While troubleshooting an ADFS authentication issue on two Windows 2012 R2 servers, I was no longer able to log on to the built-in ADFS sign-on page. During that process, I reviewed the ADFS logs and found the following event entry.
Log Name: AD FS/Admin
Source: AD FS
Date: 9/15/2014 10:04:00 AM
Event ID: 217
Task Category: None
Level: Error
Keywords: AD FS
User: garzafx.com\adfs.svc
Computer: ADFS1.garzafx.com
Description:
A WS-Trust endpoint that was configured could not be opened.
Additional Data
Address: https://adfs1.garzafx.com/adfs/services/trust/2005/windowstransport
Mode: WindowsTransport
Error:
MSIS0006: A Service Principal Name is not registered for the AD FS service account.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
<EventID>217</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2014-09-15T14:04:00.540427700Z" />
<EventRecordID>398</EventRecordID>
<Correlation />
<Execution ProcessID="1392" ThreadID="3856" />
<Channel>AD FS/Admin</Channel>
<Computer>ADFS1.garzafx.com</Computer>
<Security UserID="S-1-5-21-3053864960-3437635937-1717024966-1106" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>https://login.garzafx.com/adfs/services/trust/2005/windowstransport</Data>
<Data>WindowsTransport</Data>
<Data>MSIS0006: A Service Principal Name is not registered for the AD FS service account.</Data>
</EventData>
</Event>
</UserData>
</Event>
After switching to a specific Active Directory account, I realized that certain portions of the previous install required additional clean-up:
1. I had to remove the auto-generated AD objects in the Managed Service Accounts OU.
2. I had to register the Service Principal Name (SPN) for the newly selected service account.
To fix this error, run the following command:
setspn -a host/<server name> <service account>
Example:
setspn -a host/fs.garzafx.com adfs.svc
After making this modification, I was able to successfully log back into the ADFS 3.0 self-service portal with domain accounts.
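As an added example that is not part of the original post, here is the same registration done with the ActiveDirectory PowerShell module, checking first which object already holds the SPN (the cause of the "duplicate SPN" message several readers hit). The names fs.garzafx.com and adfs.svc come from the post; the function names and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not the post's own code: find the current owner of the
# AD FS host SPN, then register it on the chosen service account.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Escape LDAP filter metacharacters so an odd SPN value cannot alter the query.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName |
        Select-Object DistinguishedName, ObjectClass
}

function Register-AdfsHostSpn {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,  # e.g. fs.garzafx.com
        [Parameter(Mandatory)][string]$ServiceAccount           # e.g. adfs.svc
    )
    $spn    = "host/$FederationServiceName"
    $target = Get-ADUser -Identity $ServiceAccount
    $owners = @(Find-SpnOwner -Spn $spn)
    $others = $owners | Where-Object { $_.DistinguishedName -ne $target.DistinguishedName }
    if ($others) {
        # Kerberos requires an SPN to map to exactly one account; a leftover
        # computer object or MSA from the old install is the usual culprit.
        Write-Warning "SPN $spn is already registered on another object:"
        $others | ForEach-Object { Write-Warning "  $($_.DistinguishedName) ($($_.ObjectClass))" }
        Write-Warning "Remove it there first (setspn -D $spn <old object>) and re-run."
        return $false
    }
    if ($owners.Count -eq 1) {
        Write-Host "SPN $spn is already registered on $($target.DistinguishedName); nothing to do."
        return $true
    }
    Set-ADUser -Identity $target -ServicePrincipalNames @{Add = $spn}
    Write-Host "Registered $spn on $($target.DistinguishedName)."
    return $true
}

# Equivalent to the post's "setspn -a host/fs.garzafx.com adfs.svc", but the
# duplicate check that setspn -S performs is done explicitly so the
# conflicting object is named instead of just "duplicate SPN found".
Register-AdfsHostSpn -FederationServiceName 'fs.garzafx.com' -ServiceAccount 'adfs.svc'
```

After the SPN is in place, `setspn -L adfs.svc` should list it, and `setspn -X` should report no duplicates in the domain.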
Read More:
Manually Configure a Service Account for a Federation Server Farm (Microsoft Technet)
When I try to create the SPN I get "duplicate SPN found, aborting operation". This server was upgraded to 2012 from 2008 and I had to recreate ADFS; the old server is still up because I kept a copy before the upgrade.
Sounds like you have to review SPNs via the CLI.
I uninstalled the adfs role, and reinstalled it. After the wizard it says that I have to manually setup the spn account.
If I run the setspn command (with the new account, domain\adfs in my case), it says that there is a duplicate SPN. Why?
Sounds like you need to view all active SPNs in AD via the command line. You should be able to update what you have.
I don't understand one thing: where can I set the service account? In my case I don't have any account in the SPN because I used the domain administrator account for ADFS.
I'd recommend a separate account; I understand your logic in trying to make things work.
Change to a service account.