Monday, October 07, 2013

ADFS: Could not establish trust relationship for the SSL/TLS secure channel

The full error:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Trying to get the Web Application Proxy on Server 2012 R2 working with the new ADFS.

Mr. Google to the rescue.

You need to export the certificate (the one behind the federation server name) and import it into the "Computer account" store (not "My user account") under "Trusted Root Certification Authorities". The computer store matters because the WAP service validates the chain as the machine, not as the logged-on user.

And while I'm on the subject:

Every time you try to install the proxy, it creates a certificate under Personal called "ADFS ProxyTrust - machine name".

But if the installation fails, the old ones are not deleted.

Then I got the above error message, but the thumbprint in the message was from a previous attempt, not the latest one.

So I uninstalled WAP and then deleted all these certificates under "Local Computer - Personal - Certificates".

Then I went to the ADFS installation and under the Service tab - "Revoke All Proxies".

Then re-installed WAP.

Then it worked!
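The chain check and the ProxyTrust clean-up described above, as an added PowerShell example (not from the original post), to be run in an elevated prompt on the WAP server. The federation service name, the exported .cer path and the "CN=ADFS ProxyTrust - <machine name>" subject pattern are assumptions taken from the wording of the post; the "Revoke All Proxies" step stays in the ADFS console as described.

```powershell
# Added example, not from the original post. Placeholders: adjust to your environment.
$fsName   = 'adfs.example.com'          # assumed federation service name
$certFile = 'C:\temp\adfs-service.cer'  # assumed path of the exported federation certificate

# 1. Reproduce the trust decision that produced the error: does the certificate behind the
#    federation service name chain to a root this *machine* trusts?
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed lab certs publish no CRL
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("Chain problem for {0}: {1} - {2}" -f $fsName, $_.Status, $_.StatusInformation)
    }
    # Put the certificate in the computer Trusted Root store (Cert:\LocalMachine\Root), not the user store.
    Import-Certificate -FilePath $certFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported $($cert.Subject) into LocalMachine\Root"
} else {
    Write-Host "Chain builds: $($cert.Subject) is trusted by this machine"
}

# 2. List the 'ADFS ProxyTrust - <machine name>' certificates that failed installs leave
#    behind in LocalMachine\My. Compare the thumbprints with the one quoted in the error
#    message before removing anything.
$stale = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.Subject -like "CN=ADFS ProxyTrust - $env:COMPUTERNAME*" }
$stale | Format-Table Thumbprint, NotBefore, NotAfter, Subject -AutoSize

# 3. Remove them only after WAP has been uninstalled; then use "Revoke All Proxies" on the
#    ADFS server and reinstall WAP so a single fresh ProxyTrust certificate is issued.
if ($stale) { $stale | Remove-Item }
```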

Enjoy!

12 comments:

Anonymous said...

Awesome stuff, solved my problem as well - thx

Anonymous said...

Are you using a self signed cert? I am trying to get WAP working in a test lab and don't have a cert from a root CA so am using a self signed one from my own M$ CA server but can't get past the SSL/TLS errors.

nzpcmad said...

Yes - all done with self-signed certificates.

Anonymous said...

Well done author. Your post helped me solve the problem. It saved me hours of work. Thank you very much.

Anonymous said...

This post helped me very much! TNX!

Anonymous said...

In my case I was using the same cert on ADFS and WAP and on WAP the certificate chain was not present. Importing the chain solved it...

Anonymous said...

Great stuff. Worked for me.
Thanks

Rick said...

Thank you!!!!! Here are the steps that led me to success following the error message:

uninstalled remote access service

deleted the proxy trust certs

revoked all proxy trusts from ADFS server

Imported ADFS server cert into personal store

Imported ADFS server cert chain into Trusted Root Certification Authorities store

Alfredo said...

The solution helped resolve my client's problem. The actual error during the wizard was: "Time out has expired and the operation has not been completed"

dhanashree dhamgunde said...

Hello All,
I am facing the below error -
Set-AWSSamlRoleProfile : Unable to set credentials: System.Net.WebException: The underlying connection was closed:
Could not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation
procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest,
Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest
asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest
asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest
asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest
asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest
asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback,
Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state,
Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
I have followed all the steps mentioned in this blog but still no luck. :(
Could anyone please guide me ?
Thanks in Advance!

Anonymous said...

It works for me, thx!

G09 said...

I just wanted to add my fix to these:

Nothing worked until I found out that my load balancer works to pass traffic between the WAP and ADFS servers but not to establish the trust initially. I had to put a hosts entry on the WAP server so the ADFS address resolved to one of the ADFS servers. Once that was done I tried again and the trust was established successfully. Then I could remove the hosts file entry.