ADFS, ADFS Proxy and WAP 2012 R2

  • Question

  • I am trying to add a 2012 R2 WAP server to an existing 2012 R2 ADFS cluster. I get the following error - on the ADFS server when trying to join -

    "The Federation server proxy was not able to authenticate to the federation service."

    I get the following error on the WAP server when trying to run the WAP wizard -

    "unable to retrieve proxy configuration data from the federation server."

    I am able to get to the ADFS XML web page from the WAP server.

    The correct Cert is installed on the WAP server.

    I tried to verify the ADFS proxy configuration via FspConfigWizard.exe and was unable to find this file on either of my servers.

    I fear I missed installing the ADFS proxy service on the ADFS servers in my cluster. Does that sound right?

    Thank you!


    • Edited by RJEH Friday, April 25, 2014 5:36 PM
    Friday, April 25, 2014 5:32 PM

Answers

  • Hi Everyone,

    I called MS for help. They found I had bound the SSL cert to the ADFS clustered IP. We changed this binding from cluster IP to all unassigned. Once this was done all the 422 event IDs on the WAP server and all 276 event IDs on the ADFS server were gone.

    Thank you to all who helped with this error.

    R

    • Marked as answer by RJEH Monday, May 12, 2014 2:43 PM
    Monday, May 12, 2014 2:42 PM

All replies

  • Hi,
    In general, FspConfigWizard.exe is in the folder where AD FS was installed. Please make sure that the Federation Server Proxy option is selected for server role during AD FS 2.0 setup. If the Federation Server option is selected, the federation server proxy configuration will not be available.
    Besides, the event ID 276 is due to the federation server proxy not being trusted by the Federation Service. Please log on to the federation server proxy computer and establish a trust between the proxy and the Federation Service by using the AD FS 2.0 Proxy Configuration Wizard. In addition, the error that the federation server proxy was not able to retrieve configuration data from the Federation Service is usually due to network connectivity.
    Please refer to the links below:
    Troubleshooting federation server proxy problems with AD FS 2.0
    Things to Check Before Troubleshooting AD FS 2.0
    Configure a New Federation Server Proxy
    Best regards,
    Susie


    Monday, April 28, 2014 8:15 AM
    Moderator
  • @Susie

    This is for ADFS 3.0 not ADFS 2.0. Things have changed a bit between those two versions.

    @RJEH

    From your new WAP server are you able to reach the Metadata xml of your existing cluster? - It might be a mismatch between internal and external DNS resolution.

    WAP is an ADFS proxy. The proxy is not a required ADFS role.

    Monday, April 28, 2014 8:24 AM
  • Both are currently internal on the same net for setup and lab testing. I can ping and resolve names from the server and a workstation.

    I have the server DNS listed in both forward lookup zones .com and .local. When I ping from the workstation the .local address resolves. The cert I have for the machine is for the .com. Could this be the problem?

    Getting event ID 422 on the WAP server and event id 276 on the ADFS server.

    Do I have to set up a trust between the two first? All I have done is export the SSL cert from ADFS then import it into the local computer personal store and the local logged on user personal store.

    Newb to ADFS and WAP.

    Thank you




    • Edited by RJEH Monday, April 28, 2014 6:47 PM
    Monday, April 28, 2014 1:51 PM
  • Hiya,

    Here are a few things that spring to mind:

    1: Depending on which type of authentication you want to perform, your WAP might need to be in the domain.

    2: You need to be sure that the URL you're accessing ADFS on has a valid certificate and that all involved servers trust this certificate.

    Saturday, May 3, 2014 10:18 AM
  • 1. At this point we just want to use pass through. Our plan is to use WAP to replace our existing reverse proxy server.

    1. I tried both in and out of the domain.

    2. The cert is from a third party and they are listed in the trusted root cert auth list.

    I have Symantec Endpoint Protection 12.1 on all the servers. I did disable the FW on all the servers to verify that was not the problem.

    Still nothing has resolved it. I will keep TS.

    I found this post -

    http://social.msdn.microsoft.com/Forums/vstudio/en-US/3deed1e2-5c55-4a00-806b-6777b664f777/2012r2-ad-fs-wap-proxy-problem?forum=Geneva

    It helped me with a sign in sign out problem I was having. After clicking sign in on the ADFS page you were redirected to a page cannot be displayed. Once I applied the cert correctly to both ADFS servers in the cluster I no longer received the page cannot be displayed.

    Please send me any other ideas if they come to mind

    Thanks for your help!

    Ray


    • Edited by RJEH Monday, May 5, 2014 4:00 PM
    Monday, May 5, 2014 2:01 PM
  • I rebuilt the ADFS /WAP infrastructure.

    2 2012 R2 ADFS servers clustered and operational per the tests.

    2 2012 R2 WAP servers clustered. I was able to install one of the WAP servers into ADFS. The other did not work. I keep getting event ID 276.

    Since this is a cluster do I have to do a similar process (like the ADFS cluster) of exporting the cert from the joined server and importing it into the secondary server, and then the cluster should work?

    Ray


    • Edited by RJEH Wednesday, May 7, 2014 2:09 PM
    Wednesday, May 7, 2014 1:20 PM
  • Thanks for updating! :)
    Monday, May 12, 2014 7:28 PM
  • I am running into a similar issue. Do you have any details on what was actually done? Are you using any LB for certs?

    Thanks,

    Monday, August 18, 2014 6:46 PM
  • http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx

    Has very good information to investigate and resolve this issue.

    Saturday, January 31, 2015 11:46 PM
  • IIS is not even installed with ADFS 3.0, how did you change the binding?
    Thursday, December 17, 2015 10:29 PM
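
An added example, not posted by anyone in this thread, covering both the accepted answer (the SSL certificate bound to the cluster IP instead of "all unassigned") and the last question (how the binding is changed when AD FS 3.0 has no IIS). On Windows Server 2012 R2 AD FS runs directly on HTTP.SYS, so the certificate bindings live in the kernel HTTP listener and are viewed with `netsh http show sslcert`. The script below parses that command's output into objects and flags any binding tied to a specific IP on the federation port rather than 0.0.0.0, which is the condition the accepted answer describes. The `netsh` text fed to it here is constructed sample output; the IP address, thumbprint and application ID in it are placeholders, not values from the thread.

```powershell
# Added example (not from the thread): audit HTTP.SYS SSL bindings on an
# AD FS 2012 R2 server and flag certificate bindings tied to a specific IP.
# Assumed: run in an elevated PowerShell session on the AD FS server.

function ConvertFrom-NetshSslCert {
    # Parse the text of 'netsh http show sslcert' into one object per binding.
    # Each binding block starts with an "IP:port" or "Hostname:port" line and
    # is followed by "Key : Value" lines (Certificate Hash, Application ID, ...).
    param([Parameter(Mandatory)][string[]]$Lines)
    $bindings = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2] }
        } elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current) { $bindings += $current }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

function Test-AdfsSslBinding {
    # Hostname-based bindings are what AD FS 2012 R2 normally creates and are
    # left alone; an IP-based binding is only acceptable on the wildcard
    # address (0.0.0.0 or [::]), i.e. "all unassigned".
    param([Parameter(Mandatory)][object[]]$Bindings)
    foreach ($b in $Bindings) {
        if ($b.Kind -ne 'IP:port') { continue }
        $ip, $port = $b.Endpoint -split ':(?=\d+$)'
        $status = if ($ip -in @('0.0.0.0', '[::]')) { 'OK' }
                  else { 'Bound to a specific IP - proxy trust may fail' }
        [pscustomobject]@{
            Endpoint   = $b.Endpoint
            Port       = $port
            Thumbprint = $b.'Certificate Hash'
            AppId      = $b.'Application ID'
            Status     = $status
        }
    }
}

# Constructed sample output. On a real server replace this with:
#   $raw = netsh http show sslcert
$raw = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 192.0.2.10:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY

    Hostname:port                : sts.example.com:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
'@ -split "`r?`n"

$findings = Test-AdfsSslBinding -Bindings (ConvertFrom-NetshSslCert -Lines $raw)
$findings | Format-Table -AutoSize

# Print (do not run) the netsh commands that would move a problem binding to
# 0.0.0.0 with the same certificate and application ID, so the administrator
# can review them before changing the listener.
foreach ($f in $findings | Where-Object Status -ne 'OK') {
    "netsh http delete sslcert ipport=$($f.Endpoint)"
    "netsh http add sslcert ipport=0.0.0.0:$($f.Port) certhash=$($f.Thumbprint) appid=$($f.AppId)"
}
```

With the sample input the first binding is reported as bound to 192.0.2.10 and the script prints the delete/add pair for it; the hostname binding passes. On 2012 R2 the supported way to have AD FS recreate its own bindings is `Set-AdfsSslCertificate -Thumbprint <thumbprint>` on each federation server (and `Get-AdfsSslCertificate` to list what AD FS thinks it owns), which is usually preferable to editing HTTP.SYS by hand; the `netsh` commands above are shown because they map directly onto the binding change the accepted answer describes.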