Thursday, December 15, 2011

An HTTP 503 Service Unavailable response was received while trying to validate ADFS metadata

Today I went to connect to Office 365 with single sign-on, only to notice that it was no longer working. When I ran the Office 365 Microsoft Single Sign-on (BETA) test in the Exchange Remote Connectivity Analyzer (ExRCA), I received the following error:

Validating ADFS metadata for the on-premises ADFS server.
There was a problem validating the ADFS metadata.
Test Steps
Retrieving ADFS metadata information from metadata exchange URL https://fs.4logic.com.au/adfs/services/trust/mex.
ExRCA failed to retrieve ADFS metadata.
Additional Details
An HTTP 503 Service Unavailable response was received while trying to validate ADFS metadata.

On my internal network, when I tested https://fs.4logic.com.au/adfs/fs/federationserverservice.asmx from Internet Explorer, I received:

Service Unavailable
HTTP Error 503. The service is unavailable.

After further investigation we noticed the AD FS 2.0 Windows Service was not running on my AD FS 2.0 servers.

After starting this service the issue was resolved. Browsing to https://fs.4logic.com.au/adfs/fs/federationserverservice.asmx again confirms that our AD FS servers are now returning XML.

Please note that you cannot use https://fs.4logic.com.au/adfs/fs/federationserverservice.asmx to test your Federation Proxy servers. This test only works against AD FS 2.0 federation servers, not AD FS 2.0 Proxy servers. When this address is passed through your federation proxy you will ALWAYS receive:

Service Unavailable
HTTP Error 503. The service is unavailable.
Why was the service not running?

I looked into why the service was not running and in the event log I noticed the service crashed during startup. The following error was generated in the SYSTEM event log:

Log Name: System
Source: Service Control Manager
Date: 15/12/2011 3:22:43 AM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: qv1-dc2.4logic.lan
Description:
The AD FS 2.0 Windows Service service terminated with the following error:
An exception occurred in the service when handling the control request.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7023</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2011-12-14T19:22:43.912273400Z" />
<EventRecordID>4333</EventRecordID>
<Correlation />
<Execution ProcessID="456" ThreadID="1504" />
<Channel>System</Channel>
<Computer>qv1-dc2.4logic.lan</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">AD FS 2.0 Windows Service</Data>
<Data Name="param2">%%1064</Data>
</EventData>
</Event>

Looking at the service properties we can already see it is configured for Automatic (Delayed Start).

Interestingly, on the Recovery tab of the service I noticed that by default it is configured to Restart the Service on the first and second failure. This hints to me that the product team is already aware of the service crashing on startup, most likely because a dependency has not started in time. My AD FS 2.0 servers are also domain controllers, which is recommended for small organisations, and being domain controllers means their startup time is even longer than normal. In the "Restart service after" box I entered 2 minutes to ensure the delay was longer. This resolved the problem.
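Here is an added PowerShell check (my own example, not part of the original post) that ties the symptoms above together on a federation server: it reads the service state, pulls any Service Control Manager 7023 events for the AD FS 2.0 Windows Service out of the System log, tests the federationserverservice.asmx address for a 200 versus a 503, and applies the same restart-after-2-minutes recovery setting from the command line with sc.exe. It assumes the service name is adfssrv and reuses the fs.4logic.com.au address from the post; run it on an AD FS 2.0 server, not through the proxy.

```powershell
# Added example, not from the original post. Assumptions: the AD FS 2.0 Windows
# Service has the service name 'adfssrv'; the host name is the one used in the post.
$ServiceName = 'adfssrv'
$DisplayName = 'AD FS 2.0 Windows Service'
$Endpoint    = 'https://fs.4logic.com.au/adfs/fs/federationserverservice.asmx'

# 1. Is the service actually running on this federation server?
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
Write-Host ("Service '{0}' status: {1}" -f $svc.DisplayName, $svc.Status)

# 2. Did the Service Control Manager log a startup crash (Event ID 7023) for it?
#    param1 of event 7023 (Properties[0]) carries the service display name.
$crashes = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7023 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $DisplayName }
foreach ($e in $crashes) {
    Write-Host ("7023 at {0}: {1}" -f $e.TimeCreated, $e.Message)
}

# 3. Does the federation server service address answer (200) or fail (503)?
#    Only meaningful against an AD FS server; through the proxy it is always 503.
function Test-AdfsEndpoint([string]$Url) {
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 15000
        $resp = $req.GetResponse()
        $result = @{ StatusCode = [int]$resp.StatusCode; ContentType = $resp.ContentType }
        $resp.Close()
        return $result
    } catch [System.Net.WebException] {
        # A 503 arrives as a WebException that still carries the HTTP response.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        return @{ StatusCode = $code; ContentType = '' }
    }
}
$check = Test-AdfsEndpoint $Endpoint
Write-Host ("Endpoint {0} -> HTTP {1} {2}" -f $Endpoint, $check.StatusCode, $check.ContentType)

# 4. Apply the post's fix from the command line: restart on the first and second
#    failure after 2 minutes (120000 ms), no action on subsequent failures; the
#    failure counter resets after a day. This is what the Recovery tab writes.
if ($svc.Status -ne 'Running') {
    sc.exe failure $ServiceName reset= 86400 actions= restart/120000/restart/120000//
    Start-Service -Name $ServiceName
}
```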

2 comments:

  1. Awesome! Thanks!

  2. When passing this address through your federation proxy you will ALWAYS receive:

    Service Unavailable
    HTTP Error 503. The service is unavailable.

    Why is this? Do you know?