Error while Installing Azure AD Connect Health for AD FS Agent RRS feed

  • Question

  • Running AD FS 3.0 (2012 R2) on 2 Azure VMs and receiving the following error when trying to install the health agent on my secondary AD FS server.  Installation on my primary server was successful.  Am able to successfully ping the primary server and browse the "/adfs/services/trust/mex" endpoint from the secondary server.  Any help would be greatly appreciated.

    Getting these messages in the error log:

    2016-08-23 16:35:32.489 Detecting AdFederationService roles...
    2016-08-23 16:35:32.505 AD FS 3 registry key exists.
    2016-08-23 16:35:32.505 FSConfigurationStatus = 2
    2016-08-23 16:35:32.505 ProxyConfigurationStatus = -1
    2016-08-23 16:35:38.005 In adfs Secondary server adfs properties can't be set
    2016-08-23 16:35:38.021 Detected audit inclusion setting: POLICY_AUDIT_EVENT_SUCCESS, POLICY_AUDIT_EVENT_FAILURE
    2016-08-23 16:35:38.021 AD FS 3 registry key exists.
    2016-08-23 16:35:38.021 FSConfigurationStatus = 2
    2016-08-23 16:35:38.021 ProxyConfigurationStatus = -1
    2016-08-23 16:35:38.146 System.InvalidOperationException: Could not query the MEX on http ports: 443 in hosts: localhost
       at Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.AdfsServiceExaminer.GetAdfsFarmNameFromSts()
       at Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.AdfsServiceExaminer.ComputeServiceSignature()
       at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.ProcessRecord()

    Tuesday, August 23, 2016 4:56 PM


All replies

  • With help from Microsoft Premier Support, this issue was resolved by updating the STS certificate for port 443 on the secondary AD FS server to be the same as the primary using the Get-AdfsSslCertificate and Set-AdfsSslCertificate cmdlets as documented here:


    • Marked as answer by Chad Pearson Wednesday, August 31, 2016 1:28 PM
    Wednesday, August 31, 2016 1:28 PM
  • Thanks for sharing!

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, August 31, 2016 1:30 PM
  • Question if I may, how are you able to run Set-AdfsSslCertificate cmdlet on the <g class="gr_ gr_35 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="35" id="35">scondary</g> nodes as it states can only be run on the primary?  I have <g class="gr_ gr_90 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins replaceWithoutSep" data-gr-id="90" id="90">same</g> issue.  Thanks
    <svg class="SnapLinksHighlighter" xmlns="http://www.w3.org/2000/svg"><rect height="0" width="0"></rect> </svg>
    Monday, November 5, 2018 8:10 PM