Cannot Reach Specific URL hosted behind web application proxy server

liam 1 Reputation point
2021-08-19T07:16:57.513+00:00

I am trying to setup ADFS authentication for a website(https://applicationname.com/) currently working in passthrough using a web application proxy server.

The ADFS site itself is currently published on the WAP in passthrough mode but when I attempt to load https://adfs.domainname.com/adfs/ls/ from an external PC I get an ERR_CONNECTION_CLOSED error in the browser.

Loading https://adfs.domainname.com/adfs/ls/ from a PC within my corp network, or from the WAP itself works perfectly fine.

When I try loading https://applicationname.com/ from a PC external to my corporate network, the request hits the WAP which then redirects the browser session to https://adfs.domainname.com/adfs/ls/ for authentication and again produces an ERR_CONNECTION_CLOSED error.

I have multiple other applications in passthrough mode on the WAP, all of which are still working.

Checking my Firewall logs shows that external traffic to https://adfs.domainname.com/adfs/ls/ is being passed through to the WAP which is in a DMZ however I it is never passed back to the firewall to be transferred to the CORP network, there is no deny entry in the logs indicating it has hit the firewall again at all. For the working published sites and when loading https://adfs.domainname.com/adfs/ls/ locally on the WAP, I can see the 443 request hitting the firewall and being moved from the DMZ to the CORP network.

I have also noticed when trying to load https://adfs.domainname.com/adfs/ls/ nothing shows up in the web application proxy session log in event viewer at all. When loading the working applications, several events show up for each request.

My first thought was an issue with the Windows Firewall on the WP server, but disabling the FW entirely shows the same results.

I tried deleting and re-publishing the adfs application and got the following error:

Web Application Proxy could not bind the SSL server certificate.
Error: Cannot create a file when that file already exists.
(0x800700b7)
All other configuration settings were applied.

Details:
Certificate thumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXX
Host name: adfs.domainname.com

Is this something to do with the published adfs application and the adfs farm sharing the same FQDN? My understanding was that publishing the application under another domainname will caused issues with ADFS.

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,209 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-08-19T20:38:43.29+00:00

    The ADFS site itself is currently published on the WAP.

    This isn't necessary (and quite frankly, might even break things, I never try to do it myself). The WAP IS an ADFS proxy out of the box. You don't need to publish the ADFS URLs with it.

    The ERR_CONNECTION_CLOSED is often seen in case of TLS SNI misconfiguration. Is the certificate you use for app publication containing the right subject name and/or SAN?

    The WAP logs will just show the errors. There are no logs in the WAP when it returns an HTTP 200. You will see the logs on the ADFS server that deal with the request though as long as you have the verbose loggin enabled (and that is VERY verbose as you even see the WAP getting its configuration all the time).

    Maybe you can strat by remoinv the ADFS publication and then share with us the application's publication configuration.