ADFS with WAP

    Question

  • Hi Folks,


    I am struggling with my WAP,

    I have created a new ADFS with SSO which works properly internally to Office 365 services. I would say that I want to allow external users to perform SSO to Office 365 [it runs in a LAB environment], so I have put my WAP server in the DMZ and created a new A record which points to the WAP server.

    After that, I took the certificate + PFX of ADFS and put it on the WAP server (in Personal), then installed the WAP.


    All went well.

    However, my test URL doesn't work well. I mean, before checking Office 365 Single Sign On I would like to check the test URL which tells us whether SSO works or not.

    Unfortunately, it doesn't work:


    The Url is:

    https://adfs.pelegit.co.il/adfs/ls/IdpInitiatedSignon.aspx


    This is the Event from WAP Event Viewer:

    AD FS proxy service failed to start a listener for the endpoint 'Endpoint details:
    	 Prefix : /.well-known/webfinger
    	 PortType : HttpsDevicePort
    	 ClientCertificateQueryMode : None
    	 CertificateValidation : None
    	 AuthenticationSchemes : Anonymous
    	 ServicePath : /.well-known/webfinger
    	 ServicePortType : HttpsDevicePort
    	 SupportsNtlm : False
    ' 
    Exceptiondetails: 
    System.Net.HttpListenerException (0x80004005): Access is denied
       at System.Net.HttpListener.AddAllPrefixes()
       at System.Net.HttpListener.Start()
       at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize)
       at Microsoft.IdentityServer.ProxyService.ProxyHttpListener.Start()
       at Microsoft.IdentityServer.ProxyService.EndpointManager.ApplyConfiguration(ProxyEndpointConfiguration proxyEndpointConfiguration) 
    
    User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.


    Web Application Proxy could not bind the SSL server certificate. Error: Cannot create a file when that file already exists.
     (0x800700b7).
    All other configuration settings were applied.
    
    Details:
    Certificate thumbprint: 30DF10AB926099243D7BA6CC8FCD2FF08C2469E4
    Host name: adfs.pelegit.co.il

    What do you think I am not doing well?




    Windows IT MVP 2015 /2016 www.PelegIT.co.il Thank you!

    Thursday, April 20, 2017 8:41 PM

All replies

  • Hi Meir,

    Make sure your certificate is in the Machine personal store (not user personal store) > certlm.msc

    Check to see if there are any existing bindings with the adfs.pelegit.co.il name > netsh http show sslcert

    Good luck!

    Shane

    Friday, April 21, 2017 1:39 AM
    Moderator
  • Hi,

    The certificate is under Machine so it's OK,

    I don't know why but I have a hunch that I have a problem with Binding. You say to run this on WAP? (netsh http show sslcert)


    Windows IT MVP 2015 /2016 www.PelegIT.co.il Thank you!

    Friday, April 21, 2017 1:45 PM
  • BTW this is what I see under WAP logs

    AD FS proxy service failed to start a listener for the endpoint 'Endpoint details:
    	 Prefix : /.well-known/webfinger
    	 PortType : HttpsDevicePort
    	 ClientCertificateQueryMode : None
    	 CertificateValidation : None
    	 AuthenticationSchemes : Anonymous
    	 ServicePath : /.well-known/webfinger
    	 ServicePortType : HttpsDevicePort
    	 SupportsNtlm : False
    ' 
    Exceptiondetails: 
    System.Net.HttpListenerException (0x80004005): Access is denied
       at System.Net.HttpListener.AddAllPrefixes()
       at System.Net.HttpListener.Start()
       at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize)
       at Microsoft.IdentityServer.ProxyService.ProxyHttpListener.Start()
       at Microsoft.IdentityServer.ProxyService.EndpointManager.ApplyConfiguration(ProxyEndpointConfiguration proxyEndpointConfiguration) 
    
    User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.


    Windows IT MVP 2015 /2016 www.PelegIT.co.il Thank you!

    Friday, April 21, 2017 2:27 PM
  • Hiya,

    I would go through the certificates using:

    Get-AdfsProperties, Get-WebApplicationProxySslCertificate, Get-AdfsCertificate, Get-AdfsSslCertificate - Make sure they all match. Also, if it's a self-signed certificate, make sure the certificate is located on all servers and clients involved.

    And of course, make sure that the service account has access to the private key of the certificate :)

    Monday, April 24, 2017 9:07 PM
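    A consolidated check for the points raised in Shane's reply and the reply above (machine store, conflicting http.sys SSL bindings, private key access, matching certificates), as an added PowerShell diagnostic that is not from the thread. It assumes the thumbprint and host name quoted in the event log of the question and is run from an elevated prompt on the WAP server.

```powershell
# Added diagnostic for the WAP server (run elevated); not code from the thread.
# Assumed inputs: the thumbprint and host name quoted in the event log of the question.
$Thumbprint = '30DF10AB926099243D7BA6CC8FCD2FF08C2469E4'
$HostName   = 'adfs.pelegit.co.il'

# 1. Certificate must be in the *machine* Personal store (certlm.msc) with a private key.
#    The key's ACL must also grant read access to the account the proxy service runs as.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Warning "$Thumbprint is not in LocalMachine\My (the user store, certmgr.msc, does not count)."
} else {
    "Found $($cert.Subject), expires $($cert.NotAfter), HasPrivateKey=$($cert.HasPrivateKey)"
}

function Get-HttpSslBinding {
    # Parse 'netsh http show sslcert' into objects: Binding, CertificateHash, ApplicationId.
    $cur = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(?:IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($cur) { [pscustomobject]$cur }
            $cur = [ordered]@{ Binding = $Matches[1]; CertificateHash = ''; ApplicationId = '' }
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') { $cur.CertificateHash = $Matches[1] }
        elseif   ($cur -and $line -match '^\s*Application ID\s*:\s*(\S+)')   { $cur.ApplicationId   = $Matches[1] }
    }
    if ($cur) { [pscustomobject]$cur }
}

# 2. 0x800700b7 ("file already exists") means http.sys already holds a binding for this
#    host name or for 0.0.0.0:443, usually left behind by IIS or an earlier WAP/AD FS install.
$bindings = Get-HttpSslBinding
$relevant = $bindings | Where-Object { $_.Binding -like "$HostName*" -or $_.Binding -like '*:443' }
$relevant | Format-Table -AutoSize
$stale = $relevant | Where-Object { $_.CertificateHash -ne $Thumbprint }   # -ne is case-insensitive
if ($stale) {
    Write-Warning 'Bindings on the WAP host/port that use a different certificate (candidates to remove'
    Write-Warning 'with "netsh http delete sslcert hostnameport=<host>:443" once nothing else needs them):'
    $stale | Format-Table -AutoSize
}

# 3. "Access is denied" from HttpListener.AddAllPrefixes(): the URL reservation for the failing
#    prefix must belong to the proxy's service identity. Show who currently owns it.
netsh http show urlacl | Select-String -SimpleMatch 'well-known/webfinger' -Context 0,3

# 4. What WAP itself is configured to bind; compare with Get-AdfsSslCertificate and
#    Get-AdfsCertificate run on the federation server (they are not available on the WAP).
Get-WebApplicationProxySslCertificate | Select-Object HostName, PortNumber, CertificateHash
```

    The certificate hash shown for every binding on port 443 and by Get-WebApplicationProxySslCertificate should be the same thumbprint as the one in the event log; any other value is the conflicting binding the "User action" line refers to.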
  • Hi,

    The root cause is that the HTTPS or SSL-based communication between your WAP and ADFS is not working. You need to run Azure AD Connect and go for the option to redeploy WAP... Do not redeploy, just confirm the SSL-based communication.

    Wednesday, January 10, 2018 6:35 PM