Solve JWT WAP authentication problems

Q. I am receiving an error authenticating with Windows Azure Pack for the tenant and management portals with a 500 error and a JWT10329 detailed error.

A. Ensure you have an up-to-date certificate on your ADFS server. The certificates can be viewed in the ADFS management console under Service - Certificates. If the certificate has expired, request a new certificate, use the Set Service Communications Certificate action to update it, and then also update the SSL binding with PowerShell. The PowerShell below lists the certificates in the local machine store to get the thumbprint, then configures that certificate to be used for SSL:

PS C:\> dir cert:\localmachine\my

   Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint                                Subject
----------                                -------
085F0D04CEB4A3CC95232FDCDCB83BE2F16F9199  CN=savdaladfs01.savilltech.net

PS C:\> Set-AdfsSslCertificate -Thumbprint 085F0D04CEB4A3CC95232FDCDCB83BE2F16F9199
PS C:\> Get-AdfsSslCertificate

HostName                          PortNumber CertificateHash
--------                          ---------- ---------------
localhost                                443 085F0D04CEB4A3CC95232FDCDCB83...
savdaladfs01.savilltech.net              443 085F0D04CEB4A3CC95232FDCDCB83...
savdaladfs01.savilltech.net            49443 085F0D04CEB4A3CC95232FDCDCB83...
EnterpriseRegistration.savillt...        443 085F0D04CEB4A3CC95232FDCDCB83...

The next step is to ensure the ADFS configuration on the WAP server is correct. Change the connection string for your SQL server and the name of your ADFS server to match your environment. Running the commands below fixed the WAP authentication errors via ADFS in my environment.

# Run on the WAP server; the MgmtSvcConfig module ships with Windows Azure Pack
Import-Module -Name MgmtSvcConfig

# Connection string for the WAP configuration database (sample values; replace with your own)
$ConnectionString = 'Data Source=savdalsql01;Initial Catalog=Microsoft.MgmtSvc.Config;User ID=sa;Password=Pa55word'

# Point the tenant and admin relying parties at the ADFS federation metadata
Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'https://savdaladfs01.savilltech.net/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString

Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://savdaladfs01.savilltech.net/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString

# Point the identity providers at the same metadata; leave certificate validation enabled unless troubleshooting
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://savdaladfs01.savilltech.net/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString #-DisableCertificateValidation

Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://savdaladfs01.savilltech.net/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString #-DisableCertificateValidation
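A pre-check script, added here as an example and not part of the original answer, that runs on the ADFS server and reports the three conditions the steps above depend on: the service communications certificate is current, every SSL binding carries that same thumbprint, and the federation metadata endpoint that WAP is pointed at is reachable with unexpired certificates. The ADFS host name is an assumption taken from the article's example.

```powershell
# Added example (not from the original article): check the ADFS side before
# reconfiguring WAP. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$AdfsHost    = 'savdaladfs01.savilltech.net'   # assumption: host name from the article's example
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$now         = Get-Date

# 1. Service communications certificate must not be expired.
$svcCert = (Get-AdfsCertificate -CertificateType Service-Communications | Select-Object -First 1).Certificate
if ($svcCert.NotAfter -lt $now) {
    Write-Warning "Service communications cert $($svcCert.Thumbprint) expired on $($svcCert.NotAfter)"
} else {
    Write-Host "Service communications cert $($svcCert.Thumbprint) valid until $($svcCert.NotAfter)"
}

# 2. Every SSL binding should use the same thumbprint as the service
#    communications certificate; Set-AdfsSslCertificate fixes a mismatch.
Get-AdfsSslCertificate | ForEach-Object {
    if ($_.CertificateHash -ne $svcCert.Thumbprint) {
        Write-Warning "SSL binding $($_.HostName):$($_.PortNumber) uses $($_.CertificateHash), expected $($svcCert.Thumbprint)"
    }
}

# 3. WAP reads the signing certificates from the federation metadata, so the
#    endpoint must be reachable and the certificates it publishes unexpired.
try {
    [xml]$metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
} catch {
    Write-Warning "Cannot fetch $MetadataUrl : $($_.Exception.Message)"
    return
}
$metadata.SelectNodes("//*[local-name()='X509Certificate']") |
    ForEach-Object { $_.InnerText } | Sort-Object -Unique | ForEach-Object {
        $bytes = [Convert]::FromBase64String($_)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $state = if ($cert.NotAfter -lt $now) { 'EXPIRED' } else { 'ok' }
        Write-Host ("Metadata cert {0} {1} (expires {2})" -f $cert.Thumbprint, $state, $cert.NotAfter)
    }
```

Any warning printed by the script points at the step above that needs to be repeated before the WAP relying party settings are refreshed.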
