ADFS 3.0 Error: The Web request failed because the web.config file is malformed

Had a strange one today after an Azure outage. One of my Server 2012 R2 ADFS proxies wouldn’t start the ADFS service.

When looking in the logs, it appeared like a case of simply having to re-establish the proxy trust, but I got a different error when trying to start the service:

The federation server proxy could not be started.
Reason: Error retrieving proxy configuration from the Federation Service.

Additional Data
Exception details:
An error occurred when attempting to load the proxy configuration.

There were other errors in the ADFS Event logs about a malformed config file:

The Web request failed because the web.config file is malformed.

User Action:
Fix the malformed data in the web.config file.

Exception details:
Root element is missing. (C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config)
Root element is missing.

When I opened the above-mentioned config file, it was empty. I compared this to the config file on the other ADFS proxy, and that one looked like a normal config file.

My solution, and what ended up fixing the issue in the end, was simply to copy the contents of the .config file from the working ADFS proxy to the broken one. I could then re-establish the proxy trust, and everything started running again.

I’m not sure if this would work, but in case you don’t have another ADFS proxy to grab the config file from, here’s a sanitised version of mine:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="microsoft.identityServer.proxyservice" type="Microsoft.IdentityServer.Management.Proxy.Configuration.ProxyConfiguration, Microsoft.IdentityServer.Management.Proxy, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
  </configSections>
  <microsoft.identityServer.proxyservice>
    <congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64" enabled="true" />
    <connectionPool connectionPoolSize="200" scavengeInterval="5" />
    <diagnostics eventLogLevel="15" />
    <host tlsClientPort="49443" httpPort="80" httpsPort="443" name="adfs.example.com" />
    <proxy address="" />
    <trust thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" proxyTrustRenewPeriod="21600" />
  </microsoft.identityServer.proxyservice>
  <!-- <system.serviceModel>
    <diagnostics>
      <messageLogging logEntireMessage="true"
                      logMessagesAtServiceLevel="true"
                      logMessagesAtTransportLevel="true">
      </messageLogging>
    </diagnostics>
  </system.serviceModel> -->
</configuration>
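The check-and-repair sequence described above (confirm the config file is empty or malformed, pull a known-good copy from the other proxy, then re-establish the proxy trust) written out as a PowerShell script. This is an added example, not the post author's script. The proxy name wap02, the federation service name adfs.example.com, the file paths and the service names are assumptions; it also assumes the working proxy's C$ admin share is reachable, and that the thumbprint in the trust element refers to this proxy's own proxy trust certificate, so a config copied from another proxy still needs the trust re-established with Install-WebApplicationProxy.

```powershell
# Added example (not from the original post). Run elevated on the broken proxy.
# Host names, paths and service names below are assumptions for illustration.
$ConfigPath     = 'C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config'
$GoodProxy      = 'wap02'              # assumed name of the proxy that still works
$FederationFqdn = 'adfs.example.com'   # assumed federation service name
$BackupPath     = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

function Test-ProxyConfig {
    # Returns an object saying whether the file parses as a proxy config, plus the
    # host name and trust thumbprint it carries so they can be cross-checked.
    param([string]$Path)
    if (-not (Test-Path $Path) -or (Get-Item $Path).Length -eq 0) {
        return [pscustomobject]@{ Valid = $false; Reason = 'file missing or zero bytes' }
    }
    try {
        [xml]$doc = Get-Content -Path $Path -Raw -ErrorAction Stop
    } catch {
        # A truncated file surfaces here as "Root element is missing.", the same
        # message the ADFS event log quoted.
        return [pscustomobject]@{ Valid = $false; Reason = $_.Exception.Message }
    }
    $svc = $doc.configuration.'microsoft.identityServer.proxyservice'
    if (-not $svc) {
        return [pscustomobject]@{ Valid = $false; Reason = 'no microsoft.identityServer.proxyservice section' }
    }
    [pscustomobject]@{
        Valid      = $true
        Reason     = 'ok'
        HostName   = $svc.host.name
        Thumbprint = $svc.trust.thumbprint
    }
}

$state = Test-ProxyConfig -Path $ConfigPath
if ($state.Valid) {
    'Config OK: host={0} trust thumbprint={1}' -f $state.HostName, $state.Thumbprint
} else {
    Write-Warning "Config invalid: $($state.Reason)"
    # Keep the broken file for later analysis, then copy the known-good one over
    # the admin share (assumed reachable) and re-validate it before trusting it.
    Copy-Item -Path $ConfigPath -Destination $BackupPath -ErrorAction SilentlyContinue
    $source = "\\$GoodProxy\C$\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config"
    Copy-Item -Path $source -Destination $ConfigPath -Force
    $state = Test-ProxyConfig -Path $ConfigPath
    if (-not $state.Valid) { throw "Copied config is still invalid: $($state.Reason)" }
}

# The host element must name this deployment's federation service.
if ($state.HostName -ne $FederationFqdn) {
    Write-Warning "host name '$($state.HostName)' does not match '$FederationFqdn'"
}

# The trust thumbprint identifies the proxy trust certificate. A config copied from
# another proxy carries that proxy's thumbprint, which will not be in this machine's
# store, so the trust has to be re-established (this regenerates the certificate).
$trustCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $state.Thumbprint
if (-not $trustCert) {
    Write-Warning "Trust certificate $($state.Thumbprint) not in LocalMachine\My; re-establishing proxy trust"
    $sslCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$FederationFqdn*" } |
        Select-Object -First 1
    if (-not $sslCert) { throw "No SSL certificate for $FederationFqdn found in LocalMachine\My" }
    $cred = Get-Credential -Message 'Account with admin rights on the federation service'
    Install-WebApplicationProxy -FederationServiceName $FederationFqdn `
        -CertificateThumbprint $sslCert.Thumbprint `
        -FederationServiceTrustCredential $cred
}

# Service names assumed for Server 2012 R2: adfssrv (ADFS) and appproxysvc (WAP).
Start-Service -Name adfssrv
Get-Service -Name adfssrv, appproxysvc
```

The script keeps the broken file as a timestamped backup rather than overwriting it, which is worth doing if you later want to work out why it was truncated. Leave the commented-out system.serviceModel block in the config as it is: with logEntireMessage enabled, WCF message logging writes complete request bodies, which on a federation proxy can include tokens, to the trace log.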

Once I’d resolved the problem, I did a bit of searching around for this error message, and it appears that other people have had the same problem previously, with no resolution listed in the one thread that I looked at on the TechNet forums.
