BergRonaldvanden-2657 asked Crystal-MSFT edited

ADFS MEX Endpoint is Unreachable

Last week I've updated the Active Directory Federation Services 2016 and above MP to the latest version 10.0.3.1.

Since then one of our ADFS servers has a flapping monitor:
`Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceFederationServerMEXEndpointMonitor` (UnitMonitor)

I've investigated the differences between 10.0.3.1 and 10.0.3.0 and I see that the PowerShell script that is run by the monitor never worked in the previous version, so that explains why we now have an alert and previously did not.

But now, why do we get this alert? I do not have any ADFS knowledge and discussed this with the ADFS admin. He says it's working fine functionally, so there is no reason for this alert.

We extracted the script and ran it on the primary computer; it always runs successfully, and the variable `$script:mexOK` always returns true when we run it manually.

This is the error in the alert:
`The WS-Metadata Exchange (MEX) endpoint 'https://<our fqdn>/adfs/services/trust/mex' that is used for authentication over SOAP and HTTP protocols is not reachable.`
The URI is a load-balanced address, and when tested in a browser from the ADFS node it also works fine.

msc-operations-manager
BergRonaldvanden-2657 answered Crystal-MSFT edited

I verified that the service has been running for 3 days now without stopping; meanwhile these alerts are created regularly, so that is not the cause.

@BergRonaldvanden-2657, Thanks for the response. From your description, I know the service is running without any issue, and the ADFS is working well, as confirmed by the ADFS admin. It seems the issue is on the MP side. Would you mind disabling the rule to avoid the alert?

In the previous reply, I noticed the address "https://<our fqdn>/adfs/services/trust/mex" is a load-balanced address that can be accessed via the browser, and we can get the XML mentioned in the following link:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-endpoints#ws-mex-test-active-test

Also, we have run the script manually and `$script:mexOK` returns true. Could you try to output `$uriString` to confirm whether the URL we get when we manually run the script is the same as the load-balanced address?

Indeed, the value of that variable contains the same URL as we get in the error.

By the way, I think I've mentioned yesterday that I also added the load-balanced address to our URL monitor; it hasn't had a single state change since then, while the MEX alerts keep coming in, so it's not the unavailability of the URL that is causing the issue.

Crystal-MSFT replied to BergRonaldvanden-2657:

@BergRonaldvanden-2657, Thanks for the reply. From your description, I know the URL is the same and the ADFS seems to be working well, but we still get the alert. For this issue, I think it needs deep log analysis. With the Q&A limitation, for such kind of issue we suggest opening a case to handle it. Here is a link with the phone number we can call.
https://support.microsoft.com/en-au/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

@everyone, if anyone else has met the same situation, we appreciate your help to share it here.

Thanks for the understanding.

Crystal-MSFT answered Crystal-MSFT edited

@BergRonaldvanden-2657, Researching the error, I found one link which mentions it can be caused by the AD FS Windows service being stopped on the federation server computer. We can verify that the AD FS Windows service is started on the remote federation server computer.
https://systemcenter.wiki/?GetElement=Microsoft.ActiveDirectoryFederationServices20.TokenIssuanceFederationServerMEXEndpointMonitor&Type=UnitMonitor&ManagementPack=Microsoft.ActiveDirectoryFederationServices.2.0&Version=7.0.8560.0
Note: Non-Microsoft link, just for the reference.

Hope it can help.
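The manual check discussed in this thread (fetch the MEX URL, confirm it returns WSDL XML rather than just an HTTP 200, and confirm the AD FS service is running), written as an added PowerShell diagnostic that is not the management pack's own script; `$FederationFqdn`, `$Attempts` and `$IntervalSeconds` are assumed placeholders, and repeating the request several times is there to surface the intermittent failures a flapping monitor suggests.

```powershell
param(
    [string]$FederationFqdn = 'adfs.example.com',  # placeholder: your load-balanced ADFS FQDN
    [int]$Attempts          = 5,                   # assumed: how many times to probe the endpoint
    [int]$IntervalSeconds   = 10                   # assumed: pause between probes
)

$script:mexOK = $false
$uriString    = "https://$FederationFqdn/adfs/services/trust/mex"
Write-Host "Testing MEX endpoint: $uriString"

# Cause suggested in the thread: the AD FS Windows service (adfssrv) is stopped on this node.
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if ($null -eq $svc) { Write-Warning 'adfssrv service not found on this computer' }
else { Write-Host "adfssrv status: $($svc.Status)" }

$failures = 0
for ($i = 1; $i -le $Attempts; $i++) {
    try {
        $response = Invoke-WebRequest -Uri $uriString -UseBasicParsing -TimeoutSec 30
        # A reachable MEX endpoint returns a WSDL document; check the root element, not just the status code.
        [xml]$doc = $response.Content
        $root = $doc.DocumentElement
        if ($root.LocalName -eq 'definitions' -and
            $root.NamespaceURI -eq 'http://schemas.xmlsoap.org/wsdl/') {
            Write-Host "Attempt ${i}: OK (HTTP $($response.StatusCode), WSDL root found)"
        } else {
            $failures++
            Write-Warning "Attempt ${i}: unexpected root element '$($root.LocalName)' in namespace '$($root.NamespaceURI)'"
        }
    } catch {
        $failures++
        Write-Warning "Attempt ${i}: MEX request failed: $($_.Exception.Message)"
    }
    if ($i -lt $Attempts) { Start-Sleep -Seconds $IntervalSeconds }
}

# Mirror the variable the monitor script exposes: true only if every probe returned a WSDL document.
$script:mexOK = ($failures -eq 0)
Write-Host "uriString = $uriString"
Write-Host "mexOK     = $script:mexOK ($failures of $Attempts attempts failed)"
```

Run it on the ADFS node that raises the alert; a non-zero failure count against a URL that works in the browser points at an intermittent response from one backend behind the load balancer rather than at the service itself.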