Question

RichardMlynka-0539 asked, piaudonn edited

Problem with WAP 2022 - ADFS 2022 communication

Hi,

I have a working ADFS and WAP, both on Windows Server 2019.
I added an ADFS and a WAP, both on Windows Server 2022.

WAP 2019 is working with ADFS 2019 and also with ADFS 2022.
WAP 2022 is only working with ADFS 2019.


When trying to refresh the ADFS configuration on WAP 2022 against ADFS 2022, I receive this error:

Description:
The federation server proxy was not able to authenticate to the Federation Service.

User Action
Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet.

Additional Data

Certificate details:

Subject Name:
<null>

Thumbprint:
<null>

NotBefore Time:
<null>

NotAfter Time:
<null>


Install-WebApplicationProxy does not help. The certificate (wildcard) is the same on all servers - triple checked.

Does anybody have WAP 2022 working against ADFS 2022?


Thank you
Richard

Tags: windows-server, adfs

piaudonn answered (2 votes), piaudonn edited

Can you try to disable TLS 1.3 on your WAP and/or ADFS 2022 to test and try to repro?


I ran into this issue myself when setting up a WAP server running on Windows Server 2022. Thank you for the fix!

RichardMlynka-0539 commented:

Hello piaudonn,

You nailed it.
Everything is working after disabling TLS 1.3 for the client on WAP 2022.
I checked it back and forth. Enabled, disabled, enabled, disabled, ...

These are the winning settings for WAP 2022:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

The only side effect (looks harmless to me) is event ID 36871 in the System event log during startup.

Thank you,
Richard

piaudonn replied to RichardMlynka-0539:

Cool, that was actually the suggestion of one of my colleagues. But I am glad it worked :)


StphaneRICCI-5899 commented:

Hello,
I came across your solution after my attempt to install a WAP 2022 server. My "Protocols" key contains nothing underneath it. Even though I created these keys, it does not work...
Did you do anything else?

piaudonn replied to StphaneRICCI-5899:

In that case it is not the same problem. I suggest creating a new post where you can describe your scenario.

LimitlessTechnology-2700 answered (1 vote), RichardMlynka-0539 commented

Hello RichardMlynka,

From my experience, 3 factors can produce the issue:
a) the certificate thumbprint is not the same (you have ruled this out)
b) the problematic WAP server has been disconnected from the environment for more than 2 weeks, as the proxy trust certificate is a rolling certificate valid for 2 weeks and periodically renewed (being a new installation, I would not suspect it)
c) for some reason the 2022 version is not able to properly update the registry key corresponding to the proxy configuration

In this case you can check the following key on the problematic server. Ensure that the value is set to 1, and then re-run the post-install configuration from the management console.

HKLM\Software\Microsoft\ADFS
ProxyConfigurationStatus
  1 (not configured)
  2 (Web Application Proxy is configured)


Hello LimitlessTechnology,

a) checked, same
b) always online, only a few days old
c) as expected; the install config doesn't finish - the reason is probably TLS 1.3, as noted by piaudonn below

Thank you,
Richard

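The two registry-level checks that come up in this thread (the TLS 1.3 client override Richard posted for WAP 2022, and the ProxyConfigurationStatus value from LimitlessTechnology's answer) collected into one script. This is an added example, not code from any participant or from Microsoft: the registry paths and value names are exactly the ones quoted above, while the function names, the -DisableTls13Client / -Revert switches and the status labels are this script's own assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the WAP host.
# Inspects the WAP proxy-configuration flag and the SCHANNEL TLS 1.3 client override,
# and optionally applies or reverts the override reported as working above.

[CmdletBinding()]
param(
    [switch]$DisableTls13Client,  # write DisabledByDefault=1, Enabled=0 (Richard's values)
    [switch]$Revert               # delete the override key so the OS default applies again
)

# Paths and value names as quoted in the thread.
$Tls13ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client'
$AdfsKey        = 'HKLM:\SOFTWARE\Microsoft\ADFS'

function Get-WapProxyConfigurationStatus {
    # Value meanings as given in LimitlessTechnology's answer:
    # 1 = not configured, 2 = Web Application Proxy is configured.
    $item = Get-ItemProperty -Path $AdfsKey -Name ProxyConfigurationStatus -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }
    switch ($item.ProxyConfigurationStatus) {
        1       { return 'NotConfigured' }
        2       { return 'Configured' }
        default { return "Unknown($_)" }
    }
}

function Get-Tls13ClientState {
    # No key at all means no override: SCHANNEL uses the OS default for the TLS 1.3 client.
    if (-not (Test-Path -Path $Tls13ClientKey)) { return 'OSDefault' }
    $p = Get-ItemProperty -Path $Tls13ClientKey
    if ($p.Enabled -eq 0 -and $p.DisabledByDefault -eq 1) { return 'Disabled' }
    return "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

function Disable-Tls13Client {
    # Exactly the two DWORD values from the working configuration posted above.
    New-Item -Path $Tls13ClientKey -Force | Out-Null
    Set-ItemProperty -Path $Tls13ClientKey -Name DisabledByDefault -Type DWord -Value 1
    Set-ItemProperty -Path $Tls13ClientKey -Name Enabled           -Type DWord -Value 0
}

function Restore-Tls13ClientDefault {
    # Removing the whole key (rather than setting Enabled=1) returns to the OS default.
    if (Test-Path -Path $Tls13ClientKey) { Remove-Item -Path $Tls13ClientKey -Recurse -Force }
}

"ProxyConfigurationStatus : $(Get-WapProxyConfigurationStatus)"
"TLS 1.3 client (before)  : $(Get-Tls13ClientState)"

if ($DisableTls13Client) { Disable-Tls13Client }
elseif ($Revert)         { Restore-Tls13ClientDefault }

if ($DisableTls13Client -or $Revert) {
    "TLS 1.3 client (after)   : $(Get-Tls13ClientState)"
    Write-Warning 'SCHANNEL reads protocol settings at service start: restart the server, then re-run Install-WebApplicationProxy.'
}
```

Run it with no switches to see the current state, with -DisableTls13Client to apply Richard's values, and with -Revert to remove them again once you are done testing. Note that this is a machine-wide SCHANNEL client setting, so every outbound TLS client on the WAP host, not only the proxy-trust channel to ADFS, will negotiate TLS 1.2 or lower while it is in place.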
SaschaBless-0984 answered (1 vote)

Thank you very much! Works like a charm now.


ChinmoyJoshi-5542 answered (1 vote)

Thanks @piaudonn, disabling TLS 1.3 on WAP 2022 helped me as well. I'm using 2022 servers for both ADFS and WAP.

Cheers,
Chinmoy
