Unable to configure WAP for ADFS: event ID 395 (Trust Established) followed by 276 (Unable to Authenticate) RRS feed

  • Question

  • Hi,

    I have setup a new ADFS Farm (server 2019) which works perfectly but i am unable to configure a Web Application Server in front of it. Already spend tons of hours on forums and even recreated WAP and ADFS server but issue remains. The WAP server hangs with the following message:

    Performing configuration...

    Waiting for proxy trust relationship to be synchronized across farm.........................................

    ...and after several minutes it fails with the error below:



    An error occurred while attempting to retrieve configuration data from the Federation Server. Unable to retrieve proxy configuration data from the Federation Server.

    Strange thing is when i look at the ADFS server i see first an event ID of 365 (succesfully established trusted) followed by an event id 276 after around 10 seconds. I am at a loss what causes the 276 error after the initial trust establishment 10 seconds earlier.

    EVENT ID: 395...

    The trust between the federation server proxy and the Federation Service was established successfully using the account 'mvwlab\svc-adfs'.

    Proxy trust certificate subject: CN=ADFS ProxyTrust - WAP01.

    Proxy trust certificate thumbprint: E1EE1E2081FA1AF20EB890CCF2CCD397D439342F.

    EVENT ID: 276...

    The federation server proxy was not able to authenticate to the Federation Service.

    User Action

    Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet.

    Additional Data

    Certificate details:

    Subject Name:




    NotBefore Time:


    NotAfter Time:


    Client endpoint:

    I already verified that the same certificate (thumbprint) is used on both servers and that the service account is correct.

    Any ideas how to get this resolved?

    Thanks in advance for your support!

    Friday, January 3, 2020 12:46 PM

All replies

  • If the WAP trust relationship was never working, you can look at usual suspects:

    - Use the

    - Is there a device doing TLS inspection in between the WAP and the ADFS server? If so, that has to be turned off.

    - Is the DNS resolution on the WAP working fine? Since WAP are often in DMZ, they often use a public DNS server. And if they use the FQDN of the farm, they will actually resolved it to itself. In that case a HOSTS entry can be created (or an NRPT entry).

    If that's none of these two, a network trace might help.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, January 6, 2020 3:13 PM