ADFS/WAP with RDGW. Error with working ADFS.

  • Question

  • Trying to figure out ADFS/WAP with RDGW/RDWeb. It just won't work!

    The PKI works fine. ADFS has a cert for adfs.lab.no that wap.lab.no is also using. I have a wildcard cert: *.lab.no. No PKI issues. In this lab I have no external access. When trying to connect to rdgw.lab.no, which points to wap.lab.no (correct?), I get to the ADFS auth page with an error, and the event log says the following. See below.

    The ADFS is working fine, it seems, when visiting:

    https://adfs.lab.no/adfs/ls/IdpInitiatedSignon.aspx

    Server 2016, fully patched.

    DC01.lab.no 172.16.0.10 (Also runs ADCS)

    ADFS01.lab.no 172.16.0.20 (a record: adfs.lab.no)

    WAP01.lab.no 172.16.0.30

    RDGW01.lab.no 172.16.0.40 (a record: rdgw.lab.no)

    CL01.lab.no 172.16.0.100

    Errors on ADFS:

    Exception details: 
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: The request was malformed or not valid. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
       at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Error 2:

    The incoming sign-in request is not allowed due to an invalid Federation Service configuration.  

    Request url: 
     /adfs/ls?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=32d71a5e-41b9-e711-be57-00155d0a621e&returnUrl=https%3A%2F%2Frdgw.jo.se%2Frdweb&client-request-id=EFE819F4-4D31-0000-5FDB-E8EF314DD301 

    User Action:
     Examine the Federation Service configuration and take the following actions: 
      Verify that the sign-in request has all the required parameters and is formatted correctly. 
      Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters. 
      Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters

    Any idea?

    Wednesday, October 25, 2017 7:59 PM
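As an added diagnostic that is not part of the original post: a PowerShell script for the ADFS server that walks the three checks in the event's User Action against the request URL quoted in the log above. It assumes the WAP relying party trust carries ADFS's default identifier urn:AppProxy:com (what the realm parameter decodes to), and that the WAP-side check at the end is run separately on WAP01.

```powershell
# Added example, not from the original post. Run in an elevated session on
# the ADFS server (ADFS01). Assumes the WAP trust uses the default identifier
# urn:AppProxy:com, which is what the realm parameter in the log decodes to.
Import-Module ADFS

# Request URL copied from the event log quoted in the post.
$requestUrl = "/adfs/ls?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=32d71a5e-41b9-e711-be57-00155d0a621e&returnUrl=https%3A%2F%2Frdgw.jo.se%2Frdweb&client-request-id=EFE819F4-4D31-0000-5FDB-E8EF314DD301"

# Parse the query string into a hashtable, decoding the percent-escapes.
$query = @{}
foreach ($pair in ($requestUrl -split '\?', 2)[1] -split '&') {
    $k, $v = $pair -split '=', 2
    $query[$k] = [System.Uri]::UnescapeDataString($v)
}
$realm     = $query['realm']      # expected: urn:AppProxy:com
$appRealm  = $query['appRealm']   # identifier ADFS expects on the target trust
$returnUrl = [System.Uri]$query['returnUrl']

$trusts = Get-AdfsRelyingPartyTrust

# Check 1: a WAP relying party trust exists, is enabled and carries the realm.
$wapTrust = $trusts | Where-Object { $_.Identifier -contains $realm }
if (-not $wapTrust)             { Write-Warning "No relying party trust has identifier '$realm' (WAP trust missing)." }
elseif (-not $wapTrust.Enabled) { Write-Warning "WAP relying party trust '$($wapTrust.Name)' is disabled." }
else                            { Write-Host "WAP trust OK: $($wapTrust.Name)" }

# Check 2: the target trust exists, is enabled and is flagged as published through WAP.
$appTrust = $trusts | Where-Object { $_.Identifier -contains $appRealm }
if (-not $appTrust) {
    Write-Warning "No relying party trust has identifier '$appRealm'. Identifiers present:"
    $trusts | ForEach-Object { "  $($_.Name): $($_.Identifier -join ', ')" }
} else {
    if (-not $appTrust.Enabled)               { Write-Warning "Trust '$($appTrust.Name)' is disabled." }
    if (-not $appTrust.PublishedThroughProxy) { Write-Warning "Trust '$($appTrust.Name)' is not published through WAP." }
    if ($appTrust.Enabled -and $appTrust.PublishedThroughProxy) { Write-Host "Target trust OK: $($appTrust.Name)" }
}

# Check 3 (run on WAP01 instead): the published application must reference the
# same relying party by name, and its ExternalUrl host should be the host the
# client was sent back to (returnUrl), otherwise the sign-in request is rejected.
# $app = Get-WebApplicationProxyApplication | Where-Object { $_.ADFSRelyingPartyName -eq $appTrust.Name }
# if (-not $app) { Write-Warning "No WAP application references trust '$($appTrust.Name)'." }
# elseif (([System.Uri]$app.ExternalUrl).Host -ne $returnUrl.Host) {
#     Write-Warning "ExternalUrl host $(([System.Uri]$app.ExternalUrl).Host) differs from returnUrl host $($returnUrl.Host)."
# }
```

Comparing the identifiers the script lists against the decoded realm and appRealm values is the quickest way to see which of the three MSIS7009 conditions the lab fails.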