<div>
I would check the following:<br />
<br />
1. can you ping back and forwards from both servers? Proxy -&gt; ADFS Server, ADFS Server -&gt; Proxy.<br />
2. try testing with the Windows firewall disabled.<br />
3. verify all components of the Cert are being trusted.<br />
<br />
Dan
</div>


<div>
How to article from TechNet:<br />
<br />
<a href="https://technet.microsoft.com/en-us/library/dn383662.aspx" rel="ugc">https://technet.microsoft.com/en-us/library/dn383662.aspx</a><br />
<br />
Dan
</div>


<div>
First two points check out fine.<br />
<br />
I'm not 100% on the certs, it talks about creating a template on the CA however why is this necessary? both of the servers are using the same godaddy cert, isnt that whats required or is it something else?
</div>


<div>
There may be intermediate certificates that need to trusted. &nbsp;Just because an SSL Cert is in place, doesn't mean that a server can use it with out issue. &nbsp;If any part of the upstream cert path is not trusted, it can break the trust chain.<br />
<br />
Often, there are 3 certs to trust, the root CA (often included in the OS if the CA is large enough) an intermediate cert and the SSL Cert.<br />
<br />
Dan
</div>


<div>
DId all the cert stuff on the MS site, still no joy.<br />
<br />
Anyone anymore Ideas?
</div>


<div>
So if you view the certificate, the entire cert chain is valid and reports no errors?<br />
<br />
Is the cert a wildcard cert?<br />
<br />
Dan
</div>


<div>
Yeah All looks good.<br />
<br />
One thing to mention my ADFS box is on 2008 where as this proxy is 2012. Would that make a difference?
</div>


<div>
Shouldn't make a difference.<br />
<br />
Config review:<br />
1. &nbsp;You have a wildcard SSL Cert, called *.YourDomain.ext.<br />
2. &nbsp;You have installed the Cert Chain, top to bottom, on the WAP server, which answers to a hostname in the YourDomain.ext domain.<br />
3. &nbsp; You have installed the Cert Chain, top to bottom, on the ADFS server, which answers to a hostname in the YourDomain.ext domain.<br />
4. &nbsp;Your internal (LAN) domain is YourDomain.ext<br />
5. &nbsp;Your external (publically accessible server) domain is also YourDomain.ext<br />
6. &nbsp;You are allowing https (443/tcp) from the WAP server to the ADFS server thru your firewall(s)<br />
<br />
Also, what kind of client authentication are you using?<br />
<br />
Dan
</div>


<div>
Thanks Dan,<br />
<br />
1 - No, was using a normal cert from go daddy then switched it to a selfsigned on using the template recommended by MS<br />
<br />
2 - WAP isnt on the domain, cert seems to be installed fine. Chain is OK<br />
<br />
3 - Same as above all fine<br />
<br />
4 - Yes, the adfs box is on the domain the WAP isnt as it's in the DMZ<br />
<br />
5 - Isn't accessible externally yet. But the WAP will not be on the domain.<br />
<br />
6 - Application FW's are off. Network FW's any any for these two boxes. Nothing in the FW logs for something being blocked.<br />
<br />
Authentication is local on the WAP and in the wizard I use the domain creds for the ADFS box so domain\username.
</div>


<div>
There is occasionally some additional setup that needs to be done on the WAP server to ensure the trust relationship is created properly. <a href="http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx" rel="ugc">http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx</a>&nbsp;has some information on the issue and how to fix it. Basically, you may need to set up a Hostname:Port binding for the httpsys system to use for authenticating the session between WAP and ADFS and clear out an IP:Port binding that is gumming up the works. I've run into this situation myself, and it's usually a result of having a wildcard certificate. Kind of annoying, but clearing the IP:Port binding fixed it for me.
</div>


<div>
gman... &nbsp;I think I need to clarify a few points.<br />
<br />
2. &quot;YourDomain.ext&quot; &nbsp;refers to the DNS domain, not AD domain. &nbsp;This is the domain referred to in the SSL Cert.<br />
3. same as above<br />
4 &amp;&nbsp;5. If your AD domain matches the publically resolvable DNS domain, then you are running in a split brain setup. &nbsp;(reference: &nbsp;<a href="http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx" rel="ugc">http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx</a>)<br />
6. &nbsp;an ANY -&gt; ANY rule is brute force... WAP only needs 443/tcp and prossibly 49443/tcp if you are using client certificate authentication. &nbsp;(reference: &nbsp;<a href="https://technet.microsoft.com/en-us/library/dn383648.aspx" rel="ugc">https://technet.microsoft.com/en-us/library/dn383648.aspx</a>)<br />
<br />
The article the acbrown posted is very interesting. &nbsp;Good tech reference.<br />
<br />
Dan
</div>


<div>
<div class="content wysiwyg-content">
Hello,<br />
<br />
So I've got a WAP up and running but when I try and configure it I get the following error.<br />
<br />
&quot;An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.&quot;<br />
<br />
I've installed the same cert that is on the ADFS box, it's a cert from godaddy if that make a difference. Not sure where to go from here, anyone have any ideas?
</div>
</div>


Hello,

So I've got a WAP up and running but when I try and configure it I get the following error.

"An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

I've installed the same cert that is on the ADFS box, it's a cert from godaddy if that make a difference. Not sure where to go from here, anyone have any ideas?

Web application proxy not connecting to ADFS box

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.

Microsoft Server OS

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.

Networking

The Windows operating systems have distinct methodologies for designing and implementing networks, and have specific systems to accomplish various networking processes, such as Exchange for email, Sharepoint for shared files and programs, and IIS for delivery of web pages. Microsoft also produces server technologies for networked database use, security and virtualization.