Because the application pool identity for the AD FS 2.0 AppPool is running as a domain user/service account, you must configure the Service Principal Name (SPN) for that account in the domain with the Setspn.exe command-line tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the following command on a computer that is joined to the same domain where the user/service account resides:
setspn -a host/<server name> <service account>
For example, in a scenario in which all federation servers are clustered under the Domain Name System (DNS) host name fs.fabrikam.com and the service account name that is assigned to the AD FS 2.0 AppPool is named adfs2farm, type the command as follows, and then press ENTER:
setspn -a host/fs.fabrikam.com adfs2farm
It is necessary to complete this task only once for this account.
-
After the AD FS 2.0 AppPool identity is changed to the service account, set the access control lists (ACLs) on the SQL Server database to allow Read access to this new account so that the AD FS 2.0 AppPool can read the policy data.
http://technet.microsoft.com/en-us/library/dd807078(WS.10).aspx