Tuesday 15 December 2015

ADFS & WAP "Unable to retrieve proxy configuration data from the Federation Service. Status Code Unauthorized (401)".

A very common problem when installing WAP servers for ADFS is the error "Unable to retrieve proxy configuration data from the Federation Service. Status Code Unauthorized (401)". 

Check the SSL bindings registered in http.sys on your ADFS servers (this applies only to ADFS 3.0; older versions use IIS). The following command displays the http.sys SSL bindings:
netsh http show sslcert

The fix for me was to add the static binding of 0.0.0.0:443, I have highlighted it below. Without this I was receiving the "Unable to retrieve proxy configuration data from the Federation Service. Status Code Unauthorized (401)" error.

To add this static 0.0.0.0:443 binding, use the netsh utility; it fails if you do not enter it in stages as listed below. The certhash and appid used for this binding should be the same as those used in your ADFS service name binding, which is displayed when you use the netsh http show sslcert command.
netsh
http
add sslcert ipport=0.0.0.0:443 certhash=<certificate hash> appid={<application id>}
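As an added example (not from the original post), the following PowerShell script automates the check described above: it parses the output of netsh http show sslcert, locates the binding for the federation service name, verifies that a 0.0.0.0:443 binding exists with the same certhash and appid, and only adds the missing binding when run with -Fix. The federation service name adfs.contoso.com is an assumed placeholder, and the script assumes it is run in an elevated PowerShell session on the ADFS server.

```powershell
# Added example, not part of the original post. Checks the http.sys SSL bindings on an
# ADFS 3.0 server and optionally adds the static 0.0.0.0:443 binding the post describes.
param(
    [string]$FederationServiceName = 'adfs.contoso.com',   # assumed placeholder: replace with your ADFS service name
    [switch]$Fix                                            # add the binding only when explicitly asked to
)

# Parse "netsh http show sslcert" into one object per binding block.
function Get-HttpSysSslBinding {
    $raw = (netsh http show sslcert) -join "`n"
    # Binding blocks are separated by blank lines; the header block has no "Certificate Hash" line.
    foreach ($block in ($raw -split "`n\s*`n")) {
        if ($block -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { continue }
        $hash = $Matches[1]
        $endpoint = if ($block -match '(Hostname:port|IP:port)\s*:\s*(\S+)') { $Matches[2] } else { $null }
        $appId    = if ($block -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }
        [pscustomobject]@{ Endpoint = $endpoint; CertHash = $hash; AppId = $appId }
    }
}

$bindings = @(Get-HttpSysSslBinding)

# The service-name binding is the reference: its certhash and appid are what 0.0.0.0:443 must reuse.
$serviceBinding = $bindings |
    Where-Object { $_.Endpoint -ieq "${FederationServiceName}:443" } |
    Select-Object -First 1
if (-not $serviceBinding) {
    throw "No http.sys binding found for ${FederationServiceName}:443 on this host."
}

# A SHA-1 thumbprint is 40 hex characters. A 39-character value is the classic dropped
# leading zero behind "Did you forget to add the preceding '0'".
if ($serviceBinding.CertHash.Length -ne 40) {
    Write-Warning ("Certificate hash '{0}' is {1} characters long; expected 40." -f
        $serviceBinding.CertHash, $serviceBinding.CertHash.Length)
}

# http.sys can only serve the binding if the certificate is actually in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ieq $serviceBinding.CertHash }
if (-not $cert) {
    Write-Warning "Thumbprint $($serviceBinding.CertHash) was not found in Cert:\LocalMachine\My."
}

$wildcard = $bindings | Where-Object { $_.Endpoint -eq '0.0.0.0:443' } | Select-Object -First 1
if ($wildcard) {
    if ($wildcard.CertHash -ine $serviceBinding.CertHash -or $wildcard.AppId -ine $serviceBinding.AppId) {
        Write-Warning "0.0.0.0:443 exists but its certhash or appid differs from the ${FederationServiceName} binding."
    } else {
        Write-Host "0.0.0.0:443 binding is present and matches the federation service binding."
    }
} elseif ($Fix) {
    # Build the arguments as strings so PowerShell does not treat the braces in the appid
    # as a script block when the command is issued on a single line.
    $hashArg = "certhash=$($serviceBinding.CertHash)"
    $appArg  = "appid=$($serviceBinding.AppId)"
    netsh http add sslcert ipport=0.0.0.0:443 $hashArg $appArg
} else {
    Write-Host "0.0.0.0:443 binding is missing; re-run with -Fix to add it using certhash $($serviceBinding.CertHash)."
}
```

Run it once without -Fix to see the current state, then with -Fix to create the binding. Quoting the appid as a single string is what lets the add sslcert command be issued on one line from PowerShell rather than in stages inside the interactive netsh shell.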

Now you can try to re-run the WAP configuration utility. I have found this works best using PowerShell. The following command can be used to perform this:
Install-WebApplicationProxy -CertificateThumbprint <certthumbprint> -FederationServiceName <adfsservicename>

You will then be prompted to enter administrator credentials for the ADFS servers. The GUI is misleading at this stage, as it states you should use "local administrator credentials"; I can confirm this is not the case, as you will get an error unless they are domain credentials.

When you run the WAP configuration wizard it is worth knowing that you sometimes have to run the command two or three times before it works correctly (without changing anything). The first time I ran the command after making the binding change, it returned the error:

"The federation server proxy could not renew its trust with the Federation Service.  

Additional Data 
Exception details: 
The remote server returned an error: (400) Bad Request. 

User Action 
Ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard by logging on to the proxy computer."

The message returned in the PowerShell window was "An error occurred validating the SSL certificate. The length of the certificate hash is invalid. Did you forget to add the preceding '0'."

Without changing anything, I then reran the command and it worked correctly.