I ran into an issue recently that, although it was a quick fix, had very little information posted about it. The problem came up while configuring AD FS for single sign-on with Office 365, at the point where AD FS looks for the Program Data container in Active Directory so it can add its application-specific and certificate information there.
“You do not have sufficient privileges to create a container in Active Directory at location CN=f2e868b0-f4f5-4648-8dda-5a031d478753,CN=ADFS,CN=Microsoft,CN=Program Data,DC=rblab,DC=com for use with sharing certificates. Verify that you are logged on as a Domain Admin or have sufficient privileges to create this container, and try again.”
Chances are that if you receive this error, either you are not signed in with the correct account and/or permissions were not granted properly to the account, OR the Program Data container has been deleted from your Active Directory environment. If you are certain your account is in good standing, then check whether the Program Data container is there. Program Data is a default, empty container in Active Directory that stores application-specific data in the domain directory partition. It is hidden in the normal view: it can only be seen by turning on Advanced Features in ADUC (Active Directory Users and Computers) or by using ADSI Edit.
The resolution is to simply re-create the container structure.
Within ADSI Edit, perform the following tasks to create the missing container structure:
- Open ADSI Edit as shown below
- Select the Domain directory
- Right-click and select New > Object
- Select Container
- Type the value – Program Data. Click Finish
- Right-click the new Program Data container and select New > Object
- Type the value – Microsoft. Click Finish
** Note: default permissions are granted automatically when the containers are created.
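The same check and repair can be scripted with the ActiveDirectory PowerShell module instead of clicking through ADSI Edit. The script below is an added example and is not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that the session runs as a Domain Admin, and it takes the domain DN from the current domain (DC=rblab,DC=com in the error text above). The hypothetical helper Test-ADContainer simply reports whether a DN exists, so the script only creates what is actually missing and then lists the resulting ACL so you can confirm the default permissions were applied.

```powershell
# Added example (not from the original post): verify and recreate the
# CN=Program Data / CN=Microsoft container structure that AD FS expects.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName   # e.g. DC=rblab,DC=com
$programDN   = "CN=Program Data,$domainDN"
$microsoftDN = "CN=Microsoft,$programDN"

# Hypothetical helper: Get-ADObject throws when the DN does not exist,
# so catch that and treat it as "missing".
function Test-ADContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    try {
        $null = Get-ADObject -Identity $DistinguishedName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# Step 1: the default Program Data container (hidden in ADUC unless
# Advanced Features is enabled, which is why it is easy to miss).
if (-not (Test-ADContainer $programDN)) {
    Write-Host "Program Data container is missing; recreating it"
    New-ADObject -Name "Program Data" -Type container -Path $domainDN
} else {
    Write-Host "Program Data container already present"
}

# Step 2: the Microsoft sub-container under which AD FS creates CN=ADFS.
if (-not (Test-ADContainer $microsoftDN)) {
    Write-Host "Microsoft container is missing; recreating it"
    New-ADObject -Name "Microsoft" -Type container -Path $programDN
} else {
    Write-Host "Microsoft container already present"
}

# Step 3: show what was created and the ACL it inherited, so you can
# confirm the default permissions before re-running the AD FS wizard.
Get-ADObject -Identity $microsoftDN | Select-Object DistinguishedName, ObjectClass
(Get-Acl -Path "AD:\$microsoftDN").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```

Run it once from an elevated PowerShell session on a domain-joined machine; it is safe to re-run because each step is skipped when the container already exists.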
You can now continue with the configuration of AD FS.