While configuring the first federation server for ADFS at a customer site, we encountered the error message below.
After spending quite a while fruitlessly testing permissions, looking at NTDS diagnostic logs, and verifying that the server’s trust relationship with AD was correct, we noticed that in AD the “Program Data” object at the domain root was actually an OU (organizationalUnit) and not a container.
My theory is that sometime in the past someone deleted the Program Data container (accidentally?) and recreated it as an OU. After deleting the (empty) impostor OU and creating a replacement container properly, all was well.
Another person who had a similar issue blogged about it here, which includes instructions on how to properly create the Program Data container.
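To check for this condition before running the ADFS configuration wizard, here is an added PowerShell example (not from the original post or the linked article); it assumes the ActiveDirectory RSAT module is available and that the account has rights to read, and if needed create, objects at the domain root.

```powershell
# Added example: verify whether the domain's "Program Data" object is a genuine
# container or an impostor OU, and optionally recreate it as a container.
# Assumes the ActiveDirectory module (RSAT) and appropriate domain rights.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Look only at the direct children of the domain root for an object named "Program Data".
$pd = Get-ADObject -LDAPFilter '(name=Program Data)' `
                   -SearchBase $domainDn -SearchScope OneLevel

if (-not $pd) {
    Write-Warning "No 'Program Data' object found directly under $domainDn"
}
else {
    foreach ($obj in @($pd)) {
        # Healthy: CN=Program Data,<domain DN> with ObjectClass 'container'.
        # Problem described in the post: OU=Program Data,... with ObjectClass 'organizationalUnit'.
        if ($obj.ObjectClass -eq 'container') {
            "OK: {0} is a container" -f $obj.DistinguishedName
        }
        else {
            Write-Warning ("{0} has objectClass '{1}'; ADFS setup expects a container" -f
                $obj.DistinguishedName, $obj.ObjectClass)
        }
    }
}

# Recreate the container only after the impostor OU (which must be empty) has been removed.
# Uncomment to run; do not run while an object named "Program Data" still exists at the root.
# New-ADObject -Name 'Program Data' -Type container -Path $domainDn
```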
What I’m taking away from this is an understanding that this error message appears to be thrown any time there is an exception during this step of the configuration process, so you can’t take the error text at face value. :-)