I have the following issue and scenario in a Windows 2016 ADFS farm:

  • 2 ADFS 2016 (configured with O365 RPT)
  • 2 WAP 2016
  • HLB for the ADFS Servers
  • Azure AD Health Agent installed on the ADFS Servers and WAP servers

All the services are running fine and end users can access O365 with no issue, but we are still getting an error message in the Azure AD portal related to the Azure AD Health Agent for ADFS, and the same error comes via the ADFSDiagnostics.psm1 module.

STATE: Active
RAISED: 9/15/2017, 2:56:49 PM
LAST DETECTED: 10/2/2017, 10:17:51 AM
ISSUE:

The test authentication requests (Synthetic Transactions) initiated from this server have failed to obtain a token after 5 retries. This may be caused by transient network issues, AD DS Domain Controller availability or a mis-configured AD FS server. As a result, authentication requests processed by the federation service may fail. Please note that the agent uses the Local Computer Account context to obtain a token from the Federation Service.

The following statement was found in the AAD Connect Health FAQ section:

Q: I am getting alerted that “Test Authentication Request (Synthetic Transaction) failed to obtain a token.” How do I troubleshoot the issue?

Azure AD Connect Health for AD FS generates this alert when the Health Agent installed on an AD FS server fails to obtain a token as part of a synthetic transaction initiated by the Health Agent. The Health Agent uses the local system context and attempts to get a token for a self relying party. This is a catch-all test to ensure that AD FS is in a state of issuing tokens.

Most often this test fails because the Health Agent is unable to resolve the AD FS farm name. This can happen if the AD FS servers are behind a network load balancer and the request gets initiated from a node that's behind the load balancer (as opposed to a regular client that is in front of the load balancer). This can be fixed by updating the "hosts" file located under "C:\Windows\System32\drivers\etc" to include the IP address of the AD FS server or a loopback IP address (127.0.0.1) for the AD FS farm name (such as sts.contoso.com). Adding the hosts file entry will short-circuit the network call, thus allowing the Health Agent to get the token.

The solution in our case was to add the AD FS server IP address to the hosts file. Once the configuration was made it took approximately 2 min until the health agent sent its information to the Azure AD service and everything was green again.
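As an added example (not from the original post or from Microsoft), the following PowerShell script applies the hosts file fix described above on an AD FS node and then checks that the farm name now resolves locally and that the federation service answers on that path. It must be run elevated on each AD FS server in the farm. The farm name `sts.contoso.com` is an assumed placeholder (the script overrides it with whatever `Get-AdfsProperties` reports), and `$LocalIp` defaults to the loopback address the FAQ suggests; use this node's own AD FS IP address instead if you prefer.

```powershell
# Added example, not code from the original post: pin the AD FS farm name to the
# local node in the hosts file so the Health Agent's synthetic transaction (which
# originates on the AD FS server itself, behind the HLB) reaches the federation
# service, then verify. Run elevated on EACH AD FS server in the farm.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$FarmFqdn = 'sts.contoso.com',   # assumption: placeholder farm name
    [string]$LocalIp  = '127.0.0.1'          # loopback, or this node's AD FS IP
)

$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. Take the farm name from AD FS itself rather than trusting the parameter.
#    Get-AdfsProperties is the AD FS cmdlet; its HostName property is the farm FQDN.
$adfsHost = (Get-AdfsProperties).HostName
if ($adfsHost -and $adfsHost -ne $FarmFqdn) {
    Write-Warning "AD FS reports farm name '$adfsHost'; using it instead of '$FarmFqdn'."
    $FarmFqdn = $adfsHost
}

# 2. Record what the name resolves to today. GetHostAddresses goes through the
#    OS resolver (hosts file included), so from this node it normally shows the
#    HLB VIP, which is exactly the path the FAQ says the agent cannot use.
$before = [System.Net.Dns]::GetHostAddresses($FarmFqdn) | ForEach-Object { $_.IPAddressToString }
Write-Host "Before: $FarmFqdn -> $($before -join ', ')"

# 3. Back up the hosts file, then add or replace the entry idempotently so
#    re-running the script never leaves duplicate or stale lines behind.
Copy-Item -Path $hostsPath -Destination "$hostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$pattern = "^\s*\S+\s+$([regex]::Escape($FarmFqdn))(\s|$)"
$kept    = Get-Content -Path $hostsPath | Where-Object { $_ -notmatch $pattern }
$entry   = "$LocalIp`t$FarmFqdn`t# AAD Connect Health synthetic transaction: bypass HLB"
Set-Content -Path $hostsPath -Value ($kept + $entry) -Encoding ASCII
Clear-DnsClientCache

# 4. Confirm the name now resolves to the pinned address.
$after = [System.Net.Dns]::GetHostAddresses($FarmFqdn) | ForEach-Object { $_.IPAddressToString }
Write-Host "After:  $FarmFqdn -> $($after -join ', ')"
if ($after -notcontains $LocalIp) {
    Write-Error "hosts entry did not take effect; check the file for a conflicting line."
    return
}

# 5. Confirm the federation service answers on that path with a certificate the
#    client accepts. The service communication certificate must carry $FarmFqdn in
#    its subject/SAN, otherwise the agent's request fails on TLS even though the
#    name now resolves. Invoke-WebRequest validates the certificate for us.
$uri = "https://$FarmFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp     = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    $entityId = ([xml]$resp.Content).EntityDescriptor.entityID
    Write-Host "OK: federation metadata served locally, entityID = $entityId"
} catch {
    Write-Error "Federation metadata request to $uri failed: $($_.Exception.Message)"
}
```

Two caveats worth keeping in mind. The hosts entry is not scoped to the Health Agent: every process on that AD FS server now reaches the farm name without passing through the HLB, so the entry has to be repeated on each AD FS node and updated if the pinned IP ever changes. And the final check runs in your interactive session, whereas the agent obtains its token under the Local Computer Account, so a green result here proves name resolution and TLS reachability, not the agent's authentication itself; the portal going green a couple of minutes later is the real confirmation.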