Set-WebApplicationProxySSLCertificate Value can not be null

  • Question

  • Hey there,

    So I created a post about the WAP role erroring out due to my certs. I finally got my cert design figured out; however, I started to wonder how I could change the cert I used during the WAP deployment wizard.

    I read this

    and then attempted to run the Set-WebApplicationProxySslCert command, but no matter what thumbprint I put in it spits out saying "set-webapplicationsslcertificate value can not be null"

    Uhhhh... I even attempted pasting the same thumbprint it's already using and it replied the same thing?

    What did I do wrong this time?

    The full error is:

    Set-WebApplicationProxySslCertificate : value cannot be null
    Parameter name: proxyTrustCertitifcate

    Message
    ---------
    An error occurred while attempting to retrieve configuration data from the federation server value cannot be null.

    • Edited by Zewwy Friday, June 10, 2016 6:30 PM
    Friday, June 10, 2016 4:31 PM

All replies

  • I didn't want to dig around trying to figure out what failed, as it's not my job!

    I removed the role, and re-added the role to re-run the wizard.

    Just a FYI to whoever is listening to these issues, there should be a way to re-run the WAP wizard after it has already been run to make changes as required in the WAP deployment. Including but not limited to certificate changes.

    Friday, June 10, 2016 6:46 PM
  • The cmdlet Install-WebApplicationProxy https://technet.microsoft.com/en-us/library/dn283414(v=wps.630).aspx enables this. You always have to provide the thumbprint of the SSL cert.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, June 13, 2016 1:20 PM
  • Is that not the same thing the wizard does?
    Thursday, June 16, 2016 3:06 PM
  • To the remark:

    "Just a FYI to whoever is listening to these issues, there should be a way to re-run the WAP wizard after it has already been run to make changes as required in the WAP deployment. Including but not limited to certificate changes."

    I just want to bring awareness that there is indeed a way to do it, using the cmdlet I mentioned above.


    Thursday, June 16, 2016 4:17 PM
  • Do you need more information?

    Monday, June 20, 2016 2:20 PM
  • If it's the same thing as the wizard, then why was it complaining my value could not be null?

    That's the base of this question. I already ran the wizard, which means I simply wanted to change the cert using the ps command I mentioned in the base of this question.

    If I have to run the wizard again to change the cert why does that cmdlet exist?

    Thanks for the help, but we seem to be getting confused in cause and effect here.

    Tuesday, June 21, 2016 3:53 PM
  • Oh I see.

    Well on my 3 different labs, the command works just fine:

    Set-WebApplicationProxySslCertificate -Thumbprint 6F8FA58E8C22275B71A12B1B9729C53F249E468E
    
    Message                                 Context                                                                  Status
    -------                                 -------                                                                  ------
    The configuration completed successf... DeploymentSucceeded                                                     Success

    Works for both the same cert and a new cert present in the local store.

    The error message you get seems to suggest an issue with the ProxyTrust cert that the WAP server got at the original install and that gets renewed every 30 days. If that trust is broken, then you need to re-run the wizard. Now we can try to determine why the trust actually broke. This is a good start: https://blogs.technet.microsoft.com/applicationproxyblog/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy/#pi148362=1


    Thursday, June 23, 2016 8:14 PM
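
Added example, not part of the thread or any poster's code: a pre-flight check for the situation described in the reply above, run on the WAP server before changing the SSL certificate. The `CN=ADFS ProxyTrust` subject filter and the `-Thumbprint` script parameter are assumptions of this sketch.

```powershell
# Added example; not from the thread. Run in an elevated session on the WAP server.
param(
    [Parameter(Mandatory)] [string] $Thumbprint   # thumbprint of the SSL certificate to switch to
)

# Thumbprints pasted from the certificate MMC often carry spaces or an invisible
# leading character, so keep the hex digits only.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($clean.Length) digits."
}

# 1. The SSL certificate must be in the machine store, have its private key, and be in date.
$now = Get-Date
$ssl = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean
if (-not $ssl)               { throw "No certificate $clean in Cert:\LocalMachine\My." }
if (-not $ssl.HasPrivateKey) { throw "Certificate $clean has no private key on this server." }
if ($now -lt $ssl.NotBefore -or $now -gt $ssl.NotAfter) {
    throw "Certificate $clean is outside its validity period ($($ssl.NotBefore) to $($ssl.NotAfter))."
}

# 2. The proxy trust certificate issued at install time must still be usable.
#    Assumption: it sits in the same store with a subject starting "CN=ADFS ProxyTrust".
$trust = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $trust -or -not $trust.HasPrivateKey -or $now -gt $trust.NotAfter) {
    Write-Warning ("Proxy trust certificate is missing, has no private key, or has expired. " +
                   "Per the reply above, re-establish the trust (re-run the wizard or " +
                   "Install-WebApplicationProxy) before changing the SSL certificate.")
    return
}
Write-Host "Proxy trust certificate $($trust.Thumbprint) is valid until $($trust.NotAfter)."

# 3. Only now change the SSL certificate.
Set-WebApplicationProxySslCertificate -Thumbprint $clean
```
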
  • Thanks, I have not actually tested the cmdlet since I removed and re-added the role.

    So I have not been able to verify if it is indeed still broken or not. When I need to change the cert in my test enviro I'll report back my findings.

    I am currently taking a little step back from this project as AD FS and becoming claims aware is a bigger task than I had first thought... it's pretty daunting when you've never set up or worked with AD FS before.

    Thursday, June 23, 2016 8:59 PM