Unable to install ADFS 3 Proxy - Unable to retrieve proxy configuration data from Federation Server

  • Question

  • Hi!

    I'm setting up an ADFS 3.0 environment on Windows 2012R2.

    I've installed the ADFS 3.0 on server adfs.domain.local which has the ip 10.0.0.5, created a service account with SPN host/adfs.domain.com which I used during the install, and a wildcard certificate *.domain.com.

    I've installed RemoteAccess on adfsproxy.domain.local which has the internal ip 10.0.0.6 + an external ip.

    I've set up split dns so an external lookup of adfs.domain.com gets the external ip-address of the proxy, and internal machines get the internal ip-address.

    Pinging adfs.domain.com from the adfsproxy.domain.local gives the internal ip of the adfs-server. They are on the same subnet.

    When I try to configure the proxy in the "Web Application Proxy Configuration Wizard" I use the adfs.domain.com as FS-name, and a domain admin as user name. The certificate is the same wildcard that was used on the adfs itself.

    When clicking "Configure", Event 391 appears in Event Viewer with the message "The federation server proxy was able to successfully establish a trust with the Federation Service".

    After a minute or two, Error Event ID 422 appears:

    Unable to retrieve proxy configuration data from the Federation Service. 

    Additional Data 

    Trust Certificate Thumbprint: 
    ****

    Status Code: 
     

    Exception details: 
    System.Net.WebException: The operation has timed out
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

    Anyone seen this before? No drops in the firewall.

    Thursday, April 3, 2014 11:41 AM

Answers

  • After running the following PowerShell commands we successfully managed to complete the Proxy installation:

    • Initialize-ADDeviceRegistration -ServiceAccountName domain.local\"AdfsServiceAccount$"
    • Enable-AdfsDeviceRegistration

    • Marked as answer by objectclass Monday, May 12, 2014 2:12 PM
    • Edited by objectclass Monday, May 12, 2014 2:13 PM
    Monday, May 12, 2014 2:12 PM

All replies

  • Hi,

    >>The federation server proxy was able to successfully establish a trust with the Federation Service

    When the above error occurs, please check the following information:

    The following are possible causes for this event:
    • The credentials that are used to establish a trust between the federation server proxy and the Federation Service are not valid, or the Federation Service cannot be reached.
    • The federation server proxy trust was revoked.
    • The federation server proxy has been inactive for a long period of time (such as 30 days or more).

    The following are possible resolutions for this event:
    • Ensure that the credentials that are being used to establish a trust between the federation server proxy and the Federation Service are valid, and that the Federation Service can be reached.
    • Run the ADFS Proxy Configuration Wizard again to renew trust with the Federation Service.

    Also please try to check this blog:
    #ADFS-Unable to Establish a Trust between Proxy and Federation Service:
    http://office365support.ca/adfs-2-0-unable-to-establish-a-trust-between-proxy-and-federation-service/ .

    Best Regards,
    Amy Peng

     



    Friday, April 4, 2014 2:37 AM
  • I am running into the exact same issue, have you been able to make any progress?
    Tuesday, April 29, 2014 5:06 PM
  • Hi, I have not been able to figure it out yet. I've tried to reinstall the roles, both on the ADFS and on the Proxy server.

    I thought there might be some problems using the wildcard certificate, so I got a "real" certificate for "adfs.domain.com", still got the same problem.



    • Edited by objectclass Wednesday, April 30, 2014 6:56 AM
    Wednesday, April 30, 2014 6:55 AM
  • • The credentials that are used to establish a trust between the federation server proxy and the Federation Service are not valid, or the Federation Service cannot be reached.

    Credentials are valid. We have tried both domain-admin and local administrator. Note that we don't get a Status Code 401 unauthorized which could indicate invalid credentials, but no status code at all.

    • The federation server proxy trust was revoked.

    It looks like trust is created ok. The WAP creates a self-signed certificate which exists on both proxy and AD FS.

    • The federation server proxy has been inactive for a long period of time (such as 30 days or more).

    Self-signed proxy trust certificates are still valid.

    The following are possible resolutions for this event:
    • Ensure that the credentials that are being used to establish a trust between the federation server proxy and the Federation Service are valid, and that the Federation Service can be reached.

    We are 100% sure that credentials are ok. The firewall is completely off, and we see signs of communication (client certificate is exchanged).

    • Run the ADFS Proxy Configuration Wizard again to renew trust with the Federation Service.


    We have tried that a "few" times..

    We turned on debug-logging on both ADFS and ADFS proxy-server, and looked at the source code of ADFS. The code on the proxy where the error occurs:

    namespace Microsoft.IdentityServer.Management.Proxy
    {
      internal class StsConfigurationProvider : IStsConfigurationProvider
      {
        public ProxyConfigurationData GetStsProxyConfiguration()
        {
          ProxyConfiguration current = AssemblyServices.Create<IProxyConfigurationInstanceProvider>().Current;
          IProxyTrustProvider proxyTrustProvider = AssemblyServices.Create<IProxyTrustProvider>();
          string str1 = string.Empty;
          X509Certificate2 x509Certificate2 = (X509Certificate2) null;
          HttpWebResponse proxyRequest;
          try
          {
            x509Certificate2 = proxyTrustProvider.GetTrustCertificate();
            if (x509Certificate2 != null)
              str1 = x509Certificate2.Thumbprint;
            proxyRequest = (HttpWebResponse) ProxyConfigurationData.CreateWebRequest(current.HostInfo.Name, current.HostInfo.HttpsPort, x509Certificate2).GetResponse();
            DebugLog.SecurityTokenServiceTraceLog.InfoSafe("Successfully retrieved proxy configuration from sts", new object[0]);
          }
          catch (WebException ex)
          {
            string str2 = string.Empty;
            HttpWebResponse httpWebResponse = (HttpWebResponse) null;
            if (ex.Response is HttpWebResponse)
            {
              httpWebResponse = ex.Response as HttpWebResponse;
              str2 = ((object) httpWebResponse.StatusCode).ToString();
            }
            MSISEventLog.WriteEntry(EventLogEntryType.Error, MSISEventId.FsProxyConfigurationRetrievalFailure, (object) str1, (object) str2, (object) ((object) ex).ToString());
            DebugLog.SecurityTokenServiceTraceLog.ErrorSafe("Request for configuration failed with status:{0}\nMessage: {1}\nStackTrace:{2}", (object) ex.Status, (object) ex.Message, (object) ex.StackTrace);
            if (httpWebResponse != null && httpWebResponse.StatusCode == HttpStatusCode.Unauthorized)
              throw new ProxyTrustException("proxy trust failed", x509Certificate2, (Exception) ex);
            else
              return (ProxyConfigurationData) null;
          }
          return ProxyConfigurationData.GetConfigurationData(proxyRequest);
        }
      }
    }
    
    We get a "normal" System.Net.WebException: The operation has timed out on the ADFS Proxy. No 401, 404, just no response..

    Here is the debug-log from the ADFS Proxy server:

    Running configuration tasks for Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand.
    Progress: Stopping the AD FS Windows Proxy Service...
    Progress: Updating Proxy Service Configuration...
    Progress: Configuring the proxy trust certificate...
    Progress: Establishing trust relationship with Federation Server...
    Proxy trust establishment succeeded for certificate A3C1FF39211B1283484D668336F74D3C929F8AB3. Response returned status code OK and status description OK
    Progress: Retrieving configuration information from the Federation Server...
    thumbprint 'A3C1FF39211B1283484D668336F74D3C929F8AB3 'not found in the Current User/My certificate store. This is expected if this is the first trust renewal.
    Found certificate matching thumbprint 'A3C1FF39211B1283484D668336F74D3C929F8AB3'
    Request for configuration failed with status:Timeout

     

    ERROR:

    Message: The operation has timed out

    StackTrace:   at System.Net.HttpWebRequest.GetResponse()

       at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()


    As you can see the client-certificate for the ADFS Proxy is created successfully, and this certificate is also sent to the ADFS server!

    On the ADFS server-side, we found the following error in debug-eventlog:

    ERROR: ProxyConfigurationListener.OnGetContext: Error writing back to the client. Client may have dropped the connection

    Here is the source code for that method:

    public override void OnGetContext(WrappedHttpListenerContext context)
        {
          try
          {
            ProxyRequestHandler requestHandler = this.GetRequestHandler(context);
            if (requestHandler == null)
            {
              DebugLog.ProxyConfigurationTraceLog.ErrorSafe("ProxyConfigurationListener.OnGetContext: There were no registered handlers to handle the request to : '{0}'. ", new object[1]
              {
                (object) context.Request.LocalEndpoint
              });
              context.Response.StatusCode = 503;
            }
            else
            {
              DebugLog.ProxyConfigurationTraceLog.InfoSafe("ProxyConfigurationListener.OnGetContext: RequestHandler chosen: {0}", new object[1]
              {
                (object) requestHandler.GetType()
              });
              requestHandler.OnGetContext(context);
            }
          }
          catch (ProxyTrustException ex)
          {
            DebugLog.ProxyConfigurationTraceLog.ErrorSafe("ProxyConfigurationListener.OnGetContext: Rejecting request to : '{0}'. Error: {2}", (object) context.Request.LocalEndpoint, (object) ex);
          }
          catch (Exception ex)
          {
            if (ExceptionUtility.IsFatal(ex))
            {
              throw;
            }
            else
            {
              MSISEventLog.WriteEntry(EventLogEntryType.Error, MSISEventId.ProxyConfigurationEndpointError, (object) context.Request.Url.AbsolutePath, (object) ex.Message);
              DebugLog.ProxyConfigurationTraceLog.LogExceptionError(ex);
              context.Response.StatusCode = 400;
            }
          }
          finally
          {
            try
            {
              if (context.Response != null)
                context.Response.Close();
            }
            catch (HttpListenerException ex)
            {
              DebugLog.ProxyConfigurationTraceLog.InfoSafe("ProxyConfigurationListener.OnGetContext: Error writing back to the client. Client may have dropped the connection", new object[0]);
            }
          }
        }

    I'm not sure how the HttpListener on the ADFS-server works, but it looks like ADFS is ready to return the proxy-configuration to the proxy-server, but then the connection is gone?

    Friday, May 9, 2014 11:29 AM
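    The decompiled catch block above separates two failure classes: a response carrying HTTP 401 is treated as a rejected trust, while a WebException with no response at all (Timeout) is simply logged as a retrieval failure. The following PowerShell function is an added diagnostic, not part of the thread and not AD FS code; it issues one HTTPS request the way GetStsProxyConfiguration does (HttpWebRequest, optional client certificate, timeout) and classifies the outcome with the same rule, so you can see from the proxy whether the federation server is answering at all. The endpoint path is a placeholder, because the real proxy-configuration path is not given on this page.

```powershell
# Added diagnostic (not from the thread, not AD FS code): issues one HTTPS request
# to the federation server the way the proxy's GetStsProxyConfiguration does
# (HttpWebRequest, optional client certificate, timeout) and classifies the
# outcome with the same rule as the decompiled code: only a 401 counts as a
# rejected trust; a timeout means the server never answered at all.
function Test-FsProxyConfigRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FederationServiceName,   # e.g. adfs.domain.com
        [int]    $HttpsPort = 443,
        # ASSUMPTION: the real proxy-configuration path is not on the page; substitute it here.
        [string] $Path = '/PLACEHOLDER-proxy-configuration-path',
        [string] $ClientCertThumbprint,                           # proxy trust certificate, optional
        [int]    $TimeoutSeconds = 30
    )

    $uri     = [Uri]"https://${FederationServiceName}:${HttpsPort}${Path}"
    $request = [System.Net.HttpWebRequest]::Create($uri)
    $request.Method  = 'GET'
    $request.Timeout = $TimeoutSeconds * 1000

    if ($ClientCertThumbprint) {
        # The proxy's own debug log shows it looking in Current User/My first.
        $cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $ClientCertThumbprint } |
                Select-Object -First 1
        if (-not $cert) { throw "Certificate $ClientCertThumbprint not found in CurrentUser\My or LocalMachine\My" }
        $null = $request.ClientCertificates.Add($cert)
    }

    $result = [ordered]@{ Uri = $uri.AbsoluteUri; Outcome = $null; StatusCode = $null; WebExceptionStatus = $null }
    try {
        $response = $request.GetResponse()
        $result.Outcome    = 'Response'
        $result.StatusCode = [int]$response.StatusCode
        $response.Close()
    }
    catch [System.Net.WebException] {
        $ex = $_.Exception
        $result.WebExceptionStatus = $ex.Status.ToString()
        if ($ex.Response -is [System.Net.HttpWebResponse]) {
            # Same branch as the decompiled catch block: a status code came back.
            $result.StatusCode = [int]$ex.Response.StatusCode
            $result.Outcome    = if ($result.StatusCode -eq 401) { 'TrustRejected' } else { 'HttpError' }
        }
        elseif ($ex.Status -eq [System.Net.WebExceptionStatus]::Timeout) {
            # No status code at all: TLS and the client certificate were accepted, but no reply arrived.
            $result.Outcome = 'Timeout'
        }
        else {
            $result.Outcome = 'TransportError'   # DNS, TCP or TLS failure before any HTTP exchange
        }
    }
    [pscustomobject]$result
}

# Usage on the proxy, with the trust certificate thumbprint from the debug log above:
# Test-FsProxyConfigRequest -FederationServiceName adfs.domain.com -ClientCertThumbprint A3C1FF39211B1283484D668336F74D3C929F8AB3
```

    An Outcome of Timeout with an empty StatusCode is exactly the situation described in this post (no 401, no 404, just no response); TransportError points at the TLS handshake itself, which is where the SCHANNEL-related replies later in the thread come in.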
  •       finally
          {
            try
            {
              if (context.Response != null)
                context.Response.Close();
            }
            catch (HttpListenerException ex)
            {
              DebugLog.ProxyConfigurationTraceLog.InfoSafe("ProxyConfigurationListener.OnGetContext: Error writing back to the client. Client may have dropped the connection", new object[0]);
            }
          }

    The HttpListenerException "ex" is not logged, so we don't catch the exact error message/code here. Maybe this exception should be logged by ADFS?
    Saturday, May 10, 2014 10:24 AM
  • Hi,

    Were you able to resolve this issue?

    I am running into the same issue with the Web Proxy configuration. But in my case the issue happens when I point the proxy to a secondary server. If I point it to the primary ADFS, I am able to finish the config.

    The above commands, I think, are for enabling Workplace Join and I don't see how they pertain to this issue??

    Monday, August 18, 2014 1:54 PM
  • Hi

    Has anybody come across a fix for this issue yet? The PowerShell commands above seem to relate to Workplace Join.

    I get a different error, "Time out has expired and the operation has not been completed.", after configuring the Web App Proxy.

    All event logs report no error, and "The federation server proxy successfully retrieved its configuration from the Federation Service 'adfs.mydomain.com'."

    Grateful for any input on this,

    Thanks

    Tuesday, October 7, 2014 8:54 PM
  • I had this same issue and found that it was caused by binding the SSL certificate to a specific IP address on the ADFS server (not the WAP).

    Once I went into the IIS config, set the SSL so it didn't bind to any one IP address everything worked fine.

    • Proposed as answer by RobvH Wednesday, September 2, 2015 12:32 PM
    • Unproposed as answer by RobvH Wednesday, September 2, 2015 12:32 PM
    Friday, January 9, 2015 4:28 PM
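    A quick way to verify the binding situation this reply describes, added here as an example and not taken from the thread: on Windows Server 2012 R2 the AD FS service terminates HTTPS in HTTP.SYS, so its certificate bindings show up in "netsh http show sslcert". The script parses that output and flags any port-443 binding attached to a single IP address instead of the 0.0.0.0 wildcard or a hostname. Function names and the parsing are mine; the netsh output format it expects is the standard "IP:port / Hostname:port / Certificate Hash / Application ID" layout.

```powershell
# Added check (not from the thread): on Windows Server 2012 R2 the AD FS service
# serves HTTPS through HTTP.SYS, so its SSL bindings are visible with
# "netsh http show sslcert". This parses that output and flags any 443 binding
# tied to one specific IP address instead of 0.0.0.0 / a hostname, which is the
# configuration the reply above describes as breaking the proxy setup.
function Get-HttpSysSslBinding {
    $raw      = netsh http show sslcert
    $bindings = @()
    $current  = $null
    foreach ($line in $raw) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; CertificateHash = $null; ApplicationId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertificateHash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.ApplicationId = $Matches[1]
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    $bindings
}

function Test-AdfsSslBinding {
    param([int] $Port = 443)
    Get-HttpSysSslBinding | Where-Object { $_.Endpoint -like "*:$Port" } | ForEach-Object {
        # An IP:port binding other than the wildcard addresses is bound to a single interface.
        $singleIp = ($_.Kind -eq 'IP:port') -and ($_.Endpoint -notmatch '^(0\.0\.0\.0|\[::\]):')
        [pscustomobject]@{
            Kind            = $_.Kind
            Endpoint        = $_.Endpoint
            CertificateHash = $_.CertificateHash
            ApplicationId   = $_.ApplicationId
            BoundToSingleIp = $singleIp
        }
    }
}

# Run on the AD FS server (elevated); anything with BoundToSingleIp = True is worth a look.
# Test-AdfsSslBinding | Format-Table -AutoSize
```

    The AD FS module's own Get-AdfsSslCertificate cmdlet shows the same hostname/port/hash view of the bindings AD FS is using; the netsh parse is useful because it also lists bindings that other components have added on the same port.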
  • Ran into the same issue during our installation

    (events 391 and 422 on proxy and event 276 on the adfs server)

    Turned out it was caused by our security policy, which disables several ciphers and protocols

    In particular it was caused by disabling renegotiating

    Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    On the proxy server DisableRenegoOnClient = 0 (or remove entry)

    On the ADFS server DisableRenegoOnClient = 0 (or remove) and DisableRenegoOnServer = 0 (or remove)

    Once that was done connecting the proxy to the farm went fine

    • Proposed as answer by abiamb Wednesday, February 24, 2016 7:53 AM
    Wednesday, September 2, 2015 12:41 PM
  • saved our day! Thanks RobvH
    Wednesday, February 24, 2016 7:53 AM
  • We had the exact same issue, but it wasn't caused by this. We actually didn't have those keys at all on our ADFS server.

    What fixed it for us was a combination of installing hotfix KB3020773 on the adfs server and proxy, and changing a registry key.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    SendTrustedIssuerList from 1 to 0, and then rebooting the ADFS server.

    After that I went through the wap config wizard no problem. Hope this helps someone else. I banged my head for days on this.


    • Proposed as answer by Thomas Ko Saturday, April 9, 2016 7:47 PM
    Tuesday, March 15, 2016 7:55 PM
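    The two replies above (RobvH's on DisableRenegoOnClient / DisableRenegoOnServer, colesm's on SendTrustedIssuerList and KB3020773) point at the same place, the SCHANNEL key. The script below is an added audit, not something posted in the thread: it reads those values on whichever box you run it on and checks whether the hotfix is present, reporting anything that differs from what the replies say worked (value 0 or absent, hotfix installed). It only reads; function names are mine.

```powershell
# Added audit (not from the thread): reads the SCHANNEL values named in the two
# replies above (DisableRenegoOnClient / DisableRenegoOnServer from RobvH,
# SendTrustedIssuerList from colesm) and checks for hotfix KB3020773. Values of 0
# or absent are what those replies report as working. Run on the WAP and on each
# AD FS server; it only reads, the remediation is left to you.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param([Parameter(Mandatory)] [string] $Name)
    # Get-ItemProperty raises a non-terminating error when the value is absent; treat that as $null.
    $item = Get-ItemProperty -Path $SchannelKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

function Test-AdfsSchannelSettings {
    param(
        [Parameter(Mandatory)] [ValidateSet('Proxy', 'FederationServer')] [string] $Role,
        [string] $HotfixId = 'KB3020773'
    )
    $names = @('DisableRenegoOnClient', 'SendTrustedIssuerList')
    if ($Role -eq 'FederationServer') { $names += 'DisableRenegoOnServer' }   # RobvH only needed the server-side value on AD FS

    $findings = @(foreach ($n in $names) {
        $v = Get-SchannelValue -Name $n
        [pscustomobject]@{
            Setting = $n
            Value   = if ($null -eq $v) { '(absent)' } else { $v }
            Flagged = ($null -ne $v -and $v -ne 0)     # non-zero is the state both replies had to undo
        }
    })

    $hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Setting = $HotfixId
        Value   = if ($hotfix) { "installed $($hotfix.InstalledOn)" } else { 'not installed' }
        Flagged = (-not $hotfix)
    }
    $findings
}

# Test-AdfsSchannelSettings -Role FederationServer | Format-Table -AutoSize
# Test-AdfsSchannelSettings -Role Proxy            | Format-Table -AutoSize
```

    If a value comes back Flagged, the change the replies made was to set it to 0 (or delete it) with Set-ItemProperty / Remove-ItemProperty on that key and then reboot the AD FS server, after which the WAP wizard was re-run. Hardening tools such as IIS Crypto, mentioned in the next reply, write these same SCHANNEL values, which is why the breakage can appear long after the initial setup.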
  • Thanks @ colesm, you saved our ADFS life.

    We hardened the WAP server via IISCrypto40 best practices and the issue started arising weeks after we exchanged the public SSL certificate. Setting the mentioned key to 0 on the WAP servers solved the issue.

    Thanks and Kudos

    Thomas

    Saturday, April 9, 2016 7:51 PM
  • Wow, this was a life-saver even when Microsoft couldn't figure it out!

    Regards, Nimantha Wickremasinghe C|EH, CNSS 4011, VCA, CCNA, MCP, MCITP, MCSA, MCTS

    Friday, October 5, 2018 10:13 AM