When working with ADFS 3.0 on Windows Server 2012 R2 after certificate replacement, you might encounter two critical symptoms:
1. Application server logs show: "An error occurred while using SSL configuration for endpoint 0.0.0.0:443. Error code 15021"
2. Web Application Proxy service fails with: "Error code 7023 - connection with server could not be established"
First, let's verify the certificate binding status. The PowerShell commands you've executed are correct, but we need deeper inspection:
# Check certificate bindings in HTTP.sys
netsh http show sslcert
# Verify certificate store location
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "YOUR_THUMBPRINT" } | Select-Object *
# Alternative listener check: 0.0.0.0 is a bind address, not a reachable host, so probe the local listener instead
Test-NetConnection -ComputerName localhost -Port 443
From my experience, these issues typically stem from one of three scenarios:
- Port 443 binding conflict with other services (IIS, SQL, etc.)
- Incorrect private key permissions for the service account
- Missing intermediate certificates in the chain
Even if permissions appear correct at first glance, let's validate them thoroughly:
# Check private key permissions (RSACertificateExtensions requires .NET Framework 4.6 or later)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "YOUR_THUMBPRINT" }
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
# UniqueName is only the file name; the key file lives under ProgramData\Microsoft\Crypto (Keys for CNG, RSA\MachineKeys for CSP)
$keyName = $rsaCert.Key.UniqueName
$filePath = (Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1).FullName
icacls $filePath
For the Web Application Proxy service (Error 7023), try this reset sequence:
# Stop dependent services (W3SVC exists only if IIS is installed; ADFS 3.0 itself does not run on IIS)
Stop-Service -Name ADFSSRV -Force
Stop-Service -Name W3SVC -Force -ErrorAction SilentlyContinue
# Clear SSL bindings
netsh http delete sslcert ipport=0.0.0.0:443
# Recreate binding (replace with your actual thumbprint; the appid is the AD FS HTTP.sys application ID)
netsh http add sslcert ipport=0.0.0.0:443 certhash=YOUR_THUMBPRINT appid={5d89a20c-beab-4389-9447-324788eb944a}
# Restart services
Start-Service -Name ADFSSRV
Start-Service -Name W3SVC -ErrorAction SilentlyContinue
If the issue persists, consider these diagnostic actions:
# Check for port conflicts
netstat -ano | findstr :443
# Verify certificate chain (certmgr.msc only opens the user-store GUI; certutil writes the chain and revocation checks to a file for analysis)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "YOUR_THUMBPRINT" }
Export-Certificate -Cert $cert -FilePath "$env:TEMP\adfs-ssl.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\adfs-ssl.cer" > "$env:TEMP\adfs-ssl-chain.txt"
# Enable verbose ADFS logging
Set-AdfsProperties -LogLevel "Verbose"
Get-AdfsProperties | Select-Object LogLevel
After applying fixes, validate the complete solution:
# Check service status
Get-Service -Name ADFSSRV, W3SVC -ErrorAction SilentlyContinue   # W3SVC is absent unless IIS is installed
# Test HTTPS connectivity
Invoke-WebRequest -Uri https://your-adfs-fqdn/adfs/ls/idpinitiatedsignon.aspx -UseBasicParsing
# Verify certificate binding
Get-AdfsSslCertificate | Format-List *
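Added example, not part of the answer above and not Microsoft's code: a single script that runs the three checks this answer walks through (binding conflict, private-key permissions, chain) and prints a verdict for each. It parses the text output of netsh http show sslcert and compares every HTTP.sys binding against the certificate hash AD FS is configured with, flags any binding owned by an application ID other than AD FS, locates the private-key file and checks for an ACE granting the AD FS service account read access, and builds the chain locally. Assumptions: it runs elevated on the AD FS server, netsh output is in English, the AD FS application ID is the default one quoted in the answer, and the service name is adfssrv.

```powershell
# Added diagnostic script (not from the answer above). Assumes an elevated session on the
# AD FS server, English netsh output, the default AD FS HTTP.sys appid, and service name adfssrv.
$AdfsAppId = '{5d89a20c-beab-4389-9447-324788eb944a}'

# 1. The certificate AD FS believes it is serving (cmdlet returns one row per host:port binding)
$expected = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash.ToUpper()
"AD FS configured SSL certificate: $expected"

# 2. What HTTP.sys actually holds, parsed from the text output of netsh
$bindings = @{}
$endpoint = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
        $endpoint = $matches[2]
        $bindings[$endpoint] = @{ Hash = ''; AppId = '' }
    } elseif ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
        $bindings[$endpoint].Hash = $matches[1].ToUpper()
    } elseif ($endpoint -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
        $bindings[$endpoint].AppId = $matches[1].ToLower()
    }
}
foreach ($ep in $bindings.Keys) {
    $b = $bindings[$ep]
    $certState = if ($b.Hash -eq $expected) { 'same cert as AD FS' } else { "DIFFERENT cert $($b.Hash)" }
    $owner     = if ($b.AppId -eq $AdfsAppId) { 'AD FS appid' } else { "owned by other appid $($b.AppId)" }
    "{0,-32} {1}; {2}" -f $ep, $certState, $owner
}

# 3. Can the AD FS service account read the private key?
$svcAccount = (Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'").StartName
$cert = Get-Item "Cert:\LocalMachine\My\$expected"
$keyName = $null
# CSP (legacy provider) keys expose the container name directly; CNG keys return $null here
try { if ($cert.PrivateKey) { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } } catch {}
if (-not $keyName) {
    # CNG keys: RSACertificateExtensions needs .NET Framework 4.6 or later
    try { $keyName = ([System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)).Key.UniqueName } catch {}
}
$keyFile = if ($keyName) {
    Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
}
if ($keyFile) {
    "Private key file: $($keyFile.FullName)  (service runs as $svcAccount)"
    $acl = Get-Acl $keyFile.FullName
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    # Compare on the account's short name with spaces removed ("NetworkService" vs "NETWORK SERVICE")
    $short = ($svcAccount -split '\\')[-1] -replace '\s', ''
    $hasRead = $acl.Access | Where-Object {
        (($_.IdentityReference.Value -replace '\s', '') -like "*$short*") -and ($_.FileSystemRights -match 'Read|FullControl')
    }
    if (-not $hasRead) { "WARNING: no explicit Read/FullControl ACE for $svcAccount on the private key file" }
} else {
    "Could not locate the private key file (no private key, or it is held in an HSM/KSP)"
}

# 4. Does the certificate chain to a trusted root on this box? Missing intermediates surface here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    "Chain OK: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)".Trim() }
}
```

A 0.0.0.0:443 binding reported as "owned by other appid" is the conflict the 15021 error describes; a "DIFFERENT cert" row on a host-name binding means the renewal was applied in the store but not to HTTP.sys. Revocation checking is disabled in step 4 on purpose so the chain test is about missing intermediates, not about CRL reachability; run certutil -verify -urlfetch separately if you also want that.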
When working with ADFS 3.0 on Windows Server 2012 R2, the error "An error occurred while using SSL configuration for endpoint 0.0.0.0:443" with status code 15021 typically indicates a certificate binding issue. This often manifests after certificate renewal when the Web Application Proxy (WAP) service fails to start with error 7023.
First, verify your certificate installation using PowerShell:
# Check current SSL certificate
Get-AdfsSslCertificate
# Expected output format (one row per host:port binding; every row should show the new hash):
# HostName          PortNumber CertificateHash
# --------          ---------- ---------------
# localhost         443        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# yourdomain.com    443        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# yourdomain.com    49443      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
If the thumbprint doesn't match your new certificate, reapply it:
# Set new certificate
Set-AdfsSslCertificate -Thumbprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Confirm the network service has proper certificate access:
# Check private key permissions (the cmdlet's hash property is CertificateHash; take one row since it returns one per binding)
$thumb = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
# $cert.PrivateKey is populated only for CSP (legacy provider) keys; CNG keys return $null
$key = $cert.PrivateKey
# UniqueKeyContainerName is a bare file name under the machine key store, so build the full path before Get-Acl
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $key.CspKeyContainerInfo.UniqueKeyContainerName
$acl = Get-Acl $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
The 0.0.0.0:443 binding suggests a system-wide SSL conflict. Check existing bindings:
netsh http show sslcert
If another service has claimed the wildcard binding, you'll need to clear it:
# Remove conflicting binding (CAUTION: verify impact first)
netsh http delete sslcert ipport=0.0.0.0:443
After fixing certificate issues, reset the WAP service:
# Full service reset sequence (run on the WAP server; W3SVC exists only if IIS is installed there)
Stop-Service -Name "ADFSSRV" -Force
Stop-Service -Name "W3SVC" -Force -ErrorAction SilentlyContinue
Start-Service -Name "W3SVC" -ErrorAction SilentlyContinue
Start-Service -Name "ADFSSRV"
# The Web Application Proxy service name is appproxysvc ("WebApplicationProxy" is its display name, not a service name)
Start-Service -Name "appproxysvc"
Enable detailed logging if issues persist:
# Enable ADFS debug tracing (Set-AdfsProperties has no -DebugLevel; tracing is the AD FS Tracing/Debug analytic log, enabled via wevtutil)
wevtutil sl "AD FS Tracing/Debug" /e:true
Check event logs for detailed errors:
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 20 | Sort-Object TimeCreated -Descending
Verify firewall rules allow traffic between components:
# Check existing rules (display names vary between builds; match both the "AD FS" and "ADFS" spellings)
Get-NetFirewallRule -DisplayName "*AD FS*", "*ADFS*" | Select-Object DisplayName, Enabled, Direction
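Added example, not part of the answer above and not Microsoft's code: the 7023 failure is the proxy's view of the problem, so this script checks from the WAP server what the federation service actually presents over TLS. It opens a TLS session with SNI set to the federation service name (AD FS 3.0 binds certificates per host name, so connecting by IP can show a different certificate than the proxy receives), compares the presented thumbprint with the one you expect, builds the chain using the WAP's own trust store, lists the proxy's own listener certificate, and pulls the latest errors from the proxy and AD FS logs. The FQDN and thumbprint are placeholders, and the proxy log name Microsoft-Windows-WebApplicationProxy/Admin is an assumption for Server 2012 R2.

```powershell
# Added example (not from the answer above). Run on the Web Application Proxy server.
# Placeholders: federation service FQDN and the expected thumbprint. Log names are assumptions.
param(
    [string]$FederationService  = 'adfs.example.com',
    [string]$ExpectedThumbprint = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
)

function Get-PresentedCertificate {
    # Open a TLS session with SNI = $HostName and return the certificate the server sends.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object -TypeName System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever the server presents; we inspect it ourselves rather than trusting it here
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, { $true }
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $ssl.Dispose()
        return $cert
    } finally {
        $client.Close()
    }
}

$presented = Get-PresentedCertificate -HostName $FederationService
"Presented by $FederationService : $($presented.Thumbprint)  ($($presented.Subject))"
"Expected                        : $($ExpectedThumbprint.ToUpper())"
if ($presented.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    "MISMATCH: the federation service still serves a different certificate; fix Set-AdfsSslCertificate on every AD FS server first"
}

# The proxy must be able to build a chain for that certificate from its own trust store
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($presented)) {
    "Chain OK from the WAP's point of view"
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)".Trim() }
}

# The proxy's own listener certificate, which normally should be the same certificate
"WAP listener certificate(s):"
Get-WebApplicationProxySslCertificate | Format-List *

# Latest errors (Level 2) from the proxy log and the AD FS proxy component log
foreach ($log in 'Microsoft-Windows-WebApplicationProxy/Admin', 'AD FS/Admin') {
    "--- $log ---"
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}
```

If the presented thumbprint is right but the chain fails only on the WAP, the fix is on the proxy (import the intermediate into LocalMachine\CA there), not on AD FS; if the presented thumbprint is still the old one, no amount of restarting the proxy will help until the AD FS side is corrected.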