HTTP 400 on secondary ADFS server in an ADFS 2019 Farm

  • Question

  • Hello all,

    First some info about the setup:

    2 ADFS (Windows Server 2019) servers belonging to the same farm
    1 Web Application Proxy (Windows Server 2019) server acting as a federation proxy for this farm

    I'm currently trying to upgrade our ADFS infrastructure from 2012 R2 to 2019, but while testing out the new Windows Server 2019 ADFS and Web Application Proxy I ran into the following problem.

    The secondary ADFS server is unable to get information from the primary ADFS server, targeting the endpoints of the primary ADFS server.

    To give an example in practice, when I try to run Get-WebApplicationProxyConfiguration on the WAP server, I get the following error, whenever the secondary ADFS server is targeted:

    Get-WebApplicationProxyApplication : Web Application Proxy could not connect to the AD FS configuration storage and could not load the configuration. Make sure that the Web Application Proxy server can connect to the AD FS server, and if not, run the Install-WebApplicationProxy command.
    (0x80075213)

    Whenever the primary ADFS server is targeted, the command runs fine and returns the configuration info.

    Eventually I traced this back to a web request failing between the secondary ADFS server and the primary ADFS server.
    In Windows Server 2019 we get an HTTP 400 Bad Request on the following HTTP call:
    GET /adfs/Proxy/PrimaryWriter/webapplicationproxy/store%3Fapi-version=1&client-request-id=9174220b-4462-48f0-5500-0080002000fb

    or when initially trying to establish the Web Application Proxy trust:
    POST /adfs/Proxy/PrimaryWriter/EstablishTrust%3Fclient-request-id=e278186b-553a-4547-0c00-0080030000fb

    In Windows Server 2012 R2 we get the expected HTTP 200 OK.

    I've already tested this in two cases, once in our test environment and once in a completely new out of the box lab setup, both having the same problem.

    Additional info:

    ADFS is installed using a valid trusted certificate, gMSA, WID.
    Synchronization of the configuration data from the primary federation server is successful, no issues there.
    Web Application Proxy Trust Certificates are also fine, trusted on both servers; there are no issues between the WAP and the secondary ADFS server. (Although the Remote Access Management Console and PowerShell report that there are, that's because of the unsuccessful retrieval of data between the secondary and primary ADFS server.)

    Is this a known issue or am I missing something here?

    Thanks in advance!

    Friday, January 10, 2020 1:59 PM

Answers

  • Update on the issue,

    Found the answer on a German blog for anyone interested in reading it:
    <will update with link once account is verified, can't post any links yet>
    Credit to Uwe Grohne.

    So it came down to the PrimaryComputerName parameter of Add-AdfsFarmNode needing the FQDN of the primary ADFS server and not just the hostname, as the Microsoft Docs suggest.
    (This is also applicable to the GUI installation when it asks for the primary federation server.)

    Hopefully, this helps some people along in the future!

    • Marked as answer by Man of PoSh Tuesday, January 14, 2020 2:20 PM
    Tuesday, January 14, 2020 2:20 PM
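As an added example (not code from the thread or from Microsoft), this is the farm join on the secondary node with the primary's FQDN, plus the checks a practitioner would run before and after. The primary name adfs01.corp.example.com, the gMSA CORP\gmsa-adfs$ and the certificate thumbprint are assumptions; run it elevated on the secondary node as an account allowed to join the farm.

```powershell
# Added example (not from the thread): join a secondary AD FS 2019 node using the
# primary server's FQDN for -PrimaryComputerName, with pre- and post-checks.
# Assumed values: adfs01.corp.example.com (primary), CORP\gmsa-adfs$ (gMSA),
# and a placeholder SSL certificate thumbprint.

$PrimaryFqdn    = 'adfs01.corp.example.com'   # FQDN, not the bare hostname 'adfs01'
$Gmsa           = 'CORP\gmsa-adfs$'
$CertThumbprint = '<SSL-CERT-THUMBPRINT>'     # placeholder, substitute your own

# Pre-check 1: the value must be fully qualified and must resolve in DNS.
if ($PrimaryFqdn -notmatch '\.') {
    throw "Use the FQDN of the primary federation server, not the short name."
}
$null = [System.Net.Dns]::GetHostEntry($PrimaryFqdn)

# Pre-check 2: the primary must be reachable on the federation port (443).
$tnc = Test-NetConnection -ComputerName $PrimaryFqdn -Port 443
if (-not $tnc.TcpTestSucceeded) {
    throw "Cannot reach $PrimaryFqdn on TCP 443; fix connectivity before joining."
}

# Join the WID farm with the gMSA. The GUI wizard's 'primary federation server'
# field takes the same value and has the same FQDN requirement.
Add-AdfsFarmNode -PrimaryComputerName $PrimaryFqdn `
                 -GroupServiceAccountIdentifier $Gmsa `
                 -CertificateThumbprint $CertThumbprint

# Post-check: the node's sync properties should record the FQDN as the primary.
$sync = Get-AdfsSyncProperties
if ($sync.PrimaryComputerName -ne $PrimaryFqdn) {
    Write-Warning ("Secondary points at '{0}'; correct it with " +
        "Set-AdfsSyncProperties -PrimaryComputerName {1}") -f $sync.PrimaryComputerName, $PrimaryFqdn
}
$sync | Select-Object Role, PrimaryComputerName, PrimaryComputerPort, LastSyncStatus
```

If the post-check shows the short name, the WAP-facing PrimaryWriter requests from this node will keep failing until the sync properties are corrected and the WAP trust is re-established with Install-WebApplicationProxy.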

All replies

  • https://docs.microsoft.com/en-us/powershell/module/adfs/add-adfsfarmnode?view=win10-ps

    States the following:

    -PrimaryComputerName 
    Specifies the name of the primary federation server in a federation server farm. The cmdlet adds the computer to the federation server farm that has the primary federation server that you specify.


    Tuesday, January 14, 2020 5:43 PM