Cannot Reach Specific URL hosted behind web application proxy server

liam 1 Reputation point
2021-08-19T07:16:57.513+00:00

I am trying to set up ADFS authentication for a website (https://applicationname.com/) currently working in passthrough using a web application proxy server.

The ADFS site itself is currently published on the WAP in passthrough mode but when I attempt to load https://adfs.domainname.com/adfs/ls/ from an external PC I get an ERR_CONNECTION_CLOSED error in the browser.

Loading https://adfs.domainname.com/adfs/ls/ from a PC within my corp network, or from the WAP itself works perfectly fine.

When I try loading https://applicationname.com/ from a PC external to my corporate network, the request hits the WAP which then redirects the browser session to https://adfs.domainname.com/adfs/ls/ for authentication and again produces an ERR_CONNECTION_CLOSED error.

I have multiple other applications in passthrough mode on the WAP, all of which are still working.

Checking my firewall logs shows that external traffic to https://adfs.domainname.com/adfs/ls/ is being passed through to the WAP, which is in a DMZ; however, it is never passed back to the firewall to be transferred to the CORP network, and there is no deny entry in the logs indicating it has hit the firewall again at all. For the working published sites, and when loading https://adfs.domainname.com/adfs/ls/ locally on the WAP, I can see the 443 request hitting the firewall and being moved from the DMZ to the CORP network.

I have also noticed when trying to load https://adfs.domainname.com/adfs/ls/ nothing shows up in the web application proxy session log in event viewer at all. When loading the working applications, several events show up for each request.

My first thought was an issue with the Windows Firewall on the WAP server, but disabling the FW entirely shows the same results.

I tried deleting and re-publishing the adfs application and got the following error:

Web Application Proxy could not bind the SSL server certificate.
Error: Cannot create a file when that file already exists.
(0x800700b7)
All other configuration settings were applied.

Details:
Certificate thumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXX
Host name: adfs.domainname.com

Is this something to do with the published ADFS application and the ADFS farm sharing the same FQDN? My understanding was that publishing the application under another domain name will cause issues with ADFS.

Active Directory Federation Services

1 answer

  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2021-08-19T20:38:43.29+00:00

    The ADFS site itself is currently published on the WAP.

    This isn't necessary (and quite frankly, might even break things, I never try to do it myself). The WAP IS an ADFS proxy out of the box. You don't need to publish the ADFS URLs with it.

    The ERR_CONNECTION_CLOSED is often seen in case of TLS SNI misconfiguration. Is the certificate you use for app publication containing the right subject name and/or SAN?

    The WAP logs will just show the errors. There are no logs in the WAP when it returns an HTTP 200. You will see the logs on the ADFS server that deal with the request though, as long as you have the verbose logging enabled (and that is VERY verbose, as you even see the WAP getting its configuration all the time).

    Maybe you can start by removing the ADFS publication and then share with us the application's publication configuration.
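The checks the answer suggests (is the federation FQDN also published as an app, and does the certificate bound for that host name actually cover it in its subject or SAN) can be scripted on the WAP server. The following is an added example, not code from the original post or from Microsoft; it assumes the WebApplicationProxy PowerShell module is present on the WAP, that `Get-WebApplicationProxySslCertificate` returns the host/port/thumbprint bindings WAP manages, and that `adfs.domainname.com` stands in for your real federation service name.

```powershell
# Added example (not from the original post): audit a WAP server for a
# publication that collides with the built-in ADFS proxy endpoint and for a
# certificate whose subject/SAN does not cover the bound host name.
# Run in an elevated PowerShell session on the WAP. Assumed placeholder:
$AdfsHost = 'adfs.domainname.com'

Import-Module WebApplicationProxy

# Does a DNS name from a certificate cover the requested host name?
# Handles exact matches and single-label wildcards (*.domainname.com).
function Test-NameCovers {
    param([string]$CertName, [string]$Host)
    if ($CertName -eq $Host) { return $true }
    if ($CertName -like '*.*' -and $CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                 # ".domainname.com"
        $label  = $Host.Substring(0, $Host.Length - $suffix.Length)
        return $Host.EndsWith($suffix) -and $label -notmatch '\.' -and $label.Length -gt 0
    }
    return $false
}

# Collect the DNS names a certificate asserts: CN plus every SAN dNSName.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names | Select-Object -Unique
}

# 1. The WAP is already an ADFS proxy, so a published application whose
#    external URL reuses the federation FQDN duplicates that binding.
$collisions = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalUrl -like "https://$AdfsHost/*" }
if ($collisions) {
    Write-Warning "Published applications colliding with the ADFS endpoint $AdfsHost:"
    $collisions | Format-Table Name, ExternalUrl, ExternalCertificateThumbprint -AutoSize
    # Once you have decided it is safe, the removal is:
    # $collisions | ForEach-Object { Remove-WebApplicationProxyApplication -Name $_.Name }
} else {
    Write-Host "No published application reuses $AdfsHost (good)."
}

# 2. For every SSL binding WAP manages, confirm the certificate exists in the
#    machine store and that its names cover the bound host name. A mismatch
#    here is the classic cause of ERR_CONNECTION_CLOSED under SNI.
foreach ($b in Get-WebApplicationProxySslCertificate) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $b.CertificateHash }
    if (-not $cert) {
        Write-Warning "$($b.HostName):$($b.PortNumber) -> $($b.CertificateHash) is not in LocalMachine\My"
        continue
    }
    $names   = Get-CertDnsNames -Cert $cert
    $covered = $names | Where-Object { Test-NameCovers -CertName $_ -Host $b.HostName }
    if ($covered) {
        Write-Host "$($b.HostName):$($b.PortNumber) -> $($cert.Thumbprint) covers host via '$($covered | Select-Object -First 1)'"
    } else {
        Write-Warning "$($b.HostName):$($b.PortNumber) -> $($cert.Thumbprint) does NOT name the host; names present: $($names -join ', ')"
    }
}

# 3. Show the HTTP.sys bindings for the host name. The 'file already exists'
#    (0x800700b7) error on publish means WAP tried to add a second binding for
#    a hostname:port that is already registered here.
netsh http show sslcert | Select-String -Pattern $AdfsHost -Context 0,6
```

The two warnings that matter are a published application whose ExternalUrl starts with the federation FQDN (remove it, as the answer advises, since the proxy role already serves that name) and a binding whose certificate lists neither the host name nor a matching wildcard; in that case re-issue or re-select the certificate before republishing anything.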