Cannot configure WAP server - suspect cert on load balancer

  • Question

  • I am trying to connect a WAP server to ADFS. I have 2 ADFS servers load balanced by a Citrix NetScaler.

    We are using a wildcard certificate.  The federation service DNS name points to the VIP address on the load balancer.

    The configuration wizard is failing with Event 276 "The Federation Server Proxy was not able to Authenticate the Federation Service"

    While troubleshooting I noticed that the certificate on the xml page was issued by GoDaddy. The cert I installed in ADFS was issued by DigiCert.

    Sorry to ask the obvious, but this certificate mismatch has to be why it is failing. Correct? I will need to have the load balancer cert replaced?

    Wednesday, September 14, 2016 2:34 AM

All replies

  • If the extended protection is enabled on ADFS, the cert used on the WAP has to be the same as the cert on the ADFS server. Is that the case? Also, you cannot do any SSL inspection or offloading between the WAP server and the ADFS server.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, September 14, 2016 6:58 PM
  • ExtendedProtectionTokenCheck is set to 'Allow'.

    The cert on the WAP and ADFS servers is the same. The load balancer however, has a different cert. So when I go to https://adfs.my.domain/federationmetadata/2007-06/federationmetadata.xml the cert presented is what is on the load balancer and not the ADFS servers.

    So my guess is that I need to update the cert on the load balancer because that is why the WAP doesn't trust the ADFS servers. Right?

    Wednesday, September 14, 2016 7:23 PM
  • There is no need to use a certificate on your load balancer since you shouldn't do SSL offload between the WAP and the ADFS server. See here: https://blogs.technet.microsoft.com/applicationproxyblog/2014/07/04/ssl-termination-with-web-application-proxy-and-ad-fs-2012-r2/

    Thursday, September 15, 2016 3:44 PM
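    As an added diagnostic for the point above (example script written for this page, not from the thread or from Microsoft): run on one of the AD FS servers, it fetches the certificate actually presented by the federation service name (which in this thread resolves to the NetScaler VIP) and compares its thumbprint with the certificate AD FS itself has bound, so a TLS-terminating device in the path shows up as a thumbprint mismatch. It assumes the AD FS PowerShell module is available and uses the hostname adfs.my.domain from the thread.

```powershell
# Added example: detect TLS termination between clients and AD FS by comparing
# the certificate seen through the federation service name with the AD FS binding.
# Assumptions: run on an AD FS server with the ADFS module; hostname from the thread.
$FederationHost = 'adfs.my.domain'

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Validation callback returns $true on purpose: we only want to *see*
        # which certificate is presented, not decide whether to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        # Copy into an X509Certificate2 before the stream is closed
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $client.Close()
    }
}

$presented = Get-PresentedCertificate -HostName $FederationHost
# Get-AdfsSslCertificate lists the HTTP.SYS bindings AD FS owns (HostName, PortNumber, CertificateHash)
$bound = Get-AdfsSslCertificate |
    Where-Object { $_.HostName -eq $FederationHost -and $_.PortNumber -eq 443 } |
    Select-Object -First 1

"Presented via $FederationHost : $($presented.Thumbprint)  issuer: $($presented.Issuer)"
if ($null -eq $bound) {
    Write-Warning "No AD FS SSL binding found for $FederationHost; check the federation service name."
} else {
    "Bound on this AD FS server   : $($bound.CertificateHash)"
    if ($presented.Thumbprint -ne $bound.CertificateHash) {
        Write-Warning 'Thumbprint mismatch: something in the path (e.g. the load balancer VIP) is terminating TLS.'
    } else {
        'Thumbprints match: TLS is passed through end to end.'
    }
}

# Extended protection is what makes a terminated TLS session fail WAP/ADFS authentication
"ExtendedProtectionTokenCheck = $((Get-AdfsProperties).ExtendedProtectionTokenCheck)"
```

    Run the same script from the WAP host (without the Get-Adfs* lines) to confirm the WAP sees the AD FS certificate rather than the load balancer's.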
  • I asked to have SSL Offloading turned off on the VIP on the load balancer. The configuration wizard then finished successfully. Thanks for the info and link.

    Thursday, September 15, 2016 8:02 PM