During the upgrade process it is expected that there will be multiple versions of AD FS and WAP servers operating in a farm at a given time. This is actually a good option as it allows us to easily upgrade from AD FS 2012 R2 to a newer version such as 2016 or 2019. We can do this without having to build a brand new farm from scratch and then cutting over applications to the new farm with its new namespace and new certificate.
Ideally we want to minimise the time that we are in the coexistence mode as such configurations are always the most complex, and until we fully transition to the new version we are not able to leverage the new features. So there are many good reasons to make the transition in a quick timeframe. Of course we need to allow time for testing and verification so this is not going to be a single weekend project unless it is a small deployment.
There are some caveats to running in a mixed farm, and the ability to edit published applications from an up-level WAP server is one of them. In the case below, the certificate for the published application has expired and we need to update the certificate. From the Internet, Edge shows a generic error message - ERR_CONNECTION_RESET.
A clue is also present in the browser bar – note that there is no padlock. Only the exclamation symbol.
In the Remote Access Management console, we can see that two web applications have been published to the Internet – /OWA and /ECP. In this example there is AD FS pre-authentication which is being done on WAP.
If we select to edit the application, we can see the details.
In this case, there is an issue as the underlying certificate for the published application is missing. This was because the original certificate was removed after the new certificate was installed. However WAP was not updated to use the new certificate.
Since the new certificate is already installed, we can simply select it from the dropdown.
Clicking Next, then takes us to the confirmation screen, and note that there is no OK button.
The button to click is called Edit.
As a very helpful hint, the actual PowerShell code to do the same task is also provided. Again, please noted that the example below is for an AD FS pre-authenticated web app. Please see this post for a pass-through example.
Set-WebApplicationProxyApplication -BackendServerAuthenticationSpn 'http/owa.tailspintoys.ca' -BackendServerUrl "https://owa.tailspintoys.ca/ecp/" -ExternalCertificateThumbprint '94F3CCBF46430438AA1DB1C89247524ADAD60A2D' -ExternalUrl "https://owa.tailspintoys.ca/ecp/" -Name 'Exchange ECP' -ID '84925804-2d44-36b5-822d-af3e93957d94'
However, the wizard does not complete successfully.
EventID 1206 is logged in Microsoft-Windows-Web Application Proxy/Admin eventlog. The details are shown below.
The following error occurred when the user tried to execute a PowerShell or WMI command.
Error: You cannot change the existing Web Application Proxy configuration from a server running a new version if there are servers running an older version on the cluster. Make your configuration changes from a Web Application Proxy server that is running the older version. After all Web Application Proxy servers are running the new version, upgrade the configuration by running the ‘Set-WebApplicationProxyConfiguration’ with the "-UpgradeConfigurationVersion" switch.
Thankfully the solution is more than straightforward, and is actually mentioned in the error message. Those really are the best error messages, aren't they?
We need to perform the task from the old version of WAP in the farm so the configuration level matches the admin tool where the changes are being made.
In AD FS for Windows Server 2016, the farm behavior level (FBL) was introduced. This is farm-wide setting that determines the features the AD FS farm can use.
AD FS FARM BEHAVIOR LEVELS (FBL)
|Windows Version||FBL||AD FS Database Name|