Best practice for removing a WAP server from an ADFS environment?

  • Question

    1. I have so many issues with the WAP server after establishing trust with ADFS.
    2. So, I want to start over again. What is the best way to do that besides just uninstalling the WAP feature on the WAP server? I want as clean a rebuild and re-establishment of trust as possible to the same ADFS server from the same to-be-WAP server.
    3. Things I want to completely clean out as well when I remove the WAP server are those Proxy Trust certs (so many of them from one WAP server).

    Thanks!

    Thursday, February 21, 2019 10:50 PM
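    The question above is about the leftover Proxy Trust certificates that failed WAP configuration runs leave in the WAP's Personal store and in the ADFS server's ADFSTrustedDevices store. The following is an added example, not code from the thread or from Microsoft: it inventories those certificates on either host and, only when asked, removes every one except the thumbprint you name. It assumes the proxy trust certificates carry a subject of the form "CN=ADFS ProxyTrust - <WAP host name>" and that you run it elevated; re-running the WAP configuration wizard (Install-WebApplicationProxy) afterwards re-creates a single fresh trust.

```powershell
# Added example (not from the thread): inventory AD FS proxy trust certificates
# on a WAP or AD FS server and optionally prune the stale ones.
# Assumptions: subject pattern "CN=ADFS ProxyTrust - <host>"; elevated session;
# -KeepThumbprint is the thumbprint of the trust that currently works (not one
# that event 224 reports as 'Unauthorized').
param(
    [ValidateSet('WAP', 'ADFS')] [string] $Role = 'WAP',
    [string] $KeepThumbprint = '',
    [switch] $Remove
)

# WAP keeps its copy in the machine Personal store; AD FS keeps the proxies'
# public certificates in the ADFSTrustedDevices store (both named in the thread).
$storePath = if ($Role -eq 'WAP') {
    'Cert:\LocalMachine\My'
} else {
    'Cert:\LocalMachine\ADFSTrustedDevices'
}

$trustCerts = @(Get-ChildItem -Path $storePath |
    Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust - *' } |
    Sort-Object NotBefore)

if ($trustCerts.Count -eq 0) {
    Write-Host "No proxy trust certificates found in $storePath"
    return
}

# Show everything first so the operator can see which thumbprint is current.
$trustCerts | Format-Table Subject, Thumbprint, NotBefore, NotAfter -AutoSize

$keep  = $KeepThumbprint.ToUpper()
$stale = @($trustCerts | Where-Object { $_.Thumbprint -ne $keep })
Write-Host ("{0} proxy trust cert(s) found, {1} not matching the kept thumbprint." -f
    $trustCerts.Count, $stale.Count)

if ($Remove) {
    if (-not $KeepThumbprint) {
        throw 'Refusing to remove: pass -KeepThumbprint so the live trust survives.'
    }
    # Remove only the leftovers; the kept certificate stays so the trust is not broken.
    $stale | ForEach-Object { Remove-Item -Path $_.PSPath -Verbose }
}
```

Run it once on each server with the same `-KeepThumbprint`; a thumbprint present on the WAP but absent from the ADFS ADFSTrustedDevices store is exactly the mismatch that produces the 401 errors quoted later in the thread.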

All replies

  • Hello

    What are the issues you faced with the WAP servers? I think if you don't address the issue, removing and re-adding the WAP might not make a difference. Apart from rebuilding the server, the best option is to remove the feature and then reinstall it again.

    Maybe we can assist; can you look into the event log of the WAP and post the errors?


    Isaac Oben MCITP:EA, MCSE, MCC

    Friday, February 22, 2019 6:32 AM
  • Hi Isaac,

    Thanks so much for your reply. Please bear with me on my description of the problems.

    1. At first, when I tried to configure the WAP, it kept failing with event ID 276, "the federation server proxy was not able to authenticate to the federation service". Every time it failed like that, it created a Proxy Trust certificate in the Certificates/Personal store on the WAP server and also on the ADFS server under "ADFSTrustedDevices/Certificates". After so many retries, I figured out how to solve it and successfully completed the WAP configuration wizard. But there are now so many Proxy Trust certs added to those stores.
    2. I was then able to publish my OWA site with the Remote Access Management Console. I am able to go to my OWA page and log in OK. However, I was still seeing this error, event ID 224, on the WAP, and I thought it is the "extra" Proxy Trust cert (as there are many added):

    The federation server proxy configuration could not be updated with the latest configuration on the federation service. 

    Additional Data 
    Error:  
    Retrieval of proxy configuration data from the Federation Server using trust certificate with thumbprint 'BE7D410336AB9C963B0A11E2400C9941758ECE41' failed with status code 'Unauthorized'. The remote server returned an error: (401) Unauthorized.
    3. I found the Proxy Trust cert with that thumbprint and deleted it off the WAP; then I ran into the issue that the published OWA doesn't show up in the Remote Access Management Console (RAMC) at all, with this error in the event log:

    The federation server proxy configuration could not be updated with the latest configuration on the federation service. 

    Additional Data 
    Error:  
    Value cannot be null.
    Parameter name: proxyTrustCertificate

    4. I changed the registry key "ProxyConfigurationStatus" = 1 so I could get back to the WAP configuration to re-establish the trust with the ADFS server. I was able to complete the wizard successfully last night. Still seeing my published web application OWA OK. But this morning, I still see these error events at the same time:

    event ID 224

    The federation server proxy configuration could not be updated with the latest configuration on the federation service. 

    Additional Data 
    Error:  
    Retrieval of proxy configuration data from the Federation Server using trust certificate with thumbprint '59C79844B1B84B7E8BDC7C6A10894A693AA66150' failed with status code 'Unauthorized'. The remote server returned an error: (401) Unauthorized.

    event ID 394

    The federation server proxy could not renew its trust with the Federation Service.  

    Additional Data 
    Exception details: 
    An error occurred when attempting to establish a trust relationship with the federation service. Error: No client certificate associated with the request was found. 

    User Action 
    Ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard by logging on to the proxy computer.

    Friday, February 22, 2019 4:54 PM
  • As of now, I am still seeing this error on my ADFS server:

    The federation server proxy was not able to authenticate to the Federation Service. 
    
    User Action 
    Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet. 
    
    Additional Data 
    
    Certificate details: 
    
    Subject Name: 
    <null> 
    
    Thumbprint: 
    <null> 
    
    NotBefore Time: 
    <null> 
    
    NotAfter Time: 
    <null> 
    
    Client endpoint: 
    IP.216


    Just want to bring this up: the https://mail.domain.com/owa site uses a wildcard SSL cert, while the ADFS and WAP servers are using the same self-signed SSL cert. Not sure if this may have caused any problem. I am still able to log in to the OWA inbox OK, and it only works and is supposed to work internally.

    Friday, February 22, 2019 5:22 PM
  • Hello,

    Try this:

    Open command prompt as admin and run

    notepad c:\Windows\System32\drivers\etc\hosts

    Edit the hosts file and add

    PrimaryADFSIP   adfsservicename.domain.com

    and save.

    I think the issue here is that your WAP servers are not communicating with the ADFS servers, and this should fix it.

    Hope that helps,


    Isaac Oben MCITP:EA, MCSE, MCC

    Friday, February 22, 2019 6:18 PM
  • Hi Isaac,

    Thanks for replying. I added the hosts entry and it still gives me this error every minute:

    The federation server proxy configuration could not be updated with the latest configuration on the federation service. 
    
    Additional Data 
    Error:  
    Retrieval of proxy configuration data from the Federation Server using trust certificate with thumbprint '59C79844B1B84B7E8BDC7C6A10894A693AA66150' failed with status code 'InternalServerError'. 


    I did a Google search and found this, followed it, and disabled TLS 1.0 + enabled strong authentication for .NET applications. I rebooted the ADFS machine after making the registry changes and still see the same error every minute.

    Friday, February 22, 2019 7:28 PM
  • Try this

    Re-enable TLS 1.0 (delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled) on the ADFS + restart 

    Here is a link with similar issue:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/7b125ab0-e08e-4e7a-9248-3fc832c5e92f/adfs-40-and-wap-on-server-2016-wap-not-communicating-cipher-suite-or-protocol-issue?forum=ADFS


    Isaac Oben MCITP:EA, MCSE, MCC

    Friday, February 22, 2019 7:36 PM
  • That was the guide I found and followed; since Gelfer's post was not marked as a solution, I am not sure.

    This is to disable TLS 1.0:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001

    Gelfer's comment says:

    delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled

    So, I am not sure if he meant to just delete the "Enabled" value (first bullet) and leave the rest?

    Also, according to this, if I disable TLS 1.0 for ADFS, I need to add this key to enable strong authentication for .NET applications, "SchUseStrongCrypto=dword:0000001", and I did. Should I get rid of that too?

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

    Friday, February 22, 2019 8:47 PM
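    The back-and-forth above comes down to whether the WAP and the ADFS server agree on which TLS versions the proxy's .NET client may offer and the federation server still accepts; a mismatch shows up as the 'InternalServerError' / "No client certificate associated with the request" events rather than as an obvious TLS error. The following read-only report is an added example, not from the thread or from Microsoft: run it on both servers and compare the two outputs. It reads the SCHANNEL protocol keys and the two .NET SchUseStrongCrypto values that the linked manage-ssl-protocols article prescribes; the distinction it draws between an absent "Enabled" value and one set to 0 is exactly the question asked above about deleting versus zeroing the value.

```powershell
# Added example (not from the thread): report SCHANNEL protocol state and the
# .NET strong-crypto switch on this host so WAP and AD FS can be compared.
# Read-only; assumes the standard SCHANNEL and .NET Framework 4.x key paths.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotNet   = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')

function Get-RegValueOrDefault([string] $Path, [string] $Name, [string] $Default) {
    # An absent value is not the same as 0: for SCHANNEL, absent means
    # "use the OS default", so deleting Enabled re-enables the protocol.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [string] $item.$Name
}

$report = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $schannel $proto) $side
        [pscustomobject]@{
            Host              = $env:COMPUTERNAME
            Protocol          = $proto
            Side              = $side
            Enabled           = Get-RegValueOrDefault $key 'Enabled' 'absent (OS default)'
            DisabledByDefault = Get-RegValueOrDefault $key 'DisabledByDefault' 'absent (OS default)'
        }
    }
}
$report | Format-Table -AutoSize

# Older .NET 4.x defaults offer only TLS 1.0; SchUseStrongCrypto=1 in BOTH the
# 64-bit and 32-bit framework keys is what lets a .NET client (the WAP proxy
# service is one) also offer TLS 1.1/1.2 when the server side disables TLS 1.0.
foreach ($path in $dotNet) {
    $v = Get-RegValueOrDefault $path 'SchUseStrongCrypto' 'absent'
    Write-Host ("{0}\SchUseStrongCrypto = {1}" -f $path, $v)
}
```

The combination to look for is TLS 1.0 Server disabled on ADFS while the WAP shows SchUseStrongCrypto absent: the proxy then has no protocol in common with the federation service and the trust renewal fails on every one-minute retry.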
  • Let's start by backing up your registry, then delete the above registry entry and see if that helps

    Isaac Oben MCITP:EA, MCSE, MCC

    Saturday, February 23, 2019 8:31 PM