
I have a working ADFS 3.0 (2012 R2) server running. It successfully operates to log me on to Office365 both on and off premises.

I am trying to install the Web Application Proxy role on a second machine in order to proxy SharePoint 2013. I am getting stuck with an error message:

An error occurred when attempting to create the proxy trust certificate.

My ADFS server is a one-server farm. The host name of the server is adfs-host.domain.local, and the ADFS name is adfs.domain.org.

    PS C:\Windows\system32> Install-WebApplicationProxy -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'adfs.domain.org'
    cmdlet Install-WebApplicationProxy at command pipeline position 1
    Supply values for the following parameters:
    FederationServiceTrustCredential
    Install-WebApplicationProxy : An error occurred when attempting to create the proxy trust certificate.
    At line:1 char:1
    + Install-WebApplicationProxy -CertificateThumbprint 'xxxxxxxxxxxxxxxxxxxxxxx ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], ProxyTrustException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand


    Message                                 Context                                                                  Status
    -------                                 -------                                                                  ------
    An error occurred while attempting t... DeploymentTask                                                            Error

I have a DNS A record pointing adfs.domain.org to the same IP as adfs-host.domain.local.

The name of my Web Application Proxy server is wap-host.domain.local. I copied the GoDaddy certificate onto both machines with the private key, and installed it into the local machine personal certificate store. It is set as the Service Communications Certificate. I installed the full certificate chain onto both machines. It is a UCC certificate with 5 subject alternate names--the main one is not adfs.domain.org, but it does work for ADFS.

I tried with the firewall on and off, and I ran Wireshark--it looks like it is failing at an earlier step, since I didn't see any traffic attempted to the IP of my ADFS server.

The credentials I tried supplying were both a local account that has administrative access on the ADFS server and a domain admin account.

Quinten
  • 1,056

4 Answers

1

I'm not really sure what the exact trigger was, but I installed the latest round of updates on my ADFS server and on my WAP server. Then it started working.

I am thinking that maybe the Windows 2012 R2 Update 1 broke something, and a more recent update fixed it.

Quinten
  • 1,056
0

I am having exactly the same issue with one of our WAP servers, but I am using a WAP cluster and updates are not solving the problem.

Any other hint?

I have basically followed any advice I have found online. The only thing left is completely deleting the server and creating a new one...

0

I have a DNS A record pointing adfs.domain.org to the same IP as adfs-host.domain.local.

Your DNS A record should point adfs.domain.org to the WAP IP (wap-host.domain.local). This web page explains pretty much everything about WAP certificates:

Client machines on the internet (or outside of your internal LAN) resolve the name adfsresource.treyresearch.net to the IP address of adfsproxy.treyresearch.net. It is important to remember that you won’t specify the name adfsproxy.treyresearch.net anywhere in your setup. The website on this server should have a certificate issued to the name adfsresource.treyresearch.net.

Finally, your proxy should resolve adfs.domain.org to the adfs-host.domain.local machine, but only your proxy must have knowledge about this DNS record.

Michael
  • 129
  • 1
  • 5
0

My microsoft.identityServer.proxyservice.exe.config file was blank.

I was unable to resolve this issue without rolling back the web server to an earlier checkpoint, where the connection was working. Once I did so, I backed up a copy of the c:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config file and then applied updates to the server and restarted it. At this point the server would report an error and not start the web proxy. Then the following command worked (previously it would give the error above):

    Install-WebApplicationProxy -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'adfs.domain.org'

With just the blank microsoft.identityServer.proxyservice.exe.config file, I wasn't able to get the Install-WebApplicationProxy command to work.

John H
  • 121
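The answers above point at three separate preconditions for the proxy trust to be created: on the proxy, the federation service name must resolve to the internal ADFS host rather than to the proxy itself (Michael's answer), the certificate referenced by thumbprint must be in the machine store with its private key and cover the federation service name (the question), and microsoft.identityServer.proxyservice.exe.config must not be empty (John H's answer). The following pre-flight script is an added example written for this page, not code from the thread or from Microsoft; it checks all three on the WAP host before Install-WebApplicationProxy is run. The host names, thumbprint and config path are the thread's placeholders and must be replaced with real values.

```powershell
# Added example (not from the thread): pre-flight checks to run on the WAP host
# before Install-WebApplicationProxy. All default values are placeholders taken
# from the question and must be replaced.
param(
    [string]$FederationServiceName = 'adfs.domain.org',
    [string]$InternalAdfsHost      = 'adfs-host.domain.local',
    [string]$CertificateThumbprint = 'XXXXXXXXXXXXXXXXXXXXXXX',
    [string]$ProxyConfigPath       = 'C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config'
)

$failures = @()

# 1. DNS as seen from the proxy: the federation service name must resolve to the
#    internal ADFS farm (Michael's answer), never to one of the proxy's own addresses.
$expected = Resolve-DnsName -Name $InternalAdfsHost -Type A -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty IPAddress
$actual   = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty IPAddress
$localIPs = Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress

if (-not $expected) {
    $failures += "$InternalAdfsHost does not resolve on this host"
}
if (-not $actual) {
    $failures += "$FederationServiceName does not resolve on this host (proxy needs a hosts entry or internal DNS record)"
} elseif ($actual | Where-Object { $localIPs -contains $_ }) {
    $failures += "$FederationServiceName resolves to this proxy's own address; on the proxy it must resolve to $InternalAdfsHost"
} elseif (-not ($actual | Where-Object { $expected -contains $_ })) {
    $failures += "$FederationServiceName resolves to $($actual -join ',') but $InternalAdfsHost is $($expected -join ',')"
}

# 2. Reachability: the trust is established over HTTPS to the federation service name.
#    No traffic to the ADFS IP at all (as in the question's Wireshark capture) usually
#    means the DNS check above failed, but verify the port anyway.
if ($actual) {
    $tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { $failures += "TCP 443 to $FederationServiceName is not reachable" }
}

# 3. Certificate: must be in LocalMachine\My with a private key, build a full chain,
#    and name the federation service in its subject CN or a DNS SAN (a UCC is fine
#    as long as one SAN matches).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
if (-not $cert) {
    $failures += "No certificate with thumbprint $CertificateThumbprint in LocalMachine\My"
} else {
    if (-not $cert.HasPrivateKey) { $failures += 'Certificate has no private key on this host' }

    $names  = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($sanExt) {
        # Windows formats the extension as "DNS Name=a, DNS Name=b"; keep the values only.
        $names += ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    $names += $cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | ForEach-Object { $_.Substring(3) }

    $covered = $names | Where-Object {
        $_ -eq $FederationServiceName -or ($_.StartsWith('*.') -and $FederationServiceName -like $_)
    }
    if (-not $covered) { $failures += "Certificate does not cover $FederationServiceName (names: $($names -join ', '))" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $failures += "Certificate chain does not build on this host: $status (install the full chain)"
    }
}

# 4. Proxy service config (John H's answer): an empty file blocks the install.
#    Back up a non-empty copy before touching the server.
if (-not (Test-Path -Path $ProxyConfigPath)) {
    $failures += "$ProxyConfigPath is missing"
} elseif ((Get-Item -Path $ProxyConfigPath).Length -eq 0) {
    $failures += "$ProxyConfigPath is empty; restore it from a backup or checkpoint before reinstalling"
} else {
    $backup = '{0}.{1}.bak' -f $ProxyConfigPath, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -Path $ProxyConfigPath -Destination $backup
    Write-Host "Backed up proxy config to $backup"
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Pre-flight checks passed; Install-WebApplicationProxy can be attempted.'
```

Run it in an elevated PowerShell session on the WAP host. A non-zero exit with one or more warnings names the precondition that is missing; only when all four checks pass does it make sense to spend time on the FederationServiceTrustCredential or on the ADFS server itself.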