Web application proxy not connecting to ADFS box

gman
Hello,

So I've got a WAP up and running but when I try and configure it I get the following error.

"An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

I've installed the same cert that is on the ADFS box; it's a cert from GoDaddy, if that makes a difference. Not sure where to go from here, anyone have any ideas?
Dan McFadden, Systems Engineer

Commented:
I would check the following:

1. can you ping back and forwards from both servers? Proxy -> ADFS Server, ADFS Server -> Proxy.
2. try testing with the Windows firewall disabled.
3. verify all components of the Cert are being trusted.

Dan
gman, Infrastructure Engineer

Author

Commented:
First two points check out fine.

I'm not 100% on the certs. It talks about creating a template on the CA, however why is this necessary? Both of the servers are using the same GoDaddy cert; isn't that what's required, or is it something else?
Dan McFadden, Systems Engineer

Commented:
There may be intermediate certificates that need to be trusted. Just because an SSL cert is in place doesn't mean that a server can use it without issue. If any part of the upstream cert path is not trusted, it can break the trust chain.

Often there are 3 certs to trust: the root CA (often included in the OS if the CA is large enough), an intermediate cert, and the SSL cert.

Dan
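The chain check Dan describes, as an added example (not code from the original thread). Run it as administrator on the WAP and again on the AD FS server: it walks the chain of the installed federation service certificate, reports which LocalMachine store each element was found in, and names the elements that are missing or untrusted. `$FederationName` and `$Thumbprint` are placeholders, not values from the thread.

```powershell
# Added example, not from the original thread. Assumes the cert lives in LocalMachine\My.
$FederationName = 'adfs.yourdomain.ext'   # placeholder: your federation service FQDN
$Thumbprint     = ''                      # placeholder: set to pick a cert explicitly (e.g. a wildcard cert)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { if ($Thumbprint) { $_.Thumbprint -eq $Thumbprint } else { $_.Subject -like "*$FederationName*" } } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching $FederationName in LocalMachine\My" }

# Which LocalMachine store holds a given cert: CA = intermediates, Root/AuthRoot = trusted roots.
function Get-StoreForThumbprint([string]$Hash) {
    foreach ($store in 'My', 'CA', 'Root', 'AuthRoot') {
        if (Test-Path "Cert:\LocalMachine\$store\$Hash") { return $store }
    }
    return 'MISSING'
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# NoCheck separates trust-path problems from CRL reachability (a DMZ box may not reach the CRL);
# rerun with 'Online' once the chain builds, since AD FS and WAP do check revocation.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)

"Leaf        : $($cert.Subject)"
"  thumbprint : $($cert.Thumbprint)"
"  private key: $($cert.HasPrivateKey)   (must be True on both WAP and AD FS)"
"  expires    : $($cert.NotAfter)"

$depth = 0
foreach ($element in $chain.ChainElements) {
    $status = if ($element.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' }
    '{0}: {1}' -f $depth, $element.Certificate.Subject
    '   store={0}  status={1}' -f (Get-StoreForThumbprint $element.Certificate.Thumbprint), $status
    $depth++
}

if ($built) {
    'Chain builds to a trusted root on this machine.'
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    "Chain is NOT trusted: $reasons"
    'Import anything shown as MISSING: intermediates into LocalMachine\CA, the root into LocalMachine\Root.'
}
```

A chain that builds on the AD FS server but shows a MISSING intermediate on the WAP is the case Dan is pointing at: the WAP is off the domain, so it gets no certificates from Group Policy and has to have the intermediate imported by hand.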
gman, Infrastructure Engineer

Author

Commented:
Did all the cert stuff on the MS site, still no joy.

Anyone any more ideas?
Dan McFadden, Systems Engineer

Commented:
So if you view the certificate, the entire cert chain is valid and reports no errors?

Is the cert a wildcard cert?

Dan
gman, Infrastructure Engineer

Author

Commented:
Yeah, all looks good.

One thing to mention: my ADFS box is on 2008, whereas this proxy is 2012. Would that make a difference?
Dan McFadden, Systems Engineer

Commented:
Shouldn't make a difference.

Config review:
1. You have a wildcard SSL cert, called *.YourDomain.ext.
2. You have installed the cert chain, top to bottom, on the WAP server, which answers to a hostname in the YourDomain.ext domain.
3. You have installed the cert chain, top to bottom, on the ADFS server, which answers to a hostname in the YourDomain.ext domain.
4. Your internal (LAN) domain is YourDomain.ext.
5. Your external (publicly accessible server) domain is also YourDomain.ext.
6. You are allowing https (443/tcp) from the WAP server to the ADFS server through your firewall(s).

Also, what kind of client authentication are you using?

Dan
gman, Infrastructure Engineer

Author

Commented:
Thanks Dan,

1 - No, was using a normal cert from GoDaddy, then switched it to a self-signed one using the template recommended by MS.

2 - WAP isn't on the domain, cert seems to be installed fine. Chain is OK.

3 - Same as above, all fine.

4 - Yes, the ADFS box is on the domain; the WAP isn't, as it's in the DMZ.

5 - Isn't accessible externally yet. But the WAP will not be on the domain.

6 - Application FWs are off. Network FWs are any/any for these two boxes. Nothing in the FW logs for something being blocked.

Authentication is local on the WAP and in the wizard I use the domain creds for the ADFS box so domain\username.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
There is occasionally some additional setup that needs to be done on the WAP server to ensure the trust relationship is created properly. http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx has some information on the issue and how to fix it. Basically, you may need to set up a Hostname:Port binding for http.sys to use for authenticating the session between WAP and ADFS and clear out an IP:Port binding that is gumming up the works. I've run into this situation myself, and it's usually a result of having a wildcard certificate. Kind of annoying, but clearing the IP:Port binding fixed it for me.
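The http.sys binding check Adam describes, as an added example (not code from the original thread or the linked blog post). Run it as administrator on the AD FS server and on the WAP: it parses `netsh http show sslcert`, tables every binding as IP:port or Hostname:port, and prints (without executing) the `netsh` commands that would remove an IP:port binding on 443 and add a Hostname:port one. `$FederationName` is a placeholder.

```powershell
# Added example, not from the original thread. Read-only: it prints commands, it does not run them.
$FederationName = 'adfs.yourdomain.ext'   # placeholder: your federation service FQDN

$raw = netsh http show sslcert            # one block per binding, blank-line separated
$bindings = @()
$current  = $null
foreach ($line in $raw) {
    # A block starts with either "IP:port : 0.0.0.0:443" or "Hostname:port : host:443".
    if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
        $current = [pscustomobject]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; Thumbprint = ''; AppId = ''; Store = '' }
        $bindings += $current
    }
    elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)')   { $current.Thumbprint = $Matches[1] }
    elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[^}]+\})')         { $current.AppId      = $Matches[1] }
    elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)')       { $current.Store      = $Matches[1] }
}

$bindings | Format-Table Kind, Endpoint, Thumbprint, AppId, Store -AutoSize

# Compare the thumbprint of each binding with the cert you expect; a stale thumbprint from a
# replaced cert (e.g. GoDaddy -> self-signed) is a common reason the handshake is not trusted.
$expected = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$FederationName*" }
foreach ($b in $bindings) {
    if ($expected.Thumbprint -notcontains $b.Thumbprint) {
        "WARNING: $($b.Kind) $($b.Endpoint) is bound to $($b.Thumbprint), not a cert for $FederationName"
    }
}

$ipPortOn443 = $bindings | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -like '*:443' }
if ($ipPortOn443) {
    'IP:port bindings on 443 found. The blog post above describes removing these so the Hostname:port binding is used:'
    foreach ($b in $ipPortOn443) {
        "  netsh http delete sslcert ipport=$($b.Endpoint)"
        # Reuse the existing binding's hash and app id for the replacement Hostname:port binding.
        "  netsh http add sslcert hostnameport=${FederationName}:443 certhash=$($b.Thumbprint) appid=$($b.AppId) certstorename=MY"
    }
}
if (-not ($bindings | Where-Object { $_.Kind -eq 'Hostname:port' })) {
    'No Hostname:port binding present.'
}
```

Back up the output of `netsh http show sslcert` before deleting anything: the delete removes the binding for every application using that IP:port, not just AD FS.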
Dan McFadden, Systems Engineer

Commented:
gman...  I think I need to clarify a few points.

2. "YourDomain.ext" refers to the DNS domain, not the AD domain. This is the domain referred to in the SSL cert.
3. Same as above.
4 & 5. If your AD domain matches the publicly resolvable DNS domain, then you are running in a split-brain setup. (Reference: http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx)
6. An ANY -> ANY rule is brute force. WAP only needs 443/tcp and possibly 49443/tcp if you are using client certificate authentication. (Reference: https://technet.microsoft.com/en-us/library/dn383648.aspx)

The article the acbrown posted is very interesting.  Good tech reference.

Dan
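The connectivity and trust test that Dan's points 6 and 6 imply (443/tcp, plus 49443/tcp only for client certificate authentication), as an added example, not code from the original thread. Run it on the WAP: it resolves the federation service name from the DMZ host's own DNS, opens TCP to each port and completes a TLS handshake against that name, then reports the server's chain and the exact validation failure instead of the wizard's generic "Could not establish trust relationship for the SSL/TLS secure channel". `$FederationName` is a placeholder.

```powershell
# Added example, not from the original thread. A closed 49443 is expected unless client cert auth is in use.
$FederationName = 'adfs.yourdomain.ext'   # placeholder: your federation service FQDN
$Ports = 443, 49443

function Test-FederationTls([string]$HostName, [int]$Port) {
    $script:policyErrors = $null
    $script:remoteChain  = @()

    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($HostName, $Port) }
    catch {
        return [pscustomobject]@{ Port = $Port; TcpOpen = $false; Trusted = $false
                                  Detail = "TCP connect failed: $($_.Exception.Message)"; Chain = '' }
    }

    # Record what .NET decided about the server cert, but accept the handshake so the chain can be read.
    # AuthenticateAsClient is synchronous, so the callback runs on this thread and $script: scope is visible.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $script:remoteChain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        return $true
    }

    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)   # name check against the FQDN, as the WAP wizard does
        $trusted = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $detail  = if ($trusted) { "TLS OK ($($ssl.SslProtocol))" } else { "policy errors: $script:policyErrors" }
        [pscustomobject]@{ Port = $Port; TcpOpen = $true; Trusted = $trusted
                           Detail = $detail; Chain = ($script:remoteChain -join '  <-  ') }
    } catch {
        [pscustomobject]@{ Port = $Port; TcpOpen = $true; Trusted = $false
                           Detail = "handshake failed: $($_.Exception.Message)"; Chain = '' }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

try {
    $addrs = [System.Net.Dns]::GetHostAddresses($FederationName) | ForEach-Object { $_.IPAddressToString }
    "$FederationName resolves to: $($addrs -join ', ')   (as seen from this DMZ host)"
} catch {
    "DNS lookup of $FederationName failed: $($_.Exception.Message)"
}

foreach ($p in $Ports) { Test-FederationTls -HostName $FederationName -Port $p }
```

`RemoteCertificateChainErrors` in the Detail column means the same thing as the wizard's error: the chain presented by AD FS does not end at a root this WAP trusts. `RemoteCertificateNameMismatch` means the cert is trusted but not issued for the name the WAP is connecting to, which is the case to check when a self-signed cert from a CA template replaced the GoDaddy one.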
Infrastructure Engineer

Commented:
2012 WAP isn't supported on 2008 ADFS.
gman, Infrastructure Engineer

Author

Commented:
It's the right answer.