Web Application Proxy could not connect to the ADFS configuration storage......

  • Question

  • Hi All

    Please if you could help

    Currently setting up a Web Application Proxy to publish our CRM externally. The WAP is a non-domain-joined server in our DMZ, and we have only allowed ports 80 and 443 inbound/outbound from the WAP to the internal ADFS 3.0 server, which is a domain-joined server and a member of our AD domain.

    I had to create a local DNS entry for our ADFS server (sts1.orgname.com) in the hosts file on our WAP server, and was then able to configure the WAP role successfully and publish applications.

    I get the event ID 245 to prove this is the case:

    "The federation server proxy successfully retrieved its configuration from the Federation Service 'sts1.orgname.com'."

    However, to publish CRM successfully externally some additional steps need to be completed regarding disabling URL translation, and to perform this piece I need to open up PowerShell and run the Get-WebApplicationProxyApplication cmdlet. I run the same command as shown in this document:

    Get-WebApplicationProxyApplication Name* | Format-List (replacing Name* with the name of our own organization's published app).

    https://blogs.technet.microsoft.com/dynamicspts/2014/10/01/using-web-application-proxy-to-publish-dynamics-crm-2013-to-the-internet/

    However, for some reason PowerShell doesn't recognize that command at all and I get the following error message:

    Get-WebApplicationProxyApplication : Web Application Proxy could not connect to the AD FS configuration storage and
    could not load the configuration. Make sure that the Web Application Proxy server can connect to the AD FS server, and
    if not, run the Install-WebApplicationProxy command.
    (0x80075213)

    Now, when I configured the WAP role I created a local user on the internal ADFS server and put this user in the 'Administrators' group of that server. I used this account to perform the initial authentication in the WAP configuration wizard, where it asks to enter the credentials of a local administrator account on the federation server.

    Would this account be sufficient, or would I need to create a domain account in our AD, add this user to the local Administrators group on the ADFS server, and then use that account to configure WAP?

    Any help on this would be most appreciated.

    Wednesday, February 24, 2016 9:03 AM

Answers

  • So to run the following command:

    Install-WebApplicationProxy

    you need to specify an account which is a member of the local Administrators group of your primary ADFS server. Why? Because we need to modify the configuration to add the proxy.

    Yes, you can use different certificates; it works. From: https://technet.microsoft.com/en-US/library/dn554247.aspx#BKMK_1

    "It is strongly recommended to use the same SSL certificate for the Web Application Proxy. This is however required to be the same when supporting Windows Integrated Authentication endpoints through the Web Application Proxy and when Extended Protection Authentication is turned on (default setting)."

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, March 8, 2016 10:02 PM

All replies

  • To add to this: we originally set up the internal ADFS server using a SAN certificate which has a Subject Alternative Name of sts1.orgname.com. However, on the Web Application Proxy we are using a wildcard certificate for our *.orgname.com.

    Originally I used a SAN cert on this server too, but then realized we would have to create many more Subject Alternative Names on the SAN cert, so to avoid this we used the wildcard.

    Is this configuration supported? Can I use a SAN cert and a wildcard cert on the two different ADFS servers?

    Wednesday, February 24, 2016 10:34 AM
  • I ran into this same issue last week as I tried to implement WAP for our CRM. Exact same error message. I resolved it by using an "ENTERPRISE ADMINS" account. I was doing the same thing you were, using the local Administrator account from the AD FS machine, because almost all of the guides out there say that's what you're supposed to use. Well, it doesn't work. After making sure my admin account was in the 'ENTERPRISE Admins' group of the target domain, I reconfigured the WAP role with my credentials and this error, as well as an SSL error about binding, went away.

    Also, we are using a wildcard cert like you want to, and it seems to work just fine, so I wouldn't think you would have a problem.

    Make sure you set this wildcard cert as the 'Service communications' cert from the AD FS console on the AD FS server before you try to establish the trust between the AD FS server and the proxy.

    What no one tells you about doing this, however, is that not only do you need to set it in the console, but you also have to run this PowerShell command: Set-AdfsSslCertificate -Thumbprint 00112233445566778899aabbccddeeff00112233 (obviously the value after 'Thumbprint' is the thumbprint of your wildcard cert, which you can find by looking at the properties of the installed cert).

    AND! You have to restart the AD FS server, or at least the service, before it will work!

    I hope this helps you, I spent all last week slowly putting these pieces together.

    • Proposed as answer by Securus777 Tuesday, March 8, 2016 9:15 PM
    Monday, March 7, 2016 7:32 PM
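The two replies above describe the same procedure from both ends: on the AD FS side, make the wildcard certificate the Service Communications certificate, rebind it with Set-AdfsSslCertificate and restart the service; on the WAP side, confirm the 443-only path works and re-run the proxy trust with an account that has the rights the thread argues about. The script below is an added example, not code posted by anyone in this thread and not a Microsoft script. It assumes the names from the thread (federation service sts1.orgname.com, a wildcard certificate for *.orgname.com installed with its private key in the machine store of both servers, WAP reaching AD FS only on TCP 443); the thumbprint is resolved from the store rather than typed in, and the credential is whatever account you end up using, passed in via Get-Credential. Part 1 runs on the AD FS server, Part 2 on the WAP server.

```powershell
# Added example, not from any post in this thread and not Microsoft's own script.
# Assumed from the thread: AD FS at sts1.orgname.com, wildcard cert for *.orgname.com
# in Cert:\LocalMachine\My on both servers, WAP -> AD FS allowed on TCP 443 only.

# ---------- Part 1: run elevated on the AD FS server ----------

function Get-WildcardCertThumbprint {
    param([string]$Subject = 'CN=*.orgname.com')   # assumed wildcard subject
    # AD FS only binds certificates from the machine store that carry a private key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "$Subject*" } |
        Sort-Object NotAfter -Descending |     # newest cert wins if one was renewed
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for '$Subject' in LocalMachine\My" }
    return $cert.Thumbprint
}

function Set-AdfsWildcardCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Step 1: what the AD FS console does when you pick the Service Communications cert.
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
    # Step 2: the step the console does not do: rebind the SSL listener (HTTP.sys).
    Set-AdfsSslCertificate -Thumbprint $Thumbprint
    # Step 3: the listener only picks up the new binding after a service restart.
    Restart-Service -Name adfssrv
    # Verify both views agree before the proxy tries to establish its trust.
    $svc = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
    $bad = Get-AdfsSslCertificate | Where-Object CertificateHash -ne $Thumbprint
    if ($svc -ne $Thumbprint -or $bad) {
        throw "Mismatch: Service-Communications=$svc, SSL bindings not on $Thumbprint: $($bad.HostName -join ', ')"
    }
    Write-Host "AD FS presents $Thumbprint on Service Communications and every SSL binding"
}

# ---------- Part 2: run elevated on the WAP server ----------

function Test-WapToAdfsPath {
    param([string]$FederationServiceName = 'sts1.orgname.com')
    # The question resolves AD FS through the hosts file; show what the name really resolves to.
    $hostsEntry = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Select-String -Pattern $FederationServiceName
    if (-not $hostsEntry) { Write-Warning "No hosts entry for $FederationServiceName; relying on DNS" }
    $addrs = [System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object IPAddressToString
    Write-Host "$FederationServiceName resolves to $($addrs -join ', ')"

    # Only 443 is needed for the trust; this matches the firewall rule described in the question.
    $tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443
    if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $FederationServiceName is blocked" }

    # Fetch the federation metadata over TLS: a name/certificate mismatch fails here, not later.
    $url  = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    if ($resp.StatusCode -ne 200) { throw "Metadata request returned HTTP $($resp.StatusCode)" }
    Write-Host "TLS to $FederationServiceName OK; metadata is $($resp.RawContentLength) bytes"
}

function Invoke-WapTrustSetup {
    param(
        [string]$FederationServiceName = 'sts1.orgname.com',
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        [Parameter(Mandatory)][pscredential]$TrustCredential   # the account the thread settles on
    )
    # Re-run the trust. The credential is used once to register the proxy; the WAP keeps a
    # proxy trust certificate from AD FS, not the password, for all later configuration reads.
    Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
        -CertificateThumbprint $CertificateThumbprint `
        -FederationServiceTrustCredential $TrustCredential
    # The cmdlet that failed in the question; it only works once the trust above exists.
    Get-WebApplicationProxyApplication |
        Format-List Name, ExternalUrl, BackendServerUrl, DisableTranslateUrlInRequestHeaders, DisableTranslateUrlInResponseHeaders
}

# Usage, AD FS server:  Set-AdfsWildcardCertificate -Thumbprint (Get-WildcardCertThumbprint)
# Usage, WAP server:    Test-WapToAdfsPath
#                       Invoke-WapTrustSetup -CertificateThumbprint (Get-WildcardCertThumbprint) -TrustCredential (Get-Credential)
```

Run Part 1 first and let its final check pass before touching the WAP: if Get-AdfsSslCertificate still lists the old SAN certificate on any binding, the proxy trust will be negotiated against a certificate the WAP does not present, which is the "SSL error about binding" mentioned above. Test-WapToAdfsPath is deliberately read-only, so it is safe to run repeatedly while you work out which account Install-WebApplicationProxy accepts in your environment.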