AD FS Web Application Proxy Re-Establish Proxy Trust – 250 Hello (2022)

In the Tailspintoys environment the AD FS Proxy was offline for a month. It was unable to contact the AD FS server on the internal network, and this allowed the short-lived proxy trust certificate to expire. At this point the AD FS Proxy was "dead to me" as far as the AD FS server was concerned. The internal AD FS server was OK; the issue was only with the proxy.

Bummer....

How do we fix this? Actually, before we dive into that, let's see what was going on first. Please note that this post is for AD FS 2012 R2 onwards. It does not aim to cover AD FS 2.0 or 2.1 at all.

This is an updated post from the original one back in April 2015. The original will remain as it is still relevant, and some folks may have linked or bookmarked it.

Starting Point – What The AD FS Proxy Saw In WAP Remote Management Console

On the WAP server, the Remote Access Management Console was not happy. It was reporting error code 0x8007520C.

On the WAP server, EventID 244 was logged into the AD FS/Admin EventLog stating that it was unable to retrieve proxy configuration data from the Federation Service. The details in the event stated: System.Net.WebException: The remote server returned an error: (401) Unauthorized. This was EventID 422 as noted in the previous post.

There will also be errors present in the Microsoft-Windows-Web Application Proxy/Admin EventLog.

Starting Point – What AD FS Saw

On AD FS we can see what it really thought about the AD FS proxy.


Since the federation server proxy could not renew its trust with the Federation Service, the recommended user action was: To ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard by logging on to the proxy computer. This is detailed in EventID 276, which is again logged on the AD FS server.

The proxy trust certificate specified by thumbprint has expired. Note that you can also see the calling IP listed at the bottom of the event message.

OK – so we need to re-establish the trust between the AD FS proxy and AD FS server. How do we go about doing that?

Re-Establish AD FS Proxy Trust Using Remote Access Management Console

Interestingly enough there is no option presented initially in the GUI to re-configure the AD FS proxy.

Currently the console knows that the wizard was previously executed, and this fact is stored in the registry. As Georg discussed at MEC, to allow the Remote Access GUI to re-run the wizard we need to edit the registry. The registry value that we need to change is:

HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus

We need to set the ProxyConfigurationStatus REG_DWORD to a value of 1 (meaning “not configured”) instead of 2 (“configured”). Once that change is made, re-open the GUI. No reboot is required.
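The registry change above as an added PowerShell example (not code from the original post); it assumes the key and value names given in the post and an elevated session on the WAP server.

```powershell
# Reset the WAP wizard state so the Remote Access Management Console offers
# the configuration wizard again. Key/value names are those given in the post.
$KeyPath   = 'HKLM:\Software\Microsoft\ADFS'
$ValueName = 'ProxyConfigurationStatus'

function Reset-WapProxyConfigurationStatus {
    # Read the current value: 2 = configured, 1 = not configured
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    Write-Host "Current $ValueName = $current"

    if ($current -eq 1) {
        Write-Host 'Already 1 (not configured); nothing to do.'
        return $current
    }

    # Record the previous value so the change can be reverted by hand if needed
    $backup = Join-Path $env:TEMP ("ProxyConfigurationStatus-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    "$KeyPath\$ValueName was $current" | Set-Content -Path $backup
    Write-Host "Previous value recorded in $backup"

    # Flip the value to 1 so the wizard becomes available; no reboot is required,
    # just close and re-open the Remote Access Management Console
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
    return (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

Reset-WapProxyConfigurationStatus
```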


After changing the ProxyConfigurationStatus to a value of 1, the Remote Access Manager should now allow you to re-run the configuration wizard.

For full details on this process, please see this post. As a brief recap, we need to ensure that the federation service name is the AD FS endpoint that we defined when initially building the environment.

Since there may have been certificate replacement/renewal since the initial server was deployed, be careful to select the correct certificate:

The summary screen indicates the PowerShell code that will be executed. This is also captured later in the post for reference.

And when complete, the trust is now re-established.

Now restart the AD FS service on the Proxy server, and check the AD FS event logs to ensure that they are all green ticky ticky!


Alternatively, this can be done from PowerShell, as shown below. This is what I normally use, as it is faster and does not require the registry modification.

Re-Establish AD FS Proxy Trust Using PowerShell

EventID 276 shown above notes that we can run the Install-WebApplicationProxy cmdlet to re-establish trust between the AD FS server and the WAP. The docs discuss this in the Install and Configure the Web Application Proxy Server section. The certificate we want to use is already installed on the server. In my case it has the thumbprint D6CF1C7737A207413B5DE6377A34720FB6618777 - note that yours *WILL* be different. To obtain your certificate thumbprint you can look at the certificate MMC or alternatively run:

 Get-WebApplicationProxySslCertificate

In this lab, the command executed was:

 Install-WebApplicationProxy -CertificateThumbprint D6CF1C7737A207413B5DE6377A34720FB6618777 -FederationServiceName adfs.tailspintoys.ca

Note that the username and password were not specified, since the cmdlet knows it needs an account that has permission on the AD FS server and it prompts for this required information. This is the Tailspintoys administrator account as shown below:

After providing the credentials, the cmdlet does its thang:

Finally finishing up with a Deployment Succeeded message.
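The PowerShell route above, as an added example rather than the post's own script: it checks the SSL certificate before re-establishing trust and then restarts the proxy's AD FS service. It assumes the lab values from the post (adfs.tailspintoys.ca and the lab thumbprint, which you must replace with your own) and an account with administrative rights on the AD FS server.

```powershell
# Re-establish the WAP proxy trust from PowerShell, validating the certificate first.
# Values below are the post's lab values; substitute your own thumbprint.
$FederationServiceName = 'adfs.tailspintoys.ca'
$Thumbprint            = 'D6CF1C7737A207413B5DE6377A34720FB6618777'   # replace with yours

function Test-WapSslCertificate {
    param([string]$Thumbprint, [string]$ServiceName)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; WAP cannot use it" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

    # The certificate must cover the federation service name (CN or SAN); -like lets a
    # wildcard name such as *.tailspintoys.ca match as well. DnsNameList is PowerShell's
    # view of the SAN entries.
    $names = @($cert.GetNameInfo('DnsName', $false)) + @($cert.DnsNameList.Unicode)
    if (-not ($names | Where-Object { $ServiceName -like $_ })) {
        Write-Warning "Certificate names ($($names -join ', ')) do not cover $ServiceName; check before continuing"
    }
    return $cert
}

$cert = Test-WapSslCertificate -Thumbprint $Thumbprint -ServiceName $FederationServiceName
Write-Host "Using certificate: $($cert.Subject) (expires $($cert.NotAfter))"

# Account with admin rights on the AD FS server. Passing it via
# -FederationServiceTrustCredential avoids the interactive prompt described in the post.
$cred = Get-Credential -Message 'Account with admin rights on the AD FS server'

Install-WebApplicationProxy -CertificateThumbprint $Thumbprint `
                            -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential $cred

# As in the post, restart the AD FS service on the proxy so it fetches fresh configuration
Restart-Service -Name adfssrv
```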


Checking For Success

After restarting the AD FS service on the proxy, success messages were then logged on both the AD FS server and the proxy.

On the AD FS proxy EventID 245 noted that the proxy was able to successfully retrieve its configuration:

And on the AD FS server EventID 396 was logged stating that the trust between the proxy and AD FS server was renewed.

Clients were now able to successfully authenticate through the AD FS proxy from the Internet.
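The success check above as an added PowerShell example (not from the original post): it pulls the event IDs the post cites from the AD FS/Admin log on the proxy (244 failure, 245 success) and on the AD FS server (276 failure, 396 trust renewed) and reports whether the latest event on each side is the success one. It assumes the AD FS server name is a placeholder you replace and that it accepts remote Get-WinEvent queries.

```powershell
# Confirm the proxy trust renewal from both sides' AD FS/Admin event logs.
# Run on the WAP server; replace the placeholder AD FS server name.
$AdfsServer = 'ADFS-SERVER-PLACEHOLDER'
$Since      = (Get-Date).AddHours(-1)

function Get-ProxyTrustEvents {
    param([string]$ComputerName, [int[]]$Ids, [datetime]$StartTime)
    $filter = @{ LogName = 'AD FS/Admin'; Id = $Ids; StartTime = $StartTime }
    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    # Oldest first, keep just the first line of the message as a summary
    Get-WinEvent @params | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, MachineName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Proxy side: the latest event should be 245 (configuration retrieved), not 244 (401 Unauthorized)
$proxy = Get-ProxyTrustEvents -Ids 244, 245 -StartTime $Since
$proxy | Format-Table -AutoSize
$lastProxy = $proxy | Select-Object -Last 1

# AD FS side: the latest event should be 396 (trust renewed), not 276 (could not renew trust)
$server = Get-ProxyTrustEvents -ComputerName $AdfsServer -Ids 276, 396 -StartTime $Since
$server | Format-Table -AutoSize
$lastServer = $server | Select-Object -Last 1

if ($lastProxy.Id -eq 245 -and $lastServer.Id -eq 396) {
    Write-Host 'Proxy trust re-established: proxy logged 245 and AD FS logged 396.'
} else {
    Write-Warning ("Trust not confirmed yet (proxy last: {0}; AD FS last: {1}). " +
                   "Restart adfssrv on the proxy and re-check.") -f $lastProxy.Id, $lastServer.Id
}
```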

Good job. Time to go home for tea and medals!

Cheers,

Rhoderick

FAQs

How do I test ADFS Web application proxy? ›

To verify that a federation server proxy is operational

On the Start screen, type Event Viewer, and then press ENTER. In the details pane, double-click Applications and Services Logs, double-click AD FS Eventing, and then click Admin. In the Event ID column, look for event ID 198.

How do I renew my ADFS proxy trust certificate? ›

Renewal steps for the Service Communication certificate
  1. Generate a CSR from the primary AD FS server. ...
  2. Once the certificate is issued, add the new certificate to the certificate store.
  3. Verify the private key on the certificate. ...
  4. Assign permissions on the private key to the AD FS service account.

Do you need a Web application proxy for ADFS? ›

AD FS 2016 requires Web Application Proxy servers on Windows Server 2016. A downlevel proxy cannot be configured for an AD FS 2016 farm running at the 2016 farm behavior level. A federation server and the Web Application Proxy role service cannot be installed on the same computer.

How do I setup ADFS web proxy? ›

On the Web Application Proxy server, open the Remote Access Management console and select Web Application Proxy in the Navigation pane. In the Tasks pane, select Publish. On the Welcome page, select Next. On the Preauthentication page, select Active Directory Federation Services (AD FS), then select Next.

What is ADFS Web application proxy? ›

This Quick Start deploys Web Application Proxy and Active Directory Federation Services (AD FS) on the AWS Cloud. AD FS is a Windows Server role that authenticates users and provides security tokens to applications or federated partner applications that trust AD FS.

What is ADFS proxy trust certificate? ›

The proxy trust certificate is a rolling certificate valid for 2 weeks and periodically updated. This is stored in an internal, protected store so you won't see it in any of the usual certificate stores.

How do I create ADFS proxy certificate? ›

Request and enroll a new SSL certificate for AD FS
  1. Open the MMC window and add the Certificates snap-in for the local Computer account.
  2. Right-click the Personal node and choose All Tasks -> Request New Certificate.
  3. Click Next twice to get to the Request certificates page. ...
  4. Click the More information is required...
Aug 31, 2016

How do I install ADFS certificate? ›

Add > Object Types > Select Service Accounts > Locate and select your ADFS service account. Grant full control. Launch the AD FS management console > Service > Certificates > Set Service Communication Certificate. Select the correct (new) certificate > OK.

How do I install ADFS SSL certificate? ›

Microsoft AD FS: How to Install Your SSL Certificate
  1. Use IIS to install the certificate on your Windows Server 2012 AD FS server. ...
  2. Use Microsoft Management Console (MMC) to export the certificate as a . ...
  3. Use the MMC to import the SSL certificate. ...
  4. Use the AD FS Console to assign the SSL certificate to the AD FS service.

What is AD FS and AD FS proxy? ›

The purpose of the ADFS proxy server is to receive and forward requests to ADFS servers that are not accessible from the internet. ADFS proxy is a reverse proxy and typically resides in your organization's perimeter network (DMZ). The ADFS proxy plays a critical role in remote user connectivity and application access.

How can you install and configure a web application proxy? ›

To install the Web Application Proxy role service

On the Select server roles dialog, select Remote Access, and then click Next. Click Next twice. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next. On the Confirm installation selections dialog, click Install.

How do I find AD FS URL? ›

Use the following procedure:
  1. On a Windows 10 client, click start and type internet options and select internet options.
  2. Click the security tab, click on local intranet, and click the sites button.
  3. Click Advanced.
  4. Enter your url and click Add. Click close.
  5. Click Ok. Click Ok. ...
  6. Click the sign in button.
Sep 20, 2021


Article information

Author: Tuan Roob DDS

Last Updated: 10/19/2022

