ADFS web page can't be displayed?!

In preparation for Office 365 Single Sign-On (SSO), the Active Directory Federation Services (ADFS) role was added a few days ago on Windows Server 2012 R2. All required ADFS configuration went without any hiccups. As a test, I could access the ADFS portal web page internally and externally (through Web Application Proxy) on the following link:

https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm

Just before I was going to change our Office 365 managed domain to federated so we could start using SSO for our Office 365 clients, I noticed that the ADFS portal web page doesn't work anymore?! Event viewer for ADFS logs is complaining (not sure if it's relevant to my problem) about the SSL certificate not containing UPN suffix values:

“The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices. For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.”

In the Microsoft link above they are talking about “Configuring Device Registration”… Well, we are not planning to set up and use Workplace Join client devices at this stage. Perhaps we could ignore this error for a moment?!

Strangely enough, I can get to the ADFS portal page internally through this link (with an SSL error warning):

https://localhost/adfs/ls/IdpInitiatedSignon.aspx

As I have mentioned before, the ADFS portal was working without any problems for the past few days and now something has changed. The server was restarted a few times but I didn't do any re-configuration of ADFS services on it. And restarting the ADFS server again... doesn't fix the problem ;-(

Please help me sort out this problem. I'm hoping this can be fixed easily enough so we can continue with our project. Well, since we're not using a federated domain in Office 365 I could potentially re-install ADFS services again if needed...

Thanks in advance.
Asked by Olevo

Olevo (Author) Commented:
Ended up calling Microsoft to fix it. Our problem was that WAP was unable to retrieve proxy configuration data from the Federation Service. Reason for that was that one of WAP system services was trying to retrieve data from the local Federation Service ADFS through the proxy server! Even though IE was set up not to use proxy, one of the WAP services was “stuck” with using proxy anyway?! Basically, instead of retrieving data from ADFS sitting on the same network, WAP was trying to go and find it through the proxy… Case closed
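
The resolution above comes down to a machine-level proxy setting on the WAP server, not the per-user Internet Explorer one. The following PowerShell is an added example (not from the thread or from Microsoft) for checking that on the WAP server: it shows the WinHTTP proxy that system services consult, confirms direct reachability of the federation service, and fetches the federation metadata both through the configured proxy and with the proxy disabled so the two paths can be compared. adfs.mycompany.com is the federation service name used in the thread; proxy.mycompany.com:8080 is a placeholder for your own forward proxy.

```powershell
# Added example, not part of the thread: run on the Web Application Proxy server.
# adfs.mycompany.com is the federation service name from the thread;
# proxy.mycompany.com:8080 is a placeholder for your own forward proxy.
$FederationHost = 'adfs.mycompany.com'
$MetadataUrl    = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. Machine-wide WinHTTP proxy. System services consult this setting, not the
#    per-user Internet Explorer one, so an IE exception alone does not help WAP.
netsh winhttp show proxy

# 2. Name resolution and direct TCP reachability on 443 from WAP to AD FS.
#    The name should resolve to the internal AD FS server from this box.
Resolve-DnsName -Name $FederationHost -Type A | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $FederationHost -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 3. Fetch the federation metadata twice: once with .NET's default proxy (the
#    current user's Internet Options proxy) and once with the proxy explicitly
#    disabled. If only the direct request succeeds, a proxy is sitting in the
#    path and the federation host belongs on the bypass list.
function Get-MetadataStatus {
    param([string]$Url, [bool]$UseProxy)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout = 15000
    if (-not $UseProxy) { $req.Proxy = $null }   # $null means: connect directly, no proxy
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return $status                           # 200 expected when the endpoint answers
    } catch [System.Net.WebException] {
        return "FAILED: $($_.Exception.Status) $($_.Exception.Message)"
    }
}
"Via default proxy : $(Get-MetadataStatus -Url $MetadataUrl -UseProxy $true)"
"Direct (no proxy) : $(Get-MetadataStatus -Url $MetadataUrl -UseProxy $false)"

# 4. Remediation options (run one as Administrator, then repeat the checks):
#    a) keep the forward proxy for internet traffic but bypass it for AD FS:
#       netsh winhttp set proxy proxy-server="proxy.mycompany.com:8080" bypass-list="<local>;adfs.mycompany.com"
#    b) this server needs no proxy at all:
#       netsh winhttp reset proxy
```

The two metadata fetches in step 3 are the quickest way to tell a proxy problem from a firewall problem: if both fail, look at ports and routing between WAP and AD FS; if only the proxied one fails, the fix is the bypass list in step 4.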

Olevo (Author) Commented:
Internally I can get to https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm as soon as I add adfs.mycompany.com to the exception list (do not use proxy server) in Internet Explorer.

However, still having page "can't be displayed" externally...

As per Microsoft ADFS deployment recommendations I have put Web Application Proxy (Windows 2012 R2) in front of the ADFS server. WAP is NOT a domain-joined server! Once again, everything was working perfectly until today.

Digging more through the ADFS event logs on the Web Application Proxy (WAP) and ADFS server I have found lots of event 422, AD FS, on the WAP server:
"Unable to retrieve proxy configuration data from the Federation Service."

Vasil Michev (MVP) Commented:
Seems like a binding issue, as described here: http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx

In addition, you seem to also have some firewall/proxy issues, so make sure that you are not blocking anything.

You can ignore the certificate warning.

Gareth Gudger Commented:
Seems to be that WAP can't reach ADFS. Could be firewall or network related. Are all the necessary ports still open between WAP and ADFS? Can you ping the ADFS servers from the WAP servers? Is the certificate on WAP for ADFS good?

Olevo (Author) Commented:
Digging more through the ADFS event logs on the Web Application Proxy (WAP) and ADFS server I have found lots of event 422, AD FS, on the WAP server: "Unable to retrieve proxy configuration data from the Federation Service."

After searching around on the internet I couldn't find how to fix this problem. So I decided to remove the Web Application Proxy role from the Windows 2012 R2 server and put it back again so I could run the Web Application Configuration Wizard.

Running the WAP configuration wizard gives me a message that the AD FS proxy could not be configured because the time out has expired and the operation has not been completed!

Event logs on the WAP server have tons of events 394 (The federation server proxy could not renew its trust with the Federation Service) and events 422 (Unable to retrieve proxy configuration data from the Federation Service).

Looks like I need to “tell” the ADFS server to trust the WAP server somehow?! The user action for event 394 is telling me: "If trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard".

I'm trying to re-run this wizard on the WAP server but I have the same problem: “AD FS proxy could not be configured: Time out has expired and the operation has not been completed”

What else should I try? Please help because we need this SSO for Office 365 to be done like two weeks ago.

Olevo (Author) Commented:
Since I'm having trouble with my WAP server I have decided to create a new WAP server (Windows 2012 R2, not domain-joined). After installing the SSL certificate (the same as on the ADFS server), and after enabling the Web Application Proxy role on this Win 2012 R2 server, I am running the Web Application Configuration Wizard... And exactly the same problem! The wizard couldn't complete its configuration due to a time out:
AD FS proxy could not be configured because time out has expired and the operation has not been completed!

In the event logs for the WAP server I can see these events:

1. Information (Event 391, AD FS): The federation server proxy was able to successfully establish a trust with the Federation Service.
2. Information (Event 245, AD FS): The federation server proxy successfully retrieved its configuration from the Federation Service 'adfs.mycompany.com'
3. Error (422, AD FS): Unable to retrieve proxy configuration data from the Federation Service. Additional data: Trust Certificate Thumbprint: CA31.....03AF <--- I have noticed that this cert was automatically created with name something like 'ADFS Proxy Trust - Server24' on Personal Certificate store on WAP server. However this cert has a red cross on it because CA Root for this Certificate is not in the Trusted Root Certification Authorities store.
4. Error (394, AD FS): The federation server proxy could not renew its trust with the Federation Service. Additional data: The operation has timed out

I went through a few dozen "happy" ADFS 3.0 and WAP installation on Windows 2012 R2 blog posts but I can't find anywhere how to fix this "AD FS proxy could not be configured because time out has expired and the operation has not been completed"

I am even thinking of trying to remove the ADFS server completely from our domain and re-install it again...
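
The four events listed above (391, 245, 422, 394) and the 'ADFS ProxyTrust' certificate with the red cross are the things to line up against each other on the WAP server. The PowerShell below is an added example (not from the thread or from Microsoft) that builds a timeline of those events from the AD FS admin log, extracts the trust certificate thumbprint from the latest event 422, and compares it with the proxy trust certificate actually present in the machine store; the subject pattern 'ADFS ProxyTrust' is an assumption based on the name mentioned in the post.

```powershell
# Added example, not part of the thread: triage the WAP-side trust symptoms.
# Event IDs 391, 245, 422 and 394 are the ones quoted in the post; the subject
# pattern 'ADFS ProxyTrust' is an assumption based on the name mentioned there.
$Ids = 391, 245, 422, 394

# 1. Timeline of trust/configuration events in the AD FS admin log on the WAP server.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = $Ids } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 2. Pull the trust certificate thumbprint (40 hex chars, SHA-1) out of the most
#    recent event 422 so it can be compared with the machine store.
$last422 = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 422 } -MaxEvents 1 -ErrorAction SilentlyContinue
$eventThumb = if ($last422 -and $last422.Message -match 'Thumbprint:\s*([0-9A-Fa-f]{40})') { $Matches[1] } else { $null }
"Thumbprint in latest event 422: $eventThumb"

# 3. Proxy trust certificates WAP generated. This certificate is self-signed by
#    design and AD FS recognises it by thumbprint, so a chain that does not reach
#    a trusted root (the red cross in the MMC) is expected for it. What matters is
#    that it exists, is inside its validity period, has a private key, and matches
#    the thumbprint the event complains about.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*ADFS ProxyTrust*' } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey,
        @{ n = 'MatchesEvent422'; e = { [bool]$eventThumb -and ($_.Thumbprint -eq $eventThumb) } }

# 4. The SSL certificate WAP binds to the federation endpoint is different: it must
#    chain to a trusted root and match the federation service name.
Get-WebApplicationProxySslCertificate

# 5. The federation service URL WAP was configured with; it must resolve and be
#    reachable from this server over 443.
Get-WebApplicationProxyConfiguration
```

If step 3 shows a matching, unexpired certificate with a private key while events 422/394 keep appearing, the trust object on the WAP side is fine and the problem is on the path to the federation service (proxy, firewall or DNS), which is where the thread's final answer ended up.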

Gareth Gudger Commented:
3. Error (422, AD FS): Unable to retrieve proxy configuration data from the Federation Service. Additional data: Trust Certificate Thumbprint: CA31.....03AF <--- I have noticed that this cert was automatically created with name something like 'ADFS Proxy Trust - Server24' on Personal Certificate store on WAP server. However this cert has a red cross on it because CA Root for this Certificate is not in the Trusted Root Certification Authorities store.

This seems to be the root cause. So it has to be certificate related. If it can't follow the trust path then it will fail. Was this a self signed certificate, a domain root CA or a third party CA? My apologies if you've mentioned that elsewhere.

Vasil Michev (MVP) Commented:
Ahem, look at the article I linked above :)

Olevo (Author) Commented:
Thanks Vasil for the link.
Really good article, however I can't find a solution to my problem there.

After endlessly trying to run the configuration wizard again and again, it finally completed successfully on my new (second) WAP server. The WAP server still has lots of error messages regarding “Unable to retrieve proxy configuration data…” So how do you test that WAP works correctly? As I have mentioned a few times already, I can access the ADFS sign-in page internally
https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm
… but cannot get to it EXTERNALLY through the WAP server.
To me it looks like something else needs to be set up and configured on the WAP or ADFS server.

Vasil Michev (MVP) Commented:
Check the IE proxy configuration on the AD FS server. A very similar issue was reported on the Yammer network and changing the proxy config in IE seems to have fixed it.

Olevo (Author) Commented:
To Vasil:
Are you talking about Internet Explorer (IE) proxy settings on the ADFS server? If yes, I don't understand how IE on the ADFS server is relevant to my problem?!

After digging more and more I have found that after you set up and configure the WAP role on your server you should run the 'Publish New Application Wizard' too. I am not entirely sure if you need to run this wizard or not. Anyway, after manually creating a published app with the 'pass-through' option (within the WAP server) I can, at least, get to the page "Service Unavailable" HTTP Error 503. And I think this page is generated by the WAP server and not the ADFS server.
Squan_JRP in the following link is suggesting to revoke all proxies...
http://community.office365.com/en-us/f/613/p/224704/878429.aspx#878429

Vasil Michev (MVP) Commented:
It should not be relevant; afaik it uses WinHTTP settings. But as I said, a very similar issue has been reported and the solution was IE proxy settings. Doesn't hurt to try.

Olevo (Author) Commented:
Thanks

Olevo (Author) Commented:
Unfortunately none of the experts' solutions were relevant to fixing my problem. Ended up calling Microsoft to fix the problem.