
Thursday, February 3, 2022

WAP and ADFS trust certificate lifetime

Description:

The proxy trust certificate between WAP and ADFS is a rolling certificate that is valid for 2 weeks and is renewed periodically. It is stored in an internal, protected store, so it does not appear in any of the usual certificate stores.

What we see in the local machine store is the initial temporary certificate used while the proxy trust is first being established. This explains why the WAP event log error referenced an unfamiliar certificate thumbprint.

If we leave our WAP server offline for more than 2 weeks, the proxy trust certificate will expire and we’ll need to re-initialise the proxy trust (Install-WebApplicationProxy cmdlet).

This can also happen when we move the VM’s configuration to another storage.

Resolution:

We can solve this issue by setting the following registry value to 1 on the WAP server and then re-running the post-install configuration from the Remote Management console:

Key: HKLM\Software\Microsoft\ADFS

Value: ProxyConfigurationStatus

  • 1 (not configured)
  • 2 (Web Application Proxy is configured)
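The following PowerShell is an added example, not code from the original post: it reads the ProxyConfigurationStatus value on the WAP server, reports what it means, and resets it to 1 (with -WhatIf support) so the post-install wizard re-establishes the proxy trust. The function names are my own; the key, value name and meanings are those given above.

```powershell
# Added example: inspect / reset the WAP proxy configuration status.
# Run in an elevated PowerShell session on the WAP server.
$RegPath   = 'HKLM:\Software\Microsoft\ADFS'
$ValueName = 'ProxyConfigurationStatus'

# Meaning of the value, as documented in the post above
$StatusText = @{ 1 = 'not configured'; 2 = 'Web Application Proxy is configured' }

function Get-WapProxyConfigurationStatus {
    $item  = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction Stop
    $value = [int]$item.$ValueName
    [pscustomobject]@{
        Value   = $value
        Meaning = if ($StatusText.ContainsKey($value)) { $StatusText[$value] } else { 'unknown' }
    }
}

function Reset-WapProxyConfigurationStatus {
    # SupportsShouldProcess gives us -WhatIf / -Confirm for free
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $current = Get-WapProxyConfigurationStatus
    Write-Verbose ('Current {0} = {1} ({2})' -f $ValueName, $current.Value, $current.Meaning)

    if ($current.Value -eq 1) {
        Write-Verbose 'Already marked as not configured; nothing to change.'
        return
    }
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", 'Set to 1 (not configured)')) {
        # The value is a DWORD in the registry
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value 1 -Type DWord
    }
}

# Usage:
#   Get-WapProxyConfigurationStatus
#   Reset-WapProxyConfigurationStatus -WhatIf    # preview the change
#   Reset-WapProxyConfigurationStatus -Verbose   # apply it
# Then re-run the post-install configuration from the console, or re-create the
# trust directly (placeholders are yours to fill in):
#   Install-WebApplicationProxy -FederationServiceName '<fs.example.com>' `
#       -CertificateThumbprint '<thumbprint of the FS SSL certificate>' `
#       -FederationServiceTrustCredential (Get-Credential)
```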

Tuesday, January 25, 2022

Invalidate RID Pool Script


To invalidate the current RID pool in Active Directory

Open an elevated Windows PowerShell session, run the following commands and press ENTER:

# Bind to the current domain and read its SID
$Domain = New-Object System.DirectoryServices.DirectoryEntry
$DomainSid = $Domain.objectSid
# Bind to RootDSE without the property cache so the write goes straight to the DC
$RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$RootDSE.UsePropertyCache = $false
# Writing the domain SID to the invalidateRidPool operational attribute discards
# this DC's current RID pool; a fresh pool is requested from the RID master on next use
$RootDSE.Put("invalidateRidPool", $DomainSid.Value)
$RootDSE.SetInfo()

Monday, January 10, 2022

Cannot Install .Net Framework on Windows Server

Description:

You try to install .Net Framework 4.7.x on a Windows Server.

However, the installation appears to hang and never completes.

Resolution:

Open "services.msc" and locate the Windows Installer service. Make sure the service is running. If it is not, start it manually and wait a moment. The installation should then continue and complete within a couple of minutes.

Log Files Deleted or Missing after Running Performance Monitor on Windows Server

Description:

You run Performance Monitor on Windows Server, using one of the existing templates to collect the data. You leave it running for 5 minutes (the default). After it completes, no report is generated and the log files seem to be gone. However, if you run it for only 1 minute, the report is generated normally.

Resolution:

Go to the Data Manager section of the Data Collector Set and uncheck the Maximum root path size option.

Run the data collector again.

Clear Cached Kerberos Tickets

To clear the cached Kerberos tickets:

Open Command Prompt with administrative permission and type:

klist purge

klist purge -li 0x3e7

The first command purges the tickets of your own logon session; the second targets logon ID 0x3e7, the local SYSTEM session, so the computer account's tickets are purged as well.
