ADFS/WAP with RDGW. Error with working ADFS.


Trying to figure out ADFS/WAP with RDGW/RDWeb. It just won't work!

    The PKI works fine. ADFS has a cert for adfs.lab.no that wap.lab.no is also using. I have a wildcard cert: *.lab.no. No PKI issues. In this lab I have no external access. When trying to connect to rdgw.lab.no, which points to wap.lab.no (correct?), I get to the ADFS auth page with an error, and the event log says the following. See below.

    The ADFS is working fine. It seems when visiting:


    Server 2016, fully patched.

    DC01.lab.no (Also runs ADCS)

    ADFS01.lab.no (a record: adfs.lab.no)

    WAP01.lab.no

    RDGW01.lab.no (a record: rdgw.lab.no)


    Errors on ADFS:

    Exception details: 
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: The request was malformed or not valid. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
       at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Error 2:

    The incoming sign-in request is not allowed due to an invalid Federation Service configuration.  

    Request url: 

    User Action:
     Examine the Federation Service configuration and take the following actions: 
      Verify that the sign-in request has all the required parameters and is formatted correctly. 
      Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters. 
      Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters

    Any idea?

    Wednesday, October 25, 2017 7:59 PM
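The "User Action" text in the MSIS7009 event names three things to verify: the Web Application Proxy's own relying party trust, the target relying party trust, and the WAP application that publishes it. The PowerShell below walks through those checks in one pass. It is an added example, not code from the poster or from Microsoft; it assumes the host names from the post (run on ADFS01.lab.no, with PowerShell remoting to WAP01.lab.no), that https://rdgw.lab.no/ is the external URL being browsed to, and that the relying party identifier is expected to equal that external URL. All of those are assumptions to adjust to the actual lab.

```powershell
# Added example, not code from the original post. Cross-checks the three items
# listed under "User Action" in the MSIS7009 event: the WAP relying party trust,
# the target relying party trust, and the WAP application that publishes it.
# Assumptions: run on ADFS01.lab.no as an AD FS admin; WAP01.lab.no is reachable
# over PowerShell remoting; the external URL is what the user browses to.

$WapServer   = 'WAP01.lab.no'          # assumed
$ExternalUrl = 'https://rdgw.lab.no/'  # assumed

Import-Module ADFS

# 1. The proxy's own relying party trust must exist and be enabled, otherwise
#    AD FS rejects every sign-in request relayed through the WAP.
$wapTrust = Get-AdfsWebApplicationProxyRelyingPartyTrust
if (-not $wapTrust) {
    Write-Warning 'No Web Application Proxy relying party trust on AD FS; re-run the WAP configuration (Install-WebApplicationProxy).'
} elseif (-not $wapTrust.Enabled) {
    Write-Warning "WAP relying party trust '$($wapTrust.Name)' is disabled."
} else {
    Write-Host "WAP relying party trust OK: $($wapTrust.Name)"
}

# 2. Pull the published applications and the external certificates from the WAP.
#    Certificate names are flattened to strings so they survive remoting.
$remote = Invoke-Command -ComputerName $WapServer -ScriptBlock {
    Import-Module WebApplicationProxy
    $apps  = Get-WebApplicationProxyApplication
    $certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Names      = @($_.DnsNameList | ForEach-Object { $_.Unicode })
        }
    }
    [pscustomobject]@{ Apps = $apps; Certs = $certs }
}

# Target trusts: claims-aware and non-claims-aware (the latter is what WAP uses
# for Windows-authenticated backends published with KCD).
$targets = @(Get-AdfsRelyingPartyTrust) + @(Get-AdfsNonClaimsAwareRelyingPartyTrust)
$wanted  = $ExternalUrl.TrimEnd('/')

$published = @($remote.Apps | Where-Object { $_.ExternalUrl.TrimEnd('/') -eq $wanted })
if ($published.Count -eq 0) {
    Write-Warning "No WAP application publishes $ExternalUrl; requests to that URL cannot reach a preauthenticated app."
}

foreach ($app in $published) {
    Write-Host "`nApplication '$($app.Name)': $($app.ExternalUrl) -> $($app.BackendServerUrl)"
    Write-Host "  Preauthentication: $($app.ExternalPreauthentication)"

    if ($app.ExternalPreauthentication -eq 'PassThrough') {
        Write-Host '  Pass-through: AD FS is not involved on this request path.'
        continue
    }

    # 3. The target relying party trust named by the WAP application must exist,
    #    be enabled, and carry an identifier matching the sign-in request.
    $rp = $targets | Where-Object Name -eq $app.ADFSRelyingPartyName
    if (-not $rp) {
        Write-Warning "  No relying party trust named '$($app.ADFSRelyingPartyName)' exists on AD FS."
    } elseif (-not $rp.Enabled) {
        Write-Warning "  Relying party trust '$($rp.Name)' is disabled."
    } else {
        $ids = @($rp.Identifier | ForEach-Object { $_.TrimEnd('/') })
        if ($ids -contains $wanted) {
            Write-Host "  Relying party trust '$($rp.Name)' OK; identifiers: $($rp.Identifier -join ', ')"
        } else {
            # Assumption: the external URL is the identifier AD FS expects to see.
            Write-Warning "  Identifiers [$($rp.Identifier -join ', ')] do not include $ExternalUrl."
        }
    }

    # The certificate bound to the external URL must be present on the WAP,
    # unexpired, and cover the external host name (wildcards are honoured).
    $extHost = ([uri]$app.ExternalUrl).Host
    $cert    = $remote.Certs | Where-Object Thumbprint -eq $app.ExternalCertificateThumbprint
    if (-not $cert) {
        Write-Warning "  Thumbprint $($app.ExternalCertificateThumbprint) not found in the WAP's LocalMachine\My store."
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "  External certificate expired on $($cert.NotAfter)."
    } elseif (-not ($cert.Names | Where-Object { $extHost -like $_ })) {
        Write-Warning "  External certificate names [$($cert.Names -join ', ')] do not cover $extHost."
    } else {
        Write-Host "  External certificate OK ($($cert.Names -join ', '))"
    }
}
```

Each warning maps to one line of the event's "User Action" text, so the first warning printed is the first thing to fix. Identifiers are compared with the trailing slash stripped because a trust whose identifier is `https://rdgw.lab.no` and an application published at `https://rdgw.lab.no/` are the most common way for the two to disagree while looking identical at a glance.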