-->

After you configure a computer with the required certificates and have installed the Federation Service Proxy role service, you are ready to configure the computer to become a federation server proxy. You can use the following procedure so that the computer acts in the federation server proxy role.

Important

Before you use this procedure to configure the federation server proxy computer, make sure that you have followed all the steps in Checklist: Setting Up a Federation Server Proxy in the order that they are listed. Make sure that at least one federation server is deployed and that all the necessary credentials for authorizing a federation server proxy configuration are implemented. You must also configure Secure Sockets Layer (SSL) bindings on the Default Web Site, or this wizard will not start. All these tasks must be completed before this federation server proxy can function.

Championship manager 2011 free download. On the WAP server, open Server Manager and click the Refresh dashboard icon (the round “yin-yang”-like icon) Click on the Open the Web Application Proxy Wizard link. At the Federation Server page, supply the requested information: In Federation service name: Enter the address of the Federation service name, like fs.adatum.dk; In. On the Proxy server I get the following errors in event log when trying to connect: Event 391: The federation server Proxy was able to successfully establish a trust with the federation service. Event 422: Unable to retrieve proxy configuration data from the federation service. On the local ADFS server I get.

After you finish setting up the computer, verify that the federation server proxy is working as expected. For more information, see Verify That a Federation Server Proxy Is Operational.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To configure a computer for the federation server proxy role

1. There are two ways to start the AD FS Federation Server Configuration Wizard. To start the wizard, do one of the following:

   • On the Start screen, typeAD FS Federation Server Proxy Configuration Wizard, and then press ENTER.

   • Anytime after the setup wizard is complete, open Windows Explorer, navigate to the C:WindowsADFS folder, and then double-click FspConfigWizard.exe.

2. Using either method, start the wizard, and on the Welcome page, click Next.

3. On the Specify Federation Service Name page, under Federation Service name, type the name that represents the Federation Service for which this computer will act in the proxy role.

4. Based on your specific network requirements, determine whether you will need to use an HTTP proxy server to forward requests to the Federation Service. If so, select the Use an HTTP proxy server when sending requests to this Federation Service check box, under HTTP proxy server address type the address of the proxy server, click Test Connection to verify connectivity, and then click Next.

5. When you are prompted, specify the credentials that are necessary to establish a trust between this federation server proxy and the Federation Service.

   By default, only the service account used by the Federation Service or a member of the local BUILTINAdministrators group can authorize a federation server proxy.

6. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring this computer with these proxy settings.

7. On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.

   There is no Microsoft Management Console (MMC) snap-in to use for administering federation server proxys. To configure settings for each of the federation server proxys in your organization, use Windows PowerShell cmdlets.

Configuring an Alternate TCP/IP Port for Proxy Operations

By default, the federation server proxy service is configured to use TCP port 443 for HTTPS traffic and port 80 for HTTP traffic for communication with the federation server. To configure different ports, such as TCP port 444 for HTTPS and port 81 for HTTP, the following tasks must be completed.

Note

If you intend to initially deploy AD FS to operate under alternate TCP/IP ports, you should first modify ports in your IIS protocol bindings for HTTP and HTTPS on both the federation server and federation server proxy computers. This should occur before you run the AD FS configuration wizards for initial configuration. If you configure Internet Information Services (IIS) first, your alternate TCP/IP port settings are discovered when wizard-based configuration occurs within AD FS, and the following procedure is not necessary. If you want to change the port settings later, update IIS protocol bindings first, and then use the following procedure to update port settings appropriately. For more information about editing IIS bindings, see article 149605 in the Microsoft Knowledge Base.

