I don't know if anyone has seen this issue or has any ideas?
We've recently migrated ADFS from ADFS 2.1 on W2008r2 to ADFS 4.0 on W2016.
Basic functionality seems fine but I'm seeing an issue with updating federation metadata with all of my relying party trusts; attempting to right-click and select "Update from Federation Metadata..." (or going to properties, monitoring, test URL) gives the following error:
"An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid metadata endpoint".
The error message associated is
Method not found: 'Microsoft.identitymodel.protocols.WSFederation.Metadata.MetadataBase Microsoft.Identity.Model.Protocols.WSFederation.Metadata.MetadataSerializer.ReadMetadata(System.IO.Stream)'.
There is no proxy server required and no proxy server defined. I can browse to the federation metadata URL just fine in IE on the ADFS server and get the expected XML page. I've checked that certificates are correctly defined, that the ADFS service account has read access to them, etc.
There are no error messages in the event log either at service start or when trying to test/update metadata. Trying to add a new relying party trust gives the same error.
I've run the ADFS diagnostics, and test-adfsserverhealth gives an error which I think is key, but I don't know where to go next.
Name : PingFederationMetadata
Result : Fail
Detail : System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
--- End of inner exception stack trace ---
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadData(Uri address)
at CallSite.Target(Closure , CallSite , Object , Object )
Output : {PingFedmetadataException}
ExceptionMessage :
Looks like you are running into the issue described in https://blogs.technet.microsoft.com/pie/2016/10/23/adfs-2016-cannot-addupdate-relying-party-from-the-gui-from-metadata-files/
I had this issue as well until I discovered the TLS settings between the two systems were in conflict. The server hosting the metadata was set to use only TLS 1.2 while the ADFS server running on Windows Server 2016 was set to the default TLS settings. When I changed the ADFS server to only use TLS 1.2, the issue was resolved.
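The answer above points at a TLS version mismatch between the ADFS host and the server publishing the metadata. The following PowerShell script is an added diagnostic, not code from this thread or from Microsoft: it repeats the PingFederationMetadata download with each TLS version forced in turn, then lists the SChannel client protocol switches and the .NET Framework strong-crypto flags on the ADFS host, which together decide what a WebClient offers by default. The metadata URL is a placeholder to replace with your relying party's endpoint; the registry paths are the standard SChannel and .NET Framework locations, and the interpretation (failure on older versions but success on Tls12 indicates the mismatch) is the added reasoning, not a statement from the thread.

```powershell
# Added diagnostic for the TLS mismatch described above; not code from the thread.
# $MetadataUrl is a placeholder: replace with the relying party's federation metadata endpoint.
param(
    [string]$MetadataUrl = 'https://rp.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
)

# Reproduce the PingFederationMetadata check with one protocol version forced at a time.
# A "forcibly closed by the remote host" failure on Tls/Tls11 alongside success on Tls12
# is the signature of the remote side accepting only TLS 1.2.
function Test-MetadataDownload {
    param(
        [string]$Url,
        [Net.SecurityProtocolType]$Protocol
    )
    $previous = [Net.ServicePointManager]::SecurityProtocol
    try {
        [Net.ServicePointManager]::SecurityProtocol = $Protocol
        $client = New-Object System.Net.WebClient
        $xml = [xml]$client.DownloadString($Url)
        # WS-Federation metadata has EntityDescriptor as its document element
        $root = $xml.DocumentElement.LocalName
        [pscustomobject]@{ Protocol = $Protocol; Result = 'OK'; Detail = "root element $root" }
    } catch {
        $msg = $_.Exception.GetBaseException().Message
        [pscustomobject]@{ Protocol = $Protocol; Result = 'Fail'; Detail = $msg }
    } finally {
        [Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

foreach ($name in 'Tls', 'Tls11', 'Tls12') {
    Test-MetadataDownload -Url $MetadataUrl -Protocol ([Net.SecurityProtocolType]$name)
}

# Show what this host's SChannel client side allows. A missing value means the OS default applies.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($ver in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $schannel "$ver\Client"
    $enabled = 'default'
    $disabledByDefault = 'default'
    if (Test-Path $key) {
        $props = Get-ItemProperty $key
        if ($null -ne $props.Enabled) { $enabled = $props.Enabled }
        if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
    }
    [pscustomobject]@{ Protocol = $ver; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
}

# .NET Framework 4.x flags that control whether managed clients (such as the ADFS
# metadata reader) offer TLS 1.2 by default; null means the value is not set.
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($net in $netKeys) {
    $props = Get-ItemProperty $net -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                      = $net
        SchUseStrongCrypto       = $props.SchUseStrongCrypto
        SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions
    }
}
```

Run it in an elevated PowerShell session on the ADFS server. If only the Tls12 download succeeds and the .NET flags are unset, the client side is offering an older protocol than the metadata host accepts, which matches the symptom in the question; changing those settings restarts the ADFS service's view of the defaults, so review the affected relying parties after the change rather than assuming the GUI alone is involved.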