Solved

ADFS web page can't be displayed?!

Posted on 2015-02-09
Last Modified: 2015-03-24
In preparation for Office 365 Single Sign-On (SSO), the Active Directory Federation Services (ADFS) role was added a few days ago on Windows Server 2012 R2. All required ADFS configuration went without any hiccups. As a test, I could access the ADFS portal web page internally and externally (through Web Application Proxy) at the following link:

https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm

Just before I was going to change our Office 365 managed domain to federated so we could start using SSO for our Office 365 clients, I noticed that the ADFS portal web page doesn't work anymore?! Event Viewer for the ADFS logs is complaining (not sure if it's relevant to my problem) about the SSL certificate not containing UPN suffix values:

“The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices. For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.”

In the Microsoft link above they are talking about “Configuring Device Registration”… Well, we are not planning to set up and use Workplace Join client devices at this stage. Perhaps we could ignore this error for a moment?!

Strangely enough, I can get to the ADFS portal page internally through this link (with an SSL error warning):

https://localhost/adfs/ls/IdpInitiatedSignon.aspx

As I mentioned before, the ADFS portal was working without any problems for the past few days and now something has changed. The server was restarted a few times but I didn't do any reconfiguration of the ADFS services on it. And restarting the ADFS server again... doesn't fix the problem ;-(

Please help me sort out this problem. I’m hoping this can be fixed easily enough so we can continue with our project. Well, since we’re not using a federated domain in Office 365, I could potentially reinstall the ADFS services again if needed...

Thanks in advance.
Question by:Olevo
15 Comments
 
LVL 1

Author Comment

by:Olevo
ID: 40600013
Internally I can get to https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm as soon as I add adfs.mycompany.com to the exception list so that Internet Explorer does not use the proxy server for it.

However, I am still getting "page can't be displayed" externally...

As per Microsoft's ADFS deployment recommendations, I have put Web Application Proxy (Windows 2012 R2) in front of the ADFS server. WAP is NOT a domain-joined server! Once again, everything was working perfectly until today.

Digging more through the ADFS event logs on the Web Application Proxy (WAP) and ADFS server, I have found lots of event 422, AD FS, on the WAP server:
"Unable to retrieve proxy configuration data from the Federation Service."
 
LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 40600181
Seems like a binding issue, as described here: http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx

In addition, you seem to also have some firewall/proxy issues, so make sure that you are not blocking anything.

You can ignore the certificate warning.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40601573
Seems to be that WAP can't reach ADFS. Could be firewall or network related. Are all the necessary ports still open between WAP and ADFS? Can you ping the ADFS servers from the WAP servers? Is the certificate on WAP for ADFS good?
 
LVL 1

Author Comment

by:Olevo
ID: 40602223
Digging more through the ADFS event logs on the Web Application Proxy (WAP) and ADFS server, I have found lots of event 422, AD FS, on the WAP server: "Unable to retrieve proxy configuration data from the Federation Service."

After searching around on the internet I couldn't find how to fix this problem. So I decided to remove the Web Application Proxy role from the Windows 2012 R2 server and put it back again so I could run the Web Application Proxy Configuration Wizard.

Running the WAP configuration wizard gives me a message that the AD FS proxy could not be configured because the time-out has expired and the operation has not been completed!

The event logs on the WAP server have tons of events 394 (The federation server proxy could not renew its trust with the Federation Service) and events 422 (Unable to retrieve proxy configuration data from the Federation Service).

Looks like I need to “tell” the ADFS server to trust the WAP server somehow?! The user action for event 394 tells me: "If trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard".

I'm trying to re-run this wizard on the WAP server but I have the same problem: “AD FS proxy could not be configured: Time out has expired and the operation has not been completed”

What else should I try? Please help because we need this SSO for Office 365 to be done like two weeks ago.
 
LVL 1

Author Comment

by:Olevo
ID: 40602439
Since I'm having trouble with my WAP server, I decided to create a new WAP server (Windows 2012 R2, not domain-joined). After installing the SSL certificate (the same as on the ADFS server) and enabling the Web Application Proxy role on this Windows 2012 R2 server, I ran the Web Application Proxy Configuration Wizard... And exactly the same problem! The wizard couldn't complete its configuration due to a time-out:
AD FS proxy could not be configured because time out has expired and the operation has not been completed!

In the event logs on the WAP server I can see these events:

1. Information (Event 391, AD FS): The federation server proxy was able to successfully establish a trust with the Federation Service.
2. Information (Event 245, AD FS): The federation server proxy successfully retrieved its configuration from the Federation Service 'adfs.mycompany.com'
3. Error (422, AD FS): Unable to retrieve proxy configuration data from the Federation Service. Additional data: Trust Certificate Thumbprint: CA31.....03AF <--- I noticed that this cert was automatically created with a name something like 'ADFS Proxy Trust - Server24' in the Personal certificate store on the WAP server. However, this cert has a red cross on it because the root CA for this certificate is not in the Trusted Root Certification Authorities store.
4. Error (394, AD FS): The federation server proxy could not renew its trust with the Federation Service. Additional data: The operation has timed out

I went through a few dozen "happy" ADFS 3.0 and WAP installation on Windows 2012 R2 blog posts but I can't find anywhere how to fix this "AD FS proxy could not be configured because time out has expired and the operation has not been completed"

I am even thinking of removing the ADFS server completely from our domain and reinstalling it again...
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40604840
3. Error (422, AD FS): Unable to retrieve proxy configuration data from the Federation Service. Additional data: Trust Certificate Thumbprint: CA31.....03AF <--- I noticed that this cert was automatically created with a name something like 'ADFS Proxy Trust - Server24' in the Personal certificate store on the WAP server. However, this cert has a red cross on it because the root CA for this certificate is not in the Trusted Root Certification Authorities store.

This seems to be the root cause. So it has to be certificate related. If it can't follow the trust path then it will fail. Was this a self-signed certificate, a domain root CA or a third-party CA? My apologies if you've mentioned that elsewhere.
 
LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 40605031
Ahem, look at the article I linked above :)
 
LVL 1

Author Comment

by:Olevo
ID: 40618627
Thanks Vasil for the link.
Really good article, however I can't find a solution to fix my problem there.

After endlessly trying to run the configuration wizard again and again, it finally completed successfully on my new (second) WAP server. The WAP server still has lots of error messages regarding “Unable to retrieve proxy configuration data…” So how do you test that WAP works correctly? As I have mentioned a few times already, I can access the ADFS sign-in page internally
https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm
… but cannot get to it EXTERNALLY through the WAP server.
To me it looks like something else needs to be set up and configured on the WAP or ADFS server.
 
LVL 1

Author Comment

by:Olevo
ID: 40618650
 
LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 40619107
Check the IE proxy configuration on the AD FS server. A very similar issue was reported on the Yammer network and changing the proxy config in IE seems to have fixed it.
 
LVL 1

Author Comment

by:Olevo
ID: 40620508
To Vasil:
Are you talking about the Internet Explorer (IE) proxy settings on the ADFS server? If yes, I don't understand how IE on the ADFS server is relevant to my problem?!

After digging more and more I found that after you set up and configure the WAP role on your server you should run the 'Publish New Application Wizard' too. I am not entirely sure if you need to run this wizard or not. Anyway, after manually creating a published app with the 'pass-through' option (within the WAP server) I can, at least, get to the "Service Unavailable" HTTP Error 503 page. And I think this page is generated by the WAP server and not the ADFS server.
Squan_JRP at the following link is suggesting to revoke all proxies...
http://community.office365.com/en-us/f/613/p/224704/878429.aspx#878429
 
LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 40620563
It should not be relevant; AFAIK it uses the WinHTTP settings. But as I said, a very similar issue has been reported and the solution was the IE proxy settings. Doesn't hurt to try.
 
LVL 1

Accepted Solution

by: Olevo (earned 0 total points)
ID: 40677261
Ended up calling Microsoft to fix it. Our problem was that WAP was unable to retrieve proxy configuration data from the Federation Service. The reason for that was that one of the WAP system services was trying to retrieve data from the local Federation Service (ADFS) through the proxy server! Even though IE was set up not to use the proxy, one of the WAP services was “stuck” using the proxy anyway?! Basically, instead of retrieving data from the ADFS sitting on the same network, WAP was trying to go and find it through the proxy… Case closed
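The cause in the accepted answer is the machine-wide WinHTTP proxy, which WAP's services use and which Internet Explorer's per-user settings do not control. As an added diagnostic that is not from the thread or from Microsoft, this PowerShell run on the WAP server shows the WinHTTP proxy, reachability of the federation service, the generated trust certificate and the events discussed above; it assumes the name adfs.mycompany.com from the question, TCP 443, the 'AD FS/Admin' log name, the 'ADFS ProxyTrust' subject prefix, and a placeholder proxy host in the commented remediation.

```powershell
# Added diagnostic for the WAP-to-ADFS trust problem in this thread (not the thread's own code).
# Assumes the federation service name from the question; adjust for your environment.
$Fqdn = 'adfs.mycompany.com'

# 1. Machine-wide WinHTTP proxy. Services such as WAP read this, not the per-user IE settings,
#    so a proxy here with no bypass for $Fqdn sends trust renewal out through the proxy
#    instead of to the internal federation server.
Write-Host "WinHTTP proxy configuration:"
netsh winhttp show proxy

# 2. Name resolution and TCP reachability from WAP to the federation service.
$dns = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "$Fqdn does not resolve from this host" }
else { Write-Host "$Fqdn resolves to $($dns.IPAddress -join ', ')" }

$tcp = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 443 to $Fqdn is not reachable from WAP (firewall or routing)"
}

# 3. The trust certificate the WAP wizard generated (assumed subject prefix 'ADFS ProxyTrust').
#    Event 422 in the thread reports its thumbprint; compare it with what is in the store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ADFS Proxy*Trust*' } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter

# 4. The events the thread discusses (391/245 success, 394/422 failure), most recent first.
#    Assumes the WAP role writes them to the 'AD FS/Admin' log.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 391, 245, 394, 422 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName |
    Format-Table -AutoSize

# Remediation once a stray proxy is confirmed in step 1: keep the proxy for Internet traffic
# but bypass it for the internal federation service (proxy.example.internal is a placeholder),
# or clear it with 'netsh winhttp reset proxy'. Re-run the WAP configuration wizard afterwards.
# netsh winhttp set proxy proxy-server="proxy.example.internal:8080" bypass-list="<local>;adfs.mycompany.com"
```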
 
LVL 1

Author Comment

by:Olevo
ID: 40677264
Thanks
 
LVL 1

Author Closing Comment

by:Olevo
ID: 40684217
Unfortunately none of the experts’ solutions were relevant to fixing my problem. Ended up calling Microsoft to fix the problem.
