Solve JWT WAP authentication problems
Solve JWT authentication errors with ADFS and Windows Azure Pack.
September 8, 2016
Q. I am receiving a 500 error with a JWT10329 detailed error when authenticating with Windows Azure Pack for the tenant and management portals.
A. Ensure you have an up-to-date certificate on your ADFS server. The certificates can be viewed in the ADFS management console under Service - Certificates. If the certificate has expired, request a new certificate, use the Set Service Communications Certificate action to update it, and then also update the SSL binding with PowerShell. The PowerShell below lists the certificates in the local machine store to get the thumbprint, then configures that certificate to be used for SSL:
PS C:\> dir cert:\localmachine\my

   Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint                                Subject
----------                                -------
085F0D04CEB4A3CC95232FDCDCB83BE2F16F9199  CN=savdaladfs01.savilltech.net

PS C:\> Set-AdfsSslCertificate -Thumbprint 085F0D04CEB4A3CC95232FDCDCB83BE2F16F9199

PS C:\> Get-AdfsSslCertificate

HostName                          PortNumber CertificateHash
--------                          ---------- ---------------
localhost                         443        085F0D04CEB4A3CC95232FDCDCB83...
savdaladfs01.savilltech.net       443        085F0D04CEB4A3CC95232FDCDCB83...
savdaladfs01.savilltech.net       49443      085F0D04CEB4A3CC95232FDCDCB83...
EnterpriseRegistration.savillt... 443        085F0D04CEB4A3CC95232FDCDCB83...
The next step is to ensure the ADFS configuration on the WAP server is correct. Replace the connection string with the one for your SQL server and replace the ADFS server name with your own. Running the commands below fixed the WAP authentication errors via ADFS in my environment.
# Load the Windows Azure Pack configuration cmdlets
Import-Module -Name MgmtSvcConfig

# Connection string for the WAP configuration database (change server and credentials to match your environment)
$ConnectionString = 'Data Source=savdalsql01;Initial Catalog=Microsoft.MgmtSvc.Config;User ID=sa;Password=Pa55word'

# Point the tenant and admin portals (relying parties) at the ADFS federation metadata
Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'https://savdaladfs01.savilltech.net/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString
Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://savdaladfs01.savilltech.net/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString

# Configure ADFS as the identity provider for the membership (tenant) and Windows (admin) authentication sites.
# -DisableCertificateValidation is left commented out; only use it for troubleshooting, never in production.
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://savdaladfs01.savilltech.net/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString #-DisableCertificateValidation
Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://savdaladfs01.savilltech.net/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString #-DisableCertificateValidation
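Before re-running the configuration, it helps to confirm that the certificates WAP's token validation depends on are actually in order. The script below is an added pre-check written for this page, not code from the original answer: it lists certificates in the local machine store that are expired or close to expiring, checks that each ADFS SSL binding points at a certificate that exists and is still valid, and compares the primary token-signing certificate ADFS reports with the signing certificates published in the federation metadata that WAP reads. It assumes it is run on the ADFS server with the ADFS PowerShell module available; the `$AdfsFqdn` default and the `$WarnDays` threshold are assumptions you should adjust.

```powershell
# Added pre-check for the ADFS/WAP certificate chain described in the article.
# Assumptions: run on the ADFS server, ADFS module loaded, $AdfsFqdn is your
# ADFS host name (the article uses savdaladfs01.savilltech.net).
param(
    [string]$AdfsFqdn = 'savdaladfs01.savilltech.net',
    [int]$WarnDays = 30
)

$now = Get-Date

# 1. Certificates in LocalMachine\My that are expired or expire within $WarnDays.
Write-Host "== LocalMachine\My certificates expiring within $WarnDays days =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $now.AddDays($WarnDays) } |
    Select-Object Thumbprint, Subject, NotAfter |
    Format-Table -AutoSize

# 2. Each ADFS SSL binding must reference a certificate that exists in the
#    store and is within its validity period.
Write-Host "== ADFS SSL bindings =="
foreach ($binding in Get-AdfsSslCertificate) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
    $state = if (-not $cert) { 'MISSING from store' }
             elseif ($cert.NotAfter -lt $now) { "EXPIRED $($cert.NotAfter)" }
             else { "valid until $($cert.NotAfter)" }
    Write-Host ("{0}:{1} {2} -> {3}" -f $binding.HostName, $binding.PortNumber,
                $binding.CertificateHash, $state)
}

# 3. The primary token-signing certificate must be among the signing
#    certificates published in the federation metadata WAP consumes;
#    otherwise WAP cannot validate the signature on the tokens ADFS issues.
$primarySigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$metadataUrl = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$publishedThumbprints = $metadata.SelectNodes(
    "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object {
        # Decode the base64 DER certificate and take its SHA-1 thumbprint
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)).Thumbprint
    }

Write-Host "== Token-signing certificate =="
Write-Host "ADFS primary: $($primarySigning.Thumbprint) (expires $($primarySigning.Certificate.NotAfter))"
Write-Host "Published in metadata: $($publishedThumbprints -join ', ')"
if ($publishedThumbprints -contains $primarySigning.Thumbprint) {
    Write-Host 'OK: the metadata lists the signing certificate ADFS is using.'
} else {
    Write-Warning 'Metadata does not list the primary token-signing certificate; re-run the Set-MgmtSvc*Settings commands once ADFS publishes the current certificate.'
}
```

Run it as `.\Check-AdfsWapCerts.ps1 -AdfsFqdn adfs.example.com` (the file name is your choice). If step 2 reports a missing or expired binding, apply the Set-AdfsSslCertificate fix above; if step 3 reports a mismatch, the WAP relying-party and identity-provider settings need to be refreshed from the metadata endpoint as shown in the second block.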