Hi,
First of all, thanks for reading this. English is not my mother tongue, so don't hit me hard if I write something incorrect.
After searching so much without finding any useful info or a solution that works in my environment, I'm kindly asking for help. I hope you can help me with this issue on the ADFS!
By the way, the primary ADFS is working and is authenticating from Office 365 without problems so far.
The environment:
* 3 ADFS 2.0 backend servers, all on Server 2012
* 3 ADFS proxies
* Windows Internal Database on the ADFS backends.
The problem is that on the secondary servers I'm getting events 345 and 344 in the ADFS event log:
There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.
Additional Data
Master Name : ADFS1.contoso.com
Endpoint Uri : http://adfs1.contoso.com/adfs/services/policystoretransfer
Exception details:
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://adfs1.contoso.com/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: The remote server returned an error: (404) Not Found.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetHeaders()
at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()
I have checked:
* Date and time on the servers - all OK.
* Ports open between them: 80, 443, 1500 and 1501 seem to be open. I can connect with telnet from the secondary to the primary.
* The ADFSsrv account is a local administrator on the 3 servers. It is the account with which I start all the ADFS services on all the servers. The WID service account is a generated one with "MSSQL" something in its name.
* The three WIDs can be accessed and I can see the pipe data source using a get-wmi command (I don't remember which one).
* Updated the accepted protocols on the three servers to be http, net.tcp.
* Same patch level on all the nodes. I know this is not the best scenario, but due to a problem with the WSUS, these servers have never been updated (so, no patches on any of the three).
* I can't see any endpoints for the policystoretransfer; I guess it is something internal that is always approved.
* The DNS resolution seems OK. There are 2 networks (management and service), but with nslookup I get the names with the correct IPs, and I can ping from the secondaries to the primary.
By the way, something curious: if I try to access the URL from the error description, http://adfs1.contoso.com/adfs/services/policystoretransfer, I can't access it from any of the hosts (even the primary). And I can't see it in IIS (in IIS I have only the ADFS and LS virtual directories). I have both virtual directories in IIS, "adfs" and "ls", but I don't know if I am missing some content on the server.
Thanks in advance to all!
Cheers,
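Added diagnostic example, not code from the original post. The script below gathers, in one run on a secondary federation server, the facts the checklist above was chasing by hand: which node this server believes is its primary and on which port, whether the AD FS service is actually running on that primary, which URLs the AD FS service has registered with HTTP.SYS there, and who answers a GET to the policystoretransfer URL. It assumes the hostname adfs1.contoso.com from the event text, the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell), PowerShell remoting to the primary, and my understanding that in AD FS 2.0 the /adfs/services/* endpoints are served by the AD FS Windows service (adfssrv) directly through HTTP.SYS rather than by an IIS virtual directory, which is consistent with the poster not seeing them in IIS Manager. It changes nothing; it only reports.

```powershell
# Added diagnostic script (not from the original post). Run on a SECONDARY federation
# server in an elevated PowerShell session. Assumptions: AD FS 2.0 snap-in present,
# PowerShell remoting allowed to the primary, hostname taken from the event text.
$primary = 'adfs1.contoso.com'   # assumption: from "Master Name" in the event

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ADFS -ErrorAction SilentlyContinue   # in case the cmdlets ship as a module

# 1. Role and sync source as recorded in this node's configuration database.
$sync = Get-ADFSSyncProperties
"Role: $($sync.Role)"
"PrimaryComputerName: $($sync.PrimaryComputerName)  PrimaryComputerPort: $($sync.PrimaryComputerPort)"
"LastSyncFromPrimaryComputerName: $($sync.LastSyncFromPrimaryComputerName)  LastSyncStatus: $($sync.LastSyncStatus)"

# 2. Is the AD FS service running on the primary? The policystoretransfer endpoint is
#    hosted by this service, so with it stopped nothing listens on that URL.
Get-Service -Name adfssrv -ComputerName $primary | Select-Object MachineName, Name, Status

# 3. On the primary: URL reservations (urlacl) and URLs currently registered by running
#    listeners (servicestate). A reservation without a matching registered URL means the
#    service has not opened its endpoint; no reservation at all means the ACL is missing.
Invoke-Command -ComputerName $primary -ScriptBlock {
    "--- urlacl reservations containing adfs/services ---"
    netsh http show urlacl | Select-String -Pattern 'adfs/services' -Context 0,2
    "--- registered URLs containing adfs/services ---"
    netsh http show servicestate | Select-String -Pattern 'adfs/services'
}

# 4. Probe the endpoint on the port the sync actually uses. A WCF endpoint will not
#    serve a plain GET as a normal page; what matters is who answered. IIS's own 404
#    page (Server header and body from IIS) means HTTP.SYS routed the request to the
#    Default Web Site because the AD FS service had not registered the URL.
$url = "http://${primary}:$($sync.PrimaryComputerPort)/adfs/services/policystoretransfer"
try {
    $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
    "HTTP $($r.StatusCode) from $url; Server: $($r.Headers['Server'])"
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($resp) {
        "HTTP $([int]$resp.StatusCode) from $url; Server: $($resp.Headers['Server'])"
    } else {
        "No HTTP response from $url : $($_.Exception.Message)"
    }
}
```

Read the output top to bottom: if step 1 shows a primary name or port that differs from what the primary really is (for example a management-network name, or a port other than 80 when the service listens on 80), the secondary is simply asking the wrong place, and Set-ADFSSyncProperties on the secondary is the lever to adjust. If step 2 shows adfssrv stopped on the primary, or step 3 shows no registered URL for /adfs/services/ while the reservation exists, the 404 in step 4 is IIS answering in the service's place, which matches the 404 in the event text.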