Install-WebApplicationProxy: Error creating proxy trust

  • Question

  • Hi,

    I am trying to re-establish the proxy trust with an ADFS farm (consisting of two servers) and am running into the "[Install-WebApplicationProxy], ProxyTrustException" error.

    There is no log on the ADFS server, only two messages in the WAP debug log:

    1. Error Id = 12
      Exception: Fehler beim Erstellen des Proxyvertrauenszertifikats.
      StackTrace:    bei Microsoft.IdentityServer.Management.Proxy.Providers.ProxyTrustProvider.CreateTrustCertificate(StoreLocation location, Boolean setAclsForNetworkService)
         bei Microsoft.IdentityServer.Management.Proxy.Tasks.ConfigureProxyTrustCertificateTask.DoExecution(IDeploymentContext context, IProgressReporter progressReporter)
         bei Microsoft.IdentityServer.Deployment.Core.Tasks.ConfigurationTaskBase.Execute(IDeploymentContext context, IProgressReporter progressReporter)
      Exception: Dem Prozess fehlt die für diesen Vorgang erforderliche "SeSecurityPrivilege"-Berechtigung.
      StackTrace:    bei System.Security.AccessControl.Privilege.ToggleState(Boolean enable)
         bei System.Security.Cryptography.Utils.GetKeySetSecurityInfo(SafeProvHandle hProv, AccessControlSections accessControlSections)
         bei System.Security.Cryptography.CspKeyContainerInfo.get_CryptoKeySecurity()
         bei Microsoft.IdentityServer.Management.Proxy.Providers.ProxyTrustProvider.GrantServiceAccessToPrivateKey(X509Certificate2 trustCertificate)
         bei Microsoft.IdentityServer.Management.Proxy.Providers.ProxyTrustProvider.CreateTrustCertificate(StoreLocation location, Boolean setAclsForNetworkService)
    2. Error Id = 12
      Error: Exception: Fehler beim Erstellen des Proxyvertrauenszertifikats.
      StackTrace:    bei Microsoft.IdentityServer.Management.Proxy.Providers.ProxyTrustProvider.CreateTrustCertificate(StoreLocation location, Boolean setAclsForNetworkService)
         bei Microsoft.IdentityServer.Management.Proxy.Tasks.ConfigureProxyTrustCertificateTask.DoExecution(IDeploymentContext context, IProgressReporter progressReporter)
         bei Microsoft.IdentityServer.Deployment.Core.Tasks.ConfigurationTaskBase.Execute(IDeploymentContext context, IProgressReporter progressReporter)
      Exception: Dem Prozess fehlt die für diesen Vorgang erforderliche "SeSecurityPrivilege"-Berechtigung.
      StackTrace:    bei System.Security.AccessControl.Privilege.ToggleState(Boolean enable)
         bei System.Security.Cryptography.Utils.GetKeySetSecurityInfo(SafeProvHandle hProv, AccessControlSections accessControlSections)
         bei System.Security.Cryptography.CspKeyContainerInfo.get_CryptoKeySecurity()
         bei Microsoft.IdentityServer.Management.Proxy.Providers.ProxyTrustProvider.GrantServiceAccessToPrivateKey(X509Certificate2 trustCertificate)
         bei Microsoft.IdentityServer.Management.Proxy.Providers.ProxyTrustProvider.CreateTrustCertificate(StoreLocation location, Boolean setAclsForNetworkService)

    This does not seem to be the typical network layout or certificate trust problem, as the message does not change even if I set up a bogus IP for the ADFS server.

    Final Note: This all worked perfectly before; a couple of weeks ago the proxy trust certificates were not properly renewed.

    Best regards,

    Christian


    Monday, January 7, 2019 3:11 PM

Answers

  • Sometimes it is funny how writing a post can bring one down to the root ... As it appears to be solved, the following thing had to be done:

    Grant the Admin the Manage auditing and security log privilege.

    Still a bit odd to me, as the organization's admins should be members of the local administrators group on that system and have full access. Plus the fact it did work properly in the first place. Anyway, leaving this here for others to find.

    • Marked as answer by Christian_Pei Monday, January 7, 2019 4:23 PM
    Monday, January 7, 2019 4:22 PM
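The stack trace in the question shows where the privilege matters: CspKeyContainerInfo.CryptoKeySecurity reads the trust certificate's key container security descriptor, and reading the audit (SACL) section of any security descriptor requires SeSecurityPrivilege, which is exactly the "Manage auditing and security log" user right named in the answer. The script below is an added example (not part of the original thread) that checks, on the WAP server, whether the account running Install-WebApplicationProxy actually holds that privilege in its current token and which principals the effective local security policy assigns it to. It uses only built-in tools (whoami, secedit); the temporary export file name is an assumption of this example.

```powershell
# Added example: verify SeSecurityPrivilege before re-running Install-WebApplicationProxy.
# Run from an elevated PowerShell console on the Web Application Proxy server.

# 1. Is the privilege in the *current* token?
#    'whoami /priv' lists held privileges with state Enabled/Disabled; a privilege that is
#    not listed at all is not held by this logon session (a policy change only takes effect
#    after logging off and on again, and an un-elevated console has a UAC-filtered token).
$privLine = whoami /priv | Where-Object { $_ -match '^SeSecurityPrivilege' }
if ($privLine) {
    Write-Output "Current token holds it: $privLine"
} else {
    Write-Warning "SeSecurityPrivilege is NOT in the current token. Check the policy assignment below, then log off/on and use an elevated console."
}

# 2. Who does the effective local policy grant 'Manage auditing and security log' to?
#    secedit exports user-rights assignments as lines like
#    'SeSecurityPrivilege = *S-1-5-32-544' (SIDs are prefixed with '*').
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'   # assumed temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$assignment = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $assignment) {
    Write-Warning "SeSecurityPrivilege is assigned to nobody in the effective policy."
} else {
    $entries = ($assignment -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # SID form: resolve to a friendly name where possible
            $sid = $entry.TrimStart('*')
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
            Write-Output "Policy grants SeSecurityPrivilege to: $name ($sid)"
        } else {
            Write-Output "Policy grants SeSecurityPrivilege to: $entry"
        }
    }
    # Default on a member server is BUILTIN\Administrators (S-1-5-32-544). If that SID is
    # missing, a domain GPO that defines this user right has most likely replaced the local
    # assignment (user rights from GPOs are not merged with local settings), which would
    # also explain a setup that "worked before" suddenly failing.
    if ($assignment -notmatch 'S-1-5-32-544') {
        Write-Warning "BUILTIN\Administrators is not in the assignment; check Group Policy (gpresult /h report.html) for a GPO setting 'Manage auditing and security log'."
    }
}
```

If the second check shows the right assigned but the first check still fails, the logon session simply predates the change: log off and back on (or reboot) so the new token carries the privilege, then re-run Install-WebApplicationProxy from an elevated console.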