AlastairDavie-3932 asked:

Unable to publish Win2019 web app on an established WAP / ADFS farm. Backend server refusing connection.

Hi,

We have a WAP / AD FS on-premise farm running on Win2016 with a number of published applications. It was set up sometime in 2017 / 2018 and has been running fine until now. We have a mix of pass-through, claims-aware and non-claims-aware applications.

We are currently upgrading one of the on-premise ASP.Net applications from Windows Server 2008 R2 to Windows Server 2019. The web app is hosted on-premise and is a non-claims-aware ASP.Net Forms application using Windows (Integrated) Authentication. I believe the configuration is identical, but I've got a problem with the Win2019-deployed app that I don't have with the Win2008R2-deployed app.

We connect using the same URL regardless of whether we are on the internal network or not, and the Win2008R2 app is accessed both externally and internally. The Win2019-deployed app works fine when the user is on the internal network, but can't be accessed externally (i.e. going through WAP). When connecting externally to the Win2019-deployed web app, we go through the ADFS sign-in page, but once authenticated, WAP presents the user with a 500 error (using Edge) for the Win2019 server application.

On the Win2019 web server, at the moment of sign-in, I get nothing in the IIS log file, but I get Audit Failure (times 3), event ID 4625 in the Security event log. Events show a "NULL SID" and Login ID 0x0. "An Error occurred during Logon". Status 0xC000035B. The IP address matches one of the WAP servers. I've turned on Kerberos logging, but nothing on this server.

On the WAP server in the WAP event log, in sequence
- Information: Web Application Proxy received an HTTP request with a valid edge token.
- Information: Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.
- Warning: Web Application Proxy cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error
- Error: Web Application Proxy exceeded the maximum number of permitted Kerberos authentication attempts to the backend server.
- Error: Web Application Proxy encountered an unexpected error while processing the request. Error: The access code is invalid. (0x8007000c)


Turning on Kerberos logging, at the same instant I get a 0x19 KDC_ERR_PREAUTH_REQUIRED error.

I'll put the full setup below, but any thoughts on what the problem is would be most appreciated.

Thanks in advance.


Setup is as follows:

  • 2 WAP servers and 2 ADFS servers, all on Win2016

  • WAP servers are in a DMZ.

  • Firewall rule on the internal firewall open on port 443 between WAP and both web servers, that I will call oldSrv.myDomain.local and newSrv.myDomain.local.

  • oldSrv.myDomain.local has an internal DNS entry of webapp_prd.myDomain.co.uk

  • newSrv.myDomain.local has an internal DNS entry of webapp_uat.myDomain.co.uk

  • External DNS entry for both webapp_prd.myDomain.co.uk and webapp_uat.myDomain.co.uk point to the IP address used by WAP (load balanced with NLB)

  • Same ASP.Net Forms web application deployed to both web servers. Applications set to use Windows Authentication

  • Application pools on both web servers running under same domain account myDomain\theAppPoolUser

  • Have run SETSPN to register the following SPNs to myDomain\theAppPoolUser and checked for duplicates

  • Wildcard SSL certificate (with private key) on WAP and web servers, for *.myDomain.co.uk

  • In ADFS, have setup both Relying Party Trusts as non-claims aware

  • In WAP, have set up both published applications in the same manner, but "new" and "old" as appropriate, i.e. the "old" config as

  • Web Servers running IIS,

    • SSL certificate bound to port 443 and no host name specified in binding

    • Anonymous Authentication disabled on root and application folder

    • Windows Authentication enabled on root and application folders

    • Extended Protection Off

    • Kernel-mode authentication Enabled

    • Provider is Negotiate only

    • Application Pool running v4.0 .Net, and Integrated mode

    • Load User Profile is False


@AlastairDavie-3932 You can refer to this link for similar errors: Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED. Click Start, click Run, type "regedit", navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters Add or edit this key: Registry Value: LogLevel Value Type: REG_DWORD Value Data: 0x0.


@SamWu-MSFT thanks for the suggestion; as I understand it, having Kerberos logging on can generate a lot of events.
Fortunately I only turned it on while trying to debug the inability to connect to the web application on the Win2019 server from an external network, and had turned it off when I failed to turn up anything.


If I change the "Backend Server SPN" so that I don't use the FQDN, then the Win2019-deployed application works,
i.e. HTTP/newSrv

Any thoughts on why this change in behaviour?
Everything I've seen says to use the FQDN for the SPN.

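The checks a practitioner would run to line up the pieces listed in the setup above and the SPN observation in the last comment (registered SPNs, duplicates, WAP delegation, the SPN each published app sends, and the IIS Windows-auth switches), as an added PowerShell example that is not from the thread. WAP01/WAP02 are placeholder names for the two WAP servers; all other names are the ones used in the question.

```powershell
# Added diagnostic, not part of the thread. Needs the RSAT ActiveDirectory module;
# section 4 only works on a WAP server, section 5 only on the IIS web server.
Import-Module ActiveDirectory

$appPoolUser = 'theAppPoolUser'                     # myDomain\theAppPoolUser
$wapHosts    = @('WAP01', 'WAP02')                  # placeholder WAP computer names
$backends    = @('newSrv.myDomain.local', 'oldSrv.myDomain.local')

# 1. SPNs registered on the app-pool account. The BackendServerSPN that WAP sends
#    must appear here in exactly the host form used (short name vs FQDN).
$spns = (Get-ADUser -Identity $appPoolUser -Properties servicePrincipalName).servicePrincipalName
"SPNs on ${appPoolUser}:"; $spns | ForEach-Object { "  $_" }

# 2. Which account(s) hold each backend SPN; more than one holder is a duplicate.
foreach ($b in $backends) {
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$b)"
    "HTTP/$b held by: " + (($holders | Select-Object -ExpandProperty Name) -join ', ')
}

# 3. Constrained delegation on each WAP computer account: the backend SPN must be in
#    msDS-AllowedToDelegateTo and protocol transition (TrustedToAuthForDelegation) on.
foreach ($w in $wapHosts) {
    $c = Get-ADComputer -Identity $w -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    "$w TrustedToAuthForDelegation = $($c.TrustedToAuthForDelegation)"
    $c.'msDS-AllowedToDelegateTo' | ForEach-Object { "  delegates to $_" }
}

# 4. On a WAP server: the SPN each published application actually uses for KCD.
if (Get-Command Get-WebApplicationProxyApplication -ErrorAction SilentlyContinue) {
    Get-WebApplicationProxyApplication |
        Select-Object Name, ExternalUrl, BackendServerUrl, BackendServerSPN | Format-Table -AutoSize
}

# 5. On the web server: IIS Windows-auth settings that decide which key decrypts the
#    ticket. With useKernelMode=true and a domain app-pool identity, IIS decrypts with
#    the machine account unless useAppPoolCredentials=true, so an SPN registered on the
#    app-pool account will not validate in that combination.
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $site = 'IIS:\Sites\Default Web Site'
    $auth = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($p in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
        "$p = " + (Get-WebConfigurationProperty -PSPath $site -Filter $auth -Name $p).Value
    }
    'extendedProtection.tokenChecking = ' +
        (Get-WebConfigurationProperty -PSPath $site -Filter "$auth/extendedProtection" -Name tokenChecking).Value
}
```

Compare the output of sections 1, 3 and 4 side by side: all three must agree on the same SPN string for the backend the WAP application is publishing.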

0 Answers