Channel: Claims based access platform (CBA), code-named Geneva forum

2012 R2 ADFS WAP proxy problem

I am trying to set up a test ADFS server environment with the goal of using federated Office 365.
My test environment has:
- two domain controllers at the 2008 R2 functional level, one on Server 2008 R2 and the other on 2012, with one local (non-routable) internal domain name and one externally routable name for mail. I have added the externally routable name as an alternate UPN suffix.
- two Exchange servers, one 2010 and the other 2013.
- one 2012 R2 ADFS server and one 2012 R2 WAP proxy server.
The two AD FS servers seem to work all right. I can log in (adfsmachinename/adfs/ls/idpinitiatedsignon) and also pull https://mycomp/adfs/fs/federationserverservice.asmx from any of the machines in the domain. All servers are joined to the domain and are in the same subnet.

The problem is setting up the Web Application Proxy to establish the trust. When I use the Web Application Proxy Configuration Wizard, I put in the wildcard cert from Comodo for the routable domain name, which is on both the ADFS and WAP servers. I use either a domain admin or a local admin of the ADFS server, but it always fails with the same message:

"Unable to retrieve proxy configuration data from the Federation Server."

On the AD FS WAP server the event log shows event 422:
Trust Certificate Thumbprint: 
6185C255555555544555555555535D06 
Status Code: 
Unauthorized 
Exception details: 
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

Note: the process creates a new cert, ADFS ProxyTrust-localservername, which has the thumbprint listed in the error.

At the same time, the event log on the ADFS server it is trying to establish trust with comes up with event ID 276:
The federation server proxy was not able to authenticate to the Federation Service. 

User Action 
Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host 
name that is identified in the certificate subject name and re-establish trust between the proxy and the 
Federation Service using the Install-WebApplicationProxy cmdlet. 
Additional Data 
Certificate details: 
Subject Name: 
<null> 
Thumbprint: 
<null> 
NotBefore Time: 
<null> 
NotAfter Time: 
<null>

No matter what I seem to try with the local admin account, it has the same error. I verified the passwords and tried domain admin, local admin, the ADFS domain service admin, etc.
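The following PowerShell is an added diagnostic example, not code from the original post or from Microsoft. Run on the WAP server, it checks the three things the two events above point at: that the ADFS ProxyTrust certificate the wizard created exists in the local machine store with a private key and the thumbprint from event 422, that the WAP resolves and can reach the federation service endpoint the poster says works from domain members, and then re-runs Install-WebApplicationProxy as the event 276 text instructs. The federation service name and the wildcard certificate thumbprint are placeholders to replace with your own values; the cmdlets and parameter names are the standard ones shipped with Windows Server 2012 R2.

```powershell
# Added diagnostic example (not from the original post). Values below are
# assumptions/placeholders except the event 422 thumbprint quoted in the post.
$FederationServiceName = 'sts.example.com'                   # assumption: the externally routable AD FS name
$EventThumbprint       = '6185C255555555544555555555535D06'  # thumbprint reported in event 422

# 1. Confirm the proxy trust certificate the wizard created is present,
#    has a private key, and matches the thumbprint the WAP logged.
$proxyCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*ADFS ProxyTrust*' }
if (-not $proxyCerts) {
    Write-Warning 'No ADFS ProxyTrust certificate found in LocalMachine\My on this WAP server.'
}
foreach ($c in $proxyCerts) {
    [pscustomobject]@{
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey
        NotBefore     = $c.NotBefore
        NotAfter      = $c.NotAfter
        MatchesEvent  = ($c.Thumbprint -eq $EventThumbprint)
    }
}

# 2. Confirm the WAP resolves the federation service name and can reach the
#    metadata endpoint. Invoke-WebRequest throws on a 4xx/5xx status, so a
#    returned StatusCode means the AD FS server answered over HTTPS.
Resolve-DnsName -Name $FederationServiceName | Select-Object Name, Type, IPAddress
try {
    $resp = Invoke-WebRequest -Uri "https://$FederationServiceName/adfs/fs/federationserverservice.asmx" -UseBasicParsing
    "federationserverservice.asmx reachable, HTTP status $($resp.StatusCode)"
} catch {
    Write-Warning "Could not reach the federation service endpoint: $($_.Exception.Message)"
}

# 3. Re-establish the proxy trust as event 276 instructs, presenting the
#    wildcard certificate installed on both servers and an account that is a
#    local administrator on the AD FS server.
$WildcardThumbprint = 'REPLACE-WITH-WILDCARD-CERT-THUMBPRINT'   # placeholder
$cred = Get-Credential -Message 'Account that is a local administrator on the AD FS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $WildcardThumbprint
```

Step 1 lists every ADFS ProxyTrust certificate so a stale one from an earlier wizard run shows up next to the current one; a MatchesEvent of False for all of them means the WAP is presenting a certificate other than the one in the event. Step 2 is run from the WAP itself rather than a domain member, since the post only confirms the endpoint from machines inside the domain.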
