Solved

ADFS web page can't be displayed?!

Posted on 2015-02-09
15
1,671 Views
Last Modified: 2015-03-24
In preparation for Office 365 Single Sign On (SSO), the Active Directory Federation Services (ADFS) role was added a few days ago on Windows Server 2012 R2. All the required ADFS configuration went without any hiccups. As a test, I could access the ADFS portal web page internally and externally (through Web Application Proxy) at the following link:

https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm

Just before I was going to change our Office 365 managed domain to federated, so we could start using SSO for our Office 365 clients, I noticed that the ADFS portal web page doesn't work anymore?! The Event Viewer ADFS log is complaining (not sure if it's relevant to my problem) about the SSL certificate not containing UPN suffix values:

“The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices. For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.”

In the Microsoft link above they are talking about “Configuring Device Registration”… Well, we are not planning to set up and use Workplace Join client devices at this stage. Perhaps we could ignore this error for the moment?!

Strangely enough, I can get to the ADFS portal page internally through this link (with an SSL error warning):

https://localhost/adfs/ls/IdpInitiatedSignon.aspx

As I mentioned before, the ADFS portal was working without any problems for the past few days and now something has changed. The server was restarted a few times but I didn't do any re-configuration of the ADFS services on it. And restarting the ADFS server again... doesn't fix the problem ;-(

Please help me sort out this problem. I’m hoping this can be fixed easily enough so we can continue with our project. Well, since we’re not using a federated domain in Office 365, I could potentially re-install the ADFS services again if needed...

Thanks in advance.
Question by:Olevo

15 Comments
 
LVL 1

Author Comment

by:Olevo
Internally I can get to https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm as soon as I add adfs.mycompany.com to the "do not use proxy server" exception list in Internet Explorer.

However, I'm still getting "page can't be displayed" externally...

As per the Microsoft ADFS deployment recommendations, I have put Web Application Proxy (Windows 2012 R2) in front of the ADFS server. WAP is NOT a domain-joined server! Once again, everything was working perfectly until today.

Digging more through the ADFS event logs on the Web Application Proxy (WAP) and ADFS server, I have found lots of event 422, AD FS, on the WAP server:
"Unable to retrieve proxy configuration data from the Federation Service."
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
Seems like a binding issue, as described here: http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx

In addition, you seem to also have some firewall/proxy issues, so make sure that you are not blocking anything.

You can ignore the certificate warning.
 
LVL 30

Expert Comment

by:Gareth Gudger
Seems to be that WAP can't reach ADFS. Could be firewall or network related. Are all the necessary ports still open between WAP and ADFS? Can you ping the ADFS servers from the WAP servers? Is the certificate on WAP for ADFS good?
 
LVL 1

Author Comment

by:Olevo
Digging more through the ADFS event logs on the Web Application Proxy (WAP) and ADFS server, I have found lots of event 422, AD FS, on the WAP server: "Unable to retrieve proxy configuration data from the Federation Service."

After searching around on the internet I couldn't find how to fix this problem. So I decided to remove the Web Application Proxy role from the Windows 2012 R2 server and put it back again so I could run the Web Application Proxy Configuration Wizard.

Running the WAP configuration wizard gives me a message that the AD FS proxy could not be configured because the time out has expired and the operation has not been completed!

The event logs on the WAP server have tons of events 394 (The federation server proxy could not renew its trust with the Federation Service) and events 422 (Unable to retrieve proxy configuration data from the Federation Service).

Looks like I need to “tell” the ADFS server to trust the WAP server somehow?! The user action for event 394 is telling me: "If trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard".

I'm trying to re-run this wizard on the WAP server but I have the same problem: “AD FS proxy could not be configured: Time out has expired and the operation has not been completed”

What else should I try? Please help, because we need this SSO for Office 365 to be done like two weeks ago.
 
LVL 1

Author Comment

by:Olevo
Since I'm having trouble with my WAP server, I decided to create a new WAP server (Windows 2012 R2, not domain-joined). After installing the SSL certificate (the same as on the ADFS server) and enabling the Web Application Proxy role on this Win 2012 R2 server, I ran the Web Application Proxy Configuration Wizard... And exactly the same problem! The wizard couldn't complete its configuration due to a time out:
AD FS proxy could not be configured because time out has expired and the operation has not been completed!

In the event logs for the WAP server I can see these events:

1. Information (Event 391, AD FS): The federation server proxy was able to successfully establish a trust with the Federation Service.
2. Information (Event 245, AD FS): The federation server proxy successfully retrieved its configuration from the Federation Service 'adfs.mycompany.com'
3. Error (422, AD FS): Unable to retrieve proxy configuration data from the Federation Service. Additional data: Trust Certificate Thumbprint: CA31.....03AF <--- I noticed that this cert was automatically created with a name something like 'ADFS Proxy Trust - Server24' in the Personal certificate store on the WAP server. However, this cert has a red cross on it because the CA root for this certificate is not in the Trusted Root Certification Authorities store.
4. Error (394, AD FS): The federation server proxy could not renew its trust with the Federation Service. Additional data: The operation has timed out

I went through a few dozen "happy" ADFS 3.0 and WAP installation on Windows 2012 R2 blogs but I can't find anywhere how to fix this "AD FS proxy could not be configured because time out has expired and the operation has not been completed"

I am even thinking of trying to remove the ADFS server completely from our domain and re-installing it again...
 
LVL 30

Expert Comment

by:Gareth Gudger
3. Error (422, AD FS): Unable to retrieve proxy configuration data from the Federation Service. Additional data: Trust Certificate Thumbprint: CA31.....03AF <--- I noticed that this cert was automatically created with a name something like 'ADFS Proxy Trust - Server24' in the Personal certificate store on the WAP server. However, this cert has a red cross on it because the CA root for this certificate is not in the Trusted Root Certification Authorities store.

This seems to be the root cause. So it has to be certificate related. If it can't follow the trust path then it will fail. Was this a self-signed certificate, a domain root CA or a third-party CA? My apologies if you've mentioned that elsewhere.
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
Ahem, look at the article I linked above :)
 
LVL 1

Author Comment

by:Olevo
Thanks Vasil for the link.
Really good article, however I can't find a solution to fix my problem there.

After endlessly trying to run the configuration wizard again and again, it finally completed successfully on my new (second) WAP server. The WAP server still has lots of error messages regarding “Unable to retrieve proxy configuration data…” So how do you test that WAP works correctly? As I have mentioned a few times already, I can access the ADFS sign-in page internally
https://adfs.mycompany.com/adfs/ls/idpinitiatedsignon.htm
… but cannot get to it EXTERNALLY through the WAP server.
To me it looks like something else needs to be set up and configured on the WAP or ADFS server.
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
Check the IE proxy configuration on the AD FS server. A very similar issue was reported on the Yammer network and changing the proxy config in IE seems to have fixed it.
 
LVL 1

Author Comment

by:Olevo
To Vasil:
Are you talking about Internet Explorer (IE) proxy settings on the ADFS server? If yes, I don't understand how IE on the ADFS server is relevant to my problem?!

After digging more and more, I found that after you set up and configure the WAP role on your server you should run the 'Publish New Application Wizard' too. I am not entirely sure if you need to run this wizard or not? Anyway, after manually creating a published app with the 'pass-through' option (within the WAP server) I can, at least, get to the page "Service Unavailable" HTTP Error 503. And I think this page is generated by the WAP server and not the ADFS server.
Squan_JRP at the following link is suggesting to revoke all proxies...
http://community.office365.com/en-us/f/613/p/224704/878429.aspx#878429
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
It should not be relevant, AFAIK it uses WinHTTP settings. But as I said, a very similar issue has been reported and the solution was IE proxy settings. Doesn't hurt to try.
 
LVL 1

Accepted Solution

by: Olevo earned 0 total points
Ended up calling Microsoft to fix it. Our problem was that WAP was unable to retrieve proxy configuration data from the Federation Service. The reason for that was that one of the WAP system services was trying to retrieve data from the local Federation Service (ADFS) through the proxy server! Even though IE was set up not to use the proxy, one of the WAP services was “stuck” using the proxy anyway?! Basically, instead of retrieving data from ADFS sitting on the same network, WAP was trying to go and find it through the proxy… Case closed
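The accepted answer boils down to the WAP service honouring the machine-wide WinHTTP proxy rather than the per-user Internet Explorer settings. The following script is an added example for checking and fixing that on the WAP server; it is not from the thread or from Microsoft. It assumes the federation service name adfs.mycompany.com from the thread, and PROXY_PLACEHOLDER:8080 stands in for whatever outbound proxy the organisation uses.

```powershell
# Added diagnostic/remediation script for a 2012 R2 WAP server (example, not from the thread).
# Run in an elevated PowerShell session on the WAP server.
# Assumptions: federation service = adfs.mycompany.com (from the thread);
#              PROXY_PLACEHOLDER:8080 = the organisation's outbound proxy.

$fsName = 'adfs.mycompany.com'

# 1. The WAP trust-renewal service uses the machine-wide WinHTTP proxy, not the
#    Internet Explorer settings of the logged-on user, so inspect that first.
Write-Host "WinHTTP proxy settings (what the WAP service actually uses):"
netsh winhttp show proxy

# 2. Can WAP reach the federation service directly on TCP 443, without a proxy?
$tcp = Test-NetConnection -ComputerName $fsName -Port 443
Write-Host ("Direct TCP 443 to {0}: {1}" -f $fsName, $tcp.TcpTestSucceeded)

# 3. Show the proxy-trust certificate(s) the configuration wizard created and
#    whether this machine can build a valid chain for each one.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*ADFS*Proxy*Trust*' } |
    ForEach-Object {
        Write-Host ("{0}  thumbprint={1}  expires={2}  chainOK={3}" -f `
            $_.Subject, $_.Thumbprint, $_.NotAfter, $_.Verify())
    }

# 4. Recent trust/configuration failures from the AD FS admin log
#    (394 = trust renewal failed, 422 = proxy configuration retrieval failed).
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 394, 422 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 5. Remediation matching the accepted answer: keep the outbound proxy for
#    Internet traffic but exempt the federation service so WAP talks to it
#    directly. If the server needs no proxy at all, use: netsh winhttp reset proxy
$bypass = "$fsName;<local>"
netsh winhttp set proxy proxy-server="PROXY_PLACEHOLDER:8080" bypass-list="$bypass"

# 6. Restart the Web Application Proxy services so the trust renewal runs again,
#    then re-check the AD FS admin log for fresh 394/422 events.
Get-Service -DisplayName 'Web Application Proxy*' | Restart-Service
```

After the restart, the idpinitiatedsignon.htm page served through WAP is the quickest end-to-end check; step 4 run again should show no new 394/422 events.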
 
LVL 1

Author Comment

by:Olevo
Thanks
 
LVL 1

Author Closing Comment

by:Olevo
Unfortunately none of the experts’ solutions were relevant to fixing my problem. Ended up calling Microsoft to fix the problem.