Description:
The proxy trust certificate between WAP and ADFS is a rolling certificate that is valid for 2 weeks and is renewed periodically. It is stored in an internal, protected store, so it does not appear in any of the usual certificate stores.
What we see in the local machine store is the initial temporary certificate whose thumbprint was used while the proxy trust was first being established. This explains why the WAP event log error included a strange, unknown certificate thumbprint.
If we leave our WAP server offline for more than 2 weeks, the proxy trust certificate will expire and we’ll need to re-initialise the proxy trust (Install-WebApplicationProxy cmdlet).
This can also happen when we move the VM’s configuration to another storage location.
Resolution:
We can solve this issue by setting the following registry value to 1 on the WAP server and then re-running the post-install configuration from the Remote Management console:
HKLM\Software\Microsoft\ADFS
ProxyConfigurationStatus
- 1 (not configured)
- 2 (Web Application Proxy is configured)
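The steps above carried out from an elevated PowerShell session on the WAP server, as an added example that is not part of the original note: it records the current ProxyConfigurationStatus, shows the most recent AD FS admin-log errors (where the unknown thumbprint from the temporary trust certificate appears), resets the value to 1 and re-runs Install-WebApplicationProxy, then checks the result. The federation service name, the SSL certificate thumbprint and the DWORD value type are assumptions and must be replaced with your own values; the cmdlets used (Install-WebApplicationProxy, Get-WebApplicationProxyHealth) are from the WebApplicationProxy module.

```powershell
# Added example, not from the original note. Run elevated on the WAP server.
# The farm name and thumbprint are placeholders (assumptions), not values from the note.
$federationServiceName = 'sts.example.com'                       # assumed ADFS farm name
$sslThumbprint         = '<thumbprint of the WAP SSL cert in LocalMachine\My>'
$regPath               = 'HKLM:\SOFTWARE\Microsoft\ADFS'
$regName               = 'ProxyConfigurationStatus'              # 1 = not configured, 2 = configured

# 1. Record the current state before changing anything.
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
Write-Host "Current $regName = $current (1 = not configured, 2 = configured)"

# 2. Show the latest errors from the AD FS admin log. An unfamiliar thumbprint here is the
#    temporary certificate from the initial trust setup, not the rolling trust certificate,
#    which never appears in the usual certificate stores.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. Make sure the SSL certificate the proxy will present really is in the local machine store.
if (-not (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $sslThumbprint)) {
    throw "SSL certificate $sslThumbprint not found in Cert:\LocalMachine\My"
}

# 4. Mark the proxy as "not configured" so the post-install configuration runs again.
#    The value type (DWORD) is assumed here.
Set-ItemProperty -Path $regPath -Name $regName -Value 1 -Type DWord

# 5. Re-initialise the proxy trust. The credential must be a local administrator on the ADFS server.
$trustCred = Get-Credential -Message 'ADFS server local administrator account'
Install-WebApplicationProxy -FederationServiceName $federationServiceName `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $sslThumbprint

# 6. Verify: the registry value should now read 2 and the health check should report the trust as healthy.
(Get-ItemProperty -Path $regPath -Name $regName).$regName
Get-WebApplicationProxyHealth
```

If the WAP server has been offline for longer than the 2-week lifetime of the rolling certificate, step 2 is the quickest way to confirm that the failure is the expired proxy trust rather than a problem with the SSL certificate checked in step 3.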