Azure ADFS health monitoring errors - need resolution / guidance

  • Question

  • ADFS actually appears to be working correctly; however, I cannot seem to clear the following AD Connect alerts appearing on ALL the ADFS services in the farm. ADFS sign-in works from extranet and intranet. Having trouble with Office 365 Single Sign-On due to MFA being enabled - need to check if an app password will work.

    Regardless - I can't seem to figure out or find info on these errors:

    Test Authentication Request (Synthetic Transaction) failed to obtain a token

    The test authentication requests (Synthetic Transactions) initiated from this server has failed to obtain a token after 5 retries. This may be caused due to transient network issues, AD DS Domain Controller availability or a mis-configured AD FS server. As a result, authentication requests processed by the federation service may fail. Please note that the agent uses the Local Computer Account context to obtain a token from the Federation Service.

    Thanks for any guidance!

    Tuesday, November 1, 2016 4:55 PM

All replies

  • Hi,

    Thanks for posting the query here!

    Have you tried adding hosts file entry like the alert says ?

    Please add a host file entry to get around this issue on your ADFS servers. The alert details should have instructions on how to do that.

    Hope this helps you 

    Let me know if you need further assistance on this.

    Thanks & Regards
    Vijisankar
    Wednesday, November 2, 2016 10:41 AM
  • Thank you Vijisankar -

    The alert does mention creating a hosts file entry.  It does not give any guidance as to what hosts should be included in such a file.  As these are the ADFS servers and the domain's DNS was resolving correctly, it did not occur to me that this would fix anything.  If it were the proxies that were having trouble I would have acknowledged the hosts file could be the problem. The text of the alert was as follows:

    "If the service name cannot be resolved, please refer to the FAQ section for instructions of adding a HOST file entry of your AD FS service with the IP address of this server. This will allow the synthetic transaction module running on this server to request a token"

    I did look and could not find any info in a FAQ regarding the hosts file for Azure AD FS Health services. Any follow up you could provide would be great.

    Thank you!


    Wednesday, November 2, 2016 11:29 AM
  • Refer to - https://blogs.technet.microsoft.com/aadceeteam/feed/ might be helpful.

    Regards,

    Sadiqh

    Wednesday, November 2, 2016 3:01 PM
    Moderator
  • Thank you Sadiqh -

    Those links were very helpful.  However I am still unable to get the service to pass the token request test.  Please see the test results.

    PS C:\Program Files\Azure AD Connect Health Adfs Agent\diagnostics> Import-Module .\ADFSDiagnostics.psm1
    PS C:\Program Files\Azure AD Connect Health Adfs Agent\diagnostics> Test-ADFSServerHealth | ft Name,Result -AutoSize
    Name                                                         Result
    ----                                                         ------
    IsAdfsRunning                                                  Pass
    IsWidRunning                                                   Pass
    PingFederationMetadata                                         Pass
    CheckAdfsSslBindings                                           Pass
    Test-Certificate-Token-Decrypting-Primary-NotFoundInStore    NotRun
    Test-Certificate-Token-Decrypting-Primary-IsSelfSigned       NotRun
    Test-Certificate-Token-Decrypting-Primary-PrivateKeyAbsent   NotRun
    Test-Certificate-Token-Decrypting-Primary-Expired              Pass
    Test-Certificate-Token-Decrypting-Primary-Revoked              Pass
    Test-Certificate-Token-Decrypting-Primary-AboutToExpire      NotRun
    Test-Certificate-Token-Signing-Primary-NotFoundInStore       NotRun
    Test-Certificate-Token-Signing-Primary-IsSelfSigned          NotRun
    Test-Certificate-Token-Signing-Primary-PrivateKeyAbsent      NotRun
    Test-Certificate-Token-Signing-Primary-Expired                 Pass
    Test-Certificate-Token-Signing-Primary-Revoked                 Pass
    Test-Certificate-Token-Signing-Primary-AboutToExpire         NotRun
    Test-Certificate-SSL-Primary-NotFoundInStore                   Pass
    Test-Certificate-SSL-Primary-IsSelfSigned                      Pass
    Test-Certificate-SSL-Primary-PrivateKeyAbsent                  Pass
    Test-Certificate-SSL-Primary-Expired                           Pass
    Test-Certificate-SSL-Primary-Revoked                           Pass
    Test-Certificate-SSL-Primary-AboutToExpire                     Pass
    Test-Certificate-Token-Decrypting-Secondary-NotFoundInStore  NotRun
    Test-Certificate-Token-Decrypting-Secondary-IsSelfSigned     NotRun
    Test-Certificate-Token-Decrypting-Secondary-PrivateKeyAbsent NotRun
    Test-Certificate-Token-Decrypting-Secondary-Expired            Pass
    Test-Certificate-Token-Decrypting-Secondary-Revoked            Pass
    Test-Certificate-Token-Decrypting-Secondary-AboutToExpire    NotRun
    Test-Certificate-Token-Signing-Secondary-NotFoundInStore     NotRun
    Test-Certificate-Token-Signing-Secondary-IsSelfSigned        NotRun
    Test-Certificate-Token-Signing-Secondary-PrivateKeyAbsent    NotRun
    Test-Certificate-Token-Signing-Secondary-Expired               Pass
    Test-Certificate-Token-Signing-Secondary-Revoked               Pass
    Test-Certificate-Token-Signing-Secondary-AboutToExpire       NotRun
    CheckFarmDNSHostResolution                                     Pass
    CheckDuplicateSPN                                              Pass
    TestServiceAccountProperties                                   Pass
    TestAppPoolIDMatchesServiceID                                NotRun
    TestComputerNameEqFarmName                                     Pass
    TestSSLUsingADFSPort                                         NotRun
    TestSSLCertSubjectContainsADFSFarmName                         Pass
    TestAdfsAuditPolicyEnabled                                     Pass
    TestAdfsRequestToken                                           Fail
    CheckOffice365Endpoints                                        Pass
    TestADFSO365RelyingParty                                       Pass
    TestNtlmOnlySupportedClientAtProxyEnabled                      Pass

    When I go further and run the Test-AdfsServerToken command - I get this:

    Invoke-Webrequest :  Service Unavailable

    HTTP Error 503....

    I've already modified the hosts file to include "127.0.0.1 adfs.domain.com" so that the agent resolves to itself.

    Any ideas on where to go further for a resolution? I'd like to script a solution for the other servers in the farm.

    Thank you!

    Wednesday, November 2, 2016 5:36 PM
  • Hi mercblue281,

    Based on the above thread, it looks like there is something else going on that we are not able to catch. For further investigation, can you open a support case with Microsoft Support? That way we can dig deeper in additional details to get to the bottom of this.

    Thanks

    -Varun


    Thanks -Varun Karandikar

    Monday, November 7, 2016 10:49 PM
  • https://blogs.technet.microsoft.com/aadceeteam/2015/02/13/under-the-hood-tour-of-azure-ad-connect-health-ad-fs-diagnostics-module/
    Synthetic Checks (for example, retrieve federation metadata, and get a token from the STS). One thing worth mentioning here is that in order to have the synthetic transaction that gets a token from the STS using the actual server where the cmdlet is running, you should consider tweaking the host file to point to itself (either with IPv4 127.0.0.1 or IPv6 ::1) when resolving the AD FS host farm name. Otherwise, the synthetic transaction will go through the usual DNS resolution where another server will actually serve the request.
    Thursday, June 29, 2017 10:31 AM
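A scripted version of the loopback hosts-file workaround quoted above, written so it can be run on each federation server in the farm as asked earlier in the thread. This is an added example, not code from the thread or from Microsoft; it assumes Get-AdfsProperties is available on the server and uses the diagnostics module path shown in the earlier post.

```powershell
# Added example (not from the thread): idempotently map the AD FS farm name to loopback
# on a federation server (not a WAP proxy), then re-run the Connect Health diagnostics.
# Assumes Get-AdfsProperties is available and the ADFSDiagnostics module path from the thread.
#Requires -RunAsAdministrator
param(
    # Farm name to map; defaults to the AD FS service host name reported by Get-AdfsProperties.
    [string]$FarmName = (Get-AdfsProperties).HostName,
    # Loopback address to use: IPv4 127.0.0.1 or IPv6 ::1, as the quoted blog post suggests.
    [ValidateSet('127.0.0.1', '::1')]
    [string]$Loopback = '127.0.0.1',
    [string]$DiagnosticsModule = 'C:\Program Files\Azure AD Connect Health Adfs Agent\diagnostics\ADFSDiagnostics.psm1'
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Keep a timestamped backup so the change can be reverted if the token test still fails.
Copy-Item -Path $hostsPath -Destination "$hostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# Look for an existing, non-commented line that already maps the farm name (to any address).
$pattern  = '^\s*[^#\s]+\s+' + [regex]::Escape($FarmName) + '(\s|$)'
$existing = Get-Content -Path $hostsPath | Where-Object { $_ -match $pattern }

if ($existing) {
    Write-Host "Existing hosts entry for $FarmName found, leaving it alone: $existing"
} else {
    $entry = "$Loopback`t$FarmName`t# AAD Connect Health synthetic transaction: resolve farm name to this server"
    Add-Content -Path $hostsPath -Value $entry
    Write-Host "Added to ${hostsPath}: $entry"
}

# Confirm that name resolution on this host now returns the loopback address.
# [System.Net.Dns] honours the hosts file, so this reflects what the agent will see.
$resolved = [System.Net.Dns]::GetHostAddresses($FarmName) | ForEach-Object { $_.IPAddressToString }
Write-Host "$FarmName resolves to: $($resolved -join ', ')"
if ($resolved -notcontains $Loopback) {
    Write-Warning "Farm name does not resolve to $Loopback; the synthetic transaction will still hit another server."
}

# Re-run the health checks and show only the two results the thread is chasing.
Import-Module -Name $DiagnosticsModule
Test-ADFSServerHealth |
    Where-Object { $_.Name -in @('CheckFarmDNSHostResolution', 'TestAdfsRequestToken') } |
    Format-Table Name, Result -AutoSize
```

If TestAdfsRequestToken still reports Fail after the name resolves to loopback, the hosts entry is not the cause and the 503 from the federation service itself needs to be investigated separately.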
  • Appreciate your feedback here. Will pass on your suggestions to Azure AD Connect Health team.
    Sunday, July 2, 2017 9:07 AM
    Moderator