Netherlands: Software

Introductie Windows Server 2016

Issue link:

Contents of this Issue


Page 111 of 173

103 C H A P T E R 4 | Networking corruption. It's also possible that the AD FS server cannot be reached due to a network issue and therefore the AD FS database is not readable. There are several paths to resolution for these types of errors: Run the Install-WebApplicationProxy cmdlet again to clear up configuration issues. Confirm network connectivity to the AD FS server from the Web Application Proxy server. Verify that the WebApplicationProxy service is running on the Web Application Proxy server. Supporting non-SPI-capable clients Server Name Indication (SNI) is a feature of Secure Sockets Layer (SSL) Transport Layer Security (TLS) that is used in Web Application Proxy server and AD FS to reduce network infrastructure requirements. Traditionally, an SSL certificate had to be bound to an IP address/port combination. This meant that you would need to have a separate IP address configured if you wanted to bind a different certificate to the same port number on a server. With the use of SNI, a certificate is instead bound to the host name and port, allowing you to conserve IP addresses and reduce complexity. It's important to realize that SNI relies on the requesting client supporting SNI. If the SSL Client Hello doesn't contain the SNI header, http.sys won't be able to determine which certificate to offer the client and will reset the connection. Most modern clients support SNI, but there are some clients that tend to cause issues. Generally, older browsers, legacy operating systems, hardware load balancers, health probes, older versions of WebDAV, ActiveSync on Android, and some older VoIP conferencing devices might be non-SNI- capable devices. If it is necessary to support non-SNI clients, the easiest solution is to create a fallback certificate binding in http.sys. The fallback certificate needs to include any fully qualified doman names (FQDNs) that may need to be supported, including the FQDN for the AD FS service itself (, the FQDN of any applications published via Web Application Proxy (, and the FQDN to support Enterprise registration ( if you are using Workplace Join. When you have generated the certificate, get the application GUID and certificate thumbprints in use by using the following Windows PowerShell cmdlet: Get-WebApplicationProxyApplication | fl Name,ExternalURL,ExternalCertificateThumbprint Now that you have the application GUID and certificate thumbprint, you can bind it to the IP wildcard and port 443 by using the following syntax: netsh http add sslcert ipport= certhash=certthumprint appid={applicationguid} Note that this will need to be run on each server in the AD FS farm, as well as on any Web Application Proxy server. More info You can find technical details on SNI as a subsection of the TLS Extensions RFC at

Articles in this issue

Links on this page

Archives of this issue

view archives of Netherlands: Software - Introductie Windows Server 2016