
Here's the setup -- 3 servers on Microsoft Azure:

  • Domain Controller (Server 2016)
  • ADFS (using gMSA account) (Server 2016, latest ADFS)
  • ADFS Proxy (Server 2016, latest ADFS Proxy)

I'm able to connect the ADFS proxy to the ADFS server with no problem; however, I have an intermittent error (it seems to fail every other sync request) between the ADFS Proxy and the ADFS server.

Every few minutes, as the ADFS Proxy works to sync its proxy config data, I get two entries in Applications & Services Logs -- AD FS --> Admin:

The failure to sync event:

The federation server proxy configuration could not be updated with the latest configuration on the federation service. 

Additional Data 
Error:  
Retrieval of proxy configuration data from the Federation Server using trust certificate with thumbprint '8D4D65367FC31B61230951832C81E2B0891E3B9F' failed with status code 'InternalServerError'. 

The successful sync event:

The federation server proxy successfully retrieved and updated its configuration from the Federation Service 'adfs.testdomain.com'.

I've run the PowerShell script from this troubleshooting guide and no errors have been detected. None of the other issues mentioned there are applicable either. https://blogs.technet.microsoft.com/applicationproxyblog/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy/

I've initialized and checked device registration as well and that seems to be functional on the ADFS server.

Here's what I can and can't do:

  • On the ADFS server, I can load and log in to the Web SSO page.
  • On the ADFS Proxy, I cannot log in to the Web SSO page (https://adfs.testdomain/adfs/ls/idpinitiatedsignon.htm).
  • From roaming PCs, I cannot connect to the ADFS Proxy's Web SSO page, but I can resolve the DNS with no problem. Chrome etc. show a "the page took too long to respond" error.
  • From roaming PCs, I cannot join them to the domain via the ADFS Proxy.

Any ideas? Thank you!

Additional Details: I've reinstalled everything. On the ADFS server I get this error when navigating to the SSO login page: [screenshot not included]

Also getting this error message from the ADFS server: [screenshot not included]

From client PCs trying to load the SSO page I get this error when navigating to the SSO login page: [screenshot not included]

Edit: Here's another update with more info (ADFS properties). Still having issues with proxy trust (same success/failure events as above) and still unable to join devices to the domain (likely related).

[screenshot of the ADFS properties not included]

cvocvo

1 Answer


Can you check the below:

  1. From the proxy server, when you try to ping your federation service FQDN, e.g. fs.contoso.com, are you getting the IP of the AD FS server in the response?

  2. Are any firewall settings blocking traffic between the Proxy and AD FS? Ensure that HTTPS 443 and HTTP 80 are enabled between AD FS and WAP.

  3. On the AD FS server, run netsh http show sslcert and ensure that the CtlStoreName is populated as ADFSTrustedDevice (ref https://blogs.technet.microsoft.com/applicationproxyblog/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy/)
Anand_MSFT
  • 1. Yes; ping and DNS are setup properly and work. 2. Yep, I allowed those-- no change in behavior. 3. The CtlStoreName is populated properly on everything except "certmgr.adfs.testdomain.com" – cvocvo Apr 27 '17 at 17:37
  • On the URL you posted (https://blogs.technet.microsoft.com/applicationproxyblog/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy/) Is it possible Issue #6 could be an issue because I'm running these servers on Azure? (All of my servers are Server 2016 with ADFS 4.0 on Azure) – cvocvo Apr 27 '17 at 20:13
  • I manually removed and recreated the "certmgr.adfs.testdomain.com" SSL binding so that "CtlStoreName" is set to "AdfsTrustedDevice" and that did not resolve the issues. – cvocvo Apr 27 '17 at 20:31
  • The latest error snapshots seem to be because you have EnableIdpInitiatedSignon set as false. Check Get-AdfsProperties to confirm it is set as true. – Anand_MSFT Apr 27 '17 at 21:20
  • Ahh yep that was correct; I re-enabled that (turned off as I've uninstalled/reinstalled the features several times trying to fix this). I made another edit above to show the rest of my settings (still having proxy trust issues) and am still unable to join devices (likely because of the proxy trust issues). – cvocvo Apr 27 '17 at 22:01
  • Is the SSL certificate used for your federation service self signed or third party? Do AD FS and Proxy have the issuing authority for the cert in their trusted root cert folder? Also, does the IdpInitiatedSignOn work fine from the WAP machine? – Anand_MSFT Apr 27 '17 at 22:45
  • SSL cert is 3rd party; private keys are also installed. Yes, intermediate and root CAs for the issuing authority are installed on the DC, ADFS, and the Proxy. IdpInitiatedSignOn works from the WAP machine, but I still get the ADFS trust issues on the WAP/Proxy machine. I was also able to use IdpInitiatedSignOn from a WAN-connected test machine after several refreshes (encountered 500 errors and more ADFS errors in Event Viewer on the WAP/Proxy machine). – cvocvo Apr 28 '17 at 02:35
  • I'm pretty sure this intermittent issue is due to the VM type being load balancing capable. I think something's going on (like issue #6) on this link (https://blogs.technet.microsoft.com/applicationproxyblog/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy/). – cvocvo May 05 '17 at 18:45
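The answer's three checks (DNS, ports 443/80, CtlStoreName on every SSL binding) and the EnableIdpInitiatedSignonPage check from the comments, pulled into one script as an added example that is not part of the answer or the comments. Assumptions: the IP 10.0.0.4 is a placeholder for the AD FS server; the DNS/port section is meant to run on the WAP, the binding and ADFS property checks on the AD FS server (they are skipped where the ADFS module is absent).

```powershell
# Added example, not from the question or answer. -FederationFqdn comes from the question;
# -ExpectedAdfsIp is a placeholder you replace with the AD FS server's address.
param(
    [string]$FederationFqdn = 'adfs.testdomain.com',
    [string]$ExpectedAdfsIp = '10.0.0.4'   # assumed placeholder
)

# 1) Does the federation FQDN resolve to the AD FS server (not to the proxy or a load balancer VIP)?
$resolved = (Resolve-DnsName -Name $FederationFqdn -Type A -ErrorAction Stop).IPAddress
if ($resolved -contains $ExpectedAdfsIp) { Write-Host "[OK] $FederationFqdn -> $resolved" }
else { Write-Warning "$FederationFqdn resolves to $resolved, expected $ExpectedAdfsIp" }

# 2) Are TCP 443 and 80 reachable from this host (the WAP) to AD FS?
foreach ($port in 443, 80) {
    $tcp = Test-NetConnection -ComputerName $FederationFqdn -Port $port -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) { Write-Host "[OK] TCP $port open to $FederationFqdn" }
    else { Write-Warning "TCP $port blocked to $FederationFqdn (check NSG/firewall rules)" }
}

# 3) On the AD FS server only: every HTTP.SYS SSL binding must carry Ctl Store Name = AdfsTrustedDevice,
#    otherwise the proxy's trust certificate is not accepted and the proxy logs InternalServerError.
if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    # netsh prints one block per binding, separated by blank lines; split and inspect each block
    $blocks = (netsh http show sslcert) -join "`n" -split "`n\s*`n"
    foreach ($block in $blocks) {
        if ($block -match '(?m)^\s*(?:Hostname:port|IP:port)\s*:\s*(\S+)') {
            $endpoint = $Matches[1]
            $ctl = if ($block -match '(?m)^\s*Ctl Store Name\s*:\s*(\S+)') { $Matches[1] } else { '(none)' }
            if ($ctl -ieq 'AdfsTrustedDevice') { Write-Host "[OK] $endpoint CtlStoreName=$ctl" }
            else { Write-Warning "$endpoint has CtlStoreName=$ctl; recreate the binding (Set-AdfsSslCertificate)" }
        }
    }

    # From the comments: the sign-on page screenshots came from this property being $false.
    if ((Get-AdfsProperties).EnableIdpInitiatedSignonPage) { Write-Host "[OK] IdP-initiated sign-on page enabled" }
    else { Write-Warning "EnableIdpInitiatedSignonPage is false (Set-AdfsProperties -EnableIdpInitiatedSignonPage `$true)" }
}
```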