Unable to reconfigure AD FS Proxy server

Bruno Martins 1 Reputation point
2022-04-22T14:17:25.543+00:00

Dear community,

We have an AD FS farm comprised of three servers, and also three WAP servers. All servers are running Windows Server 2019 and WAP are in a DMZ (not domain-joined).

One of the WAP servers stopped working after last month's Windows patching.

I am now unable to reconfigure the failed WAP server, either using the GUI after role reinstallation or from PowerShell:

195635-image.png

195596-image.png

I have already tried a lot of possible solutions without luck:

  • Checked for TLS 1.0 and TLS 1.1 issues through Registry Editor
  • Reinstalled WAP role multiple times
  • AD FS farm name can be resolved correctly and connectivity is established using port TCP/443
  • Replaced microsoft.identityServer.proxyservice.exe file from other WAP servers and tried reconfiguring WAP

One difference between this and the other (working) WAP servers is:

  • In the non-working WAP server, the configuration file mentioned above has no certificate associated: <trust thumbprint="" proxyTrustRenewPeriod="240" />
  • In the Personal certificates store of the non-working WAP server, there are no "ADFS ProxyTrust *" certificates, while for the working ones there are a lot of certificates of this type
  • In the AD FS farm server, there is a certificate under AdfsTrustedDevices for the working WAP, but nothing for the non-working WAP server

Any advice?

Thank you!
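The three differences listed above (empty trust thumbprint in the proxy service config, no "ADFS ProxyTrust" certificate in the WAP's Personal store, no entry in AdfsTrustedDevices on the farm) can be checked in one pass. The script below is an added diagnostic example, not code from the question or the answer; it assumes the default WAP config path under C:\Windows\ADFS\Config, uses a placeholder farm name, and reads the SCHANNEL and .NET TLS registry values the poster mentions checking. The first function runs on the WAP server, the second on an AD FS farm server.

```powershell
# Added example, not part of the original thread. Assumptions are marked inline.
# Run in an elevated PowerShell session.

function Test-WapProxyTrust {
    param(
        # Placeholder: replace with your AD FS farm name (federation service name).
        [string]$FederationServiceName = 'adfs.example.com',
        # Assumed default location of the WAP proxy service config file.
        [string]$ConfigPath = 'C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config'
    )

    # 1. Thumbprint the proxy service is configured to present to the farm.
    #    On a healthy WAP this matches an "ADFS ProxyTrust - <host>" cert in LocalMachine\My.
    [xml]$config = Get-Content -Path $ConfigPath -ErrorAction Stop
    $trustNode  = $config.SelectSingleNode('//trust')          # XPath: nesting-independent
    $configured = [string]$trustNode.thumbprint

    # 2. Proxy trust certificates actually present in the Personal store.
    $proxyCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*ADFS ProxyTrust*' }

    # 3. Reachability of the farm on TCP/443 (the only port WAP needs to the farm).
    $tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue

    # 4. TLS protocol state: SCHANNEL client keys plus the .NET strong-crypto switches,
    #    because the proxy service is a .NET process and follows those settings.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $tls = foreach ($v in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $schannel "$v\Client"
        $p   = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $v
            Enabled           = if ($null -ne $p) { $p.Enabled }           else { '(not set)' }
            DisabledByDefault = if ($null -ne $p) { $p.DisabledByDefault } else { '(not set)' }
        }
    }
    $net = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -ErrorAction SilentlyContinue

    # Consolidated findings; a blank thumbprint or an empty cert list reproduces the
    # symptom described in the question (WAP has no trust to present).
    [pscustomobject]@{
        ConfiguredThumbprint   = if ($configured) { $configured } else { '(empty)' }
        ProxyTrustCertCount    = @($proxyCerts).Count
        ThumbprintMatchesStore = [bool]($proxyCerts | Where-Object { $_.Thumbprint -eq $configured })
        FarmTcp443Reachable    = $tcp.TcpTestSucceeded
        FarmResolvedAddress    = $tcp.RemoteAddress
        TlsClientSettings      = $tls
        DotNetStrongCrypto     = $net.SchUseStrongCrypto
        DotNetSystemDefaultTls = $net.SystemDefaultTlsVersions
    }
}

function Get-AdfsTrustedDevice {
    # Run on an AD FS farm server: every WAP that completed Install-WebApplicationProxy
    # leaves its proxy trust certificate in the AdfsTrustedDevices store.
    Get-ChildItem -Path Cert:\LocalMachine\AdfsTrustedDevices |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter |
        Sort-Object NotAfter
}

# Usage (WAP):  Test-WapProxyTrust -FederationServiceName 'adfs.example.com' | Format-List
# Usage (farm): Get-AdfsTrustedDevice | Format-Table -AutoSize
```

Compare the subject names returned by Get-AdfsTrustedDevice with the WAP hostnames: a WAP whose name is absent there, and whose own report shows ConfiguredThumbprint of "(empty)" and ProxyTrustCertCount of 0, has never completed (or has lost) the proxy trust handshake, which is the state the question describes. The TLS rows are there to rule out a protocol mismatch between the WAP's .NET client and the farm before looking elsewhere.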


1 answer

  1. T. Kujala 8,706 Reputation points
    2022-04-23T17:14:10.357+00:00

    Hi @Bruno Martins ,

    You could try the following method.