Monday, October 07, 2013

ADFS: Could not establish trust relationship for the SSL/TLS secure channel

The full error:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Trying to get the Web Application Proxy on Server 2012 R2 working with the new ADFS.

Mr. Google to the rescue.

You need to export the certificate (the one behind the federation server name) and place it in the "Computer account" (not "My user account") under "Trusted Root Certification Authorities".

And while I'm on the subject:

Every time you try to install the proxy, it creates certificates under Personal called "ADFS ProxyTrust - machine name".

But if the installation fails, the old ones are not deleted.

Then I got the above error message, but the thumbprint in the message was from a previous attempt, not the latest.

So I uninstalled WAP and then deleted all these certificates under "Local Computer - Personal - Certificates".

Then I went to the ADFS installation and under the Service tab - "Revoke All Proxies".

Then re-installed WAP.

Then it worked!
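As an added example (not from the original post), here is a PowerShell check for the two causes described above, run on the WAP host: whether the federation server's certificate chains to a root in the Computer account's Trusted Root store, and which stale "ADFS ProxyTrust" certificates are still sitting in Local Computer - Personal. The federation service name is an assumed placeholder.

```powershell
# Added example, not from the original post. Replace the placeholder name below.
$FederationServiceName = 'adfs.example.com'

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Fetch the leaf certificate the federation server presents. The callback accepts
    # anything so the cert can be inspected; trust is evaluated separately below.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-ChainTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # The same question .NET asks before raising the WebException: does the chain end
    # in a root held in Local Computer -> Trusted Root Certification Authorities?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust from CRL reachability
    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        SelfSigned = ($Certificate.Subject -eq $Certificate.Issuer)
        Trusted    = $trusted
        Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

function Get-StaleProxyTrustCertificates {
    # Leftover 'ADFS ProxyTrust - <machine name>' certs from earlier failed installs.
    # All but the newest are stale; the post deletes them before reinstalling WAP.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*ADFS ProxyTrust - *' } |
        Sort-Object NotBefore -Descending |
        Select-Object Subject, Thumbprint, NotBefore -Skip 1
}

$leaf = Get-RemoteTlsCertificate -HostName $FederationServiceName
$result = Test-ChainTrust -Certificate $leaf
$result | Format-List
if (-not $result.Trusted -and $result.SelfSigned) {
    # Self-signed: the leaf is its own root, so placing it in the Computer account's Trusted
    # Root store is the post's fix. A CA-issued cert needs the issuing chain imported instead.
    Import-Certificate -FilePath (Export-Certificate -Cert $leaf -FilePath "$env:TEMP\adfs.cer").FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}
Get-StaleProxyTrustCertificates | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the WAP server; Export-Certificate and Import-Certificate come from the PKI module that ships with Server 2012 and later.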



Anonymous said...

Awesome stuff, solved my problem as well - thx

Anonymous said...

Are you using a self signed cert? I am trying to get WAP working in a test lab and don't have a cert from a root CA so am using a self signed one from my own M$ CA server but can't get past the SSL/TLS errors.

nzpcmad said...

Yes - all done with self-signed certificates.

Anonymous said...

Well done author. Your post helped me solve the problem. It saved me hours of work. Thank you very much.

Anonymous said...

This post helped me very much! TNX!

Anonymous said...

In my case I was using the same cert on ADFS and WAP and on WAP the certificate chain was not present. Importing the chain solved it...

Anonymous said...

Great stuff. Worked for me.

Rick said...

Thank you!!!!! Here are the steps that led me to success following the error message:

uninstalled remote access service

deleted the proxy trust certs

revoked all proxy trusts from ADFS server

Imported ADFS server cert into personal store

Imported ADFS server cert chain into Trusted Root Certification Authorities store

Alfredo said...

The solution helped resolve my client's problem. The actual error during the wizard was: "Time out has expired and the operation has not been completed"