We have a WAP / AD FS on-premises farm running on Win2016 with a number of published applications. It was set up sometime in 2017/2018 and was running fine until now. We have a mix of pass-through, claims-aware and non-claims-aware applications.
We are currently upgrading one of the on-premises ASP.NET applications from Windows Server 2008 R2 to Windows Server 2019. The web app is hosted on-premises and is a non-claims-aware ASP.NET Forms application using Windows (Integrated) Authentication. I believe the configuration is identical, but I've got a problem with the Win2019-deployed app that I don't have with the Win2008R2-deployed app.
We connect using the same URL regardless of whether we are on the internal network or not, and the Win2008R2 app is accessed both externally and internally. The Win2019-deployed app works fine when the user is on the internal network, but can't be accessed externally (i.e. going through WAP). When connecting externally to the Win2019-deployed web app, we go through the AD FS sign-in page, but once authenticated, WAP presents the user with a 500 error (using Edge) for the Win2019 server application.
On the Win2019 web server, at the moment of sign-in, I get nothing in the IIS log file, but I get three Audit Failure events, event ID 4625, in the Security event log. The events show a "NULL SID" and Logon ID 0x0, "An error occurred during logon", status 0xC000035B. The IP address matches one of the WAP servers. I've turned on Kerberos logging, but nothing appears on this server.
On the WAP server, in the WAP event log, in sequence:
- Information: Web Application Proxy received an HTTP request with a valid edge token.
- Information: Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.
- Warning: Web Application Proxy cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error
- Error: Web Application Proxy exceeded the maximum number of permitted Kerberos authentication attempts to the backend server.
- Error: Web Application Proxy encountered an unexpected error while processing the request. Error: The access code is invalid. (0x8007000c)
Turning on Kerberos logging, at the same instant I get a 0x19 KDC_ERR_PREAUTH_REQUIRED error.
I'll put the full setup below, but any thoughts on what the problem is would be most appreciated.
Thanks in advance.
Setup is as follows:
2 WAP servers and 2 ADFS servers, all on Win2016
WAP servers are in a DMZ.
The same ASP.NET Forms web application is deployed to both web servers. Applications are set to use Windows Authentication.
Application pools on both web servers run under the same domain account, myDomain\theAppPoolUser
- Have run SETSPN to register the following SPNs to myDomain\theAppPoolUser and checked for duplicates
Wildcard SSL certificate (with private key) on WAP and web servers, for *.myDomain.co.uk
In AD FS, have set up both Relying Party Trusts as non-claims-aware
- In WAP, have set up both published applications in the same manner, but "new" and "old" as appropriate. i.e. the "old" config as
Web Servers running IIS,
SSL certificate bound to port 443 and no host name specified in binding
Anonymous Authentication disabled on root and application folder
Windows Authentication enabled on root and application folders
Extended Protection Off
Kernel-mode authentication Enabled
Provider is Negotiate only
Application Pool running v4.0 .Net, and Integrated mode
Load User Profile is False
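A check script for the Kerberos hop that the WAP events above describe (edge token accepted, ticket obtained on the user's behalf, backend answers 401). This is an added example and not part of the original post; it walks, in PowerShell, the prerequisites that WAP's Kerberos constrained delegation to a non-claims-aware backend depends on: the HTTP SPN on the app-pool account and nowhere else, each WAP computer account allowed to delegate to that SPN with protocol transition, the published application carrying the same SPN, and the IIS side (Windows auth on, anonymous off, Negotiate offered, and useAppPoolCredentials when kernel-mode authentication is kept on with a domain app-pool identity). The names app.myDomain.co.uk, WAP01, WAP02, Default Web Site and /MyApp are assumptions, not taken from the post.

```powershell
# Added diagnostic for the WAP -> backend Kerberos constrained delegation hop.
# Not code from the original post. Assumed names (replace with your own):
# published host app.myDomain.co.uk, WAP computer accounts WAP01/WAP02,
# IIS site "Default Web Site" with the application at /MyApp.
# Section 1 needs RSAT (ActiveDirectory module) on a domain-joined box,
# section 2 runs on a WAP server, section 3 on the Win2019 web server.

$AppPoolUser = 'theAppPoolUser'
$BackendHost = 'app.myDomain.co.uk'
$ExpectedSpn = "HTTP/$BackendHost"
$WapServers  = 'WAP01', 'WAP02'
$SiteName    = 'Default Web Site'
$AppPath     = 'MyApp'

function Write-Check {
    param([string]$Name, [bool]$Ok, [string]$Detail)
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $tag, $Name, $Detail)
}

# --- 1. Active Directory -------------------------------------------------
Import-Module ActiveDirectory

# The HTTP SPN for the published host must be on the app-pool account and on
# no other account: the KDC encrypts the service ticket with the key of
# whichever account holds the SPN, and IIS can only decrypt it with that key.
$acct = Get-ADUser -Identity $AppPoolUser -Properties ServicePrincipalName
Write-Check 'SPN on app-pool account' ($acct.ServicePrincipalName -contains $ExpectedSpn) `
    ("$AppPoolUser holds: " + ($acct.ServicePrincipalName -join ', '))

$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$ExpectedSpn)" |
             Select-Object -ExpandProperty Name)
Write-Check 'SPN is unique' ($holders.Count -eq 1) ('held by: ' + ($holders -join ', '))

# Each WAP computer account must be allowed to delegate to that SPN with
# protocol transition ("use any authentication protocol"): the external user
# never hands WAP a Kerberos ticket, only the AD FS edge token, so WAP has to
# obtain the backend ticket itself via S4U2Self/S4U2Proxy.
foreach ($wap in $WapServers) {
    $c = Get-ADComputer -Identity $wap -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    $targets = @($c.'msDS-AllowedToDelegateTo')
    Write-Check "$wap delegates to $ExpectedSpn" ($targets -contains $ExpectedSpn) ('targets: ' + ($targets -join ', '))
    Write-Check "$wap protocol transition" ([bool]$c.TrustedToAuthForDelegation) "TrustedToAuthForDelegation=$($c.TrustedToAuthForDelegation)"
    # Remediation if either check fails (left commented out deliberately):
    # Set-ADComputer -Identity $wap -Add @{'msDS-AllowedToDelegateTo' = $ExpectedSpn}
    # Set-ADAccountControl -Identity $c.DistinguishedName -TrustedToAuthForDelegation $true
}

# --- 2. Web Application Proxy (run on WAP01 or WAP02) --------------------
# The published application must carry the same SPN, or WAP asks the KDC for
# a ticket to a service the backend cannot decrypt.
$app = Get-WebApplicationProxyApplication |
       Where-Object { $_.BackendServerUrl -like "https://$BackendHost/*" }
if ($app) {
    Write-Check 'Published app SPN' ($app.BackendServerAuthenticationSPN -eq $ExpectedSpn) `
        "ExternalUrl=$($app.ExternalUrl) SPN=$($app.BackendServerAuthenticationSPN)"
} else {
    Write-Check 'Published app found' $false "no application with BackendServerUrl https://$BackendHost/"
}

# --- 3. IIS on the Win2019 web server ------------------------------------
Import-Module WebAdministration
$appPsPath = "IIS:\Sites\$SiteName\$AppPath"
$authBase  = 'system.webServer/security/authentication'
$winAuth   = Get-WebConfiguration -PSPath $appPsPath -Filter "$authBase/windowsAuthentication"
$anon      = Get-WebConfiguration -PSPath $appPsPath -Filter "$authBase/anonymousAuthentication"
$providers = @(Get-WebConfiguration -PSPath $appPsPath -Filter "$authBase/windowsAuthentication/providers/add" |
               Select-Object -ExpandProperty value)
$poolName  = (Get-WebApplication -Site $SiteName -Name $AppPath).applicationPool
$proc      = (Get-Item "IIS:\AppPools\$poolName").processModel

Write-Check 'Windows auth on, anonymous off' ($winAuth.enabled -and -not $anon.enabled) `
    "windows=$($winAuth.enabled) anonymous=$($anon.enabled)"
Write-Check 'Negotiate offered first' ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate') `
    ('providers: ' + ($providers -join ', '))

# With kernel-mode authentication on, http.sys decrypts the ticket with the
# machine account's key unless useAppPoolCredentials is true; a domain
# app-pool identity that owns the SPN therefore needs that flag (or kernel
# mode turned off), or every ticket for HTTP/<host> fails to decrypt.
$domainPool = $proc.identityType -eq 'SpecificUser'
$needsFlag  = $winAuth.useKernelMode -and $domainPool
Write-Check 'Kernel mode + custom identity => useAppPoolCredentials' `
    ((-not $needsFlag) -or $winAuth.useAppPoolCredentials) `
    "identity=$($proc.userName) useKernelMode=$($winAuth.useKernelMode) useAppPoolCredentials=$($winAuth.useAppPoolCredentials)"
# Fix, if that check fails:
# Set-WebConfigurationProperty -PSPath $appPsPath -Filter "$authBase/windowsAuthentication" -Name useAppPoolCredentials -Value $true
```

Run each section on the host it names; the remediation lines are commented out so the script only reports. After changing SPNs or delegation settings, restart the Web Application Proxy service (appproxysvc) on each WAP so it does not keep using a previously cached ticket, then retry the external sign-in and compare the Security log on the web server with the WAP event sequence again.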