I've seen some posts that indicate similar issues, but I'm not clear where they ended up.
We have 2 internal ADFS 3.0 servers and 2 WAPs in the DMZ.
I'm following this doc to load balance the internal servers: https://support.kemptechnologies.com/hc/en-us/articles/204250925-AD-FS-v3 and they seem to work fine, but the web application proxy servers in the DMZ are then unable to talk to the internal servers. You get event 422:
"Unable to retrieve proxy configuration data from the Federation Service."
According to this article: http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx this behaviour is totally normal, because ADFS generates an internal certificate that is used to communicate with the WAPs. If you put a load balancer with SSL acceleration in between, you start using a different certificate and it doesn't like that.
So for a test, I deactivate the SSL acceleration and that restores the connectivity.
But since the Kemp documentation recommends doing this with SSL acceleration, I would like to fix that. What's my mistake here?
Our ADFS address is sts.ourdomain.com. Internally, this is pointing at the load balancer VS IP. The WAPs resolve that to the same address. From the internet, sts.ourdomain.com is pointing at the WAPs.
For the SNI host name, I've put in sts.ourdomain.com.
We use a *.ourdomain.com certificate which is installed on all 4 servers and the load balancer VS. This is the certificate we specify when initiating the trust from the WAP with the Install-WebApplicationProxy command.
Thanks in advance.
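A diagnostic that helps with exactly this situation, added here as an example and not part of the original post or of Kemp's or Microsoft's documentation: it connects to each hop in the path (a direct ADFS node, the load balancer virtual service, a WAP) with the SNI name sts.ourdomain.com, records the SHA-256 thumbprint of the server certificate actually presented, and reports which hops present something other than the certificate installed on the ADFS servers. A hop that presents a different certificate is terminating TLS itself, and the WAP's proxy trust (which relies on the TLS session reaching the ADFS server end-to-end) cannot survive that. The IP addresses, the expected thumbprint and the endpoint labels are placeholders I made up for the example; the only value taken from the post is the SNI name.

```python
"""Added example: find which hop in the path to ADFS re-terminates TLS.

Assumed/constructed values (NOT from the post): the endpoint addresses,
the EXPECTED_THUMBPRINT placeholder and the labels in ENDPOINTS.
"""
import hashlib
import socket
import ssl

SNI_NAME = "sts.ourdomain.com"  # the federation service name from the post

# Placeholder: SHA-256 thumbprint of the *.ourdomain.com certificate as
# installed on the ADFS servers (e.g. from Get-ChildItem Cert:\LocalMachine\My).
EXPECTED_THUMBPRINT = "0000000000000000000000000000000000000000000000000000000000000000"

# Constructed endpoint list: label -> IP or host to connect to on 443.
ENDPOINTS = {
    "adfs-node-1 (direct)": "10.0.0.11",
    "adfs-node-2 (direct)": "10.0.0.12",
    "kemp VS (internal)": "10.0.0.100",
    "wap-1 (DMZ)": "192.0.2.21",
}


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, upper-case hex."""
    return hashlib.sha256(der).hexdigest().upper()


def fetch_cert_fingerprint(target: str, sni: str = SNI_NAME, port: int = 443,
                           timeout: float = 5.0) -> str:
    """Connect to `target`, send `sni` as the TLS server name, and return the
    thumbprint of the leaf certificate the far end presents.

    Chain/hostname verification is deliberately off: the question is *which*
    certificate is presented, not whether it validates.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((target, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_of_der(der)


def find_reterminating_hops(presented: dict, expected: str) -> dict:
    """Given {label: thumbprint}, return the hops whose presented certificate
    differs from the one on the ADFS servers. Each such hop terminates TLS
    itself, which is what breaks the WAP-to-ADFS proxy trust."""
    return {label: fp for label, fp in presented.items()
            if fp.upper() != expected.upper()}


def survey(endpoints: dict = ENDPOINTS) -> dict:
    """Collect thumbprints from every endpoint; unreachable hops are recorded
    as the string 'ERROR: ...' so one failure does not abort the survey."""
    results = {}
    for label, target in endpoints.items():
        try:
            results[label] = fetch_cert_fingerprint(target)
        except (OSError, ssl.SSLError) as exc:
            results[label] = f"ERROR: {exc}"
    return results


if __name__ == "__main__":
    seen = survey()
    for label, fp in seen.items():
        print(f"{label:24} {fp}")
    bad = find_reterminating_hops(
        {k: v for k, v in seen.items() if not v.startswith("ERROR")},
        EXPECTED_THUMBPRINT)
    if bad:
        print("\nHops presenting a different certificate (TLS terminated here):")
        for label in bad:
            print(f"  - {label}")
    else:
        print("\nEvery hop presented the ADFS servers' own certificate.")
```

Expected reading of the output: the direct ADFS nodes and a Layer 4 / SSL-passthrough virtual service should all show the same thumbprint as EXPECTED_THUMBPRINT; a virtual service doing SSL acceleration (offload or re-encrypt) shows its own certificate, even when that is a copy of the same wildcard, because the TLS session, and with it the WAP's client-certificate-based trust, now ends at the load balancer rather than at ADFS.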