of the service account. So, when you're changing the domain of the service account, the ADFS product will try to read its private keys on the container (same GUID) but in the new domain (which does not exist).
      Do you know how to solve it? Thanks.
  • ADFS 3.0 (Win 2012 R2) with this?
    2 Posts | Last post March 10, 2014
    • Can this be run on ADFS 3.0 (Win 2012 R2) as is?
    • nope, this script does not support ADFS v3.0 (a.k.a. ADFS 2012 R2)
  • Script with updates
    1 Posts | Last post March 10, 2014
  • Thanks for the script! Worked well for me (so far :) ). Not really a question but notes for others
    1 Posts | Last post June 07, 2013
    • Notes for others that might try this:
      1. Got NTrights.exe using 7zip on the rktools.exe from Windows 2003.
      2. For the script to run I needed to change the computer name so it didn't equal my ADFS service name. I picked changing the computer name so the cert would continue to work.
      3. Need to log in as a domain admin to run the PowerShell script.
      4. After the computer name change I encountered problems being unable to log in to the domain because of a duplicate SPN (setspn -X and setspn -D). This was unrelated to the computer name change.
      5. Started PowerShell, set-executionpolicy remotesigned (answer Y or suspend), then ran script ADFS2.xChangeSvcAcct.ps1, C to continue, 2 - Final Fed Server (I was changing it on an ADFS standalone with NETWORK SERVICE and a self-signed cert), entered <domain>\<newsvcname> and pwd, ignored the NTrights.exe suggestion from PowerShell at the end :).
      6. Set Log On As A Service or Generate Security Audits following the script recommendations at the end.
      7. Rebooted, tested logins to RP/SPs. Didn't appear to require sending new metadata!
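A pre-flight check for the manual steps the threads above keep running into (federation service name equal to the computer name, duplicate SPNs, the HOST/ SPN registration, and the two user rights), written as an added PowerShell example that is not the gallery script. It assumes a domain-joined server, that the federation service name and the new account are passed as parameters (the values shown are placeholders), and that SeServiceLogonRight and SeAuditPrivilege are the policy names behind "Log On As a Service" and "Generate Security Audits".

```powershell
# Added example, not the gallery script. Run on the federation server before the change.
param(
    [Parameter(Mandatory)] [string]$FederationServiceName,  # placeholder, e.g. sts.example.com
    [Parameter(Mandatory)] [string]$ServiceAccount          # placeholder, e.g. EXAMPLE\svc-adfs
)
$spn = "HOST/$FederationServiceName"

# 1. If the service name equals the computer name, HOST/<name> already belongs to the
#    computer account, which is why the comments above renamed the computer.
if ($FederationServiceName.Split('.')[0] -ieq $env:COMPUTERNAME) {
    Write-Warning "Federation service name matches the computer name; $spn is owned by the computer account."
}

# 2. Forest-wide duplicate SPN search; duplicates are what make the script's SPN step abort.
$dupes = & setspn.exe -X -F 2>&1
$dupeGroups = $dupes | ForEach-Object { if ("$_" -match 'found (\d+) group') { [int]$Matches[1] } } | Select-Object -First 1
if ($dupeGroups -gt 0) {
    Write-Warning "setspn -X reports $dupeGroups group(s) of duplicate SPNs; resolve them (setspn -D) before continuing."
}

# 3. Who currently holds HOST/<federation service name>?
$owners = & setspn.exe -Q $spn 2>&1
if (("$owners") -match 'No such SPN found') {
    Write-Output "$spn is not registered yet; after the change register it with: setspn -S $spn $ServiceAccount"
} else {
    Write-Output "Current registration for ${spn}:"
    $owners | Where-Object { "$_" -match '^CN=' } | ForEach-Object { Write-Output "  $_" }
}

# 4. Does the new account already hold the two user rights in the local security policy?
#    secedit exports them as SID lists, so translate the account name to its SID first.
$cfg = Join-Path $env:TEMP 'adfs-userrights-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
foreach ($right in 'SeServiceLogonRight', 'SeAuditPrivilege') {
    $line = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if ($line -and $line.Line -match [regex]::Escape("*$sid")) {
        Write-Output "$ServiceAccount already has $right"
    } else {
        Write-Warning "$ServiceAccount lacks $right; grant it under Local Policies -> User Rights Assignment"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If the server's user rights are greyed out in gpedit.msc (as in the WID thread above), the rights are being set by a domain GPO and have to be granted there rather than locally.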