Secondary AD FS Server Not Authenticating (Event 15021)

  • Question

  • Problem

    We have a 2-node AD FS 3.0 server farm running on Windows Server 2012 R2 with a WID database (no SQL) on Azure VMs with 2 WAP servers in the DMZ.  Our problem was that when the primary AD FS server would reboot, the secondary AD FS server would not compensate.  The STS endpoint became unavailable and no one in the company was able to authenticate.

    Troubleshooting

    I opened a ticket with Microsoft Premier Support who found the following error in the System event logs:

    ###

    Event 15021 HttpEvent

    An error occurred while using SSL configuration for endpoint sts.domain.com:443.  The error status code is contained within the returned data.

    ###

    After some Network Monitor tracing, the engineer ran the Get-AdfsSslCertificate cmdlets and noticed that the CertificateHash value of the STS HostName for port 443 on the secondary server was not the same as the primary server.

    Solution

    Make the secondary server's STS certificate for port 443 the same as the primary's.

    1. Run Get-AdfsSslCertificate on the primary and secondary AD FS servers and note the CertificateHash values for the STS certificate for port 443.
    2. If the values are different, verify the correct certificate is installed on the secondary server and run the Set-AdfsSslCertificate cmdlet to set the secondary server's CertificateHash to be the same as the primary server's.
    3. Restart the Active Directory Federation Services service on the secondary AD FS server.

    Wednesday, August 31, 2016 1:06 PM
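The three-step check above, written out as a script. This is an added example, not code from the original post: it reads the `sts.domain.com:443` binding on each farm node with `Get-AdfsSslCertificate`, compares every secondary's `CertificateHash` to the primary's, and (only when `$Fix` is set) rebinds a mismatched node with `Set-AdfsSslCertificate` and restarts the service. The hostnames, the `$Fix` switch and the two helper functions are my own assumptions; it also assumes PowerShell remoting is enabled on the nodes and that you run it as an administrator of each.

```powershell
# Added example (not from the original post): compare the port-443 SSL binding
# on every farm node against the primary, and optionally correct a secondary.
# Assumptions (all mine): the hostnames are placeholders, PowerShell remoting
# is enabled on the nodes, and the caller is an administrator on each node.

$Primary     = 'adfs01.corp.example'      # placeholder primary node
$Secondaries = @('adfs02.corp.example')   # placeholder secondary node(s)
$StsHostName = 'sts.domain.com'           # host name from the Event 15021 text
$Fix         = $false                     # set to $true to rebind and restart

function Get-StsBindingHash {
    # Returns the CertificateHash of the <HostName>:443 binding on one node.
    param([string]$ComputerName, [string]$HostName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $HostName -ScriptBlock {
        param($HostName)
        $b = Get-AdfsSslCertificate |
             Where-Object { $_.HostName -eq $HostName -and $_.PortNumber -eq 443 }
        if ($b) { $b.CertificateHash } else { $null }
    }
}

function Test-CertWithPrivateKey {
    # True if the certificate with this thumbprint is in LocalMachine\My on the
    # node and carries a private key; Set-AdfsSslCertificate needs both.
    param([string]$ComputerName, [string]$Thumbprint)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Thumbprint -ScriptBlock {
        param($Thumbprint)
        $c = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
        [bool]($c -and $c.HasPrivateKey)
    }
}

$expected = Get-StsBindingHash -ComputerName $Primary -HostName $StsHostName
if (-not $expected) { throw "No ${StsHostName}:443 binding found on $Primary" }
Write-Host "Primary $Primary binds ${StsHostName}:443 to $expected"

foreach ($node in $Secondaries) {
    $actual = Get-StsBindingHash -ComputerName $node -HostName $StsHostName
    if ($actual -eq $expected) { Write-Host "OK       $node"; continue }

    Write-Warning "MISMATCH $node has '$actual', primary has '$expected'"
    if (-not $Fix) { continue }

    if (-not (Test-CertWithPrivateKey -ComputerName $node -Thumbprint $expected)) {
        Write-Warning "  $expected is not in LocalMachine\My with a private key on $node; import it first"
        continue
    }
    # Rebind and restart the AD FS service (adfssrv) on that node only.
    Invoke-Command -ComputerName $node -ArgumentList $expected -ScriptBlock {
        param($Thumbprint)
        Set-AdfsSslCertificate -Thumbprint $Thumbprint
        Restart-Service adfssrv
    }
    Write-Host "Rebound $node to $expected and restarted adfssrv"
}
```

Run it with `$Fix = $false` first so it only reports; the rebind step is guarded by the private-key check because binding a thumbprint whose key is missing on that node reproduces the same HTTP.sys failure the event describes.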

Answers

  • Have you verified that both nodes have the same SSL certificate?

    When you change the ADFS SSL certificate you have to run:

    # One time
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint [thumbprint]

    And

    # On each node
    Set-AdfsSslCertificate -Thumbprint [thumbprint]

    And make sure on each node that the service account has access to the private key of the SSL cert, which should be in the local computer certificate store.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, August 31, 2016 1:23 PM
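The second condition in the answer above (the service account must be able to read the private key on each node) is the one that is easy to miss after a certificate is re-imported, because `Set-AdfsSslCertificate` succeeds even when the key ACL is wrong. The script below is an added example, not code from the thread: run locally on a node, it finds the certificate bound to port 443, locates its private key file and checks whether the account that `adfssrv` logs on as has a direct Read ACE on it. It assumes a CAPI (CSP) key under the standard `MachineKeys` folder, which is the usual case for an AD FS 3.0 SSL certificate; a CNG key is reported for manual inspection. The `$Grant` switch and the function names are my own.

```powershell
# Added example (not from the original thread): on the local AD FS node, find
# the certificate bound to port 443 and check that the AD FS service account
# holds Read access on its private key file. Run as an administrator.
# Assumptions (mine): CAPI key under the standard MachineKeys path; $Grant is
# my own switch; only a direct ACE for the account is evaluated.

$Grant = $false   # set to $true to add a Read ACE for the service account

function Get-AdfsServiceAccount {
    # Account the AD FS service (adfssrv) logs on as, e.g. CORP\svc_adfs$ (gMSA)
    (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
}

function Get-PrivateKeyFile {
    # Path of the CSP key container file, or $null for CNG keys / no key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try { $csp = $Cert.PrivateKey } catch { return $null }   # CNG keys throw or return $null here
    if (-not $csp) { return $null }
    $name = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $name
}

function Test-ServiceAccountKeyAccess {
    param([string]$Thumbprint, [string]$Account)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $path = Get-PrivateKeyFile -Cert $cert
    if (-not $path) {
        return [pscustomobject]@{ Thumbprint = $Thumbprint; Account = $Account; KeyFile = $null
                                  HasRead = $null; Note = 'No CSP private key found (missing, or CNG key); check with certlm.msc' }
    }
    $acl = Get-Acl $path
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    [pscustomobject]@{ Thumbprint = $Thumbprint; Account = $Account; KeyFile = $path
                       HasRead = [bool]$ace; Note = 'Direct ACE only; group-based grants are not evaluated' }
}

$account = Get-AdfsServiceAccount
$binding = Get-AdfsSslCertificate | Where-Object { $_.PortNumber -eq 443 } | Select-Object -First 1
$result  = Test-ServiceAccountKeyAccess -Thumbprint $binding.CertificateHash -Account $account
$result | Format-List

if ($Grant -and $result.KeyFile -and -not $result.HasRead) {
    # Same effect as certlm.msc > Manage Private Keys > add Read for the account
    $acl  = Get-Acl $result.KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $result.KeyFile -AclObject $acl
    Write-Host "Granted Read on $($result.KeyFile) to $account; restart adfssrv to pick it up"
}
```

If `HasRead` comes back `$false` but the account belongs to a group that has access, the check is conservative rather than wrong; the key file ACL is still the thing to inspect, since `Set-AdfsSslCertificate` binds in HTTP.sys without verifying that the service account can open the key.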

All replies

  • So any success?

    Friday, September 2, 2016 1:32 PM