ADFS Proxy Certificate issues

  • Question

  • We use ADFS for Office 365 and a few third-party SaaS applications. I recently updated the certificate for ADFS. After updating the certificate some external users would receive a connection reset message, while other users were fine.

    I ran Get-WebApplicationProxySslCertificate on both of our Proxy servers (2012r2). One server would return the expected output, but the other would not return anything. So I ran Set-WebApplicationProxySslCertificate which returned success. But after running Get-WebApplicationProxySslCertificate again it would still return nothing.

    I then ran netsh show ssl and it returned nothing but the header "SSL Certificate Bindings:", whereas the other proxy returned exactly what I was expecting.

    I took the problematic proxy offline and suddenly everyone was able to access 365, brought it back online and suddenly the problem returned. I spoke with Microsoft support and after 3 hours of them refusing to address the SSL issue on one proxy, it was obvious that I would not receive much help from the support rep. They kept assuring me that this was not an issue and kept toying with the ADFS trust instead of the proxy. Basically, they left me with the line of "nothing is wrong with adfs, it must be a network issue".

    So, now here I am at the end of my skill level hoping someone can suggest a solution. 


    Thursday, August 2, 2018 6:38 PM
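    The two checks described in the question, combined into one diagnostic that can be run elevated on each proxy. This is an added example, not code from the thread; it assumes the WebApplicationProxy module is installed, uses the full `netsh http show sslcert` syntax, and reads the `CertificateHash` property of the module's output (adjust if your module version names it differently).

```powershell
# Added diagnostic (not from the thread): compare the SSL binding the WAP
# configuration reports with the binding HTTP.sys actually holds, then
# confirm the certificate and the proxy service are usable.
function Get-WapSslBindingState {
    $result = [ordered]@{ WapBinding = $null; HttpSysHashes = @(); ServiceStatus = $null; Issues = @() }

    # 1. What the WAP configuration says (empty on the broken proxy in the thread)
    $wap = Get-WebApplicationProxySslCertificate -ErrorAction SilentlyContinue
    if (-not $wap) {
        $result.Issues += 'Get-WebApplicationProxySslCertificate returned nothing'
    } else {
        $result.WapBinding = $wap
    }

    # 2. What HTTP.sys has bound (the netsh check from the question, full syntax)
    $netsh  = netsh http show sslcert 2>&1 | Out-String
    $hashes = [regex]::Matches($netsh, 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') |
              ForEach-Object { $_.Groups[1].Value.ToUpper() } | Sort-Object -Unique
    $result.HttpSysHashes = @($hashes)
    if (@($hashes).Count -eq 0) {
        $result.Issues += 'netsh http show sslcert lists no bindings'
    }

    # 3. Cross-check: each WAP thumbprint must be bound in HTTP.sys and exist in
    #    the machine store with a private key, or TLS handshakes get reset.
    foreach ($b in @($wap)) {
        # CertificateHash: property name assumed from the module's output
        $tp = ($b.CertificateHash -replace '\s', '').ToUpper()
        if ($hashes -notcontains $tp) { $result.Issues += "WAP thumbprint $tp not bound in HTTP.sys" }
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
        if (-not $cert)                        { $result.Issues += "Thumbprint $tp not in LocalMachine\My" }
        elseif (-not $cert.HasPrivateKey)      { $result.Issues += "Thumbprint $tp has no private key" }
        elseif ($cert.NotAfter -lt (Get-Date)) { $result.Issues += "Thumbprint $tp is expired" }
    }

    # 4. The proxy service (adfssrv on a WAP) should be running
    $svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }
    if (-not $svc -or $svc.Status -ne 'Running') { $result.Issues += "adfssrv status: $($result.ServiceStatus)" }

    [pscustomobject]$result
}

Get-WapSslBindingState | Format-List
```

    An empty Issues list on one proxy and a non-empty one on the other reproduces the asymmetry described above without taking a server offline.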

Answers

  • Hiya,

    So to sum up, you're not able to write the configuration to and from one proxy server.

    Does the WAP or ADFS server log state anything when restarting the ADFS service on the proxy server? Like unable to reach configuration database or unable to verify trust, or does it indeed run all the checks with success?

    I know it sounds simple and you should have checked this already if running an incident with Microsoft support, just want to be sure.

    Kind Regards

    Jesper

    I checked the logs before contacting support and did not see any events indicating an issue. The only sign of a problem were the random end users and the missing certificate. The proxy itself seemed to think everything was good. In the end, I just reinstalled the WAP and now all is well. It now shows the certificate using Get-WebApplicationProxySslCertificate and netsh http show ssl. 
    Monday, August 6, 2018 12:55 PM

All replies

  • Hiya,

    So to sum up, you're not able to write the configuration to and from one proxy server.

    Does the WAP or ADFS server log state anything when restarting the ADFS service on the proxy server? Like unable to reach configuration database or unable to verify trust, or does it indeed run all the checks with success?

    I know it sounds simple and you should have checked this already if running an incident with Microsoft support, just want to be sure.

    Kind Regards

    Jesper

    Friday, August 3, 2018 6:07 AM
  • Just remove the WAP from the server, restart the server and then reinstall WAP service.

    Make sure port 443 is open from the WAP to the internal ADFS and also that the credentials you use are local administrators on the ADFS-servers.

    The certificate you updated on the ADFS has nothing to do with the communication between WAP and ADFS.

    Friday, August 3, 2018 8:09 AM