
We have an ADFS 4.0 server with a WAP server set up in the DMZ. Recently, we started getting an HTTP Error 503: Service Unavailable error when accessing endpoints through the WAP. These same endpoints work correctly when accessing them on the network.

I have tried other endpoints and some work and some don't.

I tried going back through the WAP configuration wizard and everything sets up correctly. I'm also not seeing any errors in the event viewer on either the ADFS server or the proxy server. Any ideas?

Update:

I've worked on this some more today. We ran the ADFS diagnostics tool and resolved all issues except for 1 error and 1 warning. I think the warning is just a tooling issue because the proxy server is able to see the federation metadata on the ADFS server. The error however has me stumped. I ran the ADFS Change User Account script and set it back to the gMSA user it's already set to and everything appeared to work correctly. I don't see how a gMSA account could be locked out, password changed or disabled. Everything appears to be set up correctly.

[Screenshot: Error]

[Screenshot: Warning]

Brian Swart

1 Answer


So gMSA accounts don't get disabled or locked out. What does affect them is the PrincipalsAllowedToRetrieveManagedPassword attribute. This attribute controls what principals are able to obtain the password from AD. Make sure all of your ADFS nodes are included in this list. This PowerShell one-liner should show you all objects allowed to retrieve the password; just update ADFSgMSA to the name of the gMSA account you're using.

Get-ADServiceAccount ADFSgMSA -Properties * | Select-Object Name,PrincipalsAllowedToRetrieveManagedPassword|fl

If you want to add servers to that list, something like this should be sufficient for you. Just modify the array to include any servers you need to add, and update ADFSgMSA to the gMSA account you're using.

#get existing principals allowed to retrieve the password
$adfsgmsa = Get-ADServiceAccount ADFSgMSA -Properties PrincipalsAllowedToRetrieveManagedPassword
#get DNs for other principals we're adding to the gMSA
$principals = @(
  ((Get-ADUser MyAdminUser).DistinguishedName),
  ((Get-ADComputer ADFS02).DistinguishedName)
)
#merge the new principals with the existing ones
$principals += $adfsgmsa.PrincipalsAllowedToRetrieveManagedPassword
#set the AD service account to use all principals
Set-ADServiceAccount -Identity 'ADFSgMSA' -PrincipalsAllowedToRetrieveManagedPassword $principals
#verify the changes (this might take a while to go into effect)
Get-ADServiceAccount ADFSgMSA -Properties PrincipalsAllowedToRetrieveManagedPassword
SteamerJ
  • As an addendum, don't add your WAP nodes to this list as they have no need to access the gMSA credentials. – SteamerJ Dec 10 '18 at 17:02
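As an added audit check (not code from the answer or comment above), the following PowerShell compares the gMSA's PrincipalsAllowedToRetrieveManagedPassword against an expected farm layout, flagging ADFS nodes that are missing from it and WAP nodes that should not be in it; the gMSA name and host names are assumed placeholders.

```powershell
# Added example: audit who may retrieve the ADFS gMSA password.
# $gmsaName, $adfsNodes and $wapNodes are assumed placeholders for your farm.
Import-Module ActiveDirectory

$gmsaName  = 'ADFSgMSA'             # assumed gMSA name
$adfsNodes = @('ADFS01', 'ADFS02')  # assumed ADFS farm nodes (must be allowed)
$wapNodes  = @('WAP01')             # assumed WAP nodes (must NOT be allowed)

$gmsa = Get-ADServiceAccount -Identity $gmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword

# Resolve each allowed principal DN to account names so they can be
# compared with host names; groups are expanded to their member computers.
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn -Properties sAMAccountName, objectClass
    switch ($obj.objectClass) {
        'computer' { $obj.sAMAccountName.TrimEnd('$') }
        'group'    {
            Get-ADGroupMember -Identity $dn -Recursive |
                Where-Object objectClass -eq 'computer' |
                ForEach-Object { $_.SamAccountName.TrimEnd('$') }
        }
        default    { $obj.sAMAccountName }
    }
}

# ADFS nodes that cannot fetch the password: the diagnostics error in the question
$missing = $adfsNodes | Where-Object { $allowed -notcontains $_ }
# WAP nodes that can fetch it: over-privileged, per the addendum comment
$overPrivileged = $wapNodes | Where-Object { $allowed -contains $_ }

[pscustomobject]@{
    gMSA        = $gmsaName
    Allowed     = ($allowed | Sort-Object -Unique) -join ', '
    MissingADFS = $missing -join ', '
    WapListed   = $overPrivileged -join ', '
}

# On each ADFS node, confirm the host itself can retrieve the password
# (run locally on that node; returns True on success):
# Test-ADServiceAccount -Identity $gmsaName
```

A non-empty MissingADFS column is the condition the accepted answer describes; a non-empty WapListed column means the WAP holds credentials it does not need.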