ADFS 3.0 / Web Application Proxy Server 2012 R2 error

I have a working ADFS 3.0 (2012 R2) server running. It successfully operates to log me on to Office365 both on and off premises.

I am trying to install the Web Application Proxy role on a second machine in order to proxy Sharepoint 2013. I am getting stuck with an error message:

An error occurred when attempting to create the proxy trust certificate.

My ADFS server is a one-server farm. The host name of the server is adfs-host.domain.local, and the ADFS name is adfs.domain.org.

    PS C:\Windows\system32> Install-WebApplicationProxy -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'adfs.domain.org'
cmdlet Install-WebApplicationProxy at command pipeline position 1
Supply values for the following parameters:
FederationServiceTrustCredential
Install-WebApplicationProxy : An error occurred when attempting to create the proxy trust certificate.
At line:1 char:1
+ Install-WebApplicationProxy -CertificateThumbprint 'xxxxxxxxxxxxxxxxxxxxxxx ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], ProxyTrustException
    + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand


Message                                 Context                                                                  Status
-------                                 -------                                                                  ------
An error occurred while attempting t... DeploymentTask                                                            Error

I have a DNS A record point adfs.domain.org to the same IP as adfs-host.domain.local.

The name of my Web Application Proxy server is wap-host.domain.local. I copied the GoDaddy Certificate onto both machines with the private key, and installed it into the local machine personal certificate store. It is set as the Service Communications Certificate. I installed the full certificate chain on to both machines. It is a UCC certificate with 5 subject alternate names--the main one is not adfs.domain.org, but it does work for ADFS.

I tried with the firewall on and off, and I ran wireshark--it looks like it is failing at an earlier step since I didn't see any traffic attempted to the IP of my ADFS server.

The credentials I tried supplying--both a local account that has administrative access on the ADFS server, and a domain admin account.

Thanks User1721192. I am willing to try changing the DNS, but it doesn't seem like this is where the problem is originating. I am trying to set up the first WAP. Right now the adfs is working fine pointing directly to the ADFS server. If I change the DNS, it will stop working until the WAP is set up. In other words, it will break the working setup.

Yes you will need a working WAP of course. I have also set it up, and it is working smoothly. Important thing is that all clients should resolve the domainnames of all relying parties to the WAP, and that the WAP knows the 'real IP' of the relying parties (e.g. configured in the hosts file of the WAP). Let me know if this still gives issues. By the way, the windows event viewer has helped me a lot.

It is failing well before anything with DNS names come up, the error is with generating some certificate. Unfortunately the event log just offers the same error message about creating the proxy trust certificate. I am going to try a rebuild and report back.

Okay I see. Does the user you specified (local administrator account) have permissions to read the private key? (please refer to technet.microsoft.com/en-us/library/… section "To confirm that private keys for certificates are accessible by the AD FS 2.0 service user account".

It does not matter what credentials I use--it fails prior to testing the credentials. However, I tried using a domain administrator account and an account that I explicitly assigned permissions to read the private key with.

Could you tell me during which step it is failing exactly then?