IntroducingWindowsServer2016_ebook
Figure 2-92: Viewing details from the Best Practices Analyzer

The table on TechNet offers the following suggestion for event 12021:

Make sure that the certificate thumbprints that are configured for Web Application Proxy applications are installed on all the Web Application Proxy machines with a private key in the local computer store.

Armed with this information, you can review the certificates on the Web Application Proxy server to ensure that they have the correct names and expiration dates, and that the thumbprint matches the one on the server. Then, you can review the certificates on the server, ensure that they are correct, and reissue them if they are incorrect.

Certificate issues

Certificates play an important role in AD FS and Web Application Proxy. Getting the proper certificates—with the correct names in the certificates on the appropriate machines—is therefore critical to getting Web Application Proxy to function correctly with AD FS.

You might see issues with certificates manifested in error messages like the following:

The trust certificate ("ADFS ProxyTrust – WAP01") is not valid.

There are several possible causes of this issue:

- There might be some sort of network interruption between the Web Application Proxy server and the AD FS server.
- The Web Application Proxy server might have been down for an extended period of time.
- There might be an issue validating the certificate due to problems in the CA infrastructure.
- Time synchronization issues between the Web Application Proxy and AD FS servers might cause them to be out of synchronization.

To resolve these problems, verify the time settings on the Web Application Proxy and AD FS servers and then rerun the Install-WebApplicationProxy cmdlets.
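
The checks described above (thumbprint present on every Web Application Proxy node, private key in the local computer store, validity dates, clock offset) can be scripted. The following PowerShell is an added example, not code from the book; the server names WAP01, WAP02, and adfs.contoso.example are placeholders, and it assumes PowerShell remoting is enabled between the Web Application Proxy nodes.

```powershell
# Added example. Run elevated on a Web Application Proxy (WAP) node.
# Assumptions: server names are placeholders; PowerShell remoting is enabled.
$WapServers = @('WAP01', 'WAP02')       # every WAP node in the deployment
$AdfsHost   = 'adfs.contoso.example'    # AD FS server used for the time check
$WarnDays   = 30                        # flag certificates expiring this soon
$now        = Get-Date

function Get-CertStatus($Cert) {
    if (-not $Cert)                                  { return 'MissingFromStore' }
    if (-not $Cert.HasPrivateKey)                    { return 'NoPrivateKey' }
    if ($Cert.NotBefore -gt $now)                    { return 'NotYetValid' }
    if ($Cert.NotAfter  -lt $now)                    { return 'Expired' }
    if ($Cert.NotAfter  -lt $now.AddDays($WarnDays)) { return 'ExpiresSoon' }
    return 'OK'
}

# Published applications and the thumbprint each one is configured with.
$apps = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint }

$report = foreach ($server in $WapServers) {
    # Read the local computer store of each node once.
    $store = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\My |
            Select-Object Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey
    }
    foreach ($app in $apps) {
        $cert = $store | Where-Object { $_.Thumbprint -eq $app.ExternalCertificateThumbprint }
        [pscustomobject]@{
            Server = $server; Item = $app.Name
            Thumbprint = $app.ExternalCertificateThumbprint
            NotAfter = $cert.NotAfter; Status = (Get-CertStatus $cert)
        }
    }
    # The proxy trust certificate named in the error message above.
    foreach ($cert in ($store | Where-Object { $_.Subject -like '*ADFS ProxyTrust*' })) {
        [pscustomobject]@{
            Server = $server; Item = 'Proxy trust'
            Thumbprint = $cert.Thumbprint
            NotAfter = $cert.NotAfter; Status = (Get-CertStatus $cert)
        }
    }
}
$report | Sort-Object Status, Server | Format-Table -AutoSize

# Clock offset between this WAP node and the AD FS server.
w32tm /stripchart /computer:$AdfsHost /samples:3 /dataonly
```

Any row whose Status is not OK identifies the node and certificate to review or reissue before rerunning Install-WebApplicationProxy.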

Configuration data in AD FS is inconsistent or corrupt

You might also encounter errors for which the configuration data in AD FS could not be found or the data is unusable to the Web Application Proxy server. This can result in errors such as

Configuration data was not found in AD FS.

or

The configuration data stored in AD FS is corrupted or Web Application Proxy was unable to parse it.

or

Web Application Proxy was unable to retrieve the list of Relying Parties from AD FS.

Several things can cause these errors. It’s possible that Web Application Proxy was never fully installed and configured, or there were changes that occurred on the AD FS database that resulted in corruption. It’s also possible that the AD FS server cannot be reached due to a network issue and therefore the AD FS database is not readable.

85 CHAPTER 2 | Software-defined datacenter