I have worked on a case where external access to the ADFS service was blocked and the Remote Access Management console on the WAP server failed with this error:
Web Application Proxy could not connect to the AD FS configuration storage and could not load the configuration. Make sure that the Web Application Proxy server can connect to the AD FS server, and if not, run the Install-WebApplicationProxy command.
(0x80075213)
The Event log on the WAP server displayed these errors (event IDs 12025, 422) repeatedly:
Log Name: Microsoft-Windows-WebApplicationProxy/Admin
Source: Microsoft-Windows-WebApplicationProxy
Event ID: 12025
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Description:
Web Application Proxy encountered an error while retrieving the configuration from configuration storage.
Log Name: AD FS/Admin
Source: AD FS
Event ID: 422
Task Category: None
Level: Error
Keywords: AD FS
User: NETWORK SERVICE
Description:
Unable to retrieve proxy configuration data from the Federation Service.
Additional Data
Trust Certificate Thumbprint:
10ADAFD5258XXXXXXXXXXXXXXXXXXF78C8436C15
Status Code:
Exception details:
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xx.xx.xx.xx:443
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()
As an initial step, I checked the certificate used by the primary WAP server with the Get-WebApplicationProxySslCertificate cmdlet, and compared its CertificateHash with the thumbprint of the service communication certificate on the primary ADFS backend servers:
Get-ChildItem -Path cert:\LocalMachine\My | FL FriendlyName, Thumbprint, Subject, NotBefore, NotAfter
As the CertificateHash matched, I restarted the WAP server and checked whether the error persisted.
Finally I used the Install-WebApplicationProxy cmdlet to re-establish the trust between the WAP and the ADFS backend, using an elevated PowerShell command:
Install-WebApplicationProxy -CertificateThumbprint "SvcCertThumbprint" -FederationServiceName "fs.adatum.dk"
When prompted for credentials, enter the username and password of an account with administrative permission on the ADFS backend server.
Verify the change in the Event log of the WAP server (event IDs 245 and 252) to confirm that the connection has been re-established:
Log Name: AD FS/Admin
Source: AD FS
Event ID: 245
Task Category: None
Level: Information
Keywords: AD FS
Description:
The federation server proxy successfully retrieved its configuration from the Federation Service ‘fs.adatum.dk’.
Log Name: AD FS/Admin
Source: AD FS
Event ID: 252
Task Category: None
Level: Information
Keywords: AD FS
User: NETWORK SERVICE
Description:
The AD FS proxy service made changes to the endpoints it is listening on based on the configuration it retrieved from the Federation Service.
Endpoints added:
https://+:443/FederationMetadata/2007-06/
https://+:443/adfs/oauth2/token/
https://+:443/adfs/oauth2/authorize/
https://+:49443/adfs/oauth2/authorize/
https://+:443/EnrollmentServer/
https://+:443/adfs/services/trust/2005/windowstransport/
https://+:443/adfs/services/trust/2005/certificatemixed/
https://+:49443/adfs/services/trust/2005/certificatetransport/
https://+:443/adfs/services/trust/2005/usernamemixed/
https://+:443/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256/
https://+:443/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256/
https://+:443/adfs/services/trust/13/certificatemixed/
https://+:443/adfs/services/trust/13/usernamemixed/
https://+:443/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256/
https://+:443/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/
https://+:443/adfs/services/trust/mex/
Endpoints removed:
Finally, I restarted the ADFS service using:
Restart-Service adfssrv
In the Event log, look for:
Log Name: AD FS/Admin
Source: AD FS
Event ID: 198
Task Category: None
Level: Information
Keywords: AD FS
User: NETWORK SERVICE
Description:
The federation server proxy started successfully.
After this, external clients could again access the ADFS sign-in page 🙂
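To make the checks above repeatable, here is an added diagnostic script (my own example, not part of the original case) that runs in an elevated PowerShell session on the WAP server: it verifies the configured WAP certificate is present and valid, tests name resolution and TCP 443 reachability of the federation service (the failure behind 0x80075213 / event 422), and reads the latest proxy trust events. The federation service name 'fs.adatum.dk' is taken from the post; everything else is an assumption.

```powershell
# Added diagnostic, not the original post's code. Run elevated on the WAP server.
param([string]$FederationServiceName = 'fs.adatum.dk')  # placeholder from the post

# 1. Certificate WAP is configured to present: is it still in LocalMachine\My and valid?
$hashes = Get-WebApplicationProxySslCertificate |
    Select-Object -ExpandProperty CertificateHash -Unique
foreach ($hash in $hashes) {
    $local = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
    if (-not $local) {
        Write-Warning "WAP references thumbprint $hash but it is not in LocalMachine\My"
    } elseif ($local.NotAfter -lt (Get-Date)) {
        Write-Warning "WAP certificate $hash expired on $($local.NotAfter)"
    } else {
        "WAP certificate OK: $($local.Subject) valid until $($local.NotAfter) (compare with ADFS backend)"
    }
}

# 2. Can the proxy reach the federation service on 443? WAP must resolve the name to the
#    internal ADFS farm (commonly a hosts-file entry), not to the public address.
$dns = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction SilentlyContinue
$ips = ($dns | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ', '
"$FederationServiceName resolves to: $ips"
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 443 to $FederationServiceName failed; WAP cannot fetch its configuration"
}

# 3. Recent proxy trust events from both logs named in the post.
$filters = @(
    @{ LogName = 'Microsoft-Windows-WebApplicationProxy/Admin'; Id = 12025 },
    @{ LogName = 'AD FS/Admin'; Id = 422, 245, 252, 198 }
)
foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# 4. Verdict from the most recent trust-related AD FS/Admin event.
$latest = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 422, 245, 198 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
switch ($latest.Id) {
    422     { 'Proxy trust broken: re-run Install-WebApplicationProxy as described above.' }
    245     { 'Proxy configuration retrieved: trust with the Federation Service is healthy.' }
    198     { 'Federation server proxy started successfully.' }
    default { 'No proxy trust events found in AD FS/Admin.' }
}
```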