Unable to publish Win2019 web app on an established WAP / ADFS farm. Backend server refusing connection.
Hi,
We have a WAP / AD FS on-premise farm running on Win2016 with a number of published applications. It was setup sometime 2017 / 2018 and running fine until now. We have a mix of pass-through, claims aware and non-claims aware application.
We are currently upgrading one of the on-premise ASP.Net application from a Window Server 2008 R2 to Windows Server 2019. The web app is hosted on-premise and is non-claims aware, ASP.Net Forms application using Windows (Integrated) Authentication. I believe the configration is identical but I've got a problem witht Win2019 deployed app that I don't have with the Win2008R2 deployed app.
We connect using the same URL regardless of being on the internal network or not. And the Win2008R2 is accessed both externally and internally. The Win2019 deployed works fine when the user is on the internal network, but can't access externally, (i.e. going through WAP). When connecting externally to the Win2019 deployed web app, we go through the ADFS signin page, but once authenticated, WAP presents user with a 500 error (using Edge) for the Win2019 server application.
On the Win2019 web server, at the moment of signin, I get nothing in the IIS log file, but I get Audit Failure (times 3), event ID 4625 in the Security Event log. Events show a "NULL SID" and Login ID 0x0. "An Error occured during Logon". Status 0xC000035B. The IP address matches one of the WAP servers. I've turned on Kerberos logging, but nothing on this server.
On the WAP server in the WAP event log, in sequence
- Information: Web Application Proxy received an HTTP request with a valid edge token.
- Information: Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.
- Warning: Web Application Proxy cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error
- Error: Web Application Proxy exceeded the maximum number of permitted Kerberos authentication attempts to the backend server.
- Error: Web Application Proxy encountered an unexpected error while processing the request. Error: The access code is invalid. (0x8007000c)
Turning on Kerberos logging, at the same instant I get a 0x19 KDC_ERR_PREAUTH_REQUIRED error.
I'll put the full setup below, but any thought on what the problem is would be most appriciated.
Thanks in advance.
Setup is as follows:
- 2 WAP servers and 2 ADFS servers, all on Win2016
- WAP servers are in a DMZ.
- Firewall rule on the internal firewall open on port 443 between WAP and both web servers, that I will call oldSrv.myDomain.local and newSrv.myDomain.local.
- ordSrv.myDomain.local has an internal DNS entry of webapp_prd.myDomain.co.uk
- newSrv.myDomain.local has an internal DNS entry of webapp_uat.myDomain.co.uk
- External DNS entry for both webapp_prd.myDomain.co.uk and webapp_uat.myDomain.co.uk point to the IP address used by WAP (load balanced with NLB)
- Same ASP.Net Forms web application deployed to both web servers. Applications set to use Windows Authentication
- Application pools on both web servers running under same domain account myDomain\theAppPoolUser
- Have run SETSPN to register the following SPNs to myDomain\theAppPoolUser and checked for duplicates
- HTTP/oldSrv.myDomain.local
- HTTP/oldSrv.myDomain
- HTTP/newSrv.myDomain.local
- HTTP/newSrv.myDomain
- Wildcard SSL certificate (with provate key) on WAP and web servers, for *.myDomain.co.uk
- In ADFS, have setup both Relying Party Trusts as non-claims aware
- In WAP, have setup both published application in same manner, but "new" and "old" as appropriate. i.e. the "old" config as
- External URL - https://webapp_prd.myDomain.co.uk
- Backend server URL https://webapp_prd.myDomain.co.uk
- Backend server SPN http/oldSrv.myDomain.co.uk
- Enable HTTP to HTTPS redirection is On
- Set to use *.myDomain.co.uk certificate
- Web Servers running IIS,
- SSL certificate bound to port 443 and no host name specified in binding
- Anonymous Authentication disabled on root and application folder
- Windows Authentication enabled on root and application folders
- Extended Protection Off
- Kernal-mode authentication Enabled
- Provider is Negotiate only
- Application Pool running v4.0 .Net, and Integrated mode
- Load User Profile is False