“An error occurred while attempting to establish a trust relationship with the Federation Server” the basics.
I have two AD FS servers and one WAP server in my own developer environment. I had not switched the servers on for a while, and apparently if your WAP server stays off for more than 30 days, certain functions such as the Web Application Proxy are no longer enabled.
I first tried to start the Web Application Proxy Service, because it was stopped.
But unfortunately:
“Start-service : Failed to start service ‘Web Application Proxy Service (appproxysvc)’.”
Okay… that’s strange, so something else must be wrong.
Searching for the error message, I found a forum post on Spiceworks that says you can solve this by setting ProxyConfigurationStatus from “Configured” to “Not Configured” in the registry. After that you can reconfigure the Web Application Proxy role.
My WAP Server is a Core server, so I did everything with PowerShell.
After I modified the registry and reconfigured the WAP Service with PowerShell, I got the following error message:
“An error occurred while attempting to establish a trust relationship with the Federation Server.”
This error message can have various causes. I give you four options below. For me it was the last one, because the WAP had already been configured once.
Option 1 – Are your time settings correct on both your ADFS and WAP?
When the clocks differ, typically by 5 minutes or more (the default Kerberos clock-skew tolerance), this can cause problems. A short but powerful check: verify that the time settings on your AD FS and WAP servers match. Rule out a time zone difference before making major changes.
If it is a core server you can do this:
Get-Date
And from a management server:
Invoke-Command -ComputerName SERVERNAME { Get-Date }
Option 2 – Is DNS Configured correctly?
For example, in the hosts file in C:\Windows\System32\drivers\etc\ you often point the federation service name directly at the load balancer in front of AD FS. Temporarily change this address to the direct address of your primary AD FS server, and make sure that DNS itself temporarily returns the same address.
Option 3 – Are you using the correct FederationServiceName?
Is it possible that the SSL binding on port 443 is for a different hostname?
Run this command on your primary AD FS server and check whether the “Hostname:port” entry matches the FederationServiceName you use when configuring your WAP (netsh also accepts the abbreviation “ssl” for “sslcert”):
netsh http show sslcert
Check this Technet post for more.
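The three checks above (clock, name resolution, SSL binding) as one pre-flight script, plus the certificate comparison a commenter below suggests as an extra check. This is an added example, not code from the original post; it assumes a federation service name of fs.example.com and a primary AD FS server called ADFS01, and is run on the WAP server as a local administrator with PowerShell remoting to the AD FS server.

```powershell
param(
    [string]$FederationServiceName = 'fs.example.com',   # assumed name
    [string]$AdfsServer            = 'ADFS01',           # assumed primary AD FS server
    [int]$MaxSkewSeconds           = 300                 # default Kerberos clock-skew tolerance
)

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# Option 1: clock skew and time zone. A DateTime returned over remoting still represents
# the same instant, so comparing UTC values measures the real skew even when the time
# zones differ; the zone is compared separately, as the post recommends.
$remote = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    [pscustomobject]@{ NowUtc = (Get-Date).ToUniversalTime(); Zone = [System.TimeZoneInfo]::Local.Id }
}
$skew = [math]::Abs(((Get-Date).ToUniversalTime() - $remote.NowUtc.ToUniversalTime()).TotalSeconds)
Add-Finding 'Clock skew' $(if ($skew -le $MaxSkewSeconds) { 'OK' } else { 'FAIL' }) ("{0:N0} s between WAP and $AdfsServer" -f $skew)
Add-Finding 'Time zone'  $(if ([System.TimeZoneInfo]::Local.Id -eq $remote.Zone) { 'OK' } else { 'CHECK' }) "WAP=$([System.TimeZoneInfo]::Local.Id) ADFS=$($remote.Zone)"

# Option 2: what name resolution actually gives the WAP. Resolve-DnsName honours the
# hosts file by default and -DnsOnly bypasses it, so a difference between the two answers
# reveals a hosts override (common on a WAP that must reach the internal AD FS address).
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$namePattern = '\s' + [regex]::Escape($FederationServiceName) + '(\s|$)'
$hostsHits = @(Get-Content $hostsFile | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $namePattern })
Add-Finding 'hosts entry' 'INFO' $(if ($hostsHits) { $hostsHits -join '; ' } else { 'none' })
$effective = @(Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction SilentlyContinue | Where-Object IPAddress)
$dnsOnly   = @(Resolve-DnsName -Name $FederationServiceName -Type A -DnsOnly -ErrorAction SilentlyContinue | Where-Object IPAddress)
Add-Finding 'Resolution' $(if ($effective) { 'OK' } else { 'FAIL' }) "effective=$($effective.IPAddress -join ',') dns-only=$($dnsOnly.IPAddress -join ',')"
foreach ($ip in ($effective.IPAddress | Select-Object -Unique)) {
    $tcp = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
    Add-Finding "TCP 443 to $ip" $(if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' }) 'port used to establish the trust'
}

# Option 3 (plus the certificate mismatch reported in the comments): the AD FS SSL binding
# must be for the federation service name on port 443, and the certificate hash on that
# binding should be the certificate the WAP holds. Get-AdfsSslCertificate shows the same
# bindings as 'netsh http show sslcert', as objects.
$bindings = @(Invoke-Command -ComputerName $AdfsServer -ScriptBlock { Get-AdfsSslCertificate })
$match = $bindings | Where-Object { $_.HostName -eq $FederationServiceName -and $_.PortNumber -eq 443 } | Select-Object -First 1
Add-Finding 'AD FS 443 binding' $(if ($match) { 'OK' } else { 'FAIL' }) ('bound: ' + (($bindings | ForEach-Object { "$($_.HostName):$($_.PortNumber)" }) -join ', '))
# Newest certificate in the WAP machine store issued for the service name (a wildcard
# certificate will not match this filter; compare its thumbprint by hand).
$wapCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $FederationServiceName -or $_.Subject -like "CN=$FederationServiceName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$sameCert = $wapCert -and $match -and ($wapCert.Thumbprint -eq $match.CertificateHash)
Add-Finding 'Same SSL cert' $(if ($sameCert) { 'OK' } else { 'CHECK' }) "WAP=$($wapCert.Thumbprint) ADFS=$($match.CertificateHash)"

$findings | Format-Table -AutoSize -Wrap
```

A FAIL on the binding or resolution rows points at Option 2 or 3; a CHECK on the certificate row is the situation from the comments where the public certificate was renewed on one server only.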
Option 4 – Have you configured this WAP server before?
Okay so let’s start again at the beginning, you get an error message when you start the Web Application Proxy Service.
“Start-service : Failed to start service ‘Web Application Proxy Service (appproxysvc)’.”
To solve this, we go through the following steps:
- Windows key + R and type REGEDIT.
- Navigate to HKLM\Software\Microsoft\ADFS and open the value ProxyConfigurationStatus.
- Change ProxyConfigurationStatus from 2 (Configured) to 1 (Not Configured).
- Run the Web Application Proxy configuration Wizard again.
If I do this now I get a new error message:
“Install-WebApplicationProxy : An error occurred when attempting to establish a trust relationship with the federation service. Error: Service Unavailable”
This error message is because the AD FS endpoint the proxy needs, /adfs/services/trust/13/Windows, is disabled on the AD FS server (or is not published to the proxy).
Start PowerShell on your ADFS Server, or use Enter-PSSession from your management server.
Enter the following:
Enable-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/Windows
Now allow the proxy to use this endpoint as well:
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/Windows -Proxy $true
Restart the AD FS service so the endpoint change takes effect (Restart-Service adfssrv).
Try to install your Web Application Proxy again. $fsccred holds the credentials of an account that is a local administrator on the AD FS server, and the thumbprint is a placeholder for your own SSL certificate:
$fsccred = Get-Credential
Install-WebApplicationProxy -FederationServiceTrustCredential $fsccred -FederationServiceName test.bwb.cloud -CertificateThumbprint "0000000000000000000000000000000000"
Message                                    Context              Status
-------                                    -------              ------
The configuration completed successfully.  DeploymentSucceeded  Success
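The Option 4 steps combined into one script that checks each state before changing it, so a registry value or endpoint that is already correct is left alone. This is an added example, not code from the original post; it assumes a federation service name of fs.example.com and a primary AD FS server called ADFS01, runs on the WAP server (Core or GUI) as a local administrator, and reaches the AD FS server over PowerShell remoting. The registry change is done with Set-ItemProperty instead of regedit, which is what you need on a Core server anyway.

```powershell
param(
    [string]$FederationServiceName = 'fs.example.com',                  # assumed name
    [string]$AdfsServer            = 'ADFS01',                          # assumed primary AD FS server
    [string]$EndpointPath          = '/adfs/services/trust/13/Windows'  # endpoint from the post
)
$ErrorActionPreference = 'Stop'

# Step 1: the flag the WAP uses to decide it is already configured
# (2 = Configured, 1 = Not Configured). Only reset it when it is really stuck on 2.
$regKey = 'HKLM:\SOFTWARE\Microsoft\ADFS'
$status = (Get-ItemProperty -Path $regKey -Name ProxyConfigurationStatus).ProxyConfigurationStatus
if ($status -eq 2) {
    Write-Host 'ProxyConfigurationStatus is 2 (Configured); resetting it to 1 (Not Configured)'
    Set-ItemProperty -Path $regKey -Name ProxyConfigurationStatus -Value 1 -Type DWord
} else {
    Write-Host "ProxyConfigurationStatus is $status; leaving it alone"
}

# Step 2: on the AD FS server, enable the endpoint and publish it to proxies, then
# restart the AD FS service (adfssrv) so the endpoint change takes effect.
$endpoint = Invoke-Command -ComputerName $AdfsServer -ArgumentList $EndpointPath -ScriptBlock {
    param($Path)
    $ep = Get-AdfsEndpoint -AddressPath $Path
    if (-not $ep.Enabled) { Enable-AdfsEndpoint -TargetAddressPath $Path }
    if (-not $ep.Proxy)   { Set-AdfsEndpoint -TargetAddressPath $Path -Proxy $true }
    Restart-Service adfssrv
    Get-AdfsEndpoint -AddressPath $Path | Select-Object AddressPath, Enabled, Proxy
}
$endpoint | Format-List
if (-not ($endpoint.Enabled -and $endpoint.Proxy)) {
    throw "$EndpointPath is still not enabled for proxy use on $AdfsServer"
}

# Step 3: re-establish the trust. The SSL certificate is looked up by the service name in
# the WAP machine store instead of pasting a thumbprint (pass a thumbprint by hand for a
# wildcard certificate). The credential must be a local administrator on the AD FS server.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $FederationServiceName -or $_.Subject -like "CN=$FederationServiceName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $FederationServiceName in Cert:\LocalMachine\My" }

$fsCred = Get-Credential -Message "Local administrator on $AdfsServer"
Install-WebApplicationProxy -FederationServiceTrustCredential $fsCred `
                            -FederationServiceName $FederationServiceName `
                            -CertificateThumbprint $cert.Thumbprint
```

If Install-WebApplicationProxy still reports "Service Unavailable" after this, the endpoint output printed in step 2 is the first thing to look at: both Enabled and Proxy must be True.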
Recap
Unfortunately, the error message is very general and can therefore have several different causes.
If you ran into another solution, please share it in the comments.
Do you have any feedback or other ideas? Then you can leave a comment as well.
A little extra
This post contains PowerShell. Would you like to learn the basics better? I have created a new website to learn basic PowerShell in an ’emulator’ environment.
Click here to go learn Basic PowerShell.
Just encountered this issue and the guide was really helpful in resolving it.
Thank you for your post, it was very helpful! Option 4 was our fix.
For me also option 4.
enable-ADFSEndpoint and Set-ADFSEndpoint seemed to work.
Many thanks!!
Great post Bas and a very useful list of points to run through to confirm config – thank you!
In my case the root cause of the trust relationship error message was a mis-match of certs on WAP and ADFS servers, which happened when I had to renew my public cert – I’d updated the cert on the WAP and “thought” I’d done the same on the ADFS server, but hadn’t. It was only when I ran “netsh show http ssl” on BOTH servers that I realised my mistake. Once I’d run “Set-AdfsSslCertificate -Thumbprint ” ” on the ADFS server, all was good again.
So you may want to add an Option 3.1 to check certs, before doing Option 4.
You rock Mark, saved my day.
Genius!
Option 3 worked for me too 🙂
Thanks, placing the federation service name with the IP of the primary server in the hosts file was the fix here.
Thank you very much!
The solution for me was option number 3.