Our vendor is installing ADFS on our on-premises system, and when we try to start the "Active Directory Federation Services" service, we get this error:
"Error 1297: A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration."
We gave the service account the temporary privilege "Generate security audits" and the service account was able to start the "Active Directory Federation Services".
Our Corporate Security Team is requesting us to back off this privilege once configured. We unchecked all the events on the Federation Service Properties screen, removed the privilege "Generate security audits" for the service account, rebooted the server, and tried to start the "Active Directory Federation Services" and it gave us the error 1297 again.
Why would ADFS require the privilege "Generate security audits" when the auditing events are all turned off?
Is there a way to start this service without having the privilege "Generate security audits"?
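An added example, not part of the original question: a PowerShell check that lists which accounts currently hold the "Generate security audits" right (its internal name is SeAuditPrivilege) and compares that list with the account the AD FS service is configured to run as. It assumes an elevated PowerShell session on the AD FS server; the export path and the use of the service's display name to find it are my choices, not anything from the post.

```powershell
# Added example (not from the original post): show who currently holds
# SeAuditPrivilege, the right displayed as "Generate security audits" in
# secpol.msc, and whether the AD FS service account is among them.
# Assumes an elevated PowerShell session on the AD FS server.

$infPath = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch location

# secedit writes the effective user-rights assignments to a Unicode .inf file
secedit /export /cfg $infPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $infPath)) {
    throw "secedit export failed; run this from an elevated prompt."
}

# The [Privilege Rights] section contains lines such as
#   SeAuditPrivilege = *S-1-5-19,*S-1-5-20
# SIDs are prefixed with '*' and may be mixed with plain account names.
$line = Get-Content -Path $infPath |
    Where-Object { $_ -match '^\s*SeAuditPrivilege\s*=' } |
    Select-Object -First 1

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $entry   # leave SIDs that cannot be resolved as-is
            }
        } else {
            $entry
        }
    }
}
Remove-Item $infPath -ErrorAction SilentlyContinue

"Accounts holding 'Generate security audits' (SeAuditPrivilege):"
if ($holders) { $holders | ForEach-Object { "  $_" } } else { "  (none)" }

# Which account is the AD FS service configured to run as?
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='Active Directory Federation Services'"
if ($svc) {
    "AD FS service account: $($svc.StartName)"
    # Direct name match only; the right can also be held through a group,
    # and the name format may differ (DOMAIN\user vs. user@domain).
    if ($holders -contains $svc.StartName) {
        "The service account is directly assigned the privilege."
    } else {
        "No direct assignment found for the service account; check its group memberships as well."
    }
} else {
    "AD FS service not found on this host."
}
```

Running this before and after the privilege is removed makes the actual user-rights state visible, which is useful because the right may be reapplied by Group Policy on the next refresh or held indirectly through a group rather than by the account itself.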