question

ClintonvanAxel-5933 avatar image
0 Votes"
ClintonvanAxel-5933 asked ClintonvanAxel-5933 commented

Failed to add ADFS4.0 to farm

I have two ADFS 3.0 servers and two ADFSproxy servers(DMZ). All located in Azure. The machines all or load balanced.
Now i try to add a windows 2016 server (ADFS 4.0) on a different VNET but peer with the old VNET.

When i try to add the ADFS 4.0 (windows 2016 machine) I get this error.

Unable to retrieve configuration from the primary server. The specified DNS name of the primary federation server could not be resolved. Verify that the DNS name is correct, and that the AD FS service is running on the primary federation server and try again.

adfs
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

piaudonn avatar image piaudonn ·

Did you validate that DNS resolution of the primary FQDN from the ADFS 4 was working?
Also that you can reach the port 80 from this new machine?

0 Votes 0 ·

2 Answers

ClintonvanAxel-5933 avatar image
0 Votes"
ClintonvanAxel-5933 answered ClintonvanAxel-5933 commented

Fixed the problem. I was adding the farm name and thats was only reachable from outside. So it landed on the WAP. But the question was. What is your Primary server in the farm.


But i have a question if I add the windows 2016 (ADFS4.0) machine to the farm. Does it take all Replying party trusts. Even if i gone raise the farm level.


· 7
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

piaudonn avatar image piaudonn ·

Yes, the entire configuration is in the database.

0 Votes 0 ·
ClintonvanAxel-5933 avatar image ClintonvanAxel-5933 piaudonn ·

Also do you need to update the office365 sign-in rely party trust. I saw on a website that you need to add some registry keys.

0 Votes 0 ·
piaudonn avatar image piaudonn ClintonvanAxel-5933 ·

Nope. The trust stays as-is.

Do you have references for the registry thing?

0 Votes 0 ·
Show more comments
ClintonvanAxel-5933 avatar image
0 Votes"
ClintonvanAxel-5933 answered piaudonn converted comment to answer

When i open the port 80 on the adfsproxy server. i get another error:

The HTTP service located at http:///adfs/services/policystoretransfer is unavailable. This could be because the service is too busy or because no endpoint was found listening at the specified address. Please ensure that the address is correct and try accessing the service again later.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

piaudonn avatar image piaudonn ·

The port 80 on the WAP server is useful only for:
- Port 80 to 443 redirection for application publication.
- Health probe for load-balancers not compatible with SNI.
Why is the ADFS proxy involved in your troubleshooting?


0 Votes 0 ·