I recently needed to move my lab environment to a new location, which meant a slightly extended downtime (I’m pretty busy) and a new set of public IP’s. I’m uncertain if it’s related, but one side effect of the move was that the console of my Web Application Proxy (WAP) said “The operation stopped due to an unknown general error” and gave me Error code 0x8007520C.
A web search for this error code literally turned up zero results, so I thought I was pretty far out in the weeds with this one on my own. On the WAP server, I found Event ID 422 in the Event Log which told me that it could not load the configuration data.
The full text of the error message reads…
Unable to retrieve proxy configuration data from the Federation Service.
Trust Certificate Thumbprint: 090D9BB9B0471127EDE9CEA66C2AE79223E349FC
Status Code: Unauthorized
Exception details: System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()
I took a look at the ADFS server, which otherwise appeared to be functioning normally, but I found Event ID 276 in the Event Log there stating that the proxy server (WAP) could not Authenticate.
The Full text of the error:
The federation server proxy was not able to authenticate to the Federation Service.
User Action Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet.
Additional Data Certificate details: Subject Name: Thumbprint: NotBefore Time: NotAfter Time:
One curious item was that the event log on the WAP shows a certificate thumbprint, but the ADFS server seems to be missing one. So I wanted to know which certificate the WAP was referring to.
I used PowerShell to list all of the certificates so I could look for a matching thumbprint, but I found no such cert. There was no certificate with a matching thumbprint on the ADFS server either! I have no idea where that thumbprint came from… Maybe it’s time to try the fix suggested in the first event log, and using the Install-WebApplicationProxy cmdlet.
Using the thumbprint of the certificate that I want the WAP to use, I am prompted for the service account credentials when I use the following command.
Install-WebApplicationProxy -CertificateThumbprint '36E56E2F7ECE610C330EE370125454BBE5735A74' -FederationServiceName 'adfs.techrede.net'
This completed successfully, and after opening the WAP Console again, I can now see the list of Published Web Apps have returned!
I was also able to access them externally. Horary!
The Event Log looks happy now as well. I hope that helps someone, N'joy!