Web Application Proxy: Could not perform Integrated Windows authentication to the backend servers

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Web Application Proxy Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012 R2


Web Application Proxy






The backend server rejected the Kerberos ticket that was presented by Web Application Proxy.


The backend server was not able to authenticate users.


Check the Windows event log for event 12008 to identify the application. Check the Kerberos configuration on the domain controller and backend server for each application. This might also occur if the Web Application Proxy server time is not synchronized with the domain controller or the backend server.

Additional resolution content is required; provide (1) an introductory paragraph and (2) step-by-step procedures for each task in the best practice configuration. Each resolution should be complete and self-contained. The user should be able to implement the BP without having to go to another page, unless the implementation steps are long and complicated (e.g., Exchange disaster recovery steps). If you do have to take the customer to another topic, this topic should contain a high-level overview of those particular resolution steps.

Credential statement, if necessary.

To <perform a configuration task>

  1. Perform step 1.

  2. Perform step 2.

Use explanatory text between procedures as necessary.

To <perform another configuration task>

  1. Perform step 1.

  2. Perform step 2.

Additional references

Brief supporting information. If there are no additional resources, delete this heading.