How to connect to Windows Internal Database (WID) with SQL Server Management Studio

The Windows Internal Database (WID) is used by the following Windows server components:

  • Windows Server Update Services (WSUS)
  • Active Directory Federation Services (AD FS)
  • Active Directory Rights Management Services (AD RMS)
  • Windows System Resource Manager (WSRM)

For Windows Server 2008 R2 and Windows Server 2008, you can use the following named pipes (NP) string:


On Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 you must use a different np connection string:


ADFS 4.0 idpinitiatedsignon Error

Hi all,

The other day I was creating an ADFS lab in order to test some features and configurations, as you will probably know, a quick way to test an ADFS deployment is to access the idpinitiatedsignon sign page.

After I deployed my ADFS farm, I tried to access and I received the following error message: “The resource you are trying to access is not available. Contact your administrator for more information.”

At the beginning it was annoying, because I was thinking that I did someone incorrectly, so I spend some time thinking about what I did wrong, I checked the event log and I saw the following:

Encountered error during federation passive request.

Additional Data

Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So, indeed what it is saying is that the idpinitiatedsignon property is disabled. So, to check if it is this, you can execute the following PS command in the ADFS farm:

Get-AdfsProperties | fl *idpinitiatedsignon*


As you can see in the picture, it was disabled, so in order to solve this problem, just run the following command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

After that, all my problems were solved 😊

ADFS: Configure your password change

Users are always allowed or forced to change their passwords, and sometimes this actions increment the amount of work to IT. However, in ADFS 3.0 include a feature that enable a self-service portal password change available for your end-users.

So this post tries to follow the steps to configure it:

  • First, enable the Password Change Portal:Open your AD FS Management tool on the primary server, navigate to the EndPoints under Services\Endpoints. At the bottom you will see the /ADFS/portal/updatepassword/ endpoint, right click it and choose enable. Right click again and choose enable on proxy.
  • Test change password portal: browse to you will similar to the adfs login page where you can update your password
  • Enable password expiry notification: You can configure Active Directory Federation Services (AD FS) to send password expiry claims to the relying party trusts (applications) that are protected by ADFS. To do this it is necessary to configure a Claim Rule:

c1:[Type == “”%5D => issue(store = “_PasswordExpiryStore”, types = (“”, “”, “”), query = “{0};”, param = c1.Value);

  • Finally: you can tweak your ADFS login page to show a link to the change password portal

That’s all!



Enable ADFS automatic certificate rollover


After the summer holidays, I realised that the token decripting and token signing certificates from the ADFS, were about to expire. I tried to execute the following command to update immediately the certificates:

Update-ADFSCertificate -Urgent

but I received the following message error:


To disable the ADFS automatic certificate rollover, use the below Powershell script command, this will help if you want to add a token signing certificate when the automatic certificate rollover is enabled.

Set-ADFSProperties -Autocertificaterollover $true

After doing that, I was able to update the ADFS certificates from the certificate store.

Hope it helps!

Backup rules in ADFS

If you need to back up the rules of claim provider trusts and relying-party trusts in ADFS to store version control or to migrate rules to a new federation server, this is your post.

And here is the code I used:

# Guidance for this was found here:
#  If you want the files saved somewhere other than C:Temp, you need to change the "$RulePath" lines below.

Import-Module ADFS

# Export the Acceptance Transform Rules for each Claim Provider Trust (except the AD one)
$claimTrusts = Get-AdfsClaimsProviderTrust | ?{$_.Name -ne "Active Directory"}
foreach ($CT in $claimTrusts) {
    $RulePath = "C:Temp" + $CT.Name.Replace(" ","") + "-AcceptanceRules.txt"
    (Get-AdfsClaimsProviderTrust -Name $CT.Name).AcceptanceTransformRules | Out-File $RulePath
    $RulePath = $null

# Export all three types of rules for each Relying-Party Trust
$RPTrusts = Get-AdfsRelyingPartyTrust
foreach ($RP in $RPTrusts) {
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-IssuanceTransformRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).IssuanceTransformRules | Out-File $RulePath
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-IssuanceAuthRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).IssuanceAuthorizationRules | Out-File $RulePath
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-DelegationAuthRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).DelegationAuthorizationRules | Out-File $RulePath

Hope it helps!

Windows Internal Database not starting


Today I received a weird problem from my ADFS test environment, when I tried to navigate to the main SharePoint page it throws an error from the ADFS, so I decided to check the ADFS server to see what was the problem. To my surprise the ADFS service was stopped and when I tried to start the service it won’t fire up, things starting weird…

So after checking some things, I remember that this installation was made with the Windows Internal Database, so I decided to check the service, but it was also stopped, and when I tried to start it again it throws the following error message:


This service account does not have the required user right “Log on as a service.”

I don’t know if anyone of my company changed the policies or included the server in the policies overwritting all the policies previously configured by myself, but I had to solve this issue, otherwise I cannot continue with my tasks in the project.

To solve this thing, it was needed to change the Group Policy Management in the local computer, so enter to the local policy and navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignments.  Edit Log on as a service and add the following groups:


After this groups were added, run gpupdate/force on the server and then try to start the WID, in my case it was succesful so I was able to start again the adfs service and continue with my tests.

Hope it helps!