Internet Information Services
Microsoft web server software.
1,575 questions
Unable to publish Win2019 web app on an established WAP / ADFS farm. Backend server refusing connection.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 57.99999999999999%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Alastair Davie
1
Reputation point
Hi,
We have a WAP / AD FS on-premise farm running on Win2016 with a number of published applications. It was setup sometime 2017 / 2018 and running fine until now. We have a mix of pass-through, claims aware and non-claims aware application.
We are currently upgrading one of the on-premise ASP.Net application from a Window Server 2008 R2 to Windows Server 2019. The web app is hosted on-premise and is non-claims aware, ASP.Net Forms application using Windows (Integrated) Authentication. I believe the configration is identical but I've got a problem witht Win2019 deployed app that I don't have with the Win2008R2 deployed app.
We connect using the same URL regardless of being on the internal network or not. And the Win2008R2 is accessed both externally and internally. The Win2019 deployed works fine when the user is on the internal network, but can't access externally, (i.e. going through WAP). When connecting externally to the Win2019 deployed web app, we go through the ADFS signin page, but once authenticated, WAP presents user with a 500 error (using Edge) for the Win2019 server application.
On the Win2019 web server, at the moment of signin, I get nothing in the IIS log file, but I get Audit Failure (times 3), event ID 4625 in the Security Event log. Events show a "NULL SID" and Login ID 0x0. "An Error occured during Logon". Status 0xC000035B. The IP address matches one of the WAP servers. I've turned on Kerberos logging, but nothing on this server.
On the WAP server in the WAP event log, in sequence
- Information: Web Application Proxy received an HTTP request with a valid edge token.
- Information: Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.
- Warning: Web Application Proxy cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error
- Error: Web Application Proxy exceeded the maximum number of permitted Kerberos authentication attempts to the backend server.
- Error: Web Application Proxy encountered an unexpected error while processing the request. Error: The access code is invalid. (0x8007000c)
Turning on Kerberos logging, at the same instant I get a 0x19 KDC_ERR_PREAUTH_REQUIRED error.
I'll put the full setup below, but any thought on what the problem is would be most appriciated.
Thanks in advance.
Setup is as follows:
- 2 WAP servers and 2 ADFS servers, all on Win2016
- WAP servers are in a DMZ.
- Firewall rule on the internal firewall open on port 443 between WAP and both web servers, that I will call oldSrv.myDomain.local and newSrv.myDomain.local.
- ordSrv.myDomain.local has an internal DNS entry of webapp_prd.myDomain.co.uk
- newSrv.myDomain.local has an internal DNS entry of webapp_uat.myDomain.co.uk
- External DNS entry for both webapp_prd.myDomain.co.uk and webapp_uat.myDomain.co.uk point to the IP address used by WAP (load balanced with NLB)
- Same ASP.Net Forms web application deployed to both web servers. Applications set to use Windows Authentication
- Application pools on both web servers running under same domain account myDomain\theAppPoolUser
- Have run SETSPN to register the following SPNs to myDomain\theAppPoolUser and checked for duplicates
- HTTP/oldSrv.myDomain.local
- HTTP/oldSrv.myDomain
- HTTP/newSrv.myDomain.local
- HTTP/newSrv.myDomain
- Wildcard SSL certificate (with provate key) on WAP and web servers, for *.myDomain.co.uk
- In ADFS, have setup both Relying Party Trusts as non-claims aware
- In WAP, have setup both published application in same manner, but "new" and "old" as appropriate. i.e. the "old" config as
- External URL - https://webapp_prd.myDomain.co.uk
- Backend server URL https://webapp_prd.myDomain.co.uk
- Backend server SPN http/oldSrv.myDomain.co.uk
- Enable HTTP to HTTPS redirection is On
- Set to use *.myDomain.co.uk certificate
- Web Servers running IIS,
- SSL certificate bound to port 443 and no host name specified in binding
- Anonymous Authentication disabled on root and application folder
- Windows Authentication enabled on root and application folders
- Extended Protection Off
- Kernal-mode authentication Enabled
- Provider is Negotiate only
- Application Pool running v4.0 .Net, and Integrated mode
- Load User Profile is False
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 24%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor2021-03-17T05:57:35.313+00:00 @Alastair Davie You can refer to this link for similar errors: Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED. Click Start, click Run, type "regedit", navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ParametersAdd or edit this key: Registry Value: LogLevel Value Type: REG_DWORD Value Data: 0x0. -
Alastair Davie 1 Reputation point
2021-03-17T07:21:28.67+00:00 @Sam Wu-MSFT thanks for the suggestion as I understand that having Kerberos logging can generate a lot of events.
Fortunately I only turned it on while trying to debug the inability to connect to the the web application on the Win2019 server from an external network, and had turned it off when I failed to turn up anything. -
Alastair Davie 1 Reputation point
2021-03-17T10:13:34.09+00:00 If I change the "Backend Server SPN" so that I don't use the FQDN, then the Win2019 deployed application works,
i.e, HTTP/newSrvAny thoughts on why this change in behaviour?
Everything I've seen say to use the FQDN for the SPN
Sign in to comment