Azure AD Application Proxy SSO stopped working since this weekend?

Jack Chen 131 Reputation points
2021-11-15T17:47:29.52+00:00

I am wondering if anyone has set up Azure AD Application Proxy with Integrated Windows Authentication?

I worked with a client to set it up with Exchange OWA, and it was working until this weekend. This morning the client told me it stopped working; now it shows

Azure AD Application Proxy
Status code: BadGateway

The weird part is that I set up a POC for the client and it was working before, and now it gets the same BadGateway error. Since the two application proxies are in different Azure AD tenants/different domains, that seems to indicate there might be something wrong with Azure AD?


5 additional answers

  1. Michael Maher 42 Reputation points
    2021-11-18T17:06:52.35+00:00

    Seeing the same issue, thanks for sharing this

    1 person found this answer helpful.

  2. Florian Obradovic 6 Reputation points
    2021-11-22T14:30:33.543+00:00

    Thanks for sharing.
    I already banged my head for hours.

    The DCs in the affected environment are on Server 2012 R2; is there an out-of-band update for 2012 R2?

    On the target DCs you see this in the logs:

    A Kerberos service ticket was requested. 
    Account Information: 
     Account Name: AzAppProxyHost$@DOMAIN.LOCAL 
     Account Domain: DOMAIN.LOCAL 
     Logon GUID: {00000000-0000-0000-0000-000000000000} 
    Service Information: 
     Service Name: HTTP/host.domain.local 
     Service ID: S-1-0-0 
    Network Information: 
     Client Address: ::ffff:10.10.xx.xx 
     Client Port: 49837 
    Additional Information: 
     Ticket Options: 0x40830000 
     Ticket Encryption Type: 0xFFFFFFFF 
     Failure Code: 0x29 
     Transited Services: - 
    This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested. 
    This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. 
    Ticket options, encryption types, and failure codes are defined in RFC 4120. 
    

    Failure Code: 0x29:
    0x29 KRB_AP_ERR_MODIFIED Message stream modified and checksum didn't match

    Regards, Flo.

    1 person found this answer helpful.

  3. JackieB 1 Reputation point
    2021-11-20T21:29:01.01+00:00

    Thank you!!!! This post saved me hours of banging my head.


  4. Jack Chen 131 Reputation points
    2021-11-22T16:05:48.04+00:00

    @Florian Obradovic

    https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#2750

    Take action: Out-of-band update to address authentication issues on DCs relating to Kerberos delegation scenarios
    Microsoft is releasing Out-of-band (OOB) updates today, November 14, 2021, to resolve issues in which authentication might fail on DCs with certain Kerberos delegation scenarios on all supported versions of Windows Server when used as a Domain Controller. To get the standalone update package, search for it in the Microsoft Update Catalog. You can import this update into Windows Server Update Services (WSUS) manually. See the Microsoft Update Catalog for instructions. Note: These updates are not available from Windows Update and will not install automatically.

    For instructions on how to install this update for your operating system, see the KB for your OS listed below:
    Windows Server 2019: KB5008602
    Windows Server 2016: KB5008601
    Windows Server 2012 R2: KB5008603
    Windows Server 2012: KB5008604
    Windows Server 2008 R2 SP1: KB5008605
    Windows Server 2008 SP2: KB5008606

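Putting Florian's event text and Jack Chen's KB list together: the script below is an added example, not code from the thread or from Microsoft. It parses the body of a Windows Security event 4769 like the one posted above, decodes the Kerberos failure code using the RFC 4120 names, flags the pattern from this thread (0x29 KRB_AP_ERR_MODIFIED on a computer-account service-ticket request, which is what the Application Proxy connector's Kerberos constrained delegation produces), and maps a DC's OS to the out-of-band KB listed in the answer. The failure sample is copied from Florian's post (masked address kept as posted); the success sample and the field-name regex are my own assumptions about how the exported event text looks.

```python
"""Triage exported Security event 4769 text for the KCD failure seen in this thread."""
import re
from typing import Dict, Optional

# "Key: Value" lines inside the event body. Section headers such as
# "Account Information:" carry no value and are skipped. (Assumed layout:
# one field per line, as in the text pasted into the thread.)
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")

# Kerberos error codes from RFC 4120, section 7.5.9 (subset commonly seen on
# TGS requests). 0x29 is the code in the event Florian posted.
KRB_ERROR_CODES = {
    0x0: "KDC_ERR_NONE",
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0xC: "KDC_ERR_POLICY",
    0xD: "KDC_ERR_BADOPTION",
    0xE: "KDC_ERR_ETYPE_NOSUPP",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x1F: "KRB_AP_ERR_BAD_INTEGRITY",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
    0x29: "KRB_AP_ERR_MODIFIED",
}

# Out-of-band DC updates exactly as listed in Jack Chen's answer.
OOB_UPDATES = {
    "Windows Server 2019": "KB5008602",
    "Windows Server 2016": "KB5008601",
    "Windows Server 2012 R2": "KB5008603",
    "Windows Server 2012": "KB5008604",
    "Windows Server 2008 R2 SP1": "KB5008605",
    "Windows Server 2008 SP2": "KB5008606",
}

# Failure event as posted in the thread (address masked as in the post).
SAMPLE_FAILURE = """\
A Kerberos service ticket was requested.
Account Information:
 Account Name: AzAppProxyHost$@DOMAIN.LOCAL
 Account Domain: DOMAIN.LOCAL
 Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
 Service Name: HTTP/host.domain.local
 Service ID: S-1-0-0
Network Information:
 Client Address: ::ffff:10.10.xx.xx
 Client Port: 49837
Additional Information:
 Ticket Options: 0x40830000
 Ticket Encryption Type: 0xFFFFFFFF
 Failure Code: 0x29
 Transited Services: -
"""

# Constructed success event for contrast (AES256 ticket, no failure).
SAMPLE_SUCCESS = """\
A Kerberos service ticket was requested.
Account Information:
 Account Name: AzAppProxyHost$@DOMAIN.LOCAL
Service Information:
 Service Name: HTTP/host.domain.local
Additional Information:
 Ticket Encryption Type: 0x12
 Failure Code: 0x0
"""


def parse_event_4769(text: str) -> Dict[str, str]:
    """Return the Key: Value fields of an exported 4769 event body."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def decode_failure_code(code: str) -> str:
    """Map a hex failure code string (e.g. '0x29') to its RFC 4120 name."""
    value = int(code, 16)
    return KRB_ERROR_CODES.get(value, f"UNKNOWN_0x{value:X}")


def recommended_update(dc_os: str) -> Optional[str]:
    """OOB KB for a DC operating system, per the list in the thread."""
    return OOB_UPDATES.get(dc_os)


def triage(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a failed request, or None when the ticket was issued."""
    code = int(fields.get("Failure Code", "0x0"), 16)
    if code == 0:
        return None
    account = fields.get("Account Name", "")
    finding: Dict[str, object] = {
        "account": account,
        "service": fields.get("Service Name", ""),
        "client": fields.get("Client Address", ""),
        "error": decode_failure_code(fields["Failure Code"]),
        # 0xFFFFFFFF in the encryption-type field appears on audit-failure
        # events: no ticket was issued.
        "ticket_issued": fields.get("Ticket Encryption Type", "").lower() != "0xffffffff",
        # Trailing '$' on the principal marks a computer account (here the
        # App Proxy connector host requesting a ticket via KCD).
        "computer_account": account.split("@")[0].endswith("$"),
    }
    if code == 0x29 and finding["computer_account"]:
        finding["note"] = ("KRB_AP_ERR_MODIFIED on a computer-account TGS request matches "
                           "the delegation failure in this thread; check the DC's OOB update level")
    return finding


if __name__ == "__main__":
    result = triage(parse_event_4769(SAMPLE_FAILURE))
    print(result)
    print("2012 R2 DC needs:", recommended_update("Windows Server 2012 R2"))
```

Run it over the event text exported from a DC (Event Viewer "Copy details as text" or `Get-WinEvent` output); a stream of 0x29 findings for the connector's computer account against the published SPN, starting right after the November patch window, is the signature worth correlating with the BadGateway errors on the Application Proxy side.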