How to fix an error when configuring Active Directory Federation Services

While recently working to deploy an Active Directory Federation Services (ADFS) instance on a Server 2012 system, I ran into an issue. When I tried to do the initial configuration of the ADFS service from the ADFS console, there was an error that said the Windows Internal Database (WID) could not be started. This WID service is required for the ADFS service to function. I have included the text from the error below, which is very simple to fix once you know the root cause.

Below is the error that is seen in the event log when the service does not start:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICEMSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICEMSSQL$MICROSOFT##WID

This service account does not have the required user right “Log on as a service.”

User Action

Assign “Log on as a service” to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.

If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

The root cause of the issue was that the service in question (NT SERVICEMSSQL$MICROSOFT##WID) needed to have ‘Log on as a Service’ right in the local security policy. Normally that service is already granted or the installer has permissions to add the appropriate group. This machine, however, was part of a domain policy (GPO) that locked down the ‘Log on as a Service’ policy and would not allow the account to be added to it. You can change the service account for the WID service to a domain service account, and it will start and work normally, but the WID service will be removed once the server is restarted.

The fix was to remove the machine from the GPO controlling the ‘Log on as a Service’ policy and added the ‘NT SERVICEALL SERVICES’ to the security policy on that machine. Microsoft has a Knowledge Base (KB) detailing this fix: http://support.microsoft.com/kb/2832204

As always, if you run into this or any other issue installing an ILINX product, you can submit a support ticket at: http://imagesourceinc.com/Support/Index.htm

Mike Peterson
Support Engineer
ImageSource, Inc.