I have a working ADFS 3.0 (2012 R2) server running. It successfully operates to log me on to Office365 both on and off premises.
I am trying to install the Web Application Proxy role on a second machine in order to proxy Sharepoint 2013. I am getting stuck with an error message:
An error occurred when attempting to create the proxy trust certificate.
My ADFS server is a one-server farm. The host name of the server is adfs-host.domain.local, and the ADFS name is adfs.domain.org.
PS C:\Windows\system32> Install-WebApplicationProxy -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'adfs.domain.org'
cmdlet Install-WebApplicationProxy at command pipeline position 1
Supply values for the following parameters:
FederationServiceTrustCredential
Install-WebApplicationProxy : An error occurred when attempting to create the proxy trust certificate.
At line:1 char:1
+ Install-WebApplicationProxy -CertificateThumbprint 'xxxxxxxxxxxxxxxxxxxxxxx ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Install-WebApplicationProxy], ProxyTrustException
+ FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand
Message Context Status
------- ------- ------
An error occurred while attempting t... DeploymentTask Error
I have a DNS A record pointing adfs.domain.org to the same IP as adfs-host.domain.local.
The name of my Web Application Proxy server is wap-host.domain.local. I copied the GoDaddy certificate onto both machines with the private key, and installed it into the local machine personal certificate store. It is set as the Service Communications Certificate. I installed the full certificate chain onto both machines. It is a UCC certificate with 5 subject alternative names; the main one is not adfs.domain.org, but it does work for ADFS.
I tried with the firewall on and off, and I ran Wireshark; it looks like it is failing at an earlier step, since I didn't see any traffic attempted to the IP of my ADFS server.
The credentials I tried supplying: both a local account that has administrative access on the ADFS server, and a domain admin account.
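The prerequisites the question walks through (certificate with private key in the local machine store, chain installed, DNS for the federation service name, reachability of the ADFS server, and the trust credential) can be checked from the WAP host before running the cmdlet. This is an added example, not the asker's script or Microsoft's; it uses the host names from the question, the thumbprint is a placeholder, and it assumes the built-in DnsClient and NetTCPIP modules of Windows Server 2012 R2 are available.

```powershell
# Pre-flight checks for Install-WebApplicationProxy on the WAP host (added example).
# Host names are the ones used in the question; the thumbprint is a placeholder.
$Thumbprint            = 'REPLACE_WITH_CERT_THUMBPRINT'
$FederationServiceName = 'adfs.domain.org'
$AdfsHost              = 'adfs-host.domain.local'

# 1. The service communications certificate must be in LocalMachine\My on this host,
#    with its private key, and should cover the federation service name (CN or SAN).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this host" }
$names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$covers = $names | Where-Object {
    $_ -eq $FederationServiceName -or ($_.StartsWith('*.') -and $FederationServiceName -like $_)
}
if (-not $covers) {
    Write-Warning "Certificate names ($($names -join ', ')) do not include $FederationServiceName"
}

# 2. The chain must build on this host, i.e. the issuing CA certificates are installed here too.
if (-not $cert.Verify()) { Write-Warning "Certificate chain does not validate on this host" }

# 3. The federation service name must resolve to the ADFS server, not to the proxy itself.
$resolved = @((Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop).IPAddress)
$adfsIp   = @((Resolve-DnsName -Name $AdfsHost -Type A -ErrorAction Stop).IPAddress)
if ($resolved -notcontains $adfsIp[0]) {
    Write-Warning "$FederationServiceName resolves to $resolved but $AdfsHost is $adfsIp"
}

# 4. TCP 443 to the ADFS server must be reachable from the proxy; the proxy trust is
#    established over HTTPS, so no traffic to the ADFS IP means the step never got this far.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $FederationServiceName is not reachable" }

# 5. Pass the trust credential explicitly instead of waiting for the prompt; it must be
#    an account that is a local administrator on the ADFS server.
$cred = Get-Credential -Message 'Account that is a local administrator on the ADFS server'
Install-WebApplicationProxy -CertificateThumbprint $Thumbprint `
                            -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential $cred
```

If every check passes and the cmdlet still fails with ProxyTrustException, the problem is on the ADFS side or in patch level, which is what the accepted answer found.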
Best Answer
I'm not really sure what the exact trigger was, but I installed the latest round of updates on my ADFS server and on my WAP server. Then it started working.
I am thinking that maybe the Windows 2012 R2 Update 1 broke something, and a more recent update fixed it.