Article ID: 121183, created on Apr 18, 2014, last review on Oct 1, 2015

  • Applies to:
  • Operations Automation


During installation of WAP different error while saving WAP settings, syncing plans at Plans pages, opening Admin Portal are thrown at Cloud Infrastructure > Windows Azure Pack > Settings page.

Examples of errors:

  • opening Admin Portal:

    P400002: Invalid request
  • Trying to submitting settings:

    [AZURE] Failed to communicate with WAP Admin API
  • syncing plans:

    [AZURE] Certificate not trusted


These errors are caused by misconfiguration in certificates.


Please check the following:

  1. On OA MN run the command:

    # /usr/java/default/bin/keytool -list -destkeystore /usr/local/share/WAP/WAPKeyStore

    You will see the list of certificates: wap, mgmtsvc-adminapi, mgmtsvc-usage. Pay attention to their SHA1 field.

  2. Go to WAP node, open IIS Manager > Server Certificates and compare 'Certificate hash' with SHA1 values that you obtained at step 1 (for MgmtSvc-AdminAPI and MgmtSvc-Usage certificates)

  3. To verify WAP certificate, open Certificates snap-in as described in WAP guide (page 15, steps 13-17), navigate to Certificates > Trusted Root Certification Authorities, find WAP certificate, double-click it, switch to Details tab and compare SHA1 value with Thumbprint value.

    If thumbprints do not coincide, then export it again from IIS to MN (in case of MgmtSvc-AdminAPI/MgmtSvc-Usage) or from MN to WAP node (in case of wap certificate).

  4. check that certificates MgmtSvc-AdminAPI and MgmtSvc-Usage are bound to respective sites in IIS Manager. To do it (on the example of MgmtSvc-AdminAPI), go to IIS Manager > Sites > MgmtSvc-AdminAPI > Bindings, double click https binding and verify that MgmtSvc-AdminAPI certificate is selected in SSL Certificates drop-down menu.

  5. Check that the following cmdlets from Deployment Guide (page 16) were performed (use the special Azure Pack powershell console):

    PS> Set-MgmtSvcRelyingPartySettings -Target @('Admin', 'Tenant') -MetadataEndpoint https://WAP-APS:4486/wap/metadata.xml -ConnectionString $cnctString -DisableCertificateValidation 
    PS> Set-MgmtSvcIdentityProviderSettings -Target Membership –MetadataEndpoint https://WAP-APS:4486/wap/metadata.xml -ConnectionString $cnctString -DisableCertificateValidation
    $cnctString='Data Source=;User ID=sa;Password=123qweASD'

Also, pay attention, that SQL server native ip address can differs from dsn database ip. Log into the WAP database SQL server and check the: SQL Server Configuration Manager -> SQL Server Network Configuration -> Protocols for MSSQLSERVER -> TCP\IP -> IP Adress (tab) -> is active.

This ip address should be used in $cnctString variable.

Search Words

post-upgrade POA 6.0.1 - provisioning failed on WAP/AZURE upgrade order

WAP - update 7 - Failed to communicate with WAP Admin API

Failed to communicate with WAP Admin API

certificate validation

azure updated to UR6 - CertificateException: Certificate not trusted

azurepack provisioning

update wap certificate breaks login to tenent portal

caea8340e2d186a540518d08602aa065 5356b422f65bdad1c3e9edca5d74a1ae e12cea1d47a3125d335d68e6d4e15e07

Email subscription for changes to this article
Save as PDF