Web Application Proxy could not publish an application due to certificate problems

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Web Application Proxy Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012 R2

Product/Feature

Web Application Proxy

Severity

Error

Category

Configuration

Issue

Web Application Proxy could not publish an application due to certificate problems.

Impact

Users were not able to access the applications.

Resolution

In the Windows event log, look for event 12021 for more details about these applications. Consider issuing a new certificate for these applications.

Additional resolution content is required; provide (1) an introductory paragraph and (2) step-by-step procedures for each task in the best practice configuration. Each resolution should be complete and self-contained. The user should be able to implement the BP without having to go to another page, unless the implementation steps are long and complicated (e.g., Exchange disaster recovery steps). If you do have to take the customer to another topic, this topic should contain a high-level overview of those particular resolution steps.

Credential statement, if necessary.

To view details about this application in the event log

  1. On the Web Application Proxy server, open the Windows event viewer: On the Start screen, click the Apps arrow. On the Apps screen, type eventvwr.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. In the navigation pane, open Applications and Services Logs/Microsoft/Windows/Web Application Proxy/Admin.

  3. In the details pane, locate the newest event with ID 12021.

  4. Do something….

If there is a problem with the certificate used to publish this application, you may need to request a new certificate.

To request a certificate for the published application from an internal certification authority

  1. On the Web Application Proxy server, open an MMC console: On the Start screen, click the Apps arrow. On the Apps screen, type mmc.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. In the Console window, on the File menu, click Add/Remove Snap-in.

  3. On the Add or Remove Snap-ins dialog, double-click Certificates.

  4. On the Certificates snap-in dialog, click Computer account, and then click Next.

  5. On the Select Computer dialog, click Local computer, click Finish, and then click OK.

  6. In the Console window, open Certificates/Personal/Certificates.

  7. Right-click in the details pane, click All Tasks, and then click Request New Certificate.

  8. On the Certificate Enrollment dialog, click Next twice.

  9. On the Request Certificates page, select the certificate template that has been configured for website authentication, and click More information is required to enroll for this certificate.

  10. On the Certificate Properties dialog, on the Subject tab, in Subject name, in the Type list, click Common name, and in the Value box, enter a value for this certificate that covers the application that you are attempting to publish, click Add, click OK, and then click Enroll.

  11. After successfully enrolling for this certificate, click Finish.

After requesting a new certificate for this application, you can attempt to republish the application.

To publish an application

  1. In the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

  2. On the Publish New Application Wizard, on the Welcome page, click Next.

  3. On the Preauthentication page, select the required preauthentication, and then click Next.

  4. If you selected Active Directory Federation Services (AD FS), on the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

  5. On the Publishing Settings page, do the following, and then click Next:

    • In the Name box, enter a friendly name for the application.

    • In the External URL box, enter the external URL for this application; for example, https://apps.contoso.com/.

    • In the External certificate list, select the certificate whose subject covers the external URL.

      Note

      This is the certificate that you previously requested.

    • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://apps/.

    • In the Backend server SPN box, enter the service principal name for the backend server; for example, HTTP/apps.contoso.com.

  6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command set up additional published applications.

  7. On the Results page, make sure that the application published successfully, and then click Close.