Service not available when trusting WAP with AD FS farm

  • Question

  • Hello,

    Within our organization we have 3 AD FS environments: prod, acceptance and test. All AD FS environments were running 2 2012R2 servers each, and only prod was connected with 2 2012R2 WAPs. We have migrated A and T to 2016 AD FS by adding 2 2016 servers to each farm, removing the old 2012R2 servers and raising the FBL to 2016 level.

    On prod we have added 2 2016 servers, removed the 2 2012 servers, and then our next step was to add the new 2016 WAPs to the AD FS farm. However, when adding the 2016 WAP server we're getting the following error:

    Install-WebApplicationProxy : An error occurred when attempting to establish a trust relationship with the federation service. Error: Service Unavailable

    As a test, we removed 1 of the 2012R2 WAPs to test if 2012R2 can be added to the AD FS prod farm, and the 2012R2 WAP is also giving the error "service unavailable". We have no problems trusting the same 2016 WAPs with AD FS A and T. We have not yet raised the FBL to 3 on prod since we're afraid that our last working 2012R2 WAP will no longer work if the FBL is raised to 3.

    Do you guys know if, after raising the FBL to 3, 2012R2 WAPs will continue to work? Is the "service not found" related to the fact that our FBL is still at 1?

    Best,

    Steven

    Saturday, February 10, 2018 1:31 PM

Answers

  • Hi,

    The issue has been resolved. In our case, the proxy establish trust endpoint was set to disabled in the AD FS configuration. Since we're currently busy migrating to AD FS 2016, our main focus was not on the AD FS config itself.

    It would be really helpful if the WAP would show more details of what's actually going wrong when a trust cannot be established, for instance via a log file or detailed information in the event viewer.

    Best,

    Steven

    • Marked as answer by Steven_1990 Tuesday, February 13, 2018 8:23 PM
    Tuesday, February 13, 2018 8:23 PM

All replies

  • Howdie!

    I've seen this error in a couple of scenarios, if memory serves me right. "Service Unavailable" alludes to a problem with either firewall or Load Balancing configuration where, when new nodes are introduced to the ADFS farm, the Load Balancer and/or firewall don't allow traffic to these nodes.

    Also, I've seen this with a customer who had the farm name (e.g. sts.contoso.com) hard coded to the load balancer's IP in HOSTS and the Load Balancer was network-wise not accessible from the DMZ where the WAP stood. They put the WAPs in a new DMZ zone - again, a firewall issue.

    From that problematic WAP -- can you open the browser and get to https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx ? Of course, replace sts.contoso.com with your farm name.

    Raising the Farm Level to 2016 will not work with 2012R2 WAPs around.

    Thanks,

    Florian


    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. Let's give the thread opener a chance to mark an answer themselves.

    Monday, February 12, 2018 10:25 AM
  • Hi Florian,

    When browsing to idpinitiatedsignon from the WAP, the AD FS page is displayed. The LB is configured with both AD FS servers in the farm. We checked the logs of both the firewall and the LB but don't see any errors.

    Is it required that the Farm Level be raised to 2016 prior to adding 2016 WAPs?

    Best,

    Steven

    Monday, February 12, 2018 11:48 AM
  • In our case the issue was related to the proxy configuration on the IE side on the WAP servers; we just unchecked the proxy in IE and the service became available.
    Tuesday, January 15, 2019 6:15 PM
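The thread names three causes of the "Service Unavailable" trust error: the farm not being reachable from the WAP's DMZ (Florian's check), the proxy trust endpoint being disabled in the AD FS configuration (the accepted answer), and a proxy configured on the WAP itself (the last reply). The script below is an added example, not code from the thread or from Microsoft, that checks all three. It assumes the farm name sts.contoso.com is a placeholder to replace with your own, and that the proxy trust endpoint's address path contains "EstablishTrust" as it does in a typical Get-AdfsEndpoint listing; confirm that path on your own farm.

```powershell
# Added example (not part of the thread). Run Test-WapSideConnectivity on the
# WAP server and Test-AdfsProxyTrustEndpoint on an AD FS farm member, both in
# an elevated PowerShell session.

function Test-WapSideConnectivity {
    param(
        [string]$FarmFqdn = 'sts.contoso.com'   # placeholder: replace with your farm name
    )

    # 1. Can the WAP reach the federation service through firewall and load balancer?
    $signOnUrl = "https://$FarmFqdn/adfs/ls/idpinitiatedsignon.aspx"
    try {
        $resp = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing -TimeoutSec 15
        Write-Host "Reachable: $signOnUrl returned HTTP $($resp.StatusCode)"
    }
    catch {
        Write-Warning "Cannot reach $signOnUrl : $($_.Exception.Message)"
        Write-Warning "Check the firewall and load balancer path from this DMZ to the farm nodes."
    }

    # 2. Is a system or user proxy configured that could divert AD FS traffic?
    Write-Host "`nWinHTTP (machine) proxy configuration:"
    netsh winhttp show proxy

    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $ieKey
    if ($ie.ProxyEnable -eq 1) {
        Write-Warning "IE/WinINET proxy is enabled for this user: $($ie.ProxyServer)"
        Write-Warning "The last reply in the thread resolved the error by turning this off."
    }
    else {
        Write-Host "IE/WinINET proxy is not enabled for this user."
    }
}

function Test-AdfsProxyTrustEndpoint {
    param(
        [switch]$Repair   # re-enable the endpoint if it is found disabled
    )

    # 3. Is the proxy trust endpoint enabled? This is what the accepted answer found disabled.
    $proxyEndpoints = Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '/adfs/proxy/*' }
    $proxyEndpoints | Format-Table AddressPath, Enabled, Proxy -AutoSize

    # Assumption: the establish-trust endpoint path contains "EstablishTrust".
    $trust = $proxyEndpoints | Where-Object { $_.AddressPath -like '*EstablishTrust*' }
    if (-not $trust) {
        Write-Warning "No endpoint matching *EstablishTrust* found; inspect the listing above."
        return
    }

    if ($trust.Enabled) {
        Write-Host "Proxy trust endpoint $($trust.AddressPath) is enabled."
        return
    }

    Write-Warning "Proxy trust endpoint $($trust.AddressPath) is DISABLED."
    Write-Warning "Install-WebApplicationProxy will fail with 'Service Unavailable' until it is enabled."

    if ($Repair) {
        # Enable the endpoint and restart the federation service so it takes effect.
        Enable-AdfsEndpoint -TargetAddressPath $trust.AddressPath
        Restart-Service -Name adfssrv
        Write-Host "Endpoint enabled and adfssrv restarted; retry Install-WebApplicationProxy on the WAP."
    }
}
```

Run the WAP-side function first: if idpinitiatedsignon loads but the trust still fails, the problem is not the network path, which is exactly the position the original poster was in. The AD FS-side function then shows every proxy endpoint's Enabled state, which is the detail the accepted answer wished the WAP error had surfaced; use the -Repair switch only once you have confirmed the endpoint was disabled unintentionally.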