ADFS Migration 2016 => 2019 - new WAP servers not communicating with new ADFS servers

Patrick-350 1 Reputation point
2020-11-24T14:58:19.677+00:00

Hi,
I have a problem with the ADFS migration; in particular the WAP servers are causing problems.

Current situation:
ADFS-DB on SQL Server
2* Windows Server 2016 with ADFS role (LB with KEMP)
2* Windows Server 2016 with WAP role (LB with KEMP)

New (so far):
2* Windows Server 2019 with ADFS role (also in the ADFS farm, working fine)
2* Windows Server 2019 with WAP role (this is where the problem starts)

The initial WAP configuration was fine when the internal LB still pointed to the 2016 ADFS servers.

The communication of the new Server 2019 WAP servers becomes problematic as soon as I point the internal load balancer to the new 2019 ADFS servers. After one minute, errors 224 and 394 occur and I am also not able to re-establish the trust.

The federation server proxy configuration could not be updated with the latest configuration on the federation service.
Additional Data
Error:
Retrieval of proxy configuration data from the Federation Server using trust certificate with thumbprint '<thumbprint>' failed with status code 'InternalServerError'.

Summarized:
New WAPs against old ADFS servers = Working
Old WAPs against new ADFS servers = Working
New WAPs against new ADFS servers = Broken

Also tested it without KEMP LB, same results.

I searched a lot and found solutions pointing to primary ADFS server but in this environment we have SQL DB so in my understanding there is no primary ADFS server.

Any ideas? No hardening of any kind (SSL/TLS settings) is in place.

Kind regards
Patrick
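The failing step above is the WAP pulling its proxy configuration from the federation service over the proxy trust certificate. The following diagnostic script is an added example, not code from the original post or the answer; it is meant to be run on one of the new 2019 WAP servers and collects the facts a defender wants before re-running the trust setup: the relevant AD FS/Admin events (224 and 394), whether the proxy trust certificate named in event 394 is present and valid in the machine store, whether each ADFS node is reachable on 443 directly rather than through the KEMP VIP, and which TLS version and cipher the WAP actually negotiates with the federation service. The federation service name, the ADFS node names and the thumbprint are placeholders.

```powershell
# Added diagnostic script (not from the original post). Run on a new WAP server in an elevated PowerShell.
$FederationService  = 'sts.contoso.example'   # placeholder: the federation service FQDN behind the internal LB
$AdfsNodes          = @('adfs2019-01.contoso.example', 'adfs2019-02.contoso.example')  # placeholders: the new ADFS nodes
$ThumbprintFromEvent = '<thumbprint>'          # placeholder: copy the thumbprint quoted in the event 394 text

# 1. Show the proxy-trust events the WAP itself logged.
#    224 = federation server proxy configuration could not be updated, 394 = retrieval of proxy configuration failed.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 224, 394 } -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, Id, Message | Format-List }
else         { 'No 224/394 events found in AD FS/Admin on this WAP.' }

# 2. Is the proxy trust certificate the event names still in LocalMachine\My, valid, and does it have its private key?
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ThumbprintFromEvent }
if (-not $cert) { "Proxy trust certificate $ThumbprintFromEvent not found in LocalMachine\My (trust needs to be re-established)." }
else {
    $cert | Select-Object Subject, NotBefore, NotAfter, HasPrivateKey
    if ($cert.NotAfter -lt (Get-Date)) { 'Proxy trust certificate has expired.' }
}

# 3. Reach each ADFS node directly on 443, bypassing the KEMP VIP, to separate LB problems from ADFS problems.
foreach ($node in $AdfsNodes) {
    Test-NetConnection -ComputerName $node -Port 443 -WarningAction SilentlyContinue |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
}

# 4. Which TLS version and cipher does the WAP negotiate against the federation service?
#    Certificate validation is deliberately accepted here because this only inspects the handshake result.
$tcp = New-Object System.Net.Sockets.TcpClient($FederationService, 443)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false, ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
try {
    $ssl.AuthenticateAsClient($FederationService)
    [pscustomobject]@{
        Protocol   = $ssl.SslProtocol
        Cipher     = $ssl.CipherAlgorithm
        Strength   = $ssl.CipherStrength
        ServerCert = $ssl.RemoteCertificate.Subject
        CertThumb  = $ssl.RemoteCertificate.GetCertHashString()
    }
}
finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run the same event query on the 2019 ADFS nodes for the server-side counterpart of the 'InternalServerError' the WAP reports; compare the certificate the handshake in step 4 returns with the SSL certificate bound on each ADFS node so that a node serving a different certificate than the farm expects is spotted before the trust is re-created with Install-WebApplicationProxy.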

Active Directory Federation Services

1 answer

2020-11-27T15:19:13.607+00:00

Hello @Patrick-350, possibilities are that the Kemp (LB) is the culprit or the proxy trust is broken. Does it work when bypassing the Kemp from WAP to ADFS?