This is a problem that I’ve seen come up a few times now, with a particularly nasty side effect for sites using SAML claims with ADFS.  Where I first saw this problem was when I created a new farm and I went into add a service account.  I typed in the alias for the account and clicked resolve, which it seemed to do okay.  Then when I tried saving the new managed account, it failed and gave me an error along the lines of key not found in dictionary.  This one drove me nuts for a while before I figured out a solution.  What I needed to do to get past that error was:

  1. Go into Active Directory Users and Computers snap-in
  2. Click View…Advanced Features on the menu
  3. Find my service account in the directory
  4. Right-click on it and select Properties from the menu
  5. Click on the Security tab
  6. Click on Authenticated Users in the top part of the dialog
  7. Check the Read box in the Allow column
  8. Click the OK button to save the changes

After doing that, I could successfully create my new managed account.  There are a couple of other things to note:

  • My current domain functional level is Windows Server 2003
  • The error ONLY occurs when the application server is Windows Server 2008 R2; the original Windows Server 2008 does not have this problem

Okay, so while that is a little unpleasant, I don’t have so many managed accounts that I can’t work around it.  Until, possibly, today.  Here’s where I discovered this little bugger again.  This time, I was trying to log into a claims auth site as some random user.  ADFS v2 is the STS I’m connected to, and it is using Windows auth over there, then grabs some attributes from the user to do some claims processing.  I found when I tried to log in that it failed on the ADFS server, and gave me an error like this:  An error occurred during processing of the request.  MSIS7012: The request failed.  Contact your administrator for details.  Additional data:  some guid.  Hmm…so what was that all about?

Next I looked on the ADFS server and found these two entries in the application event log:

  1. The Federation Service encountered an error while processing the WS-Trust request, then an object reference not set to an instance of an object error further down in the stack (i.e. a NullReferenceException).
  2. An error occurred during federation passive sign-out.

The NullReferenceException for some reason made me think hmm, I wonder if it can’t read the user object from the directory?  So I went in and changed the properties for the user in the AD Users and Computers snap-in as I described above.  After that – boom! – everything works great; the user can now log in.

For now, unfortunately, I can only offer this as a warning.  I don’t completely understand why the error is happening or why it only happens when the application server is Windows Server 2008 R2.  If/when I get more information on it or on possible fixes I’ll try and update this or post something new.