Perhaps as you were setting up your brand new shiny 2012 R2 Web Application Proxy (WAP) to connect to your 2012 R2 Active Directory Federation Services (ADFS 3.0) server you ran into a 404 error in the web browser followed by this error message in the event viewer logs when trying to do your idpinitiated sign on test from the internet using the WAP DNS URL:
Event ID 144
The Federation Service Proxy blocked an illegitimate request made by a client, as there was no matching endpoint registered at the proxy.
Huh?!?!? Okay, so here is one of the reasons why it is generating: the root part of your DNS you use at the proxy must match the DNS you have on your internal ADFS server.
For example, if you configured your internal federation service name to be different (adfs.internaldomain.com) than the web application proxy name (adfs.yourexternalweb.com) then when the proxy tries to interpret the request it sees the mismatching DNS as an illegitimate request, thus blocking it. And while the WAP will publish various web applications that have different DNS this does not cover the initial configuration of the WAP when it is initially pointed to the internal ADFS server.
So what’s the solution?
Get a DNS entry on your internal domain to point to your internal ADFS server using what you used for the web application proxy. These names MUST match for the WAP to work. If you cannot get a DNS entry on your internal domain to match the DNS on the external domain then my recommendation would be to use your etc/hosts file to point your proxy to your ADFS server.
Once you have the DNS entry or etc/hosts entry in place for your WAP and ADFS server then do the following:
1. Put the adfs.yourexternalweb.com public cert (with private key) on the ADFS server to be used for communications.
2. (Assuming ADFS has already been configured) Remove the adfs role from the ADFS server and do not save the databases and reboot.
4. Install the ADFS role with the new matching Federation Service name (adfs.yourexternalweb.com). Make sure to point to the newly installed certificate. Do not utilize old database information. Create a new WID database.
5. Remove the WAP role from the WAP server.
7. Reinstall WAP role and Configure. Once post deployment has completed successfully do NOT create an app for ADFS as it is automatically publishing ADFS as a proxy under the covers.
Hope this helps. Questions are welcome.