I'm trying to install the Azure AD Connect ADFS health agent on the primary server in an ADFS 4.0 farm running on Windows Server 2016.
The installation completes successfully but I get an error on configuration:
Register-AzureADConnectHealthADFSAgent : Could not query the MEX on http ports: 443 in hosts: localhost
At line:1 char:190
+ ... gent\PowerShell\AdHealthAdfs; Register-AzureADConnectHealthADFSAgent}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Register-AzureADConnectHealthADFSAgent], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.RegisterADHealthAdfsAgent
Now I've run that error through the google and it tells me that this could be an STS certificate issue, so I've checked as per the article pointed at there, and there are no issues: no other unexpected or incorrect certificate thumbprint visible, and besides, on ADFS 4.0 you can't change certificates on the secondary servers in an ADFS farm, so even simply trying to re-register the certs didn't help.
Running further diags as per maweeras' suggestions:
PS C:\Users\administrator.INTERNAL> $error[0] | fl * -f
PSMessageDetails :
Exception : System.InvalidOperationException: Could not query the MEX on http ports: 443 in hosts: localhost
at Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.AdfsServiceExaminer.GetAdfsFarmNameFromSts()
at Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.AdfsServiceExaminer.ComputeServiceSignature()
at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
TargetObject :
CategoryInfo : NotSpecified: (:) [Register-AzureADConnectHealthADFSAgent], InvalidOperationException
FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.RegisterADHealthAdfsAgent
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}
The install/config log doesn't seem to tell us anything that isn't already here. I can browse to the MEX endpoint via its FQDN in a web browser.
Looks like the localhost-specific SNI binding for TLS was missing. get-adfssslcertificate should reveal a 443 binding for both the hostname used for the actual service and localhost.
If it is missing, set-adfssslcertificate is the way to fix missing bindings. This will allow the health agent install to succeed.
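The check described in the answer, as an added example that is not part of the original post: it lists the AD FS SSL bindings on this server, verifies that both the federation service hostname and localhost have a 443 binding, and only if the localhost binding is absent re-applies the service certificate with Set-AdfsSslCertificate. It assumes an elevated PowerShell session on the AD FS server and takes the service hostname from Get-AdfsProperties.

```powershell
# Added example (not from the original post). Assumes an elevated session on the AD FS server.
Import-Module ADFS

$serviceName = (Get-AdfsProperties).HostName     # federation service name, e.g. sts.example.com
$bindings    = Get-AdfsSslCertificate

Write-Host "Current AD FS SSL bindings on $env:COMPUTERNAME:"
$bindings | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# The health agent queries the MEX endpoint over https://localhost:443, so the
# localhost binding must exist alongside the one for the service hostname.
$serviceBinding   = $bindings | Where-Object { $_.HostName -eq $serviceName -and $_.PortNumber -eq 443 } | Select-Object -First 1
$localhostBinding = $bindings | Where-Object { $_.HostName -eq 'localhost'  -and $_.PortNumber -eq 443 } | Select-Object -First 1

if (-not $serviceBinding) {
    Write-Warning "No 443 binding found for $serviceName; check the AD FS service configuration before continuing."
    return
}

if ($localhostBinding) {
    Write-Host "localhost:443 binding present (thumbprint $($localhostBinding.CertificateHash)); nothing to do."
}
else {
    Write-Warning "localhost:443 binding is missing; re-applying the service certificate to recreate it."
    # Set-AdfsSslCertificate rewrites the SSL bindings on this server, including the
    # localhost one, using the certificate the service binding already uses.
    Set-AdfsSslCertificate -Thumbprint $serviceBinding.CertificateHash
    Restart-Service adfssrv

    Write-Host "Bindings after repair:"
    Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
}
```

Once the localhost:443 binding shows up in the output, re-run Register-AzureADConnectHealthADFSAgent.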