ADFS with WAP

    Question

  • Hi Folks,


    I am struggling with my WAP,

    I have created a new ADFS with SSO, which works properly internally to Office 365 services. I want to allow external users to perform SSO to Office 365 [it runs in a LAB environment], so I have put my WAP server in the DMZ and created a new A record which points to the WAP server.

    After that, I took the certificate + PFX of ADFS and put it on the WAP server (in Personal), then installed the WAP.


    All went well.

    However, my test URL doesn't work well. I mean, before checking Office 365 Single Sign On I would like to check the test URL, which shows us whether SSO works or not.

    Unfortunately, it doesn't work:


    The Url is:

    https://adfs.pelegit.co.il/adfs/ls/IdpInitiatedSignon.aspx


    This is the Event from WAP Event Viewer:

    AD FS proxy service failed to start a listener for the endpoint 'Endpoint details:
    	 Prefix : /.well-known/webfinger
    	 PortType : HttpsDevicePort
    	 ClientCertificateQueryMode : None
    	 CertificateValidation : None
    	 AuthenticationSchemes : Anonymous
    	 ServicePath : /.well-known/webfinger
    	 ServicePortType : HttpsDevicePort
    	 SupportsNtlm : False
    ' 
    Exceptiondetails: 
    System.Net.HttpListenerException (0x80004005): Access is denied
       at System.Net.HttpListener.AddAllPrefixes()
       at System.Net.HttpListener.Start()
       at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize)
       at Microsoft.IdentityServer.ProxyService.ProxyHttpListener.Start()
       at Microsoft.IdentityServer.ProxyService.EndpointManager.ApplyConfiguration(ProxyEndpointConfiguration proxyEndpointConfiguration) 
    
    User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.


    Web Application Proxy could not bind the SSL server certificate. Error: Cannot create a file when that file already exists.
     (0x800700b7).
    All other configuration settings were applied.
    
    Details:
    Certificate thumbprint: 30DF10AB926099243D7BA6CC8FCD2FF08C2469E4
    Host name: adfs.pelegit.co.il

    What do you think I am not doing well?




    Windows IT MVP 2015 /2016 www.PelegIT.co.il Thank you!

    Thursday, April 20, 2017 8:41 PM

All replies

  • Hi Meir,

    Make sure your certificate is in the Machine personal store (not user personal store) > certlm.msc

    Check to see if there are any existing bindings with the adfs.pelegit.co.il name > netsh http show sslcert

    Good luck!

    Shane

    Friday, April 21, 2017 1:39 AM
    Moderator
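    The two checks above (certificate in the machine store, existing SSL bindings for the host name) can be scripted so the conflict behind "Cannot create a file when that file already exists" (0x800700b7) and the "Access is denied" listener failure is found in one pass. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes it is run elevated on the WAP server, takes the thumbprint and host name from the event in the question, and assumes port 443 for the WAP endpoint. It only reports; it never deletes a binding.

```powershell
# Added example (not from the thread): inventory the HTTP.SYS SSL bindings,
# URL reservations and the machine certificate store on a WAP server to
# locate the binding conflict reported by the Web Application Proxy.
# Assumptions: run as Administrator on the WAP server; thumbprint and host
# name come from the event in the question; the WAP endpoint is TCP 443.
param(
    [string]$HostName   = 'adfs.pelegit.co.il',
    [string]$Thumbprint = '30DF10AB926099243D7BA6CC8FCD2FF08C2469E4',
    [int]$Port          = 443
)

$Thumbprint = $Thumbprint.ToUpper()

# 1. The certificate must be in the machine Personal store (certlm.msc), not the
#    user store, and must carry a private key, or HTTP.SYS cannot bind it.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Warning "Certificate $Thumbprint not found in LocalMachine\My (was it imported into the user store instead?)"
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate found but has no private key (import the PFX, not the .cer)"
} else {
    Write-Host "Certificate OK: $($cert.Subject), expires $($cert.NotAfter), private key present"
}

# 2. Parse 'netsh http show sslcert' into objects. Each binding block starts
#    with an 'IP:port' or 'Hostname:port' line followed by 'Certificate Hash'.
$bindings = @()
$current  = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
        if ($current) { $bindings += $current }
        $current = [pscustomobject]@{ Endpoint = $matches[2]; Hash = ''; AppId = '' }
    } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
        $current.Hash = $matches[1].ToUpper()
    } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
        $current.AppId = $matches[1]
    }
}
if ($current) { $bindings += $current }

Write-Host "`nSSL bindings currently registered in HTTP.SYS:"
$bindings | Format-Table Endpoint, Hash, AppId -AutoSize | Out-String | Write-Host

# 3. Flag every binding that already occupies the WAP endpoint (the host name,
#    or the wildcard address on the same port) with a different certificate.
#    That is the 'file already exists' conflict WAP reports when it tries to
#    add its own binding. Matching on 0.0.0.0:<port> is a heuristic: another
#    product (IIS, an old ADFS proxy install) bound the whole port.
$conflicts = $bindings | Where-Object {
    ($_.Endpoint -ieq "${HostName}:$Port" -or $_.Endpoint -eq "0.0.0.0:$Port") -and
    $_.Hash -ne $Thumbprint
}
if ($conflicts) {
    Write-Warning "Conflicting SSL binding(s) found for ${HostName}:$Port"
    foreach ($c in $conflicts) {
        Write-Warning ("  {0}  hash={1}  appid={2}" -f $c.Endpoint, $c.Hash, $c.AppId)
        # Review the owning application before removing; the command to remove it is:
        $kind = if ($c.Endpoint -match '^\d+\.\d+\.\d+\.\d+:') { 'ipport' } else { 'hostnameport' }
        Write-Host "  to remove: netsh http delete sslcert $kind=$($c.Endpoint)"
    }
} else {
    Write-Host "No conflicting SSL binding for ${HostName}:$Port"
}

# 4. URL reservations on the same port explain the 'Access is denied'
#    HttpListenerException: a reservation held by a different account or
#    product stops the WAP service from adding its prefixes.
Write-Host "`nURL reservations on port ${Port}:"
$urlacl = netsh http show urlacl
$urlacl | Where-Object { $_ -match "^\s*Reserved URL\s*:\s*https?://[^/]+:${Port}/" } |
    ForEach-Object { Write-Host "  $($_.Trim())" }
```

    Run it once before and once after repairing the store or removing the stale binding; the WAP service should then be restarted so it re-applies its endpoint configuration.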
  • Hi,

    The certificate is under Machine, so it's OK.

    I don't know why, but I have a hunch that I have a problem with the binding. You say to run this on the WAP? (netsh http show sslcert)


    Windows IT MVP 2015 /2016 www.PelegIT.co.il Thank you!

    Friday, April 21, 2017 1:45 PM
  • BTW this is what I see under WAP logs

    AD FS proxy service failed to start a listener for the endpoint 'Endpoint details:
    	 Prefix : /.well-known/webfinger
    	 PortType : HttpsDevicePort
    	 ClientCertificateQueryMode : None
    	 CertificateValidation : None
    	 AuthenticationSchemes : Anonymous
    	 ServicePath : /.well-known/webfinger
    	 ServicePortType : HttpsDevicePort
    	 SupportsNtlm : False
    ' 
    Exceptiondetails: 
    System.Net.HttpListenerException (0x80004005): Access is denied
       at System.Net.HttpListener.AddAllPrefixes()
       at System.Net.HttpListener.Start()
       at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize)
       at Microsoft.IdentityServer.ProxyService.ProxyHttpListener.Start()
       at Microsoft.IdentityServer.ProxyService.EndpointManager.ApplyConfiguration(ProxyEndpointConfiguration proxyEndpointConfiguration) 
    
    User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.


    Windows IT MVP 2015 /2016 www.PelegIT.co.il Thank you!

    Friday, April 21, 2017 2:27 PM