https URL in Application Proxy - error "Connection to the backend server failed" Error 0x80072f00

Drew Tilley 21 Reputation points
2020-07-21T10:15:59.723+00:00

We are using Intapp Time via Azure Application Proxy currently. There's a mobile app that uses the external URL from App proxy to communicate with an internal http webserver address. This has been working fine.

We're switching the webserver to TLS 1.2 https though. I've confirmed the certificates are working fine both in a browser, and the internal desktop application works fine with this.

When I change the application proxy to the https address (literally the same address, just adding the "s") the mobile application now fails with a generic 502 Bad Gateway.

To confirm this is application proxy, I set up a VPN on the mobile in to our environment and got it to connect directly to the https web server address and this worked fine, but I can't use this as a workaround as we must use Azure Application Proxy for our users.

The only clue I have found on the internal Azure proxy connector server is it has a warning message whenever I try to run the mobile app over https, this warning doesn't show when using http (external URL changed for security reasons):

Connection to the backend server failed. Error: (0x80072f00).

Details:
Transaction ID: {29f3e2bd-7af0-4528-bf7b-6d0cb8110cce}
Session ID: {29f3e2bd-7af0-4528-bf7b-6d0cb8110cce}
Published Application Name:
Published Application ID:
Published Application External URL: https://MyExternalURL.msappproxy.net/
Published Backend URL: https://InternalServer.testdomain.local/
User: <Unknown>
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; IN2023 Build/QKQ1.191222.002)
Device ID: <Not Applicable>
Token State: NotFound
Cookie State: NotFound
Client Request URL: https://MyExternalURL.msappproxy.net/mobile/Register
Backend Request URL: https://InternalServer.testdomain.local/mobile/Register
Preauthentication Flow: PassThrough
Backend Server Authentication Mode: PassThrough
State Machine State: BEHeadersReading
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: POST
Client Request Http Verb: POST

https://InternalServer.testdomain.local/mobile/Register is some kind of api call to the web server; looking in the Intapp Time webserver internally, it is successfully registering the device, and I can't see any errors on the webserver. I've engaged their engineers for support but the only clue seems to be the connector servers where we still get that above warning message, and on the mobile app with its generic 502 error.

I can successfully browse the https://MyExternalURL.msappproxy.net/mobile/ URL from the smartphone's browser so clearly some of the app proxy is working, but this looks like maybe an internal communication problem.

I've tried disabling Windows Firewall, I've tried session logging on app proxy, I've tried the systems diagnostics change to the app proxy config file. I can't find any other useful messages being logged.

All suggestions welcome on this one.

Microsoft Entra ID

Accepted answer
  1. Saurabh Sharma 23,776 Reputation points Microsoft Employee
    2020-07-22T19:39:01.773+00:00

    @DrewTilley-6470 Have you installed the connector on Windows Server 2019? If yes, then you need to disable HTTP2 protocol support in the WinHttp component for Kerberos Constrained Delegation as mentioned in the document. Can you also try to check the connector traces to see if you get more details?
    You can find those at C:\ProgramData\Microsoft\Microsoft AAD Application Proxy Connector\Trace
    Refer to the troubleshooting document to further validate your environment. You may need to open a support case to investigate this issue in your environment. Please let me know if you need any help creating a support case, if required.


1 additional answer

  1. nicholas.bickhart@outlook.com 5 Reputation points
    2023-06-24T12:58:00.4433333+00:00

    I'm also having a similar problem on Windows Server 2022. I can deliver certificates using my normal internal URL. I installed the app proxy and can hit the external URL just fine, but when I try to deliver a certificate using the app proxy URL, I get a "Connection to the backend server failed. Error (0x80072f00)." It seems to be related to the https://appproxyurl/certsrv/mscep/mscep.dll?operation=PKIOperation.

    I've navigated to C:\ProgramData\Microsoft\Microsoft AAD Application Proxy Connector\Trace, however, the file is empty. I also have HTTPS2 disabled on my NDES server.

    It was HTTP2. I thought I had it disabled, but I didn't. Navigate to your IIS settings>Sites>Default Web Site>Binding (On the right hand side of the screen)>Https>Click Edit>Disable HTTP/2

    1 person found this answer helpful.
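Both answers come down to the same fix: stop HTTP/2 from being negotiated between the connector and the backend. The script below is an added example (not from either answer and not Microsoft's tooling) that audits, and with -Apply sets, the two places that control this: the documented WinHttp value EnableDefaultHTTP2 on the connector host, and the http.sys values EnableHttp2Tls/EnableHttp2Cleartext on the IIS backend, which is the registry equivalent of the "Disable HTTP/2" binding checkbox. Run it elevated; the registry paths and the service display name are assumptions you should check against the current connector documentation.

```powershell
# Added example: audit/disable HTTP/2 on an App Proxy connector host or on the IIS backend.
# Without -Apply it only reports the current state. Assumed registry locations:
#   Connector (WinHttp client): HKLM\...\Internet Settings\WinHttp  EnableDefaultHTTP2 = 0
#   Backend   (http.sys server): HKLM\SYSTEM\...\Services\HTTP\Parameters  EnableHttp2Tls = 0, EnableHttp2Cleartext = 0
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('Connector', 'Backend')]
    [string]$Role = 'Connector',
    [switch]$Apply
)

$settings = @{
    Connector = @{
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
        Values  = @{ EnableDefaultHTTP2 = 0 }
        Restart = 'Restart the connector service (display name: Microsoft AAD Application Proxy Connector).'
    }
    Backend = @{
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
        Values  = @{ EnableHttp2Tls = 0; EnableHttp2Cleartext = 0 }
        Restart = 'Restart the HTTP service (net stop http /y; net start http) or reboot the server.'
    }
}

$cfg = $settings[$Role]
if (-not (Test-Path $cfg.Path)) { New-Item -Path $cfg.Path -Force | Out-Null }

foreach ($name in @($cfg.Values.Keys)) {
    $want    = $cfg.Values[$name]
    $current = (Get-ItemProperty -Path $cfg.Path -Name $name -ErrorAction SilentlyContinue).$name
    $state   = if ($null -eq $current) { 'not set (OS default: HTTP/2 enabled)' } else { "set to $current" }
    Write-Host ('{0}\{1}: {2}' -f $cfg.Path, $name, $state)

    # Only write when the value differs; -WhatIf shows the change without making it.
    if ($Apply -and $current -ne $want -and
        $PSCmdlet.ShouldProcess("$($cfg.Path)\$name", "set DWORD to $want")) {
        Set-ItemProperty -Path $cfg.Path -Name $name -Value $want -Type DWord
        Write-Host "  -> set to $want"
    }
}

if ($Apply) { Write-Host $cfg.Restart }
```

Run it first with -Role Connector on every connector host, then with -Role Backend on the web server; the connector event above shows the failure at State Machine State: BEHeadersReading, i.e. after the request reached the backend, which is consistent with a protocol-level mismatch rather than a certificate or firewall problem.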