Error 422 and 276 when deploying a Web Application Proxy Server

When deploying a Web Application Proxy server that connects to an AD FS 2012 R2 farm, the WAP server reports sporadic 422 and 276 errors.

  • Error 422: Unable to retrieve proxy configuration data from the Federation Service
  • Error 276: The federation server proxy was not able to authenticate to the Federation Service

Recommended Action:

The solution I have found to fix this most often is to bind the SSL certificate used for the ADFS service to a fallback (IP-based, wildcard address) binding in addition to the hostname binding. Follow these steps on all your ADFS 3.0 servers to add the fallback binding:

Make sure that you have installed all available updates for Windows Server 2012 R2 after adding and configuring the ADFS STS or WAP Proxy role.

  1. Open a Command Prompt as administrator.
  2. To list all current SSL certificate bindings, run the following command:
    netsh http show sslcert
  3. Mark and copy the ‘Certificate Hash’ value to Notepad.
  4. Mark and copy the ‘Application ID’ value to Notepad.
    (The Application ID is what associates the binding with ADFS 3.0 (for the internal STS servers) or with WAP (for the ADFS Proxy).)
  5. Now run the following command, inserting the ‘Certificate Hash’ and ‘Application ID’ values you noted above:
    netsh http add sslcert ipport=0.0.0.0:443 certhash=Insert_Certificate_Hash_Here appid={Insert_Application_ID_here}
  6. Restart the machine and repeat the steps on the remaining ADFS 3.0 machines.

It’s also worth thinking about doing the same thing to WAP servers that use any kind of external load balancing.

Default application IDs:

  • ADFS: {5d89a20c-beab-4389-9447-324788eb944a}
  • WAP: {f955c070-e044-456c-ac00-e9e4275b3f04}

NOTE: Once this fallback binding is in place, its certificate hash must also be updated whenever the ADFS service certificate is renewed, otherwise the fallback binding keeps serving the old certificate!
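The steps above done as a repeatable check, as an added example that is not part of the original post: it parses the `netsh http show sslcert` output, picks the binding whose Application ID matches one of the default IDs listed above (assumed to be the defaults in use; adjust `$KnownAppIds` otherwise), adds the 0.0.0.0:443 fallback binding only if it is missing, and warns when an existing fallback binding still carries a different (old) certificate hash.

```powershell
# Added example, not part of the original post: parse 'netsh http show sslcert',
# locate the AD FS / WAP binding by its Application ID, and add the 0.0.0.0:443
# fallback binding only when it is missing. Run from an elevated PowerShell prompt.
$KnownAppIds = @{                                      # default IDs quoted in the post
    '{5d89a20c-beab-4389-9447-324788eb944a}' = 'ADFS'
    '{f955c070-e044-456c-ac00-e9e4275b3f04}' = 'WAP'
}

function Get-SslCertBindings {
    # netsh prints one "Key : Value" line per property; blank lines separate bindings.
    $bindings = @(); $current = @{}
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(.+?)\s+:\s+(.+?)\s*$') {
            $current[$matches[1]] = $matches[2]
        } elseif ($line.Trim() -eq '' -and $current.Count -gt 0) {
            $bindings += [pscustomobject]$current; $current = @{}
        }
    }
    if ($current.Count -gt 0) { $bindings += [pscustomobject]$current }
    return $bindings
}

$bindings = Get-SslCertBindings
$source = $bindings |
    Where-Object { $KnownAppIds.ContainsKey([string]$_.'Application ID') -and $_.'Certificate Hash' } |
    Select-Object -First 1
if (-not $source) { throw 'No AD FS or WAP SSL binding found; is the role installed and configured?' }

$hash  = $source.'Certificate Hash'
$appId = $source.'Application ID'
$endpoint = if ($source.'Hostname:port') { $source.'Hostname:port' } else { $source.'IP:port' }
Write-Host "Found $($KnownAppIds[$appId]) binding on $endpoint using certificate $hash"

$fallback = $bindings | Where-Object { $_.'IP:port' -eq '0.0.0.0:443' } | Select-Object -First 1
if ($fallback) {
    if ($fallback.'Certificate Hash' -ne $hash) {
        # The renewal trap from the NOTE above: the fallback still points at an old certificate.
        Write-Warning "Fallback binding exists but uses certificate $($fallback.'Certificate Hash'); update it to $hash"
    } else {
        Write-Host 'Fallback binding already present with the current certificate; nothing to do.'
    }
} else {
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$hash appid="$appId"
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed with exit code $LASTEXITCODE" }
    Write-Host 'Fallback binding added; restart this server and repeat on the remaining servers.'
}
```

Running the script again after a certificate renewal surfaces the stale fallback binding as a warning instead of silently leaving it in place.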

For further information, check out these links:

How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2
Understanding and fixing Proxy Trust CTL Issues with AD FS 2012 R2 and Web Application Proxy
