0

In the case of two ADFS servers using wid (adfs1 and adfs2) load balanced and two ADFS Proxy servers (proxy1 and proxy2) also load balanced. An error message was logged on proxy1 that "the federation proxy server could not renew its trust with the Federation Service" (event id 394).

The fix seems to be to make sure proxy1 is talking to the primary ADFS server adfs1 (instead of the VIP which load balanced adfs1 and adfs2 as adfs.domain.com) and to re-register it. I did this by setting the FQDN adfs.domain.com to point to adfs1 in the hosts file on proxy1. I expect it will keep wanting to renew the trust so I should leave it that way. This would seem to break the full mesh redundancy of having 2x2 since proxy1 will only talk to adfs1. Is there a better way to deal with this issue in this configuration?

I understand moving to SQL server may be an option but is another single point of failure I would like to avoid since this is not a huge deployment. Any other ideas?

Thank you for your help!

Mike

Related:

https://social.msdn.microsoft.com/Forums/en-US/f25e9170-b0ad-4894-8622-c2a0493df5eb/adfs-30-wap-connection-to-primary-adfs-servers-maintaining-the-wap-trust?forum=ADFS

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_dirservices/adfs-30-proxy-loses-trust-with-internal-adfs/55aaf56f-f093-4620-ae87-9ad777c3a71d

miked
  • 3
  • 2

1 Answers1

0

You dont need to point a WAP at a specific AD FS (such as the primary you are doing now). You should use the load balanced address to get WAP reach one of the two AD FS.

The difference is when establishing a trust with a WID based (no SQL in use) AD FS, the trust setup will either complete near instantly or within 6 mins based on whether the load balancer picked the primary or not. This is by design as any setup done via the secondary is redirected to the primary and then has to synchronize back to the secondary which happens every 5 mins by default.

Keep your deployment as simple as possible and dont make it more complex than it needs to be. https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server explains the WID limits which should influence whether you need SQL.

You should troubleshoot WAP trust issues using guide at https://adfshelp.microsoft.com/TroubleshootingGuides/Workflow/da33a6cd-166b-4fca-863a-73aec904c3fd . If still stuck contact Microsoft support.

maweeras
  • 783
  • 4
  • 12
  • Thank you. Those troubleshooting guides are helpful. I suspect the issue was having an internally generated cert on the adfs servers and a public cert on the wap servers. I switched it to having the public cert on all servers. – miked Jan 21 '21 at 18:02