7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

  • Windows Server 2012 R2 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.2.1.5: The X-MS-ADFS-Proxy-Client-IP header is not sent by the Web Application Proxy on Windows Server 2012 R2.

<2> Section 2.2.1.6: The X-MS-ProxyAuth-Token header is not sent by the Web Application Proxy on Windows Server 2012 R2, Windows Server 2016, Windows Server v1709 operating system, or Windows Server v1803 operating system.

<3> Section 2.2.2.4: The service-host-name-for-user-tls-auth field is not supported by the Web Application Proxy on Windows Server 2012 R2.

<4> Section 2.2.2.4: The farm-behavior-version-number field is not supported by the Web Application Proxy on Windows Server 2012 R2.

<5> Section 2.2.2.4: The ignore-token-binding field is not supported by the Web Application Proxy on Windows Server 2012 R2.

<6> Section 2.2.2.4: The updated-farm-behavior-level field is not supported by the Web Application Proxy on Windows Server 2012 R2, Windows Server 2016, Windows Server v1709, or Windows Server v1803.

<7> Section 2.2.2.11: The Error-Type field of [Serialized Request with Certificate] is not supported on Windows Server 2012 R2. It is also not supported on Windows Server 2016 unless [MSKB-4034661] is installed.

<8> Section 2.2.2.11: The Error-Code field of [Serialized Request with Certificate] is not supported on Windows Server 2012 R2. It is also not supported on Windows Server 2016 unless [MSKB-4034661] is installed.

<9> Section 3.1.1.1: Any writes to [Server State] require, by default, 5 minutes to propagate to other nodes in the server in an AD FS farm configuration using WID.

<10> Section 3.3.5.2.1.3: Windows does not remove the old certificate from [Server State].

<11> Section 3.4.5: The following table shows the values of api-version that can be set by the Web Application Proxy in each operating system.

| Operating System | api-version values supported |
|---|---|
| Windows Server 2012 R2 | 1 |
| Windows Server 2016, Windows Server operating system, Windows Server 2019 | 2 |

<12> Section 3.11.5: In Windows Server 2012 R2, and in Windows Server 2016 without [MSKB-4034661] installed, the client simply ignores the request if no certificate was obtained.

<13> Section 3.11.5.1: In Windows Server 2012 R2, and in Windows Server 2016 without [MSKB-4034661] installed, the client simply ignores a request with an invalid certificate.

<14> Section 3.12.5.1.3: Windows validates that the sign-in request comes from a SAML-P IdP initiated request with a query string parameter RelayState containing an identifier of a web application in the server that relies on the WS-Fed protocol for authentication.

<15> Section 3.12.5.1.5: Preauthentication for active clients is not supported on Windows Server 2012 R2.

<16> Section 3.13.5.2.3: Preauthentication of active requests is not supported on Windows Server 2012 R2.