To configure alternate TCP/IP ports for the federation server proxy to use

1. Configure the federation server to use the nondefault ports.

   To do this, specify the nondefault port number by including it with the HttpsPort and HttpPort options as part of the Set-ADFSProperties cmdlet. For example, to configure these ports, use the following commands in the Windows PowerShell session on the federation server computer:

2. Configure the federation server proxy to use the nondefault port.

   To do this, specify the nondefault port number by including it with the HttpsPort and HttpPort options as part of the Set-ADFSProxyProperties cmdlet. For example, to configure these ports, use the following commands in the Windows PowerShell session on the federation server computer:

   Note

   Endpoint URLs are not enabled by default for the federation server proxy service. If you are configuring a new federation server installation, you must enable federation server proxy service endpoints first. For example, it is assumed that for all the endpoints that the example in this procedure refers to you have enabled them for proxy by selecting them in the AD FS Management snap-in and then selecting Enable on proxy.

3. Update the IIS installation at the federation server proxy so that Security Assertion Markup Language (SAML) and WS-Trust endpoints are configured to reflect the updated port number. To do this, you can use Notepad to modify the following in the Web.config file, which is located at systemdrive%inetpubadfsls on the federation server proxy computer. For example, assuming that you have a federation server named sts1.contoso.com and the new port number is 444, browse to and open the Web.config file in Notepad on the federation server proxy computer, locate the following section, modify the port number as highlighted below, and then save and exit Notepad.

4. Add the federation server proxy service user account to the access control list (ACL) for the related endpoint URLs. For example, if the port number is 1234 and the user account that is used to run the AD FSfederation server proxy service under is the built-in Network Service account, type the following command at a command prompt:

   The previous commands must be run on both the federation server and the federation server proxy computers.

Additional references

Troubleshoot Azure AD connectivity. 7 minutes to read.In this articleThis article explains how connectivity between Azure AD Connect and Azure AD works and how to troubleshoot connectivity issues. These issues are most likely to be seen in an environment with a proxy server. Troubleshoot connectivity issues in the installation wizardAzure AD Connect is using Modern Authentication (using the ADAL library) for authentication. The installation wizard and the sync engine proper require machine.config to be properly configured since these two are.NET applications.In this article, we show how Fabrikam connects to Azure AD through its proxy. The proxy server is named fabrikamproxy and is using port 8080.First we need to make sure is correctly configured. NoteIn some non-Microsoft blogs, it is documented that changes should be made to miiserver.exe.config instead.

However, this file is overwritten on every upgrade so even if it works during initial install, the system stops working on first upgrade. For that reason, the recommendation is to update machine.config instead.The proxy server must also have the required URLs opened. The official list is documented in.Of these URLs, the following table is the absolute bare minimum to be able to connect to Azure AD at all. This list does not include any optional features, such as password writeback, or Azure AD Connect Health.

It is documented here to help in troubleshooting for the initial configuration. URLPortDescriptionmscrl.microsoft.comHTTP/80Used to download CRL lists.verisign.comHTTP/80Used to download CRL lists.entrust.netHTTP/80Used to download CRL lists for MFA.windows.netHTTPS/443Used to sign in to Azure AD.secure.aadcdn.microsoftonline-p.comHTTPS/443Used for MFA.microsoftonline.comHTTPS/443Used to configure your Azure AD directory and import/export data.Errors in the wizardThe installation wizard is using two different security contexts.

On the page Connect to Azure AD, it is using the currently signed in user. On the page Configure, it is changing to the. If there is an issue, it appears most likely already at the Connect to Azure AD page in the wizard since the proxy configuration is global.The following issues are the most common errors you encounter in the installation wizard. Domain Information UnavailableAuthentication was successful.

Could not retrieve domain information from Azure AD. Unspecified Authentication FailureShown as Unexpected error in the installation wizard. Can happen if you try to use a Microsoft Account rather than a school or organization account. Troubleshooting steps for previous releases.With releases starting with build number 1.1.105.0 (released February 2016), the sign-in assistant was retired. This section and the configuration should no longer be required, but is kept as reference.For the single-sign in assistant to work, winhttp must be configured. This configuration can be done with.The Sign-in assistant has not been correctly configuredThis error appears when the Sign-in assistant cannot reach the proxy or the proxy is not allowing the request. If you see this error, look at the proxy configuration in and verify it is correct.

If that looks correct, follow the steps in to see if the issue is present outside the wizard as well.Next stepsLearn more about. Related Articles.