Web Application Proxy 2025 strange behavior

Richard Mlynