Just read this post:
2012R2 AD FS WAP proxy problem
This was to do with installing WAP with Active Directory Federation Service and getting:
"Unable to retrieve proxy configuration data from the Federation Server."
The interesting part is the piece at the end:
"Turns out certificate binding precedence is the culprit. While IIS is not required for 2012 R2 ADFS roles anymore, it can actually get in the way if it is on the same machine. Binding cert to default web site in IIS will place an ip:port entry into sslcert bindings, which has a higher precedence than service:port entries that ADFS sets up. Since the IIS entry has no Ctl Store Name, the WAP certificate is placed in a store that is filtered out when ADFS checks for its presence.
Type "netsh http show sslcert" in a terminal on your ADFS machines and look for entries higher on the list than your ADFS service name entries. If those don't have Ctl Store Name of AdfsTrustedDevices and they can resolve to your ADFS service, the install will fail."
The point for me is that I sometimes have connectivity problems with ADFS. The metadata address and the IDPInitiatedSignOn page only work once you have a half-decent install, and ping is disabled by default. So I install IIS just so I can check connectivity, e.g. browse to https://server.domain and you should get the IIS splash screen.
So this is something to be aware of.
On a 2012 R2 server with no IIS:
PS C:\> netsh http show sslcert

SSL Certificate bindings:
-------------------------

    Hostname:port                : server.domain:443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    Hostname:port                : localhost:443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    Hostname:port                : server.domain:49443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled
On a 2016 server with IIS:
PS C:\> netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 51b70e988101c789769c9cd9487c29e88ea7225e
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    IP:port                      : 0.0.0.0:5986
    Certificate Hash             : bf7db9570b805aa6771be18154e60e4decb295db
    Application ID               : {afebb9ad-9b97-4a91-9ab5-daf4d59122f6}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Disabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Disabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : server.domain:443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : localhost:443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : server.domain:49443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled
    Reject Connections           : Disabled
Note that I didn't have this problem on this installation. I suspect it's because of the "and they can resolve to your ADFS service" part, and the IP address 0.0.0.0 ain't going anywhere!
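The check described in the quoted post (look for bindings listed above the ADFS service entries that lack a Ctl Store Name of AdfsTrustedDevices) can be scripted rather than eyeballed. The script below is an added example, not code from the original post or from Microsoft: it parses the text of netsh http show sslcert, finds the ADFS Hostname:port bindings (the ones carrying AdfsTrustedDevices), and reports every binding listed ahead of them on the same port without that CTL store. Run with -Live on the ADFS or WAP box; without it, it parses a constructed sample modelled on the 2016-with-IIS output above (certificate hashes in the sample are made up; the Application IDs are the IIS and ADFS ones shown on this page).

```powershell
# Added example: flag sslcert bindings that shadow the AD FS service entries.
# Not part of the original post. Assumes only that "netsh http show sslcert"
# prints one "Field : Value" line per field and starts each binding with
# "IP:port" or "Hostname:port", as in the output reproduced above.
param([switch]$Live)

function Get-SslCertBinding {
    param([string[]]$Lines)
    $bindings = @()
    $current = $null
    foreach ($line in $Lines) {
        # A new binding starts with IP:port or Hostname:port
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(.+?)\s*$') {
            if ($current) { $bindings += $current }
            $current = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2] }
        }
        elseif ($current -and $line -match '^\s*(.+?)\s*:\s*(.*?)\s*$') {
            # Remaining lines are "Field : Value" pairs belonging to the current binding
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($current) { $bindings += $current }
    return @($bindings | ForEach-Object { [pscustomobject]$_ })
}

function Find-ShadowingBinding {
    param([object[]]$Bindings)
    $results = @()
    for ($i = 0; $i -lt $Bindings.Count; $i++) {
        $adfs = $Bindings[$i]
        # AD FS entries are the Hostname:port bindings that carry the AdfsTrustedDevices CTL store
        if ($adfs.Kind -ne 'Hostname:port' -or $adfs.'Ctl Store Name' -ne 'AdfsTrustedDevices') { continue }
        $port = ($adfs.Endpoint -split ':')[-1]
        # Anything listed above it on the same port without that CTL store takes precedence
        for ($j = 0; $j -lt $i; $j++) {
            $other = $Bindings[$j]
            if (($other.Endpoint -split ':')[-1] -ne $port) { continue }
            if ($other.'Ctl Store Name' -eq 'AdfsTrustedDevices') { continue }
            $results += [pscustomobject]@{
                AdfsEndpoint = $adfs.Endpoint
                ShadowedBy   = $other.Endpoint
                Kind         = $other.Kind
                CertHash     = $other.'Certificate Hash'
                AppId        = $other.'Application ID'
                # Wildcard addresses are the case the post author suspects is harmless
                Wildcard     = [bool]($other.Endpoint -match '^(0\.0\.0\.0|\[::\]):')
            }
        }
    }
    return $results
}

# Constructed sample (hashes made up), trimmed to the fields the check needs
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Ctl Store Name               : (null)

    IP:port                      : 0.0.0.0:5986
    Certificate Hash             : 2222222222222222222222222222222222222222
    Application ID               : {afebb9ad-9b97-4a91-9ab5-daf4d59122f6}
    Certificate Store Name       : (null)
    Ctl Store Name               : (null)

    Hostname:port                : server.domain:443
    Certificate Hash             : 3333333333333333333333333333333333333333
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Ctl Store Name               : AdfsTrustedDevices

    Hostname:port                : server.domain:49443
    Certificate Hash             : 3333333333333333333333333333333333333333
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Ctl Store Name               : (null)
'@

$lines = if ($Live) { netsh http show sslcert } else { $sample -split "`r?`n" }
$bindings = Get-SslCertBinding -Lines $lines
$suspects = @(Find-ShadowingBinding -Bindings $bindings)

if ($suspects.Count -eq 0) {
    Write-Output 'No bindings listed ahead of the AD FS service entries on the same port.'
} else {
    # On the sample this reports 0.0.0.0:443 (the IIS binding) shadowing server.domain:443;
    # the WinRM entry on 5986 and the 49443 entry are not reported.
    $suspects | Format-Table -AutoSize
}
```

The Wildcard column is there so you can apply the author's observation above: an IIS binding on 0.0.0.0 did not break their install, whereas an IP:port binding on the address the ADFS service name actually resolves to is the case the quoted post warns about. Either way, the fix is the one the quoted post implies: remove the IIS binding (or IIS itself) from the ADFS/WAP server rather than trying to out-rank it.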
Enjoy!