ADFS 3.0 WAP connection to Primary ADFS servers - Maintaining the WAP Trust

  • Question

  • I am upgrading the current ADFS 2.0 environment to ADFS 3.0.
    I have exported the old config (adfs.domain.com) and set up the new environment with the same farm name, as recommended.
    All seems to be working with SSO fine; it's when I get the load balancer (A10) in place that things start to go wrong.
    I have set up the VIPs for both the DMZ and internal. External requests go to the DMZ WAPs fine via the external VIP and also the Internal VIP. So it does authenticate without issues.
    The problem, however, seems to be with the Trust and the Primary ADFS servers.
    The WAPs are unable to get a new Trust Certificate, i.e. the trust relationship breaks.

    After some troubleshooting I have found this is only the case when the WAPs go through the VIP. I can only restore the trust by going directly (configuring the hosts file to point directly at the Primary ADFS Servers). Although this works, it is not ideal as it defeats the point of HA in the ADFS environment.

    SSL forward proxying is configured through the INTERNAL VIP (which works fine) and also from the WAPs to the INTERNAL VIP. Not sure if this is the issue, but I assume it may be something to do with SSL.
    The authentication process seems fine, but the issue is maintaining the trust.

    I have researched and have found that KB2962409 is installed, so this doesn't seem to be THIS issue.

    One test I have tried is restarting the 'Web Application Proxy Service'. When it can communicate with the Primary ADFS servers (i.e. ADFS IP in the hosts file), this service can be restarted fine. When configured via the Internal VIP (i.e. hosts file updated to the VIP), I get an 'error 0x80072f78 - Cannot start the WAP service on the Local Computer'.

    Maybe I'm missing something, but I wanted to ensure I have tried everything before escalating, in case it may be an issue with the load balancer?


    Thursday, November 10, 2016 9:48 AM

Answers

  • The WAP servers authenticate against the ADFS servers using TLS authentication. Make sure the load balancer does not end the TLS tunnel (no SSL inspection or offloading) between the WAP and the ADFS servers as it will break the TLS authentication.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, November 11, 2016 3:39 PM
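The answer above comes down to one check: does the internal VIP hand the WAP the ADFS farm's own TLS connection, or does the A10 terminate TLS and present its own certificate, so the WAP's client certificate never reaches ADFS? The PowerShell below is an added example, not code from this thread or from Microsoft. It opens a TLS session to the VIP and to one ADFS server directly, both with the farm name (adfs.domain.com, from the question) as SNI, and compares the server certificates; a mismatch means the VIP is offloading or inspecting TLS. It also lists the WAP's proxy trust certificate so its expiry can be checked. `$VipAddress` and `$AdfsServerAddress` are placeholders, and the certificate subject pattern `ADFS ProxyTrust - <WAP name>` is an assumption about how WAP names the client certificate it issues itself.

```powershell
# Added example (not from the original thread). Run on a WAP server.
# Assumptions: $VipAddress / $AdfsServerAddress are placeholders to replace,
# and the WAP proxy trust certificate subject starts with "CN=ADFS ProxyTrust -".

$FarmName          = 'adfs.domain.com'   # federation service name from the question
$VipAddress        = '10.0.0.10'         # placeholder: internal VIP in front of the ADFS farm
$AdfsServerAddress = '10.0.0.11'         # placeholder: one primary ADFS server, reached directly

function Get-TlsServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $Address,  # IP or host to open the TCP connection to
        [Parameter(Mandatory)] [string] $Sni,      # host name sent in the TLS ClientHello
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($Address, $Port)
    try {
        # Accept whatever certificate is presented: the point is to see it, not validate it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Sni)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Address    = $Address
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            Protocol   = $ssl.SslProtocol
        }
    }
    finally {
        $client.Dispose()
    }
}

$direct = Get-TlsServerCertificate -Address $AdfsServerAddress -Sni $FarmName
$viaVip = Get-TlsServerCertificate -Address $VipAddress       -Sni $FarmName

$direct, $viaVip | Format-Table Address, Thumbprint, Issuer, Protocol -AutoSize

if ($direct.Thumbprint -eq $viaVip.Thumbprint) {
    Write-Host 'VIP presents the ADFS service certificate itself: TLS is passed through to the farm.'
} else {
    Write-Warning 'VIP presents a different certificate than the ADFS server: the load balancer is terminating TLS.'
    Write-Warning 'Configure the VIP for TCP/TLS passthrough (no SSL offload or inspection) so the WAP client certificate reaches ADFS.'
}

# The WAP authenticates to ADFS with a self-issued client certificate (proxy trust certificate).
# Assumed subject prefix; adjust the filter if your WAP names it differently.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust -*' } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter |
    Format-Table -AutoSize
```

If the thumbprints differ, the renewal of the proxy trust certificate fails exactly as described in the question, because the renewal request is authenticated with the WAP's client certificate on the TLS session, and a terminating load balancer cannot forward that client identity to the ADFS servers. Compare the output with the VIP and with a hosts-file entry pointing at an ADFS server to confirm the difference is the load balancer rather than the farm.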

All replies

  • Update?
    Tuesday, November 15, 2016 1:26 PM