
I have a working ADFS 3.0 (2012 R2) server running. It successfully operates to log me on to Office365 both on and off premises.

I am trying to install the Web Application Proxy role on a second machine in order to proxy Sharepoint 2013. I am getting stuck with an error message:

An error occurred when attempting to create the proxy trust certificate.

My ADFS server is a one-server farm. The host name of the server is adfs-host.domain.local, and the ADFS name is adfs.domain.org.

    PS C:\Windows\system32> Install-WebApplicationProxy -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'adfs.domain.org'
    cmdlet Install-WebApplicationProxy at command pipeline position 1
    Supply values for the following parameters:
    FederationServiceTrustCredential
    Install-WebApplicationProxy : An error occurred when attempting to create the proxy trust certificate.
    At line:1 char:1
    + Install-WebApplicationProxy -CertificateThumbprint 'xxxxxxxxxxxxxxxxxxxxxxx ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], ProxyTrustException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand


    Message                                 Context                                                                  Status
    -------                                 -------                                                                  ------
    An error occurred while attempting t... DeploymentTask                                                            Error

I have a DNS A record pointing adfs.domain.org to the same IP as adfs-host.domain.local.

The name of my Web Application Proxy server is wap-host.domain.local. I copied the GoDaddy certificate onto both machines with the private key, and installed it into the local machine personal certificate store. It is set as the Service Communications Certificate. I installed the full certificate chain on to both machines. It is a UCC certificate with 5 subject alternative names--the main one is not adfs.domain.org, but it does work for ADFS.

I tried with the firewall on and off, and I ran Wireshark--it looks like it is failing at an earlier step, since I didn't see any traffic attempted to the IP of my ADFS server.

The credentials I tried supplying were both a local account that has administrative access on the ADFS server and a domain admin account.

Quinten

4 Answers

I'm not really sure what the exact trigger was, but I installed the latest round of updates on my ADFS server and on my WAP server. Then it started working.

I am thinking that maybe the Windows 2012 R2 Update 1 broke something, and a more recent update fixed it.

Quinten

I am having exactly the same issue with one of our WAP servers, but I am using a WAP cluster and updates are not solving the problem.

Any other hint?

I have basically followed any advice I have found online. The only thing left is completely deleting the server and creating a new one...


I have a DNS A record pointing adfs.domain.org to the same IP as adfs-host.domain.local.

Your DNS A record should point adfs.domain.org to the WAP IP (wap-host.domain.local). This web page explains pretty much everything about WAP certificates:

Client machines on the internet (or outside of your internal LAN) resolve the name adfsresource.treyresearch.net to the IP address of adfsproxy.treyresearch.net. It is important to remember that you won’t specify the name adfsproxy.treyresearch.net anywhere in your setup. The website on this server should have a certificate issued to the name adfsresource.treyresearch.net.

Finally, your proxy should resolve adfs.domain.org to the adfs-host.domain.local machine, but only your proxy must have knowledge about this DNS record.

Michael
  • Thanks User1721192. I am willing to try changing the DNS, but it doesn't seem like this is where the problem is originating. I am trying to set up the first WAP. Right now the adfs is working fine pointing directly to the ADFS server. If I change the DNS, it will stop working until the WAP is set up. In other words, it will break the working setup. – Quinten Jun 30 '14 at 15:12
  • Yes, you will need a working WAP of course. I have also set it up, and it is working smoothly. The important thing is that all clients should resolve the domain names of all relying parties to the WAP, and that the WAP knows the 'real IP' of the relying parties (e.g. configured in the hosts file of the WAP). Let me know if this still gives issues. By the way, the Windows event viewer has helped me a lot. – Michael Jun 30 '14 at 16:28
  • It is failing well before anything with DNS names come up, the error is with generating some certificate. Unfortunately the event log just offers the same error message about creating the proxy trust certificate. I am going to try a rebuild and report back. – Quinten Jul 01 '14 at 18:08
  • Just tried building a new WAP server, no change, same error message about creating the proxy trust certificate. I saw one other reference to similar error with someone who wasn't running ADFS 3.0 on both ends of the equation, but in my case it is 2012 R2 for both the ADFS and WAP servers. ADFS is working. I am following this guide: http://goodworkaround.com/node/53 – Quinten Jul 01 '14 at 21:06
  • Okay, I see. Does the user you specified (local administrator account) have permissions to read the private key? (Please refer to http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-things-to-check(v=ws.10).aspx, section "To confirm that private keys for certificates are accessible by the AD FS 2.0 service user account".) – Michael Jul 02 '14 at 06:26
  • It does not matter what credentials I use--it fails prior to testing the credentials. However, I tried using a domain administrator account and an account that I explicitly assigned permissions to read the private key with. – Quinten Jul 02 '14 at 12:35
  • Could you tell me during which step it is failing exactly then? – Michael Jul 03 '14 at 12:18
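The comments above circle around four things to verify on the proxy host before the trust can be created: the certificate and its private key, whether the certificate actually covers the federation service name, how the proxy resolves that name, and whether port 443 on the federation service is reachable. The following pre-flight script is an added example, not code from the question or any of the answers; the thumbprint is a placeholder, the two host names are the ones given in the question, and the private-key ACL step is a best-effort check that only works for CSP-stored keys.

```powershell
# Added example (not from the question or answers): pre-flight checks on the WAP host
# before running Install-WebApplicationProxy. Thumbprint is a placeholder; host names
# are taken from the question.
$Thumbprint            = 'XXXXXXXXXXXXXXXXXXXXXXX'   # assumption: replace with your own
$FederationServiceName = 'adfs.domain.org'
$InternalAdfsHost      = 'adfs-host.domain.local'
$problems = @()

# 1. Certificate present in the machine store with a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    $problems += "no certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
} else {
    if (-not $cert.HasPrivateKey) { $problems += "certificate $Thumbprint has no private key here" }

    # 2. Federation service name covered by the subject CN or a SAN entry
    #    (a UCC certificate whose CN is another name is fine if the SAN lists it).
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) {
        # Format() yields e.g. "DNS Name=adfs.domain.org, DNS Name=www.domain.org"
        $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] })
    }
    if ($names -notcontains $FederationServiceName) {
        $problems += "certificate does not cover $FederationServiceName (names: $($names -join ', '))"
    }

    # 3. Chain builds from the local store. Revocation is skipped so a blocked CRL
    #    download does not mask a missing intermediate certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += "chain does not build: $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
    }

    # 4. Private key file ACL, to see which accounts may read it. Only CSP keys expose
    #    a container name this way; CNG-stored keys are skipped.
    try {
        $info = $cert.PrivateKey.CspKeyContainerInfo
        if ($info) {
            $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
            $keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
            (Get-Acl -LiteralPath $keyFile).Access |
                Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
        }
    } catch { $problems += "could not read private key ACL: $($_.Exception.Message)" }
}

# 5. From the proxy, the federation service name should resolve (DNS or hosts file)
#    to the internal AD FS host rather than to the proxy itself.
$resolve = { param($n) try { [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString } } catch { @() } }
$fsAddrs   = @(& $resolve $FederationServiceName)
$adfsAddrs = @(& $resolve $InternalAdfsHost)
if (-not $fsAddrs) {
    $problems += "$FederationServiceName does not resolve from this host"
} elseif ($adfsAddrs -and -not ($fsAddrs | Where-Object { $adfsAddrs -contains $_ })) {
    $problems += "$FederationServiceName resolves to $($fsAddrs -join ', ') but $InternalAdfsHost is $($adfsAddrs -join ', ')"
}

# 6. TCP 443 to the federation service must be reachable from the proxy.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { $problems += "TCP 443 to $FederationServiceName is not reachable" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Pre-flight checks passed; run Install-WebApplicationProxy.' }
```

Run it in an elevated PowerShell session on the WAP host. Each warning corresponds to one of the points raised in the thread; a clean run does not prove the trust will be created, but it rules out the certificate, name and connectivity explanations before you start rebuilding servers.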

My microsoft.identityServer.proxyservice.exe.config file was blank.

I was unable to resolve this issue without rolling back the web server to an earlier checkpoint, where the connection was working. Once I did so I backed up a copy of the c:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config file and then applied updates to the server and restarted it. At this point the server would report an error and not start the web proxy. Then the following command worked (previously it would give the error above):

    Install-WebApplicationProxy -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'adfs.domain.org'

With just the blank microsoft.identityServer.proxyservice.exe.config file, I wasn't able to get the Install-WebApplicationProxy command to work.

John H
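A quick way to tell whether you are in the situation John H describes is to check the proxy service config file before touching anything else: it should exist, be non-empty, and parse as XML with a configuration root. The script below is an added example, not code from the answer; the config path is the one the answer names, and the backup directory is an assumption.

```powershell
# Added example (not from the answer above): check the WAP proxy service config file
# and keep a timestamped backup of a good copy before updates or a re-run of
# Install-WebApplicationProxy can overwrite it. Backup directory is an assumption.
$ConfigPath = 'C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config'
$BackupDir  = 'C:\ADFS-Backup'   # assumption: any writable location of your choice

function Test-ProxyServiceConfig {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; State = 'Missing';   Detail = 'file not found' }
    }
    $item = Get-Item -LiteralPath $Path
    if ($item.Length -eq 0) {
        # The blank-file case from the answer: a zero-byte .exe.config.
        return [pscustomobject]@{ Path = $Path; State = 'Blank';     Detail = '0 bytes' }
    }
    try {
        $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    } catch {
        return [pscustomobject]@{ Path = $Path; State = 'Malformed'; Detail = $_.Exception.Message }
    }
    # A usable .NET application config has <configuration> as its document element.
    if ($xml.DocumentElement.Name -ne 'configuration') {
        return [pscustomobject]@{ Path = $Path; State = 'Malformed'; Detail = "root element is <$($xml.DocumentElement.Name)>" }
    }
    return [pscustomobject]@{ Path = $Path; State = 'OK'; Detail = "$($item.Length) bytes, modified $($item.LastWriteTime)" }
}

$result = Test-ProxyServiceConfig -Path $ConfigPath
$result | Format-List

if ($result.State -eq 'OK') {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -LiteralPath $ConfigPath -Destination (Join-Path $BackupDir "proxyservice.exe.config.$stamp")
    "Backup written to $BackupDir"
} else {
    Write-Warning "Config file is $($result.State) ($($result.Detail)); restore a known-good copy before running Install-WebApplicationProxy."
}
```

If the file reports Blank or Malformed, restoring a copy taken while the proxy was working (from a checkpoint or an earlier backup) is the route the answer describes; a file that reports OK is worth backing up now, since the answer's symptom only surfaced after updates.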