Following a ‘hiccup’, involving a Web Application Proxy (WAP) server, internal services were no longer being published to the outside world.
After some investigation, both the ADFS and WAP services showed as stopped on the server. Attempting to start the ADFS service from the services console produced the following error:
Windows could not start the Active Directory Federation Service service on Local Computer.
Error 1064: An exception occurred in the service when handling the control request.
Under the System section of the Windows Event Log, the following error was shown:
Event ID: 7023
The Active Directory Federation Services service terminated with the following error:
An exception occurred in the service when handling the control request.
Followed a few moments later by the following error:
Event ID: 7023
The Web Application Proxy Service terminated with the following error:
A certificate is required to complete client authentication
Looking in the ‘AD FS’ section of the Event Log (under ‘Applications and Services Logs’), the following errors were shown (note that the first error was generally shown multiple times, followed by a single instance of the second error):
Event ID: 383
The Web request failed because the web.config is malformed.
Fix the malformed data in the web.config file.
Root element is missing (C:WindowsADFSConfigmicrosoft.identityServer.proxyservice.exe.config)
Root element is missing.
Event ID: 199
The federation server proxy could not be started.
Reason: Error retrieving proxy configuration from the Federation Service.
An error occurred when attempting to load the proxy configuration.
Checking the file at C:WindowsADFSConfigmicrosoft.identityServer.proxyservice.exe.config showed that while the file size was still indicated as 2k, the file was blank.
I’ve seen a number of reports online indicating that WAP seems happy to chew up the contents of this configuration file following an outage, although I can find no information on why this might happen. If you have a backup of the file in question, it should be a simple matter to restore this file and restart the ADFS and WAP services to restore service. If you don’t, and have no other example server from which you can pull a similar copy of the file then the following steps must be taken:
- Remove the Web Application Proxy role from the server. Once this is complete, a reboot will be required.
- Re-add the Web Application Proxy role to the server.
- Once this is complete, initiate the configuration wizard.
- Use the same configuration parameters as you used when configuring the service initially, namely federation service name (e.g. federation.domain.com), local admin details for the federation server and the federation certificate (unless you’ve replaced the certificate used, in which case obviously you should use the new certificate details); you noted those down during initial configuration, right?
- Once configuration is complete, the Remote Access Management Console should open automatically. All of your publishing rules should still be in place, and your published services should be available immediately.
For reference, here’s a sample config file, from which you should be able to reconstruct an appropriate file for your service:
<?xml version="1.0" encoding="utf-8"?> <configuration> <configSections> <section name="microsoft.identityServer.proxyservice" type="Microsoft.IdentityServer.Management.Proxy.Configuration.ProxyConfiguration, Microsoft.IdentityServer.Management.Proxy, Version=184.108.40.206, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" /> </configSections> <microsoft.identityServer.proxyservice> <congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64" enabled="true" connectionTimeoutInSec="60" /> <connectionPool connectionPoolSize="200" scavengeInterval="5" /> <diagnostics eventLogLevel="15" /> <host tlsClientPort="49443" httpPort="80" httpsPort="443" name="federation.domain.com" /> <proxy address="" /> <trust thumbprint="1234567890ABCDEF1234567890ABCDEF12345678" proxyTrustRenewPeriod="21600" /> </microsoft.identityServer.proxyservice> <!-- <system.serviceModel> <diagnostics> <messageLogging logEntireMessage="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true"> </messageLogging> </diagnostics> </system.serviceModel> --> </configuration>