ADFS 3.0 / Web Application Proxy Server 2012 R2 error

Tags: adfs, sharepoint-2013, web-application-proxy, windows-server-2012-r2

I have a working ADFS 3.0 (2012 R2) server running. It successfully operates to log me on to Office365 both on and off premises.

I am trying to install the Web Application Proxy role on a second machine in order to proxy SharePoint 2013. I am getting stuck with an error message:

An error occurred when attempting to create the proxy trust certificate.

My ADFS server is a one-server farm. The host name of the server is adfs-host.domain.local, and the ADFS name is adfs.domain.org.

    PS C:\Windows\system32> Install-WebApplicationProxy -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'adfs.domain.org'
    cmdlet Install-WebApplicationProxy at command pipeline position 1
    Supply values for the following parameters:
    FederationServiceTrustCredential
    Install-WebApplicationProxy : An error occurred when attempting to create the proxy trust certificate.
    At line:1 char:1
    + Install-WebApplicationProxy -CertificateThumbprint 'xxxxxxxxxxxxxxxxxxxxxxx ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], ProxyTrustException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand


    Message                                 Context                                                                  Status
    -------                                 -------                                                                  ------
    An error occurred while attempting t... DeploymentTask                                                            Error

I have a DNS A record pointing adfs.domain.org to the same IP as adfs-host.domain.local.

The name of my Web Application Proxy server is wap-host.domain.local. I copied the GoDaddy certificate onto both machines with the private key, and installed it into the local machine personal certificate store. It is set as the Service Communications Certificate. I installed the full certificate chain onto both machines. It is a UCC certificate with 5 subject alternate names; the main one is not adfs.domain.org, but it does work for ADFS.

I tried with the firewall on and off, and I ran Wireshark; it looks like it is failing at an earlier step, since I didn't see any traffic attempted to the IP of my ADFS server.

For the credentials, I tried supplying both a local account that has administrative access on the ADFS server and a domain admin account.
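The prerequisites the question walks through (certificate with private key and matching name in LocalMachine\My, the chain installed, DNS for the federation service name, reachability of the ADFS farm, and a trust credential) can be checked on the WAP host before running the installer. This is an added diagnostic script, not part of the question or answer; the host names and thumbprint are the question's own placeholders and must be replaced.

```powershell
# Added example: pre-flight checks for Install-WebApplicationProxy, run on the
# WAP server (wap-host.domain.local in the question). Values are placeholders.
$FederationServiceName = 'adfs.domain.org'
$Thumbprint            = 'XXXXXXXXXXXXXXXXXXXXXXX'   # placeholder from the question

# 1. Certificate: present in LocalMachine\My, private key usable here, and the
#    federation service name covered by CN or a SAN entry (a UCC cert whose CN
#    is a different name is fine as long as a SAN matches).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Warning "Certificate $Thumbprint not found in LocalMachine\My"
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate is present but has no private key on this machine'
} else {
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) {
        # Format() yields "DNS Name=a, DNS Name=b"; keep only the host names.
        $names += ($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1] })
    }
    if ($names -notcontains $FederationServiceName) {
        Write-Warning "Certificate names ($($names -join ', ')) do not include $FederationServiceName"
    }
    # Verify() builds the chain locally, so a missing intermediate shows up here.
    if (-not $cert.Verify()) { Write-Warning 'Certificate chain does not validate on this host' }
}

# 2. DNS: the federation service name must resolve from the WAP host.
try   { $ips = (Resolve-DnsName $FederationServiceName -Type A -ErrorAction Stop).IPAddress
        "Resolved $FederationServiceName -> $($ips -join ', ')" }
catch { Write-Warning "$FederationServiceName does not resolve: $_" }

# 3. Network: TCP 443 to the farm, then the federation metadata document the
#    proxy reads while establishing trust (a standard ADFS endpoint path).
if (-not (Test-NetConnection $FederationServiceName -Port 443 -InformationLevel Quiet)) {
    Write-Warning "TCP 443 to $FederationServiceName is not reachable"
} else {
    $metadata = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    try   { $r = Invoke-WebRequest -Uri $metadata -UseBasicParsing -ErrorAction Stop
            "Federation metadata retrieved (HTTP $($r.StatusCode))" }
    catch { Write-Warning "Federation metadata not retrievable: $_" }
}

# 4. Trust credential: an account in the local Administrators group on the ADFS
#    server. Prompt for it at install time rather than embedding a password.
# Install-WebApplicationProxy -CertificateThumbprint $Thumbprint `
#     -FederationServiceName $FederationServiceName `
#     -FederationServiceTrustCredential (Get-Credential)
```

If every check passes and the installer still fails with the ProxyTrustException, the remaining variables are the patch level of both hosts (the accepted answer's fix) and the ADFS event logs on the farm side.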

Best Answer

I'm not really sure what the exact trigger was, but I installed the latest round of updates on my ADFS server and on my WAP server. Then it started working.

I am thinking that maybe the Windows 2012 R2 Update 1 broke something, and a more recent update fixed it.