Web Application Proxy fails with Error Code 0x8007520C

Author: Shannon Fritz

I recently needed to move my lab environment to a new location, which meant a slightly extended downtime (I’m pretty busy) and a new set of public IPs. I’m uncertain if it’s related, but one side effect of the move was that the console of my Web Application Proxy (WAP) said “The operation stopped due to an unknown general error” and gave me Error code 0x8007520C.

A web search for this error code literally turned up zero results, so I thought I was pretty far out in the weeds with this one on my own. On the WAP server, I found Event ID 422 in the Event Log which told me that it could not load the configuration data.

The full text of the error message reads…

Unable to retrieve proxy configuration data from the Federation Service. 

Additional Data

Trust Certificate Thumbprint: 090D9BB9B0471127EDE9CEA66C2AE79223E349FC

Status Code: Unauthorized

Exception details: System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

I took a look at the ADFS server, which otherwise appeared to be functioning normally, but I found Event ID 276 in the Event Log there stating that the proxy server (WAP) could not authenticate.

The full text of the error:

The federation server proxy was not able to authenticate to the Federation Service. 

User Action

Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet.

Additional Data

Certificate details:

Subject Name:

Thumbprint:

NotBefore Time:

NotAfter Time:

One curious item was that the event log on the WAP shows a certificate thumbprint, but the ADFS server seems to be missing one. So I wanted to know which certificate the WAP was referring to.

dir Cert:\LocalMachine\My

I used PowerShell to list all of the certificates so I could look for a matching thumbprint, but I found no such cert. There was no certificate with a matching thumbprint on the ADFS server either! I have no idea where that thumbprint came from… Maybe it’s time to try the fix suggested in the first event log and use the Install-WebApplicationProxy cmdlet.

Using the thumbprint of the certificate that I want the WAP to use, I am prompted for the service account credentials when I use the following command.

Install-WebApplicationProxy -CertificateThumbprint '36E56E2F7ECE610C330EE370125454BBE5735A74' -FederationServiceName 'adfs.techrede.net'

This completed successfully, and after opening the WAP Console again, I can now see the list of Published Web Apps has returned!
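As an added example (not part of Shannon's post), the following PowerShell script runs the same triage on the WAP server: it pulls the latest Event ID 422, extracts the trust certificate thumbprint from its message, checks Cert:\LocalMachine\My for that certificate and its validity, lists candidate certificates, and prints the Install-WebApplicationProxy command to run. The admin log name and the "Trust Certificate Thumbprint:" message pattern are assumptions based on the event text above; the federation service name is the one from the post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the WAP server.
# ASSUMPTIONS: the WAP admin log is 'Microsoft-Windows-WebApplicationProxy/Admin' and the
# Event ID 422 message contains 'Trust Certificate Thumbprint: <40 hex chars>' as shown above.
param(
    [string]$FederationServiceName = 'adfs.techrede.net',  # value from the post
    [int]$MaxEvents = 20
)

$logName = 'Microsoft-Windows-WebApplicationProxy/Admin'   # assumed log name

# 1. Pull recent Event ID 422 entries (WAP could not retrieve its configuration from AD FS).
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 422 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No Event ID 422 entries in $logName; the proxy trust looks intact."
    return
}

# 2. Extract the trust certificate thumbprint that WAP says it is presenting to AD FS.
$latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
$tp = $null
if ($latest.Message -match 'Trust Certificate Thumbprint:\s*([0-9A-Fa-f]{40})') {
    $tp = $Matches[1].ToUpper()
}
Write-Output ("Latest 422 at {0}; trust thumbprint: {1}" -f $latest.TimeCreated,
              $(if ($tp) { $tp } else { '<not found in message>' }))

# 3. Look for that thumbprint in the machine store (the post found it on neither server).
$cert = $null
if ($tp) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
}
if ($cert) {
    Write-Output ("Trust cert present: {0} (NotAfter {1})" -f $cert.Subject, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date)) { Write-Output 'WARNING: trust certificate has expired.' }
    if (-not $cert.HasPrivateKey)     { Write-Output 'WARNING: trust certificate has no private key.' }
} else {
    Write-Output 'Trust certificate NOT in Cert:\LocalMachine\My; re-establish trust with AD FS.'
}

# 4. Show usable certificates (private key, not expired) to pick the SSL cert for the repair.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

# 5. Print the repair command; it prompts for the AD FS service account credentials.
Write-Output 'To re-establish trust, run:'
Write-Output ("  Install-WebApplicationProxy -CertificateThumbprint '<thumbprint>' " +
              "-FederationServiceName '$FederationServiceName'")
```

The script only reads the event log and certificate store; the Install-WebApplicationProxy step is printed rather than executed so you can confirm the thumbprint first.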

I was also able to access them externally. Hooray!

The Event Log looks happy now as well. I hope that helps someone, N'joy!

Author

Shannon Fritz

Infrastructure Architect & Server Team Lead