A customer reported that authentication against the ADFS Proxy server in Azure had stopped working.
Analysis of the server's Event Viewer showed the following error:
EventID: 422 AD FS
Unable to retrieve proxy configuration data from the Federation Service.
Trust Certificate Thumbprint:
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond <ip>:443
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
Investigation of the server showed that resolving the name of the internal ADFS server returned its external IP address. The cause was that the internal DNS record had been removed: in case of a disruption of the MPLS network between the sites, users have to authenticate externally against the ADFS Proxy in Azure for Office 365.
The internal IP address of the ADFS server was entered in the Hosts file of the ADFS Proxy server.
After restarting the ADFS Proxy Wizard, the following Event IDs were returned:
Best practice is for ADFS Proxy servers to use the Hosts file to point to the internal ADFS server, or to the virtual address of a hardware load balancer or an NLB address.
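The check and fix described above, as an added PowerShell example that is not part of the original post: it asks the proxy's own resolver (which consults the Hosts file first) which address the federation service name maps to, warns when that address is not an RFC 1918 internal one, pins the internal address in the Hosts file, and then confirms that port 443 is reachable, since that is the port the Event 422 socket error reports. The federation service name, internal ADFS address and Hosts file layout are assumed placeholders; writing to the Hosts file requires an elevated session.

```powershell
# Added example, not from the original post. Placeholders (assumptions):
#   sts.example.com  - federation service name the proxy must reach
#   10.0.0.10        - internal IP of the ADFS server (or HLB/NLB virtual address)
$FederationService = 'sts.example.com'
$InternalAdfsIp    = '10.0.0.10'
$HostsPath         = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-IsPrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-ResolvedIPv4 {
    param([string]$Name)
    # Uses the OS resolver, so the Hosts file is honoured exactly as the proxy sees it.
    [System.Net.Dns]::GetHostAddresses($Name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
}

# 1. What does the proxy currently resolve for the federation service?
$resolved = @(Get-ResolvedIPv4 -Name $FederationService)
Write-Host "$FederationService currently resolves to: $($resolved -join ', ')"

$needsPin = $false
foreach ($ip in $resolved) {
    if (-not (Test-IsPrivateIPv4 -Address $ip)) {
        Write-Warning "$ip is not an internal address; the proxy would try to reach ADFS via its public IP."
        $needsPin = $true
    }
}

# 2. Pin the internal address in the Hosts file. Idempotent: any existing
#    (non-comment) line that already names the federation service is replaced.
if ($needsPin) {
    $kept = Get-Content -Path $HostsPath | Where-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return $true }
        $tokens = $line -split '\s+'
        # tokens[0] is the IP, the rest are host names/aliases on that line
        -not ($tokens[1..($tokens.Length - 1)] -contains $FederationService)
    }
    $kept += "$InternalAdfsIp`t$FederationService"
    Set-Content -Path $HostsPath -Value $kept -Encoding ASCII
    Clear-DnsClientCache
    Write-Host "Pinned $FederationService to $InternalAdfsIp in $HostsPath"
}

# 3. Confirm the proxy can now reach the federation service on 443.
Test-NetConnection -ComputerName $FederationService -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Run it on the ADFS Proxy server itself, not on the internal ADFS server: the point of the check is to see the name resolution path the proxy actually uses. If `TcpTestSucceeded` is still `False` after pinning, the remaining problem is network reachability (for example the MPLS disruption mentioned above), not DNS.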