Resolving Web Application Proxy error code 0x80075213

I have worked on a case where external access to the ADFS service was blocked and the Remote Access Management console on the WAP server failed with this error:

Web Application Proxy could not connect to the AD FS configuration storage and could not load the configuration. Make sure that the Web Application Proxy server can connect to the AD FS server, and if not, run the Install-WebApplicationProxy command.

(0x80075213)

The Event log on the WAP server displayed these errors (event IDs 12025, 422) repeatedly:

Log Name:      Microsoft-Windows-WebApplicationProxy/Admin
Source:        Microsoft-Windows-WebApplicationProxy
Event ID:      12025
Task Category: None
Level:         Error
Keywords:
User:          NETWORK SERVICE
Description:
Web Application Proxy encountered an error while retrieving the configuration from configuration storage.

Log Name:      AD FS/Admin
Source:        AD FS
Event ID:      422
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Description:
Unable to retrieve proxy configuration data from the Federation Service.

Additional Data
Trust Certificate Thumbprint:
10ADAFD5258XXXXXXXXXXXXXXXXXXF78C8436C15

Status Code:
Exception details:
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xx.xx.xx.xx:443
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

As an initial step, I checked the certificate used by the primary WAP server with the Get-WebApplicationProxySslCertificate cmdlet.

I then compared the CertificateHash of the WAP certificate with the service communication certificate on the primary ADFS backend servers:

Get-ChildItem -Path cert:\LocalMachine\My | FL FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

As the CertificateHash matched, I restarted the WAP server and checked the error status again.
Finally, I used the Install-WebApplicationProxy cmdlet from an elevated PowerShell prompt to re-establish the trust between the WAP and the ADFS backend:


Install-WebApplicationProxy -CertificateThumbprint "SvcCertThumbprint" -FederationServiceName "fs.adatum.dk"


When prompted for credentials, enter the username and password of an account with administrative permission on the ADFS backend server.


Verify the change in the Event log of the WAP server (event IDs 245 and 252) to confirm that the connection has been re-established:

Log Name:      AD FS/Admin
Source:        AD FS
Event ID:      245
Task Category: None
Level:         Information
Keywords:      AD FS
Description:
The federation server proxy successfully retrieved its configuration from the Federation Service 'fs.adatum.dk'.

Log Name:      AD FS/Admin
Source:        AD FS
Event ID:      252
Task Category: None
Level:         Information
Keywords:      AD FS
User:          NETWORK SERVICE
Description:
The AD FS proxy service made changes to the endpoints it is listening on based on the configuration it retrieved from the Federation Service.

Endpoints added:
https://+:443/FederationMetadata/2007-06/
https://+:443/adfs/ls/
https://+:49443/adfs/ls/
https://+:49443/adfs/portal/
https://+:443/adfs/oauth2/token/
https://+:443/adfs/oauth2/authorize/
https://+:49443/adfs/oauth2/authorize/
https://+:443/EnrollmentServer/
https://+:443/adfs/portal/
https://+:443/adfs/services/trust/2005/windowstransport/
https://+:443/adfs/services/trust/2005/certificatemixed/
https://+:49443/adfs/services/trust/2005/certificatetransport/
https://+:443/adfs/services/trust/2005/usernamemixed/
https://+:443/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256/
https://+:443/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256/
https://+:443/adfs/services/trust/13/certificatemixed/
https://+:443/adfs/services/trust/13/usernamemixed/
https://+:443/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256/
https://+:443/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/
https://+:443/adfs/services/trust/mex/

Endpoints removed:


I finally restarted the ADFS service using:

Restart-Service adfssrv


In the Event log, look for:

Log Name:      AD FS/Admin
Source:        AD FS
Event ID:      198
Task Category: None
Level:         Information
Keywords:      AD FS
User:          NETWORK SERVICE
Description:
The federation server proxy started successfully.


After this, external clients could again access the ADFS sign-in page 🙂
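As an added example (not part of the original post), the following PowerShell script gathers the checks the post walks through on the WAP server: TCP reachability of the federation service on 443, whether the WAP's CertificateHash matches the thumbprint read on the ADFS backend and is still valid, and whether the failure events (12025, 422) or the recovery events (245, 252, 198) were logged most recently. The two parameter values are assumptions; the federation service name is the post's example and the thumbprint is a placeholder to replace.

```powershell
# Added diagnostic script for the 0x80075213 case above (not part of the original post).
# Assumptions: run in an elevated PowerShell on the WAP server; both parameter values below
# are placeholders to replace with your federation service name and the Thumbprint read on
# the ADFS backend with Get-ChildItem -Path cert:\LocalMachine\My.
param(
    [string]$FederationServiceName = 'fs.adatum.dk',
    [string]$AdfsBackendThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_ADFS_BACKEND'
)
$findings = @()

# 1. Network path: event 422's inner SocketException is a plain TCP timeout to <ADFS IP>:443.
#    If this fails, Install-WebApplicationProxy will fail the same way; fix the path first.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $findings += "TCP 443 to $FederationServiceName ($($tcp.RemoteAddress)) failed: check DNS/hosts and firewall."
}

# 2. Certificate: the WAP's configured CertificateHash must match the ADFS service communication
#    certificate, be present in LocalMachine\My on the WAP, and be inside its validity period.
$wapHash = ([string](Get-WebApplicationProxySslCertificate | Select-Object -First 1).CertificateHash).ToUpperInvariant()
if ($wapHash -ne $AdfsBackendThumbprint.ToUpperInvariant()) {
    $findings += "WAP CertificateHash $wapHash differs from ADFS backend thumbprint $AdfsBackendThumbprint."
}
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wapHash } | Select-Object -First 1
if (-not $cert) {
    $findings += "Certificate $wapHash is not in the WAP's LocalMachine\My store."
} elseif ($cert.NotAfter -lt (Get-Date) -or $cert.NotBefore -gt (Get-Date)) {
    $findings += "Certificate $wapHash is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. Event log: failure IDs 12025 (WAP) and 422 (AD FS proxy) versus recovery IDs 245, 252 and 198.
$since = (Get-Date).AddHours(-1)
$failed = Get-WinEvent -FilterHashtable @{
    LogName = 'AD FS/Admin', 'Microsoft-Windows-WebApplicationProxy/Admin'; Id = 12025, 422; StartTime = $since
} -ErrorAction SilentlyContinue
$recovered = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 245, 252, 198; StartTime = $since } -ErrorAction SilentlyContinue
$lastFail = $failed    | Sort-Object TimeCreated -Descending | Select-Object -First 1
$lastOk   = $recovered | Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($lastFail -and (-not $lastOk -or $lastFail.TimeCreated -gt $lastOk.TimeCreated)) {
    $findings += "Latest proxy event is a failure (ID $($lastFail.Id) at $($lastFail.TimeCreated)); trust not re-established yet."
}

if ($findings.Count -eq 0) {
    "No problems found: 443 reachable, certificate consistent, last proxy event is a recovery event."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it before and after Install-WebApplicationProxy: a TCP failure in step 1 points at the network path rather than the trust, which is what the SocketException in event 422 indicated in this case.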
