And yep, there are more instances of this phenomenon! I also came across the following when installing an Active Directory Federation Services farm that uses SQL Server to store its configuration. Whilst there was no noticeable impact (yet), I saw the SQL Server logs being filled with the following warnings:
In words: The activated proc '[IdentityServerPolicy].[SqlQueryNotificationStoredProcedure-616f6b36-c503-4503-a6cd-7e067a1b9e43]' running on queue 'AdfsConfiguration.IdentityServerPolicy.SqlQueryNotificationService-616f6b36-c503-4503-a6cd-7e067a1b9e43' output the following: 'Could not obtain information about Windows NT group/user '***\s_****_adfs', error code 0x5.'
And a slightly different one:
In words: An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user '***\s_****_adfs', error code 0x5.
Error: 28005, Severity: 16, State: 2.
The solution is to give “Authenticated Users” “Read Permissions” on the ADFS service account. An easy way to test this solution is to execute the following query:
The query xp_logininfo ‘Domain\service account’ will return something like this if things go well:
Or like this if the SQL Server service account lacks the mentioned permissions:
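As an added example (not code from the original post), the following PowerShell script checks whether “Authenticated Users” already has Read on the service account object, grants it if missing, and then runs the xp_logininfo check against SQL Server. The service account name, domain and SQL instance are placeholders, and the script assumes the ActiveDirectory and SqlServer modules plus rights to edit the account’s ACL.

```powershell
# Added example: verify/grant "Authenticated Users" Read on the ADFS service account
# object, then confirm SQL Server can resolve the account with xp_logininfo.
# Assumptions (not from the original post): placeholder account, domain and instance.
param(
    [string]$ServiceAccount = 's_example_adfs',   # placeholder sAMAccountName
    [string]$Domain         = 'CONTOSO',          # placeholder NetBIOS domain
    [string]$SqlInstance    = 'SQL01\ADFS'        # placeholder SQL Server instance
)
Import-Module ActiveDirectory

$dn   = (Get-ADUser -Identity $ServiceAccount).DistinguishedName
$path = "AD:\$dn"                                 # AD: PSDrive from the ActiveDirectory module
$sid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'  # well-known SID: Authenticated Users
$acl  = Get-Acl -Path $path

# "Read Permissions" in the ADUC dialog corresponds to GenericRead on the object.
$read    = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value -and
    ($_.ActiveDirectoryRights -band $read) -eq $read
}

if (-not $hasRead) {
    Write-Host "Authenticated Users lack Read on $dn; granting GenericRead."
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $read, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
} else {
    Write-Host "Authenticated Users already have Read on $dn."
}

# Verify from SQL Server's point of view: xp_logininfo resolves the Windows account
# using the SQL Server service account; error 15404 / code 0x5 means it still cannot.
$query = "EXEC xp_logininfo '$Domain\$ServiceAccount'"
try {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query -ErrorAction Stop |
        Format-Table 'account name', type, privilege, 'mapped login name' -AutoSize
} catch {
    Write-Warning "xp_logininfo failed: $($_.Exception.Message)"
}
```

Run it once before and once after the permission change; the second run should return the account row instead of the 15404 error.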
If you’re interested in a more definite solution which does not involve modifying the security of all your service accounts, make sure to read Service Accounts: Active Directory Permissions Issues: Part #4 Conclusion.