ADFS WAP error - Unable to retrieve proxy configuration data from the Federation Service.

 This error typically occurs when the Web Application Proxy (WAP) is unable to authenticate with the ADFS server. Here are some common causes and troubleshooting steps:



Possible Causes:

  1. Service Account Password Expiry or Mismatch

    • The WAP server authenticates with ADFS using a trust relationship that relies on a certificate and/or service account.
    • If the password has changed or expired, WAP cannot authenticate.

  2. Expired or Incorrect ADFS Proxy Trust Certificate

    • The WAP server uses a certificate to establish trust with ADFS.
    • If the certificate is expired or mismatched, authentication will fail.

  3. Time Synchronization Issues

    • ADFS and WAP must be synchronized within a few minutes of each other.
    • If there is a time difference, authentication may fail.

  4. Network Connectivity Issues

    • Ensure WAP can reach the ADFS server on port 443 (HTTPS).
    • Check firewall rules and proxy settings.

  5. ADFS Authentication Issues

    • The ADFS server may not be accepting requests from the WAP server.
    • There may be an issue with Windows Authentication on ADFS.

Troubleshooting Steps:

1. Verify ADFS and WAP Service Accounts

  • On the ADFS Server, open ADFS Management Console:
    • Navigate to Service → Authentication Methods and check authentication settings.
    • Ensure the service account used by ADFS has the correct permissions.
  • If using a gMSA (Group Managed Service Account), ensure it's configured correctly.

2. Check the WAP Trust Relationship

  • Run the following PowerShell command on the WAP server to check the trust status:
    powershell
    Get-WebApplicationProxyConfiguration
    • If the output shows errors or missing trust details, you may need to re-register WAP with ADFS.

3. Re-register WAP with ADFS

  • Open PowerShell as Administrator on the WAP server and re-run the registration:
    powershell
    Install-WebApplicationProxy -FederationServiceTrustCredential (Get-Credential) -CertificateThumbprint "4312CE271DAF7F2A4337D9D7AD4D8D7E0B537A0F"
    • Use the correct ADFS admin credentials.
    • Replace the certificate thumbprint with the correct one.

4. Check Event Logs on Both ADFS & WAP

  • On the WAP Server, check logs under:

    • Event Viewer → Applications and Services Logs → AD FS / Admin
    • Look for any proxy trust or authentication errors.

  • On the ADFS Server, check:

    • Event Viewer → Applications and Services Logs → AD FS / Admin
    • Look for failed authentication requests from the WAP server.

5. Verify Time Synchronization

  • Run the following command on both WAP and ADFS to check time:

    powershell
    w32tm /query /status
    • Ensure both servers are synchronized with the correct NTP source.

  • If out of sync, resynchronize:

    powershell
    w32tm /resync

6. Verify Network and Firewall Rules

  • Ensure WAP can reach ADFS:
    powershell
    Test-NetConnection <ADFS_Server_FQDN> -Port 443
  • Check if WAP is correctly resolving the ADFS name:
    powershell
    nslookup <ADFS_Server_FQDN>

7. Ensure the ADFS Certificate is Valid

  • On the ADFS Server, run:
    powershell
    Get-AdfsSslCertificate
  • Ensure the certificate is not expired and matches the one used by WAP.

Final Steps

  • If you find the trust certificate is expired, update it and re-register WAP.
  • If all else fails, consider removing WAP and reinstalling it:
    powershell
    Uninstall-WebApplicationProxy
Install-WebApplicationProxy -FederationServiceTrustCredential (Get-Credential) -CertificateThumbprint "


If the Web Application Proxy (WAP) service fails to start with a 401 Unauthorized error, it usually indicates an authentication or trust issue between WAP and the ADFS server. Let's go through a structured troubleshooting approach.

🔍 Possible Causes:

  1. Expired or Incorrect ADFS Proxy Trust Certificate

    • If the certificate used for WAP to ADFS trust is expired or incorrect, authentication will fail.

  2. WAP Not Registered with ADFS Correctly

    • If the WAP server is not properly joined to ADFS, the authentication request will be rejected.

  3. ADFS Server Authentication Issues

    • Windows Authentication may not be working correctly on the ADFS server.

  4. Time Synchronization Issues

    • If the WAP server and ADFS server have a time difference, authentication will fail.

  5. Network or Firewall Blocking Communication

    • WAP must communicate with ADFS over port 443 (HTTPS).
    • Check DNS resolution to ensure WAP can reach the ADFS server.

🔧 Troubleshooting Steps

1️⃣ Verify the ADFS Proxy Trust Certificate

  • Run this command on the WAP Server to check the current configuration:

    powershell
    Get-WebApplicationProxyConfiguration
    • Look for Trust Certificate Thumbprint.
    • Ensure this matches the ADFS SSL certificate.

  • Check the certificate validity:

    powershell
    Get-AdfsSslCertificate

  • If the certificate is expired or incorrect, reconfigure the WAP trust (see step 5).

2️⃣ Check ADFS Authentication & Service Account

  • Run this command on the ADFS Server:

    powershell
    Get-AdfsProperties | Select Hostname, FederationServiceName
    • Ensure the hostname is correct.

  • Ensure the ADFS service account is valid and has not expired.

3️⃣ Test WAP to ADFS Communication

  • From the WAP Server, check if ADFS is accessible:

    powershell
    Test-NetConnection <ADFS_Server_FQDN> -Port 443

  • Verify that WAP can authenticate with ADFS:

    powershell
    Invoke-WebRequest -Uri "https://<ADFS_Server_FQDN>/adfs/probe" -UseBasicParsing
    • If you get 401 Unauthorized, the issue is with authentication.

4️⃣ Ensure WAP and ADFS Clocks are Synchronized

  • On both servers, check the time:

    powershell
    w32tm /query /status

  • If out of sync, force synchronization:

    powershell
    w32tm /resync

5️⃣ Re-register WAP with ADFS

If WAP is misconfigured, re-register it:

1️⃣ Uninstall WAP
Run this command on the WAP Server:

powershell
Uninstall-WebApplicationProxy

2️⃣ Reinstall WAP and Reconfigure Trust

powershell
Install-WebApplicationProxy -FederationServiceName "<ADFS_Server_FQDN>" -FederationServiceTrustCredential (Get-Credential) -CertificateThumbprint "4312CE271DAF7F2A4337D9D7AD4D8D7E0B537A0F"
  • Replace <ADFS_Server_FQDN> with your ADFS server name.
  • Enter ADFS administrator credentials when prompted.
  • Ensure the certificate thumbprint matches the ADFS SSL certificate.

6️⃣ Restart Services & Check Logs

  • Restart the ADFS and WAP services:

    powershell
    Restart-Service adfssrv -Force
Restart-Service WebApplicationProxy -Force

  • Check Event Viewer Logs on WAP:

    • Event Viewer → Applications and Services Logs → AD FS / Admin
    • Look for errors related to proxy authentication.

🎯 Final Check

After performing these steps, try starting the WAP service again:

powershell
Start-Service WebApplicationProxy

Comments

Post a Comment

Popular posts from this blog

Drag and Drop Not Working on Windows 11 Taskbar (24H2)

Image
 Windows 11 introduced several UI changes, including modifications to how drag and drop works on the taskbar. While Microsoft reinstated some drag-and-drop functionality in previous updates, many users have reported that it is no longer working in the latest Windows 11 24H2 update. If you're facing this issue, here’s a detailed step-by-step troubleshooting guide to help you restore drag-and-drop functionality. Why Drag and Drop Might Not Be Working? Before we dive into the fixes, here are some possible reasons why drag and drop is not working on your Windows 11 taskbar: Windows 11 24H2 update may have removed or altered the functionality. Corrupted system files affecting UI behavior. Issues with third-party tools like Windows 11 Drag & Drop to the Taskbar . Missing or outdated system components such as Visual C++ Redistributable. Step 1: Check If Native Drag and Drop Works Since Microsoft has changed taskbar functionality over updates, ensure that drag and drop is working as ex...
Read more

Windows 11 Installation on HP 15 DWX-3XXX: Challenges and Solutions

Image
  If you are considering installing Windows 11 on an HP 15 DWX-3XXX laptop, you might run into some unexpected issues, particularly with BIOS updates . While Windows 11 installs and runs fine, the BIOS update process can be problematic, leading to an endless reboot cycle and confusion about whether the update was successful. Here’s a breakdown of what happened during the installation and how to navigate these challenges. Windows 11 Installation on HP 15 DWX-3XXX Installation Process Windows 11 installs without major issues – The installation goes smoothly, but some users may need to manually load NVMe drivers during setup. System runs well under Windows 11 – Performance is stable, and basic functionality works fine. BIOS update becomes a nightmare – Updating the BIOS using any method (Windows Update, Device Manager, or a bootable USB) leads to continuous rebooting. BIOS Update Problems The BIOS update from HP causes an endless reboot cycle: The system continuously ...
Read more

How to Upgrade from Windows 10 to Windows 11 Pro Online Without USB

Image
  Upgrading your PC from Windows 10 to Windows 11 Pro online is a straightforward process. You don’t need a USB drive or any external media. If your PC meets the system requirements, you can perform the upgrade directly through Windows Update or the Installation Assistant. System Requirements for Windows 11 Pro Before upgrading, ensure that your PC meets the minimum system requirements: Processor: 1 GHz or faster with at least two cores (64-bit compatible) RAM: 4 GB or more Storage: 64 GB or larger TPM: Version 2.0 Secure Boot: Enabled Graphics Card: DirectX 12 compatible Display: 720p resolution or higher To check if your PC is compatible, download and run the PC Health Check tool from Microsoft's website. Method 1: Upgrade Using Windows Update Open Settings – Press Win + I to open the Settings app. Go to Update & Security – Click on "Update & Security" and select "Windows Update." Check for Updates – Click on "Check f...
Read more