Federation Utility : Metadata Access - The underlying connection was closed RRS feed

  • Question

  • Hello guys,

    I am trying to set up the WindowsIdentityFoundation-SDK-4.0 to perform some tests with our ADFS but I face an issue when I run the Federation Utility. First of all, here are the machines involved :

    ADFS Server : Single node on Windows 2012 R2, ADFS 3.0, Certificates from our internal PKI

    Web server : Windows 2008R2, IIS 6.1 SP1

    When I run the Federation Utility on the web server, I provide the web.config path and the URI on the first page, then on the next page I am invited to chose a STS, I select the radio button "Use an existing STS" and provide the path https://adfs.xxx.yy and hit "Test location", I end up with a message which says that the connection was closed and an event is created in the event viewer (see screenshot here and event below).

    When I try to access the URL https://adfs.xxx.yy/FederationMetadata/2007-06/FederationMetadata.xml with IE everything is fine, the XML displays and I have no complains regarding the certificates and the CRL is accessible.

    When I run a Wireshark, I can see a connection reset on both ADFS and Web server.

    I already searched a bit but did not find anything special, does someone have an idea ?

    Thanks a lot !

    Event created from eventvwr :

    An exception occurred in the Federation Utility.


    System.InvalidOperationException: ID1089: Error reading the WS-Federation metadata document.

    Address https://adfs.xxx.yy generated error The underlying connection was closed: An unexpected error occurred on a send..

    Address https://adfs.xxx.yy/FederationMetadata/2007-06/FederationMetadata.xml generated error The underlying connection was closed: An unexpected error occurred on a send..


    Stack trace:

       at Microsoft.IdentityModel.Tools.FedUtil.DiagnosticUtil.ExceptionUtil.ThrowHelper(Exception exception, TraceEventType eventType)

       at Microsoft.IdentityModel.Tools.FedUtil.DiagnosticUtil.ExceptionUtil.ThrowHelperInvalidOperation(String message)

       at Microsoft.IdentityModel.Tools.FedUtil.FederationUtilityForm.ValidateAndUpdateMetadataLocation(String metadataUriString)

       at Microsoft.IdentityModel.Tools.FedUtil.StsConfigurationControl.TestStsUrlButton_Click(Object sender, EventArgs e)

       at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)

       at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)

       at System.Windows.Forms.Control.WndProc(Message& m)

       at System.Windows.Forms.ButtonBase.WndProc(Message& m)

       at System.Windows.Forms.Button.WndProc(Message& m)

       at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

       at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)

       at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)

       at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)

       at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)

       at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)

       at FedUtil.Program.Main(String[] args)


    Monday, March 27, 2017 8:30 AM


  • It turns out the Federation Utility tool performs a "Client Hello" over TLS 1.0  and the ADFS server was configured to only accept TLS 1.2.

    Hope this help other people :)

    • Marked as answer by -Jordan- Monday, March 27, 2017 1:41 PM
    Monday, March 27, 2017 1:41 PM