
So we had ADFS Proxy connected with ADFS (Install-WebApplicationProxy), both Windows Server 2019. Had to re-establish the trust, but it waits a long time, retrying auth.

AD FS Event logs

ADFS side has event 276 with weird values:

The federation server proxy was not able to authenticate to the Federation Service. User Action Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet.

Additional Data
Certificate details:
Subject Name:
Thumbprint:
NotBefore Time:
NotAfter Time:

There are lots of these events, as the proxy retries auth every ~20 sec. However, the first event generated after Install-WebApplicationProxy is 395:

The trust between the federation server proxy and the Federation Service was established successfully using the account 'example\administrator'.

Proxy trust certificate subject: CN=ADFS ProxyTrust - ADFSproxy. Proxy trust certificate thumbprint: 3F5DBD1C735A57C5FEA8C18905EE83CEAE3EA732

So obviously my credentials are correct, and the cert could be delivered to ADFS. I validated it using certlm.msc - the cert is under AdfsTrustedDevices.

SChannel logs

I see the following event on both ADFS and ADFS Proxy:

Event 36867:

Creating a TLS client credential.

However, for ADFS Proxy there are also warnings, Event ID 36857:

The remote server has requested TLS client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This TLS connection request may succeed or fail, depending on the server's policy settings.

AD FS Tracing

Turned on the Debug log.

ADFS:

Multiple Event 107 Errors:

ProxyRequestHandler.DefaultExceptionHandler: ProxyTrust could not be verified for certificate with subject name '' and thumbprint ''.

Exception details: Exception: No client certificate associated with the request was found.
StackTrace:
   at Microsoft.IdentityServer.Web.Proxy.TlsRequestVerificationMethod.VerifyTrustedRequest(WrappedHttpListenerContext context, String& auditInformation)
   at Microsoft.IdentityServer.Web.Rest.RestRequestHandler.OnGetContext(WrappedHttpListenerContext context)

Error retrieving proxy configuration. Microsoft.IdentityServer.WebHost.Proxy.ProxyTrustException: No client certificate associated with the request was found.
   at Microsoft.IdentityServer.Web.Proxy.TlsRequestVerificationMethod.VerifyTrustedRequest(WrappedHttpListenerContext context, String& auditInformation)
   at Microsoft.IdentityServer.Web.Rest.RestRequestHandler.OnGetContext(WrappedHttpListenerContext context)

TlsRequestVerificationMethod: Incoming request didnt contain a cert.

ADFS Proxy:

Event 54:

Found certificate matching thumbprint '3F5DBD1C735A57C5FEA8C18905EE83CEAE3EA732'

Event 52 Errors:

Request for configuration failed with status: ProtocolError Message: The remote server returned an error: (401) Unauthorized.
Exception: System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration(X509Certificate2 trustCert)

Random things tried

All in all, it seems the cert gets delivered to ADFS but client auth fails.

I don't know too much about the internals of ADFS Proxy / Web Application Proxy - hope there is someone who can direct me on how to further troubleshoot this. Now we must endure some downtime :(

P.S. If someone recommends re-establishing trust - I AM trying to do that. These events are generated as part of that process. It fails with: An error occurred while attempting to retrieve configuration data from the Federation Server. Unable to retrieve pro...

P.P.S. Could it be some configuration that prevents certificates within AdfsTrustedDevices from being used for client auth?

P.S. The ADFS ProxyTrust - ADFSproxy cert doesn't have any enhanced key usage, but I checked another proxy server which was working, and it doesn't have one either. How does it even trust this self-signed cert? Does ADFS implicitly trust self-signed certs within AdfsTrustedDevices?

1 Answer


So it seems that ADFS is using something called SendTrustedIssuerList (Management of trusted issuers for client authentication) and using AdfsTrustedDevices to trust the ADFS proxy server client authentication cert.

When authentication of the client computer is required using SSL or TLS, the server can be configured to send a list of trusted certificate issuers. This list contains the set of certificate issuers which the server will trust and is a hint to the client computer as to which client certificate to select if there are multiple certificates present. In addition, the certificate chain the client computer sends to the server must be validated against the configured trusted issuers list.

It couldn't trust that cert because I manually removed the binding hostnameport=adfs.example.com:443 and re-added it without the parameter sslctlstorename=AdfsTrustedDevices.

I had to:

  1. netsh http delete sslcert hostnameport=adfs.example.com:443
  2. netsh http add sslcert hostnameport=adfs.example.com:443 certhash=<thumb> appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY sslctlstorename=AdfsTrustedDevices

Lesson learned: If cert renewal from the AD FS Management console doesn't re-bind the certificate, use netsh http update sslcert.
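The check below is an added example, not code from the question or the answer above. It audits the http.sys SSL bindings on an AD FS server the way the answer describes, parsing `netsh http show sslcert`, confirming that the federation service's 443 binding still carries `Ctl Store Name = AdfsTrustedDevices`, printing the `netsh` repair commands if it does not, and listing the `ADFS ProxyTrust - <proxy>` certificates that the store actually holds. The parameter names, their default values (`adfs.example.com` is the example host from the answer), the `CN=ADFS ProxyTrust - *` subject pattern used to find the trust certificates, and the assumption that it runs in an elevated PowerShell on the AD FS server itself are mine, not the page's.

```powershell
<#
Added example (not from the original post): audit http.sys SSL bindings on an
AD FS server for the CTL store that proxy trust relies on.
Assumptions not taken from the page: parameter names/defaults below, the
"CN=ADFS ProxyTrust - *" subject pattern, and running elevated on the AD FS node.
#>
param(
    [string]$FederationServiceName = 'adfs.example.com',   # assumed example host (from the answer)
    [string]$CtlStoreName          = 'AdfsTrustedDevices',  # store named in the answer
    [string]$AdfsAppId             = '{5d89a20c-beab-4389-9447-324788eb944a}'  # app id from the answer
)

# Turn the text output of "netsh http show sslcert" into one object per binding.
# Each binding block starts with an "IP:port" or "Hostname:port" line and is
# followed by "Field : Value" lines until the next block.
function Get-HttpSysSslBinding {
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ Binding = $Matches[2]; Kind = $Matches[1] }
        }
        elseif ($null -ne $current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

# Compare the federation service's 443 binding with what proxy trust needs
# (per the answer: the CTL store must be AdfsTrustedDevices), then list the
# proxy trust certificates currently present in that store.
function Test-AdfsProxyTrustBinding {
    $target   = "${FederationServiceName}:443"
    $bindings = @(Get-HttpSysSslBinding)
    $binding  = $bindings | Where-Object { $_.Binding -eq $target } | Select-Object -First 1

    if (-not $binding) {
        Write-Warning "No http.sys binding found for $target. Existing bindings: $($bindings.Binding -join ', ')"
        return
    }

    Write-Host "Binding $target"
    Write-Host "  Certificate Hash : $($binding.'Certificate Hash')"
    Write-Host "  Application ID   : $($binding.'Application ID')"
    Write-Host "  Ctl Store Name   : $($binding.'Ctl Store Name')"

    if ($binding.'Ctl Store Name' -ne $CtlStoreName) {
        Write-Warning "Ctl Store Name is '$($binding.'Ctl Store Name')', expected '$CtlStoreName'."
        Write-Warning "Without it the proxy's client cert is never requested/accepted (trace: 'No client certificate associated with the request was found'). Repair with:"
        Write-Host "  netsh http delete sslcert hostnameport=$target"
        Write-Host "  netsh http add sslcert hostnameport=$target certhash=$($binding.'Certificate Hash') appid=$AdfsAppId certstorename=MY sslctlstorename=$CtlStoreName"
    }
    else {
        Write-Host "  OK: binding advertises $CtlStoreName as the trusted-issuer list for client certificate negotiation."
    }

    # These are the certificates event 276 / the 395 trust event refer to.
    $trustCerts = @(Get-ChildItem -Path "Cert:\LocalMachine\$CtlStoreName" |
        Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust - *' })
    if ($trustCerts.Count -eq 0) {
        Write-Warning "No 'ADFS ProxyTrust - <proxy>' certificate in LocalMachine\$CtlStoreName; re-run Install-WebApplicationProxy on the proxy."
    }
    foreach ($c in $trustCerts) {
        $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid until ' + $c.NotAfter.ToString('u') }
        Write-Host "  Trust cert $($c.Subject) $($c.Thumbprint) ($state)"
    }
}

Test-AdfsProxyTrustBinding
```

Run it on every AD FS node in the farm, since http.sys bindings are per machine and only the node that was rebound by hand will be wrong. Printing the repair commands rather than executing them is deliberate: deleting the binding drops the listener until `add sslcert` completes, so `netsh http update sslcert` (as the answer's lesson learned suggests) or `Set-AdfsSslCertificate -Thumbprint <thumb>`, which recreates the AD FS bindings, is the less disruptive path once you have confirmed which binding is missing the store.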