Changing ADFS Proxy App Pool Account

A few days ago I was working on finishing up an ADFS implementation and I had customized quite a bit of the built-in ADFS website pages. I needed to use Windows authentication to access a database, and I realized that the ADFS Proxy website app pool by default runs under Network Service. This was troubling because I did not want to grant permissions to Network Service in the database so I needed to modify this account.

I went through the standard stuff to modify the app pool identity and got this error:

Encountered error during federation passive request.

Additional Data

Exception details:

System.IO.FileNotFoundException: Error reading the C:\Program Files\Active Directory Federation Services 2.0\PT directory.

at System.IO.FileSystemWatcher.StartRaisingEvents()

at Microsoft.IdentityServer.ProxyTrust.ProxyTrustManager.StartTokenWatch()

at Microsoft.IdentityServer.ProxyTrust.ProxyTrustManager.get_Current()

at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetServiceChannel()

at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)

at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetServiceSettingsData()

at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetFederationPassiveConfiguration()

at Microsoft.IdentityServer.Web.PassivePolicyManager.GetPassiveEndpointAbsolutePath()

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveEndpointAbsolutePath()

So I opened the path at “C:\Program Files\Active Directory Federation Services 2.0\PT” which is the folder for the stored proxy token and granted full control to my domain account user. The file written to this directory is constantly updated, so the account does need to be able to remove the file. By default the Network Service account has full control, most likely because the ADFS proxy Windows service also runs under Network Service.

Then I just restarted IIS and this worked.



  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: