ADFS 2019 - Proxy configuration for CRL checks

  • Question

  • Hello, 

    We are migrating from ADFS 2012 to an ADFS server running on 2019. During our testing on ADFS 2019, we notice Certificate Revocation Checks for trust relationships which are using public certificates are failing. We have configured the proxy settings using netsh winhttp import proxy source=ie. Our proxy allows unauthenticated internet traffic and works fine in IE. This same proxy configuration is working correctly on our ADFS 2012 servers in the same farm. 

    When doing network captures, we notice that ADFS on Server 2019 is entirely ignoring the proxy configuration, and is trying to access the CRL directly without proxy (the request times out).

    Is there a different way to configure proxy settings in ADFS on Windows Server 2019, different than in ADFS 2012? 


    Thanks!
    Thursday, January 16, 2020 16:31

All Replies

  • Hi! Never run into this situation... Maybe try to set the proxy for the .Net part in  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config (although I am assuming that's CAPI2 in your case anyways...) There is an example here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, January 20, 2020 23:29
  • Hi, did you ever get this figured out? Running into the same exact issue. However, on ADFS 3 to 4 upgrade.
    Monday, March 9, 2020 13:58
  • Unfortunately no, we are currently still experiencing this problem. The proxy settings are entirely ignored. We have opened a direct flow as a temporary bypass, but it's not accepted as a permanent solution in our company. 

    Our scenario is exactly alike, we upgraded from ADFS 3 to ADFS on Windows Server 2019, after which we experienced this issue. So we are still looking for how to configure proxy settings for ADFS on Windows Server 2019 so that it can correctly perform the CRL checks. 


    Tuesday, March 10, 2020 14:40
  • So we've been working with MS support for a few weeks.  It's still early and I'm still testing but it appears these recommendations below are working for us:

    On each ADFS server: 

    1.  Set the following registry key to 0 (create it if it doesn't exist):

    HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings

    ProxySettingsPerUser, type: REG_DWORD

    2.  From there run Inetcpl.cpl, Navigate to connections, LAN settings and configure your proxy in the "Proxy server" section.

    Hope this helps!

    Saturday, March 28, 2020 17:50
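
A read-only check of the state the last reply describes, as an added example that is not part of the thread or of Microsoft's guidance. The function name Get-ProxyPolicyState and the -CertPath parameter are hypothetical; the script looks for the value under the key as the reply writes it and under the "Internet Settings" spelling (with a space) that Windows uses for this policy location.

```powershell
# Added example (not from the thread): read-only check on an AD FS server.
param(
    # Assumption: optional path to an exported trust certificate (.cer)
    # used to test CRL retrieval.
    [string]$CertPath
)

# First entry: key exactly as written in the reply.
# Second entry: the same location spelled "Internet Settings" (with a space).
$policyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-ProxyPolicyState {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name ProxySettingsPerUser -ErrorAction SilentlyContinue
            if ($item) { $value = $item.ProxySettingsPerUser }
        }
        [pscustomobject]@{
            Key                  = $key
            ProxySettingsPerUser = if ($null -eq $value) { '<not set>' } else { $value }
            PerMachineProxy      = ($null -ne $value -and $value -eq 0)
        }
    }
}

$state = Get-ProxyPolicyState -Keys $policyKeys
$state | Format-Table -AutoSize -Wrap

if (-not ($state | Where-Object PerMachineProxy)) {
    Write-Warning 'ProxySettingsPerUser is not 0 under either key; step 1 of the reply is not in effect.'
}

# WinHTTP proxy: the setting the original question configured with netsh.
netsh winhttp show proxy

if ($CertPath) {
    # certutil runs as the current user; -urlfetch retrieves the CRL/AIA URLs.
    certutil -verify -urlfetch $CertPath
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil exited with $LASTEXITCODE; revocation check or URL retrieval failed."
    }
}
```

Run it from an elevated prompt on each AD FS server. The certutil result reflects the account running the script, which may differ from the AD FS service account.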