ADFS 4.0 and WAP

  • Question

    1. I imported the ADFS certificate with private key to the newly built WAP server already.  
    2. When I tried to configure the WAP using the wizard, providing the local admin account and the federation service DNS name (e.g. fs.domain.local), I kept getting this error (event ID 276 on the ADFS server): "The federation server proxy was not able to authenticate to the Federation Service."
    3. I wonder if the certificate I use is correct. It is the same certificate I imported to the Exchange server, which is the application I put behind the ADFS farm. Should I use the CommunicationService cert from the ADFS Management Console, or the Token-Signing cert from the ADFS Management Console? I see the CommunicationService cert is the same one I can export using MMC.
    4. I can ping the ADFS DNS name of the federation service (e.g. fs.domain.local) fine from the WAP server. The certificate is self-signed and all the components are internal only.
    5. Do I need to enable DeviceRegistration in the ADFS Console in order to have WAP work with the ADFS server?
    6. I also wonder why, in the ADFS event log, event ID 276 doesn't show any certificate details, only the headers, and the values are <null>:

    The federation server proxy was not able to authenticate to the Federation Service. 
    
    User Action 
    Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet. 
    
    Additional Data 
    
    Certificate details: 
    
    Subject Name: 
    <null> 
    
    Thumbprint: 
    <null> 
    
    NotBefore Time: 
    <null> 
    
    NotAfter Time: 
    <null> 
    
    Client endpoint: 
    <wap server IP>


    • Edited by ve con Thursday, February 21, 2019 1:28 AM
    Thursday, February 21, 2019 1:20 AM

Answers

  • I found the issue:

    My self-signed certificate has multiple CNs; apparently the first CN that shows on the certificate is not the one that the WAP wizard and ADFS server present.

    So I issued this command on the ADFS server and looked for the line "hostname:port" to see the exact fs name to enter in the WAP wizard; apparently it is the 2nd CN name:

    #netsh http show ssl

    Back in the WAP configuration wizard -> entered the 2nd CN name, and the wizard completed successfully.


    • Marked as answer by ve con Thursday, February 21, 2019 5:15 PM
    • Edited by ve con Thursday, February 21, 2019 7:37 PM
    Thursday, February 21, 2019 5:15 PM
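    The answer above boils down to one check: the name you type as the Federation Service name in the WAP wizard has to be the host name AD FS actually binds its SSL certificate to, and with a multi-CN or SAN certificate that is not necessarily the first CN a certificate viewer shows. The script below is an added example, not code from the thread; it is meant to be run on the AD FS server with the AD FS PowerShell module present and compares each SSL binding reported by Get-AdfsSslCertificate with the CN and SAN names of the bound certificate, so the correct federation service name is read off a table instead of guessed from netsh output.

```powershell
# Added example (not from the thread). Run on the AD FS server as an administrator.
# Assumption: the ADFS module is available, as it is on any AD FS 2016 (4.0) server.
# For every SSL binding AD FS owns, look up the bound certificate and report whether
# the binding host name is actually one of the names inside that certificate.

Import-Module ADFS

# One object per binding; HostName is the name AD FS answers to on that port,
# CertificateHash is the thumbprint of the certificate bound to it.
$bindings = Get-AdfsSslCertificate

foreach ($b in $bindings) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $b.CertificateHash }

    if (-not $cert) {
        Write-Warning ("Binding {0}:{1} references thumbprint {2}, which is not in LocalMachine\My" -f
            $b.HostName, $b.PortNumber, $b.CertificateHash)
        continue
    }

    # DnsNameList is a PowerShell-added property on X509Certificate2: it flattens
    # every SAN dNSName entry plus the CN(s) from the subject into one list, which is
    # exactly what you need when the subject carries more than one CN.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    [pscustomobject]@{
        BindingHost   = $b.HostName          # this is the value to enter in the WAP wizard
        Port          = $b.PortNumber
        Thumbprint    = $cert.Thumbprint     # must match the cert imported on the WAP server
        Subject       = $cert.Subject        # shows all CNs in DN order
        CertNames     = ($names -join ', ')
        BindingInCert = ($names -contains $b.HostName)
        NotAfter      = $cert.NotAfter
    }
}
```

    Any row with BindingInCert set to False means AD FS is presenting a certificate that does not cover the name it is bound to, which is the same mismatch the netsh output in the answer exposes. Once the right BindingHost is known, the proxy side can be established without the wizard with Install-WebApplicationProxy -FederationServiceName <BindingHost> -CertificateThumbprint <Thumbprint> -FederationServiceTrustCredential (Get-Credential), which is also the cmdlet the event 276 User Action text points to for re-establishing trust.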

All replies

  • Actually, even though the WAP configuration wizard is successful, from the ADFS server I am still seeing this event ID 276.
    Thursday, February 21, 2019 5:38 PM