Failed to start endpoint https://+:49443/adfs/portal/

  • Question

  • Hi All

    I'm experiencing some issues with an ADFS environment where I just changed the certificate.

    The configuration is as follows.
    2 x ADFS server
    2 x WAP servers

    To load balance the connections a KEMP LB is placed. 

    I have changed the certificate, running the AD FS application, and changed the certificates using the Set-AdfsSslCertificate command. And this one worked as well.

    certauth.fs.Customername.dk                 443      B972C6381EEBE9ASDAWRFSADA789929393C00D0d
    localhost                                   443      B972C6381EEBE9ASDAWRFSADA789929393C00D32
    fs.Customername.dk                          443      B972C6381EEBE9ASDAWRFSADA789929393C00D32
    fs.Customername.dk                        49443      B972C6381EEBE9ASDAWRFSADA789929393C00D32
    

    The certificate on all values has changed. So far so good. I have then moved to the WAP servers and added the certificate as well, using the "Set-WebApplicationProxySslCertificate" cmdlet, which succeeded. I have then installed the certificate and made it active on the WAP servers as well.

    Set-WebApplicationProxySslCertificate -Thumbprint B972C6381EEBE9ASDAWRFSADA789929393C00D32
    Set-WebApplicationProxyApplication -ExternalCertificateThumbprint B972C6381EEBE9ASDAWRFSADA789929393C00D32
    

    Which all so far works like it should. I can take a random PC and log on using SSO. However, when I try to log in using a client that is not in the domain and thus not using SSO, this is what I meet.


    The login prompt works, so no issues in the ADFS itself. But what happened to the portal?

    If I dig down in the event viewer, I get some errors that I suspect are part of the reason behind this error, but I haven't been able to find a solution for it, which is where I hope someone smarter than me can figure it out.

    The events are as follows.

    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. 
    
    Additional Data 
    Exception details: 
    System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL https://+:49443/adfs/services/trust/2005/certificatetransport/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> 

    And this one

    Description:
    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. 
    
    Additional Data 
    Exception details: 
    Failed to start endpoint:
    https://+:49443/adfs/portal/
    https://+:443/adfs/portal/
    System.Net.HttpListenerException (0x80004005): Access is denied
    

    Has anyone seen this before, and has an idea what to do?

    I would really appreciate all the help I can get in this case, since all my own troubleshooting so far has been in vain.

    Thursday, November 21, 2019 1:24 PM

Answers

  • For anyone else getting this error.

    Adding the service user for ADFS as local administrator on the server solves the issue. So this has been done as a temp. solution while the case is escalated to Microsoft. 

    I'm suspecting this to be a bug in ADFS in Server 2019.
    Tuesday, November 26, 2019 9:52 AM

All replies

  • The error says access denied; this indicates that the urlacl is not set according to the service user used for ADFS.

    Check which user is running the service "Active Directory Federation Services" alias "adfssrv".

    Compare it to the delegated users for the corresponding URLs (like https://+:443/adfs/... or https://+:49443/adfs/...)

    in the list you get with

    netsh http show urlacl

    If the users are not the same

    use

    netsh http del urlacl "url"

    to delete the reservation and use

    netsh http add urlacl "url" user="domain\user" delegate=yes

    to add the correct reservation, where "url" and "domain\user" need to be corrected to your environment.

    This should fix the access denied error for the corresponding URLs.

    Saturday, January 18, 2020 4:06 PM
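    The check described in the reply above, written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft: it reads the account that runs the adfssrv service, parses the output of netsh http show urlacl, and reports every https://+:443/adfs/ and https://+:49443/adfs/ reservation that does not list that account, printing the matching netsh delete/add commands instead of running them. The service name adfssrv and the two ports come from the thread; the sample account name in the comments is assumed.

```powershell
# Added example (not from the thread): compare the HTTP.sys URL reservations for the
# AD FS namespaces against the account that actually runs the adfssrv service.
# Run in an elevated PowerShell on the AD FS server. Nothing is changed; mismatches
# are reported together with the netsh commands to fix them, for review before use.

# 1. Which identity runs "Active Directory Federation Services" (adfssrv)?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) { throw "adfssrv service not found; run this on an AD FS server." }
$serviceAccount = $svc.StartName        # e.g. "CONTOSO\svc_adfs$" (assumed sample value)
Write-Host "adfssrv runs as: $serviceAccount"

# 2. Parse 'netsh http show urlacl' into objects. The output is a list of
#    "Reserved URL : <url>" blocks, each followed by one or more "User: <name>"
#    lines (with Listen/Delegate/SDDL details beneath them, which we ignore).
function ConvertFrom-UrlAcl {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }              # emit the previous block
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    if ($current) { $current }                      # emit the last block
}

$reservations = ConvertFrom-UrlAcl -Lines (netsh http show urlacl)

# 3. Only the AD FS namespaces from the failing endpoints matter here.
$adfsReservations = $reservations |
    Where-Object { $_.Url -match '^https://\+:(443|49443)/adfs/' }

if (-not $adfsReservations) {
    Write-Warning "No URL reservations found for https://+:443/adfs/ or https://+:49443/adfs/"
}

# 4. A reservation is fine when the service account is among the users granted on it.
#    -eq is case-insensitive in PowerShell, so DOMAIN\user and domain\user compare equal.
foreach ($r in $adfsReservations) {
    $granted = $r.Users -join ', '
    if ($r.Users -contains $serviceAccount) {
        Write-Host ("OK       {0}  ->  {1}" -f $r.Url, $granted)
    }
    else {
        Write-Warning ("MISMATCH {0}  ->  granted to: {1}; service runs as {2}" -f `
            $r.Url, $granted, $serviceAccount)
        # The two commands from the reply above, filled in for this URL.
        Write-Host ('  netsh http delete urlacl url="{0}"' -f $r.Url)
        Write-Host ('  netsh http add urlacl url="{0}" user="{1}" delegate=yes' -f `
            $r.Url, $serviceAccount)
    }
}
```

    Running this before applying the accepted workaround is worthwhile: adding the AD FS service account to the local Administrators group makes the account far more valuable to an attacker and hides the real cause, so it should only be done once the reservations above are confirmed correct, as the original poster reports they were in their case.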
  • Hello Martin,

    Thanks for this information, we encountered the same problem. Your workaround works!!!!
    This bug exists in ADFS on Server 2016 also.

    Marc van Zutphen

    Friday, March 20, 2020 11:07 PM
  • The error says access denied; this indicates that the urlacl is not set according to the service user used for ADFS.

    Check which user is running the service "Active Directory Federation Services" alias "adfssrv".

    Compare it to the delegated users for the corresponding URLs (like https://+:443/adfs/... or https://+:49443/adfs/...)

    in the list you get with

    netsh http show urlacl

    If the users are not the same

    use

    netsh http del urlacl "url"

    to delete the reservation and use

    netsh http add urlacl "url" user="domain\user" delegate=yes

    to add the correct reservation, where "url" and "domain\user" need to be corrected to your environment.

    This should fix the access denied error for the corresponding URLs.

    Already tried this before I posted (although I realise I forgot to write it in my first post); the urlacl is set according to the used service user. I even had a colleague verify the configuration.

    So unfortunately, this is not the solution.
    Tuesday, March 24, 2020 8:46 PM