Web Application Proxy fails with Unauthorised (401) error
I recently had a problem with a Web Application Proxy server that sat in a DMZ. It had dropped off the VLAN and was unable to talk to anything else on the network. The server was used for ADFS and as most of the the authentication was performed internally it took a couple of weeks for the client to notice the issue. I was easily able to resolve the VLAN issue however the Web Application Proxy service failed to start even after the network issue was resolved. Every time I tried to start the service I would get the following error
Error 0x80190191: Unauthorised (401).
After checking through the event logs I also noticed the following entry every time I tried to start the service.
Event ID: 422
Source: AD FS
Description: Unable to retrieve proxy configuration data from the Federation Service.
After performing some research I discovered that there is a certificate that is updated approximately every two weeks that allowed the Web Application Proxy server in the DMZ to talk to the ADFS server on the internal network. The issue turned out to be fairly easy to resolve.
First we need to locate the thumbprint of a usable certificate on the Web Application Proxy server. Open powershell and run the following command
You will receive a list of all the currently installed certificates and corresponding thumbprints. I used the primary certificate for ADFS.
You will then need to run the following command (ensure you replace the thumbprint and federation service name with the correct value from your environment)
Install-WebApplicationProxy -CertificateThumbprint 8AE7D4D9449AD06D6F6C58722E4706C4E28449FC -FederationServiceName ‘adfs.contoso.com.au’
You should now be able to start the Web Application Proxy service successfully.