-

 Event ID 393 - The federation server proxy could not establish a trust with the Federation Service

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn584107(v=ws.11)?redirectedfrom=MSDN


https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=ADFS

ISSUE:

We are performing a brand new deployment of Web Application proxy role on a Windows Server 2012 R2 machine.

The Application Proxy Server is in a workgroup machine, while the ADFS server is running on a domain-joined windows 2012 R2 server.

For information on the installation pre-requisites and steps, I would suggest you to review the TechNet documentation available here. 

Now back to the issue,we took the PowerShell approach to install the Web application Proxy role.

Install –WebapplicationProxy –certificateThumbprint <Hashvalue> FederationServicename <name of the adfsservice >

When we ran this command let, we encountered the following error:



TROUBLESHOOTING AND RESOLUTION:

WAP has pretty extensive event logging, so the first thing we need to do is look at the event logs under Application and service logs. There we found Event 393 corresponding to our
failure.




We then verified that the certificate thumbprint of the cert in the “ADFSTrustedDevices” cert store (on the ADFS server) matches the SSL certificate on the WAP server.

So, all prerequisites are good. At this point, we checked the time settings on the 2 servers and found that the WAP and ADFS servers are out of time sync.

Once we fixed the time sync issue, we were successfully able to run the installation task and establish proxy trust. The issue was resolved!

The key takeaway here is, time sync between Web application proxy and ADFS server is of prime importance since some of the key operations like Configuration Polling  will not work as expected if there is no correlation in time.

Comments

Post a Comment

Popular posts from this blog

altiris software key

-
Image
I think a lot of people, like me, spend a lot of time try finding how to get those download: Latest Symantec workspace Virtualization , SWV 6.1, that is advanced SVS version, is integrated with the Altiris client management suite CMS 7.  (Yes, it was also named "SVS PRO") Notice 1: This package includes the "Wise Virtual Composer", and both x86+x64 versions. Notice 2: This link currently also includes SWS (Streaming) and SWC (Corporate) [please vote my post if you use it ;-] Story : I was thinking only SVS 2.1 (Software Virtualization Solution) was integrated into the "Client Management Suite 7". But this is not the case and SWV 6.1 (Symantec Workspace Virtualization) must not be paid in addition . Free home license : Both SVS 2.1 "light" version & SWV are still free personal use. I suggest you use now the latest SWV 6.4 (That is SWV 6.1 SP7 or following! Yes Symantec do this version naming - vote here also to a...
Read more

Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

-
Image
Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe) Table of Contents SPN Purpose SPN Format SetSPN Viewing or Checking SPN Registrations SPN Registration Errors Related to SPN Registration or Configuration Manually Registering SPNs Troubleshooting SPN Issues Resolving SPN Registration Issues SPN Lookup Errors Delegation External Articles SPN Purpose A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. ↑  Return to T...
Read more

Troubleshooting Netlogon Error Codes

-
Image
Quick Reference: Troubleshooting Netlogon Error Codes ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ January 28, 2013   by  Mark Morowczynski [MSFT]   //   24 Comments 0 0 Hi this is Brandon Wilson and today I will be providing you with a quick reference for troubleshooting Netlogon error codes. I say “quick reference” very loosely here, because this is one of those sticky subjects that can easily expand into many more areas and become a very long discussion. So, I’m going to do my best to focus on just the codes and possible solutions for the error codes that are more common to see. Anyone who has dealt with some of these issues knows that some of these outlined areas can lead to huge revenue loss for a business, or at the very least an annoying authentication prompt J I welcome you to leave comments and questions, or suggestions for articles that you as the reader would be interested in seeing us do on AskPFE Platforms ( http://blogs.tech...
Read more