MSExchangeGuru.com


Unable to install Web Application Proxy

I ran into an issue while installing Web Application Proxy which does not seem to be documented anywhere, so I am sharing it. It is a small issue which does not let the trust complete.

I got the following error while completing the Web Application Proxy setup:

Unable to retrieve proxy configuration data from the Federation Server.


In the event viewer, we got the following error event 25 times:



Unable to retrieve proxy configuration data from the Federation Service.

Additional Data

Trust Certificate Thumbprint: 466D9F4B1 0D44E1C02E19A

Status Code: Unauthorized

Exception details:

System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()


-On the ADFS server, I got this error event:


The federation server proxy was not able to authenticate to the Federation Service.

User Action

Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet.



-Now, there is an ultimate blog post which will help in fixing the issue, because multiple things can cause it.

https://blogs.technet.microsoft.com/applicationproxyblog/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy/#pi148362=1

-I used the script mentioned in the blog and ran it on my ADFS server.

-I got a warning about my IIS binding.


-I removed the IP and changed the binding to All Unassigned.

-I reran the Web Application Proxy setup and it completed successfully.



The same issue can also occur if you replace your certificate and don't update it in the ADFS and ADFS Proxy properties.

The solution is explained in more detail in this blog: http://www.reinhard-online.nl/2014/10/strange-behavior-ad-fs-windows-server_88.html

Run the following command in PowerShell to check whether the thumbprint in the binding differs from the actual certificate shown in the certificate MMC:

netsh http show sslcert

If the thumbprint is different, we need to replace the certificate by running the following commands:

netsh http delete sslcert hostnameport=url:port

netsh http add sslcert hostnameport=url:port certhash=ThumbPrint appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY sslctlstorename=same as output

Restart the ADFS service on both ADFS Proxy and ADFS server.

We might also need to run the following, but only if the above steps do not fix the issue.

Install-WebApplicationProxy -CertificateThumbprint 'thumbprint' -FederationServiceName 'adfs URL'
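
The thumbprint and binding checks described above, as an added PowerShell example that is not from the original post or from the blogs it links to. The sample netsh output, the host name sts.example.test, the hashes and the function names are constructed for illustration, and the parser assumes English-locale netsh output.

```powershell
# Constructed sample of `netsh http show sslcert` output (English locale); hashes are placeholders.
$sample = @'
    IP:port                      : 10.0.0.5:443
    Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
    Ctl Store Name               : (null)

    Hostname:port                : sts.example.test:443
    Certificate Hash             : bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Ctl Store Name               : AdfsTrustedDevices
'@ -split '\r?\n'

function ConvertFrom-NetshSslCert([string[]]$Lines) {
    # Turn each "IP:port" / "Hostname:port" block into one object.
    $b = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($null -ne $b) { [pscustomobject]$b }
            $b = [ordered]@{ Type = $Matches[1]; Endpoint = $Matches[2] }
        } elseif ($null -ne $b -and $line -match '^\s*(Certificate Hash|Application ID|Ctl Store Name)\s*:\s*(.+?)\s*$') {
            $b[($Matches[1] -replace ' ', '')] = $Matches[2]
        }
    }
    if ($null -ne $b) { [pscustomobject]$b }
}

function Test-AdfsSslBinding([object[]]$Bindings, [string]$ExpectedThumbprint) {
    $adfsAppId = '{5d89a20c-beab-4389-9447-324788eb944a}'   # appid from the netsh command in the post
    # Thumbprints pasted from the certificate MMC can carry spaces or hidden characters.
    $want = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
    foreach ($b in $Bindings) {
        $isAdfs = $b.ApplicationID -eq $adfsAppId
        $issue = if ($isAdfs -and $b.CertificateHash -ne $want) {
            'thumbprint differs from the expected certificate'
        } elseif (-not $isAdfs -and $b.Type -eq 'IP:port' -and $b.Endpoint -notmatch '^(0\.0\.0\.0|\[::\]):') {
            'binding on a specific IP owned by another application'   # the case fixed above with All Unassigned
        } else { 'ok' }
        [pscustomobject]@{ Endpoint = $b.Endpoint; IsAdfs = $isAdfs; CtlStoreName = $b.CtlStoreName; Issue = $issue }
    }
}

# Live use (run elevated on the ADFS server): pass (netsh http show sslcert) as -Lines instead of $sample.
$bindings = ConvertFrom-NetshSslCert -Lines $sample
Test-AdfsSslBinding -Bindings $bindings -ExpectedThumbprint ('BB ' * 20)   # constructed thumbprint
```

The CtlStoreName column shows the value to reuse for sslctlstorename when the binding has to be deleted and added again.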


Prabhat Nigam

Microsoft MVP | CTO @ Golden Five

Team@MSExchangeGuru
