Web application proxy not connecting to ADFS box


So I've got a WAP up and running but when I try and configure it I get the following error.

"An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

I've installed the same cert that is on the ADFS box, it's a cert from GoDaddy if that makes a difference. Not sure where to go from here, anyone have any ideas?

gman (Infrastructure Engineer) Asked:
Dan McFadden (Systems Engineer) Commented:
I would check the following:

1. Can you ping back and forth between both servers? Proxy -> ADFS Server, ADFS Server -> Proxy.
2. try testing with the Windows firewall disabled.
3. verify all components of the Cert are being trusted.

gman (Infrastructure Engineer, Author) Commented:
First two points check out fine.

I'm not 100% on the certs, it talks about creating a template on the CA, however why is this necessary? Both of the servers are using the same GoDaddy cert, isn't that what's required or is it something else?

Dan McFadden (Systems Engineer) Commented:
There may be intermediate certificates that need to be trusted. Just because an SSL cert is in place doesn't mean that a server can use it without issue. If any part of the upstream cert path is not trusted, it can break the trust chain.

Often, there are 3 certs to trust, the root CA (often included in the OS if the CA is large enough) an intermediate cert and the SSL Cert.

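The check Dan describes, as an added example that is not part of the thread: run from the WAP host, it fetches the certificate the ADFS service actually presents and validates its chain against this host's trust stores, so a missing intermediate or root shows up by name. The federation service name and port are placeholders.

```powershell
<#
 Added diagnostic, not from this thread. Run on the WAP host: open a TLS session
 to the ADFS federation service, report the certificate it presents, then build
 and validate its chain with this host's stores, which is what the WAP wizard
 does before failing with "Could not establish trust relationship for the
 SSL/TLS secure channel". The service name below is a placeholder.
#>
param(
    [string]$FederationServiceName = 'adfs.yourdomain.ext',   # placeholder
    [int]$Port = 443
)

$tcp = New-Object System.Net.Sockets.TcpClient($FederationServiceName, $Port)
try {
    # Accept whatever the server presents so the handshake completes and the
    # certificate can be inspected; the real trust verdict is computed below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($FederationServiceName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Valid     : $($cert.NotBefore) - $($cert.NotAfter)"
# The SAN must cover the federation service name (a wildcard only covers one
# label); X509Chain does not check names, so compare this line by eye.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
"SAN       : $(if ($san) { $san.Format($false) } else { '(none)' })"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# A DMZ host often cannot reach CRL/OCSP endpoints; settle trust first and test
# revocation separately, otherwise every run reports RevocationStatusUnknown.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
"Chain OK  : $($chain.Build($cert))"

# One line per chain element, leaf first. PartialChain or UntrustedRoot here
# means an intermediate or root is missing from this host's stores: the leaf
# is installed but the path above it is not trusted.
$i = 0
foreach ($element in $chain.ChainElements) {
    $statuses = @($element.ChainElementStatus | ForEach-Object { $_.Status })
    $status = if ($statuses.Count -eq 0) { 'OK' } else { $statuses -join ', ' }
    "  [$i] $($element.Certificate.Subject) -> $status"
    $i++
}
```

Run it once with the GoDaddy cert and once after switching to the self-signed one; the chain element that is not OK is the one to import into the WAP's Intermediate or Trusted Root store.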
gman (Infrastructure Engineer, Author) Commented:
Did all the cert stuff on the MS site, still no joy.

Anyone any more ideas?
Dan McFadden (Systems Engineer) Commented:
So if you view the certificate, the entire cert chain is valid and reports no errors?

Is the cert a wildcard cert?

gman (Infrastructure Engineer, Author) Commented:
Yeah, all looks good.

One thing to mention: my ADFS box is on 2008 whereas this proxy is 2012. Would that make a difference?
Dan McFadden (Systems Engineer) Commented:
Shouldn't make a difference.

Config review:
1. You have a wildcard SSL cert, called *.YourDomain.ext.
2. You have installed the cert chain, top to bottom, on the WAP server, which answers to a hostname in the YourDomain.ext domain.
3. You have installed the cert chain, top to bottom, on the ADFS server, which answers to a hostname in the YourDomain.ext domain.
4. Your internal (LAN) domain is YourDomain.ext.
5. Your external (publicly accessible server) domain is also YourDomain.ext.
6. You are allowing https (443/tcp) from the WAP server to the ADFS server through your firewall(s).

Also, what kind of client authentication are you using?

gman (Infrastructure Engineer, Author) Commented:
Thanks Dan,

1 - No, was using a normal cert from GoDaddy, then switched it to a self-signed one using the template recommended by MS.

2 - WAP isn't on the domain, cert seems to be installed fine. Chain is OK.

3 - Same as above, all fine.

4 - Yes, the ADFS box is on the domain, the WAP isn't as it's in the DMZ.

5 - Isn't accessible externally yet. But the WAP will not be on the domain.

6 - Application FW's are off. Network FW's any any for these two boxes. Nothing in the FW logs for something being blocked.

Authentication is local on the WAP and in the wizard I use the domain creds for the ADFS box so domain\username.
Adam Brown (Sr Solutions Architect) Commented:
There is occasionally some additional setup that needs to be done on the WAP server to ensure the trust relationship is created properly. http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx has some information on the issue and how to fix it. Basically, you may need to set up a Hostname:Port binding for the http.sys system to use for authenticating the session between WAP and ADFS and clear out an IP:Port binding that is gumming up the works. I've run into this situation myself, and it's usually a result of having a wildcard certificate. Kind of annoying, but clearing the IP:Port binding fixed it for me.
Dan McFadden (Systems Engineer) Commented:
gman...  I think I need to clarify a few points.

2. "YourDomain.ext" refers to the DNS domain, not the AD domain. This is the domain referred to in the SSL cert.
3. Same as above.
4 & 5. If your AD domain matches the publicly resolvable DNS domain, then you are running in a split-brain setup. (reference: http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx)
6. An ANY -> ANY rule is brute force... WAP only needs 443/tcp and possibly 49443/tcp if you are using client certificate authentication. (reference: https://technet.microsoft.com/en-us/library/dn383648.aspx)

The article acbrown posted is very interesting. Good tech reference.

gman (Infrastructure Engineer, Author) Commented:
2012 WAP isn't supported on 2008 ADFS.

gman (Infrastructure Engineer, Author) Commented:
It's the right answer.