Setting up Legacy Web Service behind WAP & ADFS

Kelly Sparks 121 Reputation points
2021-08-16T16:59:56.033+00:00

I have an internal legacy app (not SAML/OAuth2 aware) that I would like to verify with an ADFS login.

I have WAP: Internet DNS: https://fs.domain.com, and I have https://myapp.domain.com if needed, pointing to the WAP public IP: 55.55.55.55
I have ADFS: Internal DNS: fs.domain.com pointing to the internal ADFS: 10.7.1.5, and myapp.domain.com pointing to 10.7.1.6

Note: This setup is working fine with O365 federated to ADFS.

Now I want to add a legacy application: Internal DNS: myapp.domain.com/app on 10.7.1.6
I would like external users to have to be authenticated via ADFS in order to get to myapp.domain.com

Can WAP proxy this/do this?
When I publish a new app I have these options:

  1. Active Directory Federation Services (AD FS)
  2. Pass-through

I choose ADFS, then I have these options:
a) Web and MSOFBA
b) HTTP Basic
c) OAuth2

I'm sure c) OAuth2 is not what I want, and b) HTTP Basic didn't provide me with the ADFS login page, so I have tried to set up Web and MSOFBA, but I must be missing something.

I have ADFS set up with a filter: https://myapp.domain.com, which seems to work. (Although the option to add a proxy endpoint was greyed out.)
On WAP I have:
External URL: https://myapp.domain.com/myapp/
External Cert: *.domain.com (CA Cert that works fine.)
Enable HTTP to HTTPs redirection unchecked.
Backend server URL: https://myapp.domain.com/myapp/ (I also tried making this URL a different name, e.g. myapp_internal.domain.com, but that didn't seem to work. The proxy seemed to just ignore it.)
Backend server SPN: HTTP/myapp.domain.com (But I haven't actually created this. Not sure I need to, but the widget would not let me proceed without it. The backend application is a legacy web service and has no knowledge of AD credentials.)

I'm open to any suggestions... Honestly, this shouldn't be this hard, but there are lots of options and the documentation on this type of setup is rather non-existent... unless, of course, I'm attempting to do something that WAP was never intended to do.

Note: This setup is entirely on-premises and not in Azure.

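The publishing steps described in the post, as an added PowerShell example that is not part of the original post. It assumes the computer account names WAP01 (the proxy) and APP01 (the backend IIS host), a placeholder certificate thumbprint, the relying party name "myapp", and the Windows Server 2016 parameter names (on 2012 R2 the pre-authentication value is plain ADFS). It shows the three pieces the WAP wizard hides: the non-claims-aware relying party trust on AD FS, the SPN registration and Kerberos constrained delegation in AD, and the WAP publishing cmdlet, followed by a read-back check. One caveat worth stating up front: with AD FS pre-authentication and a backend SPN, WAP signs the user in at AD FS and then authenticates to the backend with a Kerberos ticket obtained by constrained delegation, so this path only works when the backend accepts Windows Integrated authentication.

```powershell
# Added example (not from the original post): PowerShell equivalent of publishing
# a non-claims-aware app through WAP with AD FS pre-authentication (Web and MSOFBA).
# Host names, account names and the thumbprint below are assumptions for illustration.

$AppName     = 'myapp'                                      # assumed relying party / application name
$ExternalUrl = 'https://myapp.domain.com/myapp/'            # external URL from the post
$BackendUrl  = 'https://myapp.domain.com/myapp/'            # backend URL from the post
$BackendSpn  = 'HTTP/myapp.domain.com'                      # backend SPN from the post
$WapComputer = 'WAP01'                                      # assumed WAP computer account
$AppServer   = 'APP01'                                      # assumed backend server computer account
$CertThumb   = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder thumbprint of *.domain.com

# --- 1. On the AD FS server: non-claims-aware relying party trust ---------------
# This is the "filter" object from the post. The identifier is the URL prefix the
# proxied app is reached at; the authorization rule permits every authenticated user
# (tighten it with a group-based rule once the flow works).
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $AppName `
    -Identifier 'https://myapp.domain.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- 2. In Active Directory (domain admin): SPN and constrained delegation ------
# The SPN must exist on the account the backend IIS app pool runs as (here the
# server's computer account). The WAP computer account is then allowed to delegate
# to that SPN using any authentication protocol (protocol transition), which is
# what lets WAP turn an AD FS logon into a Kerberos ticket for the backend.
setspn -S $BackendSpn $AppServer
Set-ADComputer -Identity $WapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
Set-ADAccountControl -Identity "$WapComputer`$" -TrustedToAuthForDelegation $true

# --- 3. On the WAP server: publish the application ------------------------------
# ADFSforBrowsersAndOffice is the "Web and MSOFBA" wizard option on Server 2016+;
# on Server 2012 R2 use -ExternalPreauthentication ADFS instead.
Add-WebApplicationProxyApplication -Name $AppName `
    -ExternalPreauthentication ADFSforBrowsersAndOffice `
    -ADFSRelyingPartyName $AppName `
    -ExternalUrl $ExternalUrl `
    -ExternalCertificateThumbprint $CertThumb `
    -BackendServerUrl $BackendUrl `
    -BackendServerAuthenticationSpn $BackendSpn

# --- 4. Read back what was configured -------------------------------------------
Get-WebApplicationProxyApplication -Name $AppName |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
                ADFSRelyingPartyName, BackendServerAuthenticationSpn
Get-ADComputer -Identity $WapComputer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Format-List Name, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
```

Run step 1 on an AD FS server, step 2 from a domain-joined host with the ActiveDirectory module as a domain admin, and steps 3 and 4 on the WAP server. If the backend returns a 401 or a generic error after a successful AD FS sign-in, the delegation in step 2 or the backend's acceptance of Kerberos is the first thing to check; a backend that does not do Windows Integrated authentication cannot consume the ticket WAP presents.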