I have recently architected and deployed a highly available Active Directory Federation Services (AD FS) and Web Application Proxy (WAP) setup for one of my customers. The setup is meant to provide single sign-on for Office 365 applications, proxy authentication, and a few external web applications.
Since the go-live date was some way off, I had planned to keep the servers shut down and bring them back online when needed. Nearly 6 weeks have passed and we are nearing the point of bringing the servers into production, so I brought them back online to ensure that AD FS and WAP were working as expected and to perform updates.
AD FS was fine; however, the WAP server's operational status in the Remote Access Management console was critical, the Web Application Proxy Core service failed to start, and event 422 was logged in the event viewer.
In the computer certificate store I noticed that the ADFS ProxyTrust – Server certificate had expired. I re-established the proxy trust between AD FS and WAP using the following command:
Install-WebApplicationProxy -CertificateThumbprint '3075567A477D4829709***************' -FederationServiceName 'sso.domain.com'
It prompts you for the AD FS service account password. Once that was done the trust was established, the WAP operational status came back to green, and event ID 245 (success) was logged.
However, I noticed that the ADFS ProxyTrust – Server certificate was only valid for 2 weeks. I tried to find out why it is only 2 weeks and whether there is a way to increase the expiration time.
These self-signed certificates are also stored on the AD FS server, under AdfsTrustedDevices, and propagated across the farm; WAP uses them to authenticate to the AD FS servers. Now regarding the 2-week validity period. So how did this problem happen? Why did the certificate trust between AD FS and WAP break? The answer lies in how the WAP self-signed certificate renewal process works. The WAP self-signed ADFS ProxyTrust – ServerName certificates are renewed automatically every 2 weeks, and if for some reason the servers are not online during the renewal window, the certificate is not renewed and the trust breaks. That explains why the trust was broken when the servers were brought back online.
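The following PowerShell script is an added example, not part of the original post, that turns the diagnosis above into a repeatable check for a WAP server: it reads the ProxyTrust certificate from the local machine store, reports how many days of validity remain, pulls the most recent trust-related events, and re-establishes the trust with Install-WebApplicationProxy only when the certificate has expired or is inside a warning window. It assumes the certificate subject contains "ADFS ProxyTrust" (the post's "ADFS Proxy Trust – Server" naming), that the relevant events land in the "AD FS/Admin" or "Microsoft-Windows-WebApplicationProxy/Admin" logs (both names are assumptions here), and the federation service name and SSL certificate thumbprint are placeholders to replace with your own values.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the WAP server. Reports ProxyTrust certificate validity, shows the
# most recent trust events, and re-establishes the trust only when needed.
param(
    [string]$FederationServiceName = 'sso.domain.com',                   # placeholder
    [string]$SslCertThumbprint     = 'REPLACE_WITH_WAP_SSL_CERT_THUMBPRINT', # placeholder
    [int]   $WarnDays              = 3    # warn when fewer days of validity remain
)

# Assumption: the self-signed trust certificate is issued to the WAP host with a
# subject such as "CN=ADFS ProxyTrust - <hostname>" and lives in LocalMachine\My.
$trustCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'ADFS Proxy ?Trust' }

$needsTrust = $false
if (-not $trustCerts) {
    Write-Warning 'No ADFS ProxyTrust certificate found; trust has not been established on this host.'
    $needsTrust = $true
}

foreach ($cert in $trustCerts) {
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) {
        Write-Warning ("{0} expired on {1} ({2} days ago)" -f $cert.Subject, $cert.NotAfter, -$daysLeft)
        $needsTrust = $true
    } elseif ($daysLeft -le $WarnDays) {
        # Renewal happens automatically every 2 weeks only while the server is
        # online; a short remaining window is the signal to keep the host up.
        Write-Warning ("{0} expires on {1} (in {2} days); keep this server online so it can self-renew" -f $cert.Subject, $cert.NotAfter, $daysLeft)
    } else {
        Write-Output ("{0} valid until {1} ({2} days left)" -f $cert.Subject, $cert.NotAfter, $daysLeft)
    }
}

# Recent trust-related events: 422 (core service could not start) and 245
# (trust established). Log names are assumptions; a missing log is skipped.
foreach ($log in @('AD FS/Admin', 'Microsoft-Windows-WebApplicationProxy/Admin')) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 245, 422 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
}

if ($needsTrust) {
    # Same command the post uses; the AD FS service account credential is
    # prompted for rather than embedded in the script.
    $cred = Get-Credential -Message 'AD FS service account (used to establish the proxy trust)'
    Install-WebApplicationProxy -CertificateThumbprint $SslCertThumbprint `
        -FederationServiceName $FederationServiceName `
        -FederationServiceTrustCredential $cred
    Write-Output 'Proxy trust re-established; check for event 245 and green status in Remote Access Management.'
} else {
    Write-Output 'Proxy trust certificate is current; no action taken.'
}
```

Scheduling this check (for example daily) on each WAP server gives early warning before the 2-week self-signed certificate lapses, which is the failure the post describes when servers sit powered off past a renewal cycle.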