ADFS WAP error – Unable to retrieve proxy configuration data from the Federation Service.


This error typically occurs when the Web Application Proxy (WAP) is unable to authenticate with the ADFS server. Here are some common causes and troubleshooting steps:

Possible Causes:

  1. Service Account Password Expiry or Mismatch

    • The WAP server authenticates with ADFS using a trust relationship that relies on a certificate and/or service account.
    • If the password has changed or expired, WAP cannot authenticate.
  2. Expired or Incorrect ADFS Proxy Trust Certificate

    • The WAP server uses a certificate to establish trust with ADFS.
    • If the certificate is expired or mismatched, authentication will fail.
  3. Time Synchronization Issues

    • ADFS and WAP must be synchronized within a few minutes of each other.
    • If there is a time difference, authentication may fail.
  4. Network Connectivity Issues

    • Ensure WAP can reach the ADFS server on port 443 (HTTPS).
    • Check firewall rules and proxy settings.
  5. ADFS Authentication Issues

    • The ADFS server may not be accepting requests from the WAP server.
    • There may be an issue with Windows Authentication on ADFS.

Troubleshooting Steps:

1. Verify ADFS and WAP Service Accounts

  • On the ADFS Server, open ADFS Management Console:
    • Navigate to Service → Authentication Methods and check authentication settings.
    • Ensure the service account used by ADFS has the correct permissions.
  • If using a gMSA (Group Managed Service Account), ensure it’s configured correctly.

2. Check the WAP Trust Relationship

  • Run the following PowerShell command on the WAP server to check the trust status:

    ```powershell
    Get-WebApplicationProxyConfiguration
    ```

  • If the output shows errors or missing trust details, you may need to re-register WAP with ADFS.

3. Re-register WAP with ADFS

  • Open PowerShell as Administrator on the WAP server and re-run the registration:

    ```powershell
    Install-WebApplicationProxy -FederationServiceName "<ADFS_Server_FQDN>" -FederationServiceTrustCredential (Get-Credential) -CertificateThumbprint "4312CE271DAF7F2A4337D9D7AD4D8D7E0B537A0F"
    ```

  • Replace <ADFS_Server_FQDN> with the federation service name (`-FederationServiceName` is a required parameter).
  • Use the correct ADFS admin credentials.
  • Replace the certificate thumbprint with the correct one.

4. Check Event Logs on Both ADFS & WAP

  • On the WAP Server, check logs under:

    • Event Viewer → Applications and Services Logs → AD FS / Admin
    • Look for any proxy trust or authentication errors.
  • On the ADFS Server, check:

    • Event Viewer → Applications and Services Logs → AD FS / Admin
    • Look for failed authentication requests from the WAP server.

5. Verify Time Synchronization

  • Run the following command on both WAP and ADFS to check time:

    ```powershell
    w32tm /query /status
    ```

  • Ensure both servers are synchronized with the correct NTP source.
  • If out of sync, resynchronize:

    ```powershell
    w32tm /resync
    ```

6. Verify Network and Firewall Rules

  • Ensure WAP can reach ADFS:

    ```powershell
    Test-NetConnection <ADFS_Server_FQDN> -Port 443
    ```

  • Check if WAP is correctly resolving the ADFS name:

    ```powershell
    nslookup <ADFS_Server_FQDN>
    ```

7. Ensure the ADFS Certificate is Valid

  • On the ADFS Server, run:

    ```powershell
    Get-AdfsSslCertificate
    ```
  • Ensure the certificate is not expired and matches the one used by WAP.

Final Steps

  • If you find the trust certificate is expired, update it and re-register WAP.
  • If all else fails, consider removing WAP and reinstalling it (two separate commands; the thumbprint is a placeholder for your own certificate):

    ```powershell
    Uninstall-WebApplicationProxy
    Install-WebApplicationProxy -FederationServiceName "<ADFS_Server_FQDN>" -FederationServiceTrustCredential (Get-Credential) -CertificateThumbprint "<Certificate_Thumbprint>"
    ```


If the Web Application Proxy (WAP) service fails to start with a 401 Unauthorized error, it usually indicates an authentication or trust issue between WAP and the ADFS server. Let’s go through a structured troubleshooting approach.


🔍 Possible Causes:

  1. Expired or Incorrect ADFS Proxy Trust Certificate

    • If the certificate used for WAP to ADFS trust is expired or incorrect, authentication will fail.
  2. WAP Not Registered with ADFS Correctly

    • If the WAP server is not properly joined to ADFS, the authentication request will be rejected.
  3. ADFS Server Authentication Issues

    • Windows Authentication may not be working correctly on the ADFS server.
  4. Time Synchronization Issues

    • If the WAP server and ADFS server have a time difference, authentication will fail.
  5. Network or Firewall Blocking Communication

    • WAP must communicate with ADFS over port 443 (HTTPS).
    • Check DNS resolution to ensure WAP can reach the ADFS server.

🔧 Troubleshooting Steps

1️⃣ Verify the ADFS Proxy Trust Certificate

  • Run this command on the WAP Server to check the current configuration:

    ```powershell
    Get-WebApplicationProxyConfiguration
    ```

    • Look for Trust Certificate Thumbprint.
    • Ensure this matches the ADFS SSL certificate.
  • Check the certificate validity:

    ```powershell
    Get-AdfsSslCertificate
    ```

  • If the certificate is expired or incorrect, reconfigure the WAP trust (see step 5).


2️⃣ Check ADFS Authentication & Service Account

  • Run this command on the ADFS Server:

    ```powershell
    Get-AdfsProperties | Select Hostname, FederationServiceName
    ```

    • Ensure the hostname is correct.
  • Ensure the ADFS service account is valid and has not expired.


3️⃣ Test WAP to ADFS Communication

  • From the WAP Server, check if ADFS is accessible:

    ```powershell
    Test-NetConnection <ADFS_Server_FQDN> -Port 443
    ```

  • Verify that WAP can authenticate with ADFS:

    ```powershell
    Invoke-WebRequest -Uri "https://<ADFS_Server_FQDN>/adfs/probe" -UseBasicParsing
    ```

    • If you get 401 Unauthorized, the issue is with authentication.

4️⃣ Ensure WAP and ADFS Clocks are Synchronized

  • On both servers, check the time:

    ```powershell
    w32tm /query /status
    ```

  • If out of sync, force synchronization:

    ```powershell
    w32tm /resync
    ```

5️⃣ Re-register WAP with ADFS

If WAP is misconfigured, re-register it:

1️⃣ Uninstall WAP

Run this command on the WAP Server:

```powershell
Uninstall-WebApplicationProxy
```

2️⃣ Reinstall WAP and Reconfigure Trust

```powershell
Install-WebApplicationProxy -FederationServiceName "<ADFS_Server_FQDN>" -FederationServiceTrustCredential (Get-Credential) -CertificateThumbprint "4312CE271DAF7F2A4337D9D7AD4D8D7E0B537A0F"
```

  • Replace <ADFS_Server_FQDN> with your ADFS server name.
  • Enter ADFS administrator credentials when prompted.
  • Ensure the certificate thumbprint matches the ADFS SSL certificate.

6️⃣ Restart Services & Check Logs

  • Restart the ADFS and WAP services (the Web Application Proxy Service is registered under the name `appproxysvc`):

    ```powershell
    Restart-Service adfssrv -Force
    Restart-Service appproxysvc -Force
    ```
  • Check Event Viewer Logs on WAP:

    • Event Viewer → Applications and Services Logs → AD FS / Admin
    • Look for errors related to proxy authentication.

🎯 Final Check

After performing these steps, try starting the WAP service again (service name `appproxysvc`):

```powershell
Start-Service appproxysvc
```
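Both troubleshooting procedures above boil down to the same checks (DNS, port 443, certificate, clock skew, AD FS/Admin errors, service state). The script below is an added example, not code from the original post; it runs the checks in one pass from an elevated Windows PowerShell 5.1 session on the WAP server and lists anything that would make re-registration fail. `<ADFS_Server_FQDN>` and `<Certificate_Thumbprint>` are placeholders, and `/adfs/probe` is used only as any URL that returns a Date header.

```powershell
# Added example (not from the original post): WAP-side pre-flight check.
# Assumes Windows PowerShell 5.1 on the WAP server; both parameters are placeholders.
param(
    [string]$AdfsFqdn   = "<ADFS_Server_FQDN>",
    [string]$Thumbprint = "<Certificate_Thumbprint>"
)
$findings = @()

# DNS: the federation service name must resolve from the WAP server.
try   { $null = Resolve-DnsName $AdfsFqdn -ErrorAction Stop }
catch { $findings += "DNS: '$AdfsFqdn' does not resolve" }

# Network: TCP 443 to ADFS is the only port the proxy trust needs.
if (-not (Test-NetConnection $AdfsFqdn -Port 443 -InformationLevel Quiet)) {
    $findings += "Network: TCP 443 to '$AdfsFqdn' is blocked"
}

# Certificate: must be in LocalMachine\My, unexpired, with a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)                        { $findings += "Cert: $Thumbprint not in LocalMachine\My" }
elseif ($cert.NotAfter -lt (Get-Date)) { $findings += "Cert: expired on $($cert.NotAfter)" }
elseif (-not $cert.HasPrivateKey)      { $findings += "Cert: no private key, cannot terminate TLS" }

# Clock skew: compare local UTC time with the Date header ADFS sends.
# Even a 401 or 404 response carries a Date header, so any reply is enough.
$req = [System.Net.WebRequest]::Create("https://$AdfsFqdn/adfs/probe")
$req.Method = "HEAD"
try   { $resp = $req.GetResponse() }
catch [System.Net.WebException] { $resp = $_.Exception.Response }   # null if TLS failed
if ($resp -and $resp.Headers["Date"]) {
    $skew = ([datetime]$resp.Headers["Date"]).ToUniversalTime() - (Get-Date).ToUniversalTime()
    if ([math]::Abs($skew.TotalMinutes) -gt 5) { $findings += "Clock: $([int]$skew.TotalMinutes) min skew vs ADFS" }
    $resp.Close()
} else { $findings += "Clock: no HTTP response from ADFS (TLS or routing problem?)" }

# Event log: errors in AD FS/Admin over the last 24 hours (Level 2 = Error).
$filter = @{ LogName = "AD FS/Admin"; Level = 2; StartTime = (Get-Date).AddHours(-24) }
foreach ($e in (Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue)) {
    $findings += "Event $($e.Id) $($e.TimeCreated): $(($e.Message -split "`n")[0])"
}

# Services: adfssrv (federation service) and appproxysvc (Web Application Proxy Service).
foreach ($name in "adfssrv", "appproxysvc") {
    $svc = Get-Service $name -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne "Running") { $findings += "Service: $name is not running" }
}

if ($findings.Count -eq 0) { "All checks passed; safe to re-register WAP." }
else { "Findings:"; $findings | ForEach-Object { " - $_" } }
```

Fix every reported finding before running Install-WebApplicationProxy again; a skew or certificate problem left in place will reproduce the same 401 after re-registration.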
