ADFS Proxy – An error occurred when attempting to establish a trust relationship with the federation service

This is a really weird and annoying error which can drive you crazy. But let’s start from the beginning. So what do we have?

  • An Office 365 tenant
  • An ADFS server in the internal network
  • An ADFS Proxy (a WAP) in the perimeter network
  • A wildcard certificate issued by a public CA

So far nothing special. The ADFS server was configured without problems and is up and running. The firewall between the ADFS server and the ADFS proxy was opened on port 443 so that the two can communicate with each other. So I started the configuration of the WAP server, entered all the necessary data, and then this error was raised:

WAP Error GUI

Trying the configuration with PowerShell didn’t work better:

WAP Error Shell

So the first place to look was the event log of both machines. What did I see?

  • On the ADFS proxy: no entries, neither in the Application nor in the ADFS event log. Yeah. *Happiness*
  • On the ADFS server: Event ID 364 with unhelpful descriptions like this:
    • Encountered error during federation passive request. […] Contact your administrator for details – followed by a long stack trace

Opening one of the ADFS web endpoints in a browser on the ADFS proxy raises the following error:

ADFS TLS

It seems that the certificate presented by the ADFS server to the WAP is not accepted, and the error message in Internet Explorer is useless.

So... what to do next? Start googling and analyze the traffic using Fiddler. To shorten the story a little: in the Fiddler logs I could see there is a problem with the certificate, but this may also be related to Fiddler's SSL decryption feature.

Googling around this error brings up a ton of tips and tricks about what it could be, for example:

  • Certificate error: https://support.microsoft.com/en-us/help/3044974
  • About the Cipher Suites:
    • https://support.microsoft.com/en-us/help/3194197/considerations-for-disabling-and-replacing-tls-1.0-in-adfs
    • http://s4b-usergroup.com/office365-blog/adfs-3-0-tls-error/
    • really cool explanation: https://blogs.technet.microsoft.com/keithab/2015/06/22/error-while-configuring-wapthe-underlying-connection-was-closedpart-2/

But all this did not work.


So after 4 days of troubleshooting, reinstalling and investigating, I decided to begin from scratch and check each and every point again. And at this point the firewall guys told me: “Yes, port 443 is open. Yes, we have content inspection running”.

And here we go. Disabling content inspection on that firewall rule solved the problem; now the ADFS server and the WAP can communicate with each other. The content inspection terminates the TLS session and re-signs it with the firewall's own certificate, so the WAP never sees the public wildcard certificate it expects from the federation service. And the moral of this story: double-check with the firewall guys and the network security instruments. This can save you a lot of days of troubleshooting 🙂
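A quick check that would have shortened those four days, added here as an example that is not part of the original post: run it on the WAP to see which certificate actually arrives from the federation service name. The host name and the expected thumbprint are placeholders you replace with your own values.

```powershell
# Added diagnostic (not from the original post). Run it on the WAP: it opens a TLS session to the
# federation service name on 443 and reports the certificate the WAP actually receives. If a
# content-inspecting firewall sits in between, Issuer/Thumbprint will show the firewall's CA,
# not the public wildcard certificate, and the chain will not build with the public roots.
function Test-AdfsPresentedCertificate {
    param(
        [Parameter(Mandatory)][string]$FederationHost,  # placeholder, e.g. sts.contoso.example
        [string]$ExpectedThumbprint = '',                # placeholder: thumbprint of the real wildcard cert
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($FederationHost, $Port)
        # Accept any certificate on purpose: we want to look at it, not fail on it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # Send the federation service name as SNI so the server picks the right certificate.
        $ssl.AuthenticateAsClient($FederationHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Build the chain with the WAP's own trust store, exactly as the WAP itself would.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainBuilds = $chain.Build($cert)
        $thumbprintMatch = $null
        if ($ExpectedThumbprint) {
            $thumbprintMatch = ($cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', '').ToUpper())
        }
        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            Protocol        = $ssl.SslProtocol
            ChainBuilds     = $chainBuilds
            ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            ThumbprintMatch = $thumbprintMatch
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage (placeholders): compare Issuer/Thumbprint with the certificate bound on the ADFS server.
Test-AdfsPresentedCertificate -FederationHost 'sts.contoso.example' -ExpectedThumbprint 'PLACEHOLDER_THUMBPRINT' | Format-List
```

If Issuer names the firewall's CA instead of the public CA, or ThumbprintMatch is False, something in the path is terminating TLS; the value to compare against is the SSL certificate bound on the ADFS server (Get-AdfsSslCertificate there).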

Published by Andreas

Founder of M365 Evangelists Cloud-Architect, Strategy Consultant, Consultant for Microsoft technologies, Graph API enthusiast, PowerShell enthusiast