When creating a new FS farm or joining a new node to an existing farm (i.e. running FSCONFIG.EXE or FSCONFIGWIZARD.EXE), or configuring an FS-P (i.e. running FSPCONFIGWIZARD.EXE), the process might fail with the error that the service did not respond to the start or control request in a timely fashion.
I have a screenshot from a simple script that is just a wrapper around FSCONFIG. The output is from FSCONFIG's verbose switch.
As you can see, everything succeeded except that the service didn't start quickly enough, so the overall process fails. If you try to start the service it will start and all appears to be well.
The first couple of times I saw this issue was on VMs on my laptop. I was writing a deployment guide and simply put it down to my machine being not exactly enterprise production class (five VMs, twenty instances of IE, a bunch of Word and Visio instances, Spotify, OneNote, etc., you get the picture). However, I've now hit it in two different customer environments.
Looks like the reason is related to the .NET Authenticode signature verification. I’m not going to pretend I understand what all of this means to the CLR but after reading the remarks in the Publisher class documentation a couple of times the following seems to hold true:
- By default, code access security (CAS) in the .NET runtime does not check for Publisher evidence. Therefore, unless you are using a custom code group based on the PublisherMembershipCondition class (which the AD FS binaries do not), you can disable Authenticode signature verification, by configuring the runtime not to provide Publisher evidence for CAS, and improve start-up time.
How do we disable this? Using the <generatePublisherEvidence> element of the Runtime settings schema (according to the aforementioned MSDN link).
This is actually already documented on the TechNet wiki, although for whatever reason I never stumbled upon that wiki article when searching for my error, hence this post. I also feel I have a little more information on the choices available to you. Asking around my immediate community of AD FS folk and one or two .NET folk, the general consensus is that of the two options presented (turn off Authenticode signature verification, or increase the Service Control Manager (SCM) timeout) the better one is to disable Authenticode signature verification. Obviously this advice assumes that these are dedicated boxes, i.e. your FS is only an FS and not running a bunch of other managed code that might actually require the Publisher evidence!
And on this same subject, a question I've fielded from two different customers is whether or not we implement this throughout the farm. Your opinion on this matter might differ from mine, but I like things to be consistent. If I'm implementing a 2 x 2 farm (2 FS, 2 FS-P), for example, and I need to enable this setting on one node, all nodes get it even if they succeeded. I hate the idea of having multiple nodes in a farm with different configurations in place (other than those mandated on you, like FIM's single point of failure, EWS polling, for example).
At this point my post is pretty much complete; however, even though I've linked you to the TechNet wiki, I might as well define it here for completeness too. To turn off Authenticode signature verification, add the generatePublisherEvidence element, with its enabled attribute set to "false", to the .NET Framework runtime's machine.config file:
Open \Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config from an elevated NOTEPAD and paste the following:
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false" />
  </runtime>
</configuration>
In both of my cases there was an empty <runtime /> element that needs to be replaced by the above XML. It was halfway down, underneath </configProtectedData> and above <connectionStrings>.
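As an added example that is not part of the original post, the following PowerShell makes the same machine.config change as the NOTEPAD edit above, but scripted so it can be applied identically to every node in the farm: it backs the file up, fills in an empty <runtime /> (or extends an existing one) with the generatePublisherEvidence element, and writes the element name in the correct case, since machine.config element names are case-sensitive and a miscased element is silently ignored. The Framework64 path is an assumption the post does not mention: on 64-bit Windows each bitness of the v2.0.50727 runtime has its own machine.config, so the script updates whichever copies exist on the box.

```powershell
# Added example, not from the original post or from the AD FS product.
# Sets <generatePublisherEvidence enabled="false" /> inside <runtime> in the
# .NET 2.0 machine.config(s). Run from an elevated PowerShell prompt.
# Assumption: on 64-bit Windows the Framework64 copy also exists and serves
# 64-bit processes; any path that is not present is skipped.
$candidates = @(
    "$env:windir\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config",
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config"
)

foreach ($path in ($candidates | Where-Object { Test-Path $_ })) {
    # Keep a timestamped backup before touching a file every managed process reads.
    $backup = "$path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $path -Destination $backup

    # Load as XML, preserving whitespace so the rest of the file is not reflowed.
    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true
    $config.Load($path)

    # Find (or create) <runtime>; an empty <runtime /> is found here and extended.
    $runtime = $config.DocumentElement.SelectSingleNode('runtime')
    if ($null -eq $runtime) {
        $runtime = $config.CreateElement('runtime')
        [void]$config.DocumentElement.AppendChild($runtime)
    }

    # Element name is case-sensitive: generatePublisherEvidence, not lower-case.
    $gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
    if ($null -eq $gpe) {
        $gpe = $config.CreateElement('generatePublisherEvidence')
        [void]$runtime.AppendChild($gpe)
    }
    $gpe.SetAttribute('enabled', 'false')

    $config.Save($path)

    # Read it back so the operator can confirm the exact element that was written.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($path)
    $written = $check.DocumentElement.SelectSingleNode('runtime/generatePublisherEvidence')
    Write-Host ("{0}: generatePublisherEvidence enabled={1} (backup: {2})" -f
        $path, $written.GetAttribute('enabled'), $backup)
}
```

Because the script is idempotent (re-running it only rewrites the same attribute), it can be pushed to every FS and FS-P node in the farm to keep their configuration consistent, which addresses the per-node question above; the change takes effect for each new process, so re-run FSCONFIG afterwards to confirm the service now starts within the SCM timeout.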