ADFS Proxy Trust Issues

Web Application Proxy - ADFS

ADFS - Architecture 

Issues

Web Application Service not starting. When we try to manually start the service it gives this error

Open Event Viewer to check the issue in detail.

Here it says that Unable to retrieve proxy configuration data from the Federation Data.

The error results because the WAP server is unable to reinstate the trust between itself and ADFS Server.

So we configure the trust manually now.

Run the command in Powershell in WAP Server: dir Cert:\LocalMachine\My

This will give you the list of the certificates and their thumbprints.

Now you have to pick the thumprint corresponding to the Sub-Domain you are using

For-ex pick the thumbprint corresponding to sts.domain.com or *.domain.com

You can also copy the thumbprint from the certificate store in MMC by going to the certificate properties.

Copy the thumbprint and put it in this command

Install-WebApplicationProxy –CertificateThumbprint <cert-thumbprint-copied-paste-here> -FederationServiceName sts.domain.com

Run this command on the WAP Server, it will prompt you for the credentials.

Enter the ADFS Server Admin Credentials and wait for command to complete.

 Once it is complete, go to services and check whether it is started or not.

It must have started fine. 

Azure AD Ports & Connect Issues



Ports Between Azure AD Connect and Active Directory Server.

DNS	53 (TCP/UDP)	DNS lookups on the destination forest.
Kerberos	88 (TCP/UDP)	Kerberos authentication to the AD forest.
MS-RPC	135 (TCP/UDP)	Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest.
LDAP	389 (TCP/UDP)	Used for data import from AD. Data is encrypted with Kerberos Sign & Seal.
LDAP/SSL	636 (TCP/UDP)	Used for data import from AD. The data transfer is signed and encrypted. Only used if you are using SSL.

Ports Between Azure AD Connect and ADFS Server

HTTP	80 (TCP/UDP)	Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates.
HTTPS	443(TCP/UDP)	Used to synchronize with Azure AD.
WinRM	5985	WinRM Listener

Ports Between ADFS Proxy Servers and ADFS Servers

HTTPS	443(TCP/UDP)	Used for authentication.

Error: We cannot reach this server. Make sure Windows PowerShell remote management is enabled on the remote server and any firewalls are configured to allow Windows Remote Management. Also make sure the value that you entered for Server Name is not the Federation Service Name.    Resolution

1. Make sure that Remote Management is enabled in the Server Dashboard.



2. Make sure that the ports for Connecting to the WinRM service should be open. i.e. port number 5985.   Use telnet & nslookup commands in Windows Server to do the troubleshooting with ports.

nslookup -a gives a list of all the listening ports(TCP & UDP) on a server. 
telnet is used for connecting to remote computer on a specified port. telnet [server_name] [port_number]   Ex. telnet google.com 80

General Recommendations:

For connecting to On-Prem Active Directory, Enterprise Admin should be used.

Microsoft Recommendation says that Azure AD Connect should by-pass the Proxy Server. However if the proxy server is mandatory make sure that the certain Microsoft Domain and IPs are bypassed from the proxy server. The bare minimum list is given below.

URL	Port	Description
mscrl.microsoft.com	 HTTP/80	     Used to download CRL lists.
*.verisign.com	HTTP/80	Used to download CRL lists.
*.entrust.com	HTTP/80	Used to download CRL lists for MFA.
*.windows.net	HTTPS/443	Used to sign in to Azure AD.
secure.aadcdn.microsoftonline-p.com	HTTPS/443	Used for MFA.
*.microsoftonline.com	HTTPS/443	Used to configure your Azure AD directory and import/export data.

Find the detailed list here https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#bkmk_identity

Click on the drop down on Office 365 Authentication & Identity to see full list of FQDN and IP addresses.

For proxy Server machine.config file should be edit as shown below, in this case Proxy is using port 8080.

Path for machine.config -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config



Network Policy Server SSL Cert Update

The SSL cert is used for validating the identity of the server. We can use the local CA cert also, but before using that we need to make sure that the Root Cert is installed on every device on which NPS server is being used to connect to Wireless Network.


We can install 2 types of SSL cert

1. WildCard SSL Cert (*.domain.com)
2. Single Name Cert (radius.domain.com)

Wildcard certificate can be used to Validate the Identity of the Server, but there is one limitation. Wildcard certificate will not work with Windows 7, Vista, XP and other Legacy Operating Systems. It will work fine with Windows 8, 8.1, 10 and mobile OS like IOS, Android. This happens because the legacy OS will not trust CA's that do not exist in their NTAuth store and those machines will not allow a connection to a SSID that it cannot validate. Ultimately, if you do not control the computer, you cannot affect a change to the NTAuth store on those machines.
So its better to use the cert with Single Name Wildcard Certificate because it supported by all the OS.


So first generate a CSR from your RADIUS Server. Steps to do that you can find below:

























Fill the properties mentioned of the certificate






















Once you click on Finish the sert file will be generated.
Upload your cert file to your Certification provider and then wait for the certificate.




Once the CSR is generated Upload the CSR to the SSL Certficate Provider website and download the certificate.


Install the certificate on the NPS (RADIUS) server.
Open the Network Policy Server Administrative Center.
Goto Policies -> Network Policies -> Wireless Connections





Double Click on it





Select Microsoft PEAP and click Edit.



Select the Certificate you installed.
Click on OK and then STOP and START the NPS Service.

















Note: remember that certificate will be installed with private key on the same server from which the CSR has been generated. If you have more than one server on which you need to insall the cert, then first install the cert on the server from which you generated the CSR, then export it in the form of .pfx with private key (make sure private key is exportable). Then install it on other servers.