Certificate authentication is not working on Web application proxy/ADFS

Stephanie Lopez
2023-12-09T13:40:25.1266667+00:00

Good morning,

I have been setting up an ADFS server and Web Application Proxy. I have gotten it to the point that it authenticates our external applications using user name and password, yet I've noticed in developer tools that when users authenticate with their certificate, initially the prompt for them to enter their certificate PIN will show up, but instead of redirecting their SAML request to adfs/ls it will redirect their SAML request to adfs/certauth and give a 503 Service Unavailable error.

On the ADFS, when I look at the endpoints I see the endpoint for adfs/ls but not adfs/certauth. I do see an endpoint for adfs/servertrust/certificates (not the exact name). If I open a browser externally, on the ADFS, or on the WAP, I can reach the adfs/ls endpoint, but the adfs/servertrust/certificates endpoint redirects to the same 503 error. If I go to the adfs/ls endpoint in a browser on the WAP, on the ADFS, or via the external URL, it brings me to the logon page.

If I change the adfs/ls endpoint to adfs/certauth it also brings me to the slash page.

My certificates for the ADFS and WAP are the same and have certauth added as a SAN. The application has 49443 and 443 allowed inbound, and the firewall is not interfering.

I've compared this new ADFS to an existing one which properly authenticates users with their token, and it has all the same ADFS authentication methods selected. On the ADFS that is working, the service, token-signing, and token-decrypting certs all had the same thumbprint. So I changed the ADFS that is not authenticating certs to use the same service cert's thumbprint for the token certs. This still did not result in the authentication working for certificates.

I have added a DNS entry for both the auth and certauth names using the WAP's private IP. I have also published the external application to use pass-through auth with the external cert and the external login URL of the app, with no success.

I do not understand why at authentication the external application's URL redirects from adfs/ls to adfs/certauth. I have a hunch this is the issue, but can anyone provide any other ideas for what to try next?

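The checks below are an added diagnostic script, not something posted by the question author or provided by Microsoft. They walk through the things the question touches on in the order a practitioner would verify them on the AD FS server: whether certificate authentication is actually enabled as a primary provider, which TLS bindings AD FS owns (certificate authentication is served on either <federation service name>:49443 or certauth.<federation service name>:443, which is why the browser is redirected to adfs/certauth on one of those listeners rather than to adfs/ls), whether the certificate behind those bindings carries the certauth SAN, whether HTTP.sys is set to negotiate client certificates on them, and whether the names resolve and the ports answer. The script assumes AD FS 2016 or later with the ADFS PowerShell module, that the certificate-auth hostname follows the default "certauth." + federation service name pattern, and that 49443 is the alternate port; run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added diagnostic script (not part of the original post). Assumptions: AD FS 2016+,
# ADFS PowerShell module present, certauth hostname is "certauth.<federation service name>",
# alternate certificate-auth port is 49443. Run elevated on the AD FS server.

$props        = Get-AdfsProperties
$fqdn         = $props.HostName            # federation service name, e.g. adfs.example.com (assumed)
$certAuthHost = "certauth.$fqdn"           # hostname the browser is sent to for /adfs/certauth (assumed pattern)

Write-Host "Federation service name: $fqdn"

# 1. Certificate authentication must be selected as a primary provider for the
#    network the client comes from; external users hit the extranet policy via the WAP.
$policy   = Get-AdfsGlobalAuthenticationPolicy
$extranet = @($policy.PrimaryExtranetAuthenticationProvider)
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
Write-Host "Extranet primary providers: $($extranet -join ', ')"
Write-Host "Intranet primary providers: $($intranet -join ', ')"
if ($extranet -notcontains 'CertificateAuthentication') {
    Write-Warning "CertificateAuthentication is not an extranet primary provider; external users will not be offered a certificate prompt."
}

# 2. TLS bindings owned by AD FS. Certificate auth needs <fqdn>:49443 and/or certauth.<fqdn>:443.
$bindings = Get-AdfsSslCertificate
$bindings | Format-Table HostName, PortNumber, CertificateHash -AutoSize
$certAuthBindings = $bindings | Where-Object {
    ($_.PortNumber -eq 49443) -or ($_.HostName -ieq $certAuthHost)
}
if (-not $certAuthBindings) {
    Write-Warning "No binding for ${certAuthHost}:443 or ${fqdn}:49443; a redirect to /adfs/certauth has no listener to land on."
}

# 3. The certificate behind each binding must carry the certauth name as a SAN,
#    otherwise the browser's TLS handshake to certauth.<fqdn> fails before AD FS sees it.
foreach ($b in ($bindings | Sort-Object CertificateHash -Unique)) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $b.CertificateHash
    if (-not $cert) {
        Write-Warning "Thumbprint $($b.CertificateHash) is bound but not present in LocalMachine\My"
        continue
    }
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    Write-Host "Cert $($cert.Thumbprint) SANs: $($sans -join ', ')"
    if ($sans -notcontains $certAuthHost) {
        Write-Warning "Cert $($cert.Thumbprint) lacks SAN $certAuthHost"
    }
}

# 4. HTTP.sys must be configured to negotiate a client certificate on the certauth bindings;
#    Get-AdfsSslCertificate does not show this, so read it from netsh.
netsh http show sslcert |
    Select-String -Pattern 'IP:port', 'Hostname:port', 'Certificate Hash', 'Negotiate Client Certificate'

# 5. Name resolution and TCP reachability from this host. Repeat these two checks
#    from the WAP and from outside, since the 503 is most likely raised by whichever
#    hop cannot reach the next one on the certauth name or port.
foreach ($name in @($fqdn, $certAuthHost)) {
    try {
        $ips = (Resolve-DnsName -Name $name -ErrorAction Stop | Where-Object QueryType -eq 'A').IPAddress
        Write-Host "$name -> $($ips -join ', ')"
    } catch {
        Write-Warning "$name does not resolve from this host"
    }
}
Test-NetConnection -ComputerName $fqdn -Port 49443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName $certAuthHost -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The WAP needs the same certauth SAN on the certificate it presents (Get-WebApplicationProxySslCertificate shows what it is using), and a DNS entry for certauth.<fqdn> that points at the WAP from outside and at the AD FS server from the WAP itself; a 503 from the WAP usually means the proxy accepted the connection for that host or port but could not reach a backend listener for it, which is the case to rule out first when adfs/ls works and adfs/certauth does not.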

1 answer

  1. Claudia Dos Santos Haz (CONCENTRIX CORPORATION), Microsoft Vendor
    2023-12-11T10:11:55.1433333+00:00

    Hi @Stephanie Lopez,

    Thank you for asking this question on the Microsoft Q&A Platform.

    Here is a link to help you with troubleshooting steps: AD FS 2.0 service fails to start https://video2.skills-academy.com/en-us/troubleshoot/windows-server/identity/adfs-2-service-fails-to-start

    Best regards,

