ADFS WAP Proxy – An error occurred when attempting to establish a trust relationship with the federation service.

Environment

  • Windows 2012 R2 server on the LAN with the Active Directory Federation Service Role installed
  • Windows 2012 R2 server in the DMZ with the Remote Access role and the Web Application Proxy (WAP) feature installed

Problem

Running the Web Application Proxy Configuration Wizard produced the following error:

“An error occurred when attempting to establish a trust relationship with the federation service. Error:  The request was aborted:  Could not create SSL/TLS secure channel”

Event ID 393 was written to the event log.

This is a relatively common error, usually caused by a problem with the certificates, the ports, or the permissions of the account used to run the wizard; a quick web search turns up plenty of examples and solutions.

However, I have to admit that after a lot of troubleshooting I was stumped. I opened a support ticket with the good folks at Microsoft Premier Support. After a 6-hour remote support session (with a great engineer), we found the problem.

A network trace from both the Proxy and the ADFS server, together with a seemingly unrelated Event ID 36874 on the ADFS server, provided the clues to the cause of the problem.

Cause

The template from which the Windows 2012 R2 servers had been deployed included server hardening: specifically, ciphers, protocols, hashes and key exchange algorithms disabled through multiple SCHANNEL subkeys. As the keys below show, every symmetric cipher (AES 128, AES 256, RC4 and Triple DES) and both the Diffie-Hellman and ECDH key exchange algorithms were set to disabled. With no symmetric cipher left, Schannel has no TLS 1.2 cipher suite it can negotiate at all, no matter that TLS 1.2 itself was enabled. That is exactly what Schannel Event ID 36874 reports (a TLS connection request was received, but none of the cipher suites supported by the client are supported by the server), and why the wizard sees "Could not create SSL/TLS secure channel".

The hardened server registry for the Security Providers looked like this

The specific server hardened registry keys were as follows:

  1. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
    1. “Enabled”=dword:00000000
  2. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
    1. “Enabled”=dword:00000000
  3. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    1. “Enabled”=dword:00000000
  4. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    1. “Enabled”=dword:00000000
  5. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
    1. “Enabled”=dword:00000000
  6. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    1. “Enabled”=dword:00000000
  7. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    1. “Enabled”=dword:00000000
  8. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    1. “Enabled”=dword:00000000
  9. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    1. “Enabled”=dword:00000000
  10. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    1. “Enabled”=dword:00000000
  11. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
    1. “Enabled”=dword:00000000
  12. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
    1. “Enabled”=dword:00000000
  13. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
    1. “Enabled”=dword:00000000
  14. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
    1. “Enabled”=dword:00000000
  15. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
    1. “Enabled”=dword:00000000
  16. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
    1. “Enabled”=dword:ffffffff
  17. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
    1. “Enabled”=dword:ffffffff
  18. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
    1. “Enabled”=dword:ffffffff
  19. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
    1. “Enabled”=dword:00000000
  20. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
    1. “Enabled”=dword:00000000
  21. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
    1. “Enabled”=dword:ffffffff
  22. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  23. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  24. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  25. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  26. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    1. “DisabledByDefault”=dword:00000001
    2. “Enabled”=dword:00000000
  27. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  28. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  29. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  30. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  31. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  32. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  33. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  34. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    1. “Enabled”=dword:ffffffff
    2. “DisabledByDefault”=dword:00000000
  35. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    1. “Enabled”=dword:ffffffff
    2. “DisabledByDefault”=dword:00000000


Solution

Removed the hardened SCHANNEL registry keys on both the ADFS & PROXY servers and rebooted.

The cleaned-up registry looked like this:
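The removal step above, as an added script that is not the post's own code: it exports the SCHANNEL subtree to a .reg backup with reg.exe (which, unlike the HKLM: provider, copes with key names containing a forward slash), deletes only the four hardened categories so Schannel falls back to the OS defaults, and provides a handshake check to run after the reboot. It goes slightly beyond the post in that the post did not describe a verification step. The script performs the deletion when run; it assumes an elevated session on both the ADFS and the WAP server, and C:\SchannelBackup and adfs.example.com are placeholder values.

```powershell
# Added remediation and verification script; not the post's own code.
# Assumptions: run elevated on BOTH the ADFS and the WAP server;
# C:\SchannelBackup and adfs.example.com are placeholders.
$SchannelReg  = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$BackupDir    = 'C:\SchannelBackup'

function Backup-Schannel {
    # reg.exe exports key names such as "AES 128/128" that the HKLM: provider
    # cannot address, so the backup is taken with reg.exe rather than Export-*.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ('SCHANNEL-{0}-{1:yyyyMMdd-HHmmss}.reg' -f $env:COMPUTERNAME, (Get-Date))
    & reg.exe export $SchannelReg $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $file
}

function Remove-SchannelHardening {
    # Deletes only the four categories the hardening template populated; the
    # SCHANNEL key itself and any other values under it are left alone.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelPath, $true)
    foreach ($category in 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms', 'Protocols') {
        $sub = $root.OpenSubKey($category)
        if ($null -ne $sub) {
            $sub.Close()
            $root.DeleteSubKeyTree($category)
            Write-Host "Removed $category; Schannel now uses the OS defaults for it."
        }
    }
    $root.Close()
}

function Test-TlsHandshake {
    # Run after the reboot, from the WAP, against the federation service name.
    # SslStream uses the local Schannel, so this exercises both the client's
    # and the server's cipher/protocol configuration, like the wizard does.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            Cipher      = '{0} {1}-bit' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            KeyExchange = '{0} {1}-bit' -f $ssl.KeyExchangeAlgorithm, $ssl.KeyExchangeStrength
            Hash        = $ssl.HashAlgorithm
            Subject     = $ssl.RemoteCertificate.Subject
        }
    } finally {
        $client.Close()
    }
}

$backup = Backup-Schannel
Write-Host "Backup written to $backup"
Remove-SchannelHardening
Write-Host 'Reboot now; Schannel reads these keys only at startup.'
# After the reboot, from the WAP server (placeholder host name):
# Test-TlsHandshake -HostName 'adfs.example.com'
```

Deleting the Protocols subkeys also returns SSL 3.0 and TLS 1.0 to their Windows 2012 R2 defaults, so once the proxy trust is established and the handshake check reports a TLS 1.2 session with an AES cipher, reapply a hardening that disables the old protocols but leaves AES 128/256, ECDH and Diffie-Hellman enabled; it was the disabled ciphers and key exchanges, not the protocol settings, that broke the trust setup.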
