(2019-03-06) Will WAP v3.0 Work With ADFS v4.0 Or Later?
Posted by Jorge on 2019-03-06
Will it work to have WAP v3.0 (WAP in Windows Server 2012 R2) in an ADFS v4.0 Farm (ADFS in Windows Server 2016) during an upgrade/migration scenario?
Yes, it will, even if you increase the ADFS Farm Level! There is a “BUT”, and that is it will depend on what you are using!
–
Some examples
If you are just publishing applications and doing your thing as you were with the ADFS v3.0 Farm, you are OK to go.
Figure 1: WAP v3.0 Successfully Retrieving Its Config From An ADFS v4.0 Farm
–
The federation server proxy successfully retrieved its configuration from the Federation Service ‘FS.IAMTEC.NL’.
–
Figure 2: WAP v3.0 Successfully Added/Removed The Listed Endpoints
–
The AD FS proxy service made changes to the endpoints it is listening on based on the configuration it retrieved from the Federation Service.
Endpoints added:
https://+:443/FederationMetadata/2007-06/
https://+:443/adfs/ls/
https://+:49443/adfs/ls/
https://+:443/adfs/oauth2/token/
https://+:443/adfs/oauth2/logout/
https://+:443/adfs/oauth2/authorize/
https://+:49443/adfs/oauth2/authorize/
https://+:443/adfs/oauth2/devicecode/
https://+:443/adfs/oauth2/deviceauth/
https://+:443/adfs/.well-known/openid-configuration/
https://+:443/adfs/discovery/keys/
https://+:443/EnrollmentServer/
https://+:443/adfs/portal/
https://+:49443/adfs/portal/
https://+:443/adfs/portal/updatepassword/
https://+:443/adfs/userinfo/
https://+:443/adfs/services/trust/2005/windowstransport/
https://+:443/adfs/services/trust/2005/certificatemixed/
https://+:49443/adfs/services/trust/2005/certificatetransport/
https://+:443/adfs/services/trust/2005/usernamemixed/
https://+:443/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256/
https://+:443/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256/
https://+:443/adfs/services/trust/13/certificatemixed/
https://+:443/adfs/services/trust/13/usernamemixed/
https://+:443/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256/
https://+:443/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/
https://+:443/adfs/services/trust/mex/
Endpoints removed:
–
Remember though that ADFS v4.0 supports other endpoints. And that’s were the WAP v3.0 may not understand everything published by ADFS v4.0. For the following endpoint you will see the following error when WAP v3.0 retrieves its config from the ADFS v4.0 farm.
Figure 3: WAP v3.0 Fails To Add A Listener For A Specific Endpoint Published By ADFDS v4.0
–
AD FS proxy service failed to start a listener for the endpoint ‘Endpoint details:
Prefix : /.well-known/webfinger
PortType : HttpsDevicePort
ClientCertificateQueryMode : None
CertificateValidation : None
AuthenticationSchemes : Anonymous
ServicePath : /.well-known/webfinger
ServicePortType : HttpsDevicePort
SupportsNtlm : False
‘
Exceptiondetails:
System.Net.HttpListenerException (0x80004005): Access is denied
at System.Net.HttpListener.AddAllPrefixes()
at System.Net.HttpListener.Start()
at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize)
at Microsoft.IdentityServer.ProxyService.ProxyHttpListener.Start()
at Microsoft.IdentityServer.ProxyService.EndpointManager.ApplyConfiguration(ProxyEndpointConfiguration proxyEndpointConfiguration)
User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.
–
Now, a good way to make sure your WAP v3.0 stops functioning in an ADFS v4.0 farm, is to enable “Alternate Host Name Binding” as explanined in (2019-03-05) Certificate Based Authentication In ADFS (Legacy And New) – The Complete Information To Get This Working
As soon as you enable “Alternate Host Name Binding” you will see the following error when WAP v3.0 tries to retrieve its config from the ADFS v4.0 farm. Also pay attention to what it suggests you should do! 
Figure 4: WAP v3.0 Fails To Retrieve Its Config From The ADFS v4.0 Farm After Enabling Alternate Host Name Binding
–
Unable to retrieve proxy configuration data from the Federation Service.
Additional Data
Trust Certificate Thumbprint:
7EB5B6A48B7273468ECC5EB67E05E62DDD04D145
Status Code:
UpgradeRequired
Exception details:
System.Net.WebException: The remote server returned an error: (426) Upgrade Required.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()
–
If you want to make your WAP v3.0 again in this scenario you really need to disable Alternate Host Name Binding!
–
So before enabling “Alternate Host Name Binding” make sure to upgrade your WAP v3.0 to the latest version, it deserves it!
–
To disable “Alternate Host Name Binding” and start using legacy mode again for Certificate Based AuthN, just execute the following command on one ADFS server:
Set-AdfsProperties -TlsClientPort 49443
Then restart the ADFS service on all nodes:
Restart-Service ADFSSRV
–
Now, is this a complete list of what can go wrong? Probably not, therefore be careful!
–
Have fun!
–
Cheers,
Jorge
————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-
Jorge's Quest For Knowledge! 
Leave a Reply