Upon investigating this issue, I realised that the Cisco core switch failed to learn the IP/MAC address of the ADFS NLB Cluster, and thus caused all servers and workstations to fail to connect to ADFS, and SSO to fail. The interesting part was that the Proxy servers' NLB cluster was working fine, and the Cisco Core Switch was able to learn the MAC and IP without problem. After investigating this issue and not finding anything online, and after deleting and re-creating the cluster, I logged a case with Microsoft. They advised that there's two Microsoft updates which could potentially resolve the NLB connectivity issue:
Update 1
Update 2
These updates were applied to both ADFS servers, and after a reboot, resolved the problem. After testing SSO, it was still failing. Checking the Proxy Servers now, I noticed that they can communicate with the ADFS servers now, but the Web Application Proxy was not connecting with ADFS itself, showing the following event log:
After checking online, this can occur when there's a mismatch with the certificate thumbprint on the ADFS servers, and the Proxy servers. From PowerShell, I ran the following command to see what certificatges were installed on the server, and to confirm the thumbprint of the specific one I wanted to use:
dir Cert:/LocalMachine/My
After obtaining the correct thumbprint, I then ran the following command on the two Proxy Servers:
Install-WebApplicationProxy -CertificateThumbprint 'XXXXXXXXXXXXXXXXXX' -FederationServiceName 'fs.domain.wa.gov.au'
Once this had been completed on both Proxy servers, Single Sign On was now back up and running, and the Proxy Servers could now communicate with the ADFS servers.
No comments:
Post a Comment