4 comments

UAG: Failed to run FedUtil when activating configuration

Published on Monday, October 22, 2012 in

I’ve been testing an UAG setup where the trunk is either authenticated using Active Directory or Active Directory Federation Services. For this particular setup I had both configured some months ago. Now I wanted to reconfigure my trunk from AD to ADFS again. When I tried to activate the configuration  I was greeted with the following error:

image

In words: Failed to run FedUtil from location C:\Program Files\Microsoft Forefront Unified Access Gateway\Utils\ConfigMgr\Fedutil.exe with parameters /u "C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\secure\web.config".

image

In the event log I saw the above error. Now I started trying the most obvious things like a reboot, but all in vain. I also tried creating a completely new trunk, but that didn’t work out either. Finally I started thinking that some patch was being uncool. I verified the updates and I saw a patch round had occurred a few days ago. I uninstalled all patch from that day, and after a reboot I was able to activate the configuration again! Now you’re probably hoping for me to tell which specific patch is being the culprit? Well for now I don’t know that yet… But here’s the list of patched I uninstalled:

There are a lot…. Good luck! I still might have hit something else, but I sure did try a few reboots before actually going the uninstall-patches route… And that one definitely did it for me.

Related Posts

Posted by Thomas at 6:50 PM
Labels:

4 Response to UAG: Failed to run FedUtil when activating configuration

Anonymous
10 December, 2012 13:58

Hello Thomas,

facing the same issue, did you ever find out which one was the problem maker?

Andreas

Thomas
10 December, 2012 14:35

Nope, just uninstalled the patches and moved on. Besides that, I'm no longer using claims authN for the trunks so I shouldn't have this anyhow...

Marc
30 January, 2013 17:52

Hi All,

I ran into the same issue, after loads of troubleshooting, and rolling back some KB-articles, still no succes.

After i finally compared Route tables (route print) between a working and the not working machine a difference was found in the routing to the proxy server for Internet access.

This Internet Access is used for CRL checking, and retrieving FederationMetadata from the STS.

After correcting the route table on the affected UAG, I ran the Admin -> Network Interface wizard from the UAG Managment. Also here were differences in the "Internal Network IP Address Range". I corrected the configuration here as well.

Result was that the ADFS Authentication provider in UAG no longer complained that the tokensign certificate could not be verfied (CRL checking) and the FederationMetaData of the ADFS 2.0 server could be retrieved using the URL.

So in the end I suspect the wrongly configured Network configuration on the UAG and with that the Internal Network IP Addresses.

Hope it helps people.

Thanks

Thomas
30 January, 2013 17:59

Marc,

Thanks for sharing this info. It really scares me how much I run into the CRL related issues lately. I think a lot of server environments don't have direct access to the internet, and this causing all those CRL retrievals to timeout. Here's some "workarounds" for ADFS and SharePoint related issues:

http://joelblogs.co.uk/2011/09/20/certificate-revocation-list-check-and-sharepoint-2010-without-an-internet-connection/

http://blog.msresource.net/2012/09/20/the-service-did-not-respond-to-the-start-or-control-request-in-a-timely-fashion/

Regards,
Thomas

Add Your Comment

Subscribe to: Post Comments (Atom)