MarcelPalme-8257 asked:

ADFS 2019 NonClaimsAwareRelyingPartyTrust

We are currently having a problem accessing a NonClaimsAware RelyingPartyTrust. We publish TFS externally and receive many error messages from event 12027 on the ADFS server. Only the password and the username are not wrong! Access then also works, but before that, access is very often denied. I suspect that the error is to be found in some temporal relationship between the TGT and the tokens from ADFS. Does anyone know such behavior?

Kind regards,
Marcel


piaudonn commented:

Hello Marcel -

We'll need more details. What is the event 12027 you are referring to?

A non-claims-aware application requires quite some configuration. The WAP server needs to be domain joined; depending on your DC operating system, you might also need it to be joined to the same domain as the actual service. Then things can also be impacted by a lot of other factors. Anyhow, we'll need to know:

  • The publication configuration (ideally a screenshot or the export of the Get-WebApplicationProxyApplication for the app)

  • An overview of your domain configuration (in which domain are your users, the WAP server, and the actual application)

  • An overview of your split-brain DNS configuration (what DNS records resolve to what IP from the client's perspective)

  • Actual error message in the security logs and the ADFS Admin logs (and the client's experience description too)

Thanks!

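A PowerShell script that collects the four items asked for above from the WAP server, added here as an example and not part of the thread or any Microsoft tooling. It assumes the WebApplicationProxy, ActiveDirectory and DnsClient modules are available on the WAP, that the published application is named "TFS" (a placeholder), and that the WAP admin log is named Microsoft-Windows-WebApplicationProxy/Admin (an assumption).

```powershell
# Added diagnostic script, not from the thread. Run on the WAP server in an elevated session.
# Assumes the WebApplicationProxy, ActiveDirectory and DnsClient modules are present.
param(
    [string]$AppName = 'TFS',                                          # placeholder: published app name
    [string]$WapLog  = 'Microsoft-Windows-WebApplicationProxy/Admin'   # assumed WAP admin log name
)

# 1. Publication settings. A non-claims-aware (IWA) publication carries a
#    BackendServerAuthenticationSPN; a claims-aware one does not.
$app = Get-WebApplicationProxyApplication -Name $AppName
$app | Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
                     ADFSRelyingPartyName, BackendServerAuthenticationSPN | Format-List

# 2. Kerberos constrained delegation: this WAP's computer account must be allowed
#    to delegate to exactly the SPN configured on the publication.
$wap     = Get-ADComputer -Identity $env:COMPUTERNAME -Properties msDS-AllowedToDelegateTo
$allowed = @($wap.'msDS-AllowedToDelegateTo')
if ($app.BackendServerAuthenticationSPN -and ($allowed -notcontains $app.BackendServerAuthenticationSPN)) {
    Write-Warning "$($wap.Name) is not allowed to delegate to $($app.BackendServerAuthenticationSPN)"
} else {
    "Delegation list on $($wap.Name) contains the backend SPN (or the app is claims-aware)."
}

# 3. Split-brain DNS: what the external and backend host names resolve to from this box.
foreach ($u in @($app.ExternalUrl, $app.BackendServerUrl)) {
    $h = ([uri]$u).Host
    "Resolving $h"
    Resolve-DnsName -Name $h -ErrorAction SilentlyContinue | Select-Object Name, Type, IPAddress
}

# 4. Recent 12027 events, so the exact error text can be correlated with user logons.
Get-WinEvent -FilterHashtable @{ LogName = $WapLog; Id = 12027 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it once per WAP node; the delegation check in step 2 is per computer account, so a mismatch on only one node explains intermittent failures behind a load balancer.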

1 Answer

MarcelPalme-8257 answered:

I am using ADFS 2019. The WAPs are domain members. The delegation on the WAP computer accounts contains the HTTP SPNs of the SharePoint server. An HA proxy (passthrough) is used as a load balancer between the WAPs and ADFS. All servers are in the same domain. The configuration works 90%.

This is the event that I get:

Web Application Proxy encountered an unexpected error while processing the request.
Error: The user name or password is incorrect.
(0x8007052e)


I have only noticed these errors since I connected my ADFS to a syslog server. Before, I had thought that users really entered their passwords incorrectly. But that is definitely wrong: users enter their passwords correctly.

Marcel


piaudonn commented:

If everything were to be set up correctly it would work. So we need to assume something is missing :)

Could you show us the configuration of the publication and of the WAP delegation settings?
Could you show us the actual events you see on the WAP and/or the ADFS servers when a test user connects to the system using a correct password?
