Tuesday, May 31, 2016

Help on The federation server proxy could not renew its trust with the Federation Service. ADFS 3.0


If you run a Windows Server 2012 R2 ADFS with Web Application Proxy (WAP) you may run into a situation where the web browser page just says

"The page cannot be displayed because an internal server error has occurred."

and in the event log of the server running WAP you see this error (followed by many more)

Event log (Applications and Services Logs/AD FS/Admin):
The federation server proxy could not renew its trust with the Federation Service.



That means the trust relationship between WAP and the ADFS server is broken. You can either uninstall WAP from that machine and reinstall it (the install wizard will guide you through reconnecting to the ADFS server), or you can run the following commands to re-establish the trust.



dir Cert:\LocalMachine\My

dir Cert:\LocalMachine\My lists all certificates in the machine's personal store that could be used to connect to the ADFS server. If you see multiple certificates, select the one with the name of the ADFS federation service in it. You will need the thumbprint of that certificate later in this process.


$ADFScredentials = Get-Credential

Enter the credentials of your admin user on the ADFS server here.


Then run the Install-WebApplicationProxy command to re-establish the trust relationship with the ADFS server. Note that there is no Reconnect or Renew cmdlet; Install-WebApplicationProxy is what renews the trust.

Install-WebApplicationProxy -CertificateThumbprint CC35E9EE9EBA26697ABDC9C74CC4218818B1D1B8 -FederationServiceName "sso.domain.org" -FederationServiceTrustCredential $ADFScredentials
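The three steps above put together as a script (an added example, not from the original post): it first confirms the trust-renewal error is actually present in the AD FS/Admin log, then picks the certificate by federation service name instead of by hand, checking that it has a private key and has not expired, before calling Install-WebApplicationProxy. The federation service name is a placeholder; the script assumes it runs as a local administrator on the WAP server with the WebApplicationProxy module installed.

```powershell
# Added example (not the original post's code): automate re-establishing the WAP trust.
# Assumptions: $FederationServiceName is a placeholder for your ADFS name; run elevated
# on the WAP server; Install-WebApplicationProxy comes from the WebApplicationProxy module.
$FederationServiceName = 'sso.example.org'   # placeholder, replace with your ADFS name

# 1. Confirm the symptom in the WAP event log (AD FS/Admin) before changing anything.
$trustErrors = Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*could not renew its trust with the Federation Service*' }
if (-not $trustErrors) {
    Write-Warning 'No trust-renewal errors found in AD FS/Admin; the problem may be elsewhere.'
}

# 2. Pick the certificate: subject or SAN must contain the federation service name,
#    it must have a private key, and it must not be expired. Latest expiry wins.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "*$FederationServiceName*" -or
         $_.DnsNameList.Unicode -contains $FederationServiceName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate for $FederationServiceName with a private key in Cert:\LocalMachine\My"
}
Write-Host "Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 3. Prompt for ADFS admin credentials and re-establish the trust.
$ADFScredentials = Get-Credential -Message "Admin account on $FederationServiceName"
Install-WebApplicationProxy -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $ADFScredentials

# 4. Verify: once the trust is back, the proxy can read its configuration from ADFS.
Get-WebApplicationProxyConfiguration
```

If step 2 throws, the store has no usable certificate for that name and you need to import one before the trust can be re-established.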


I blog this here for my own notes but I hope it will help others as well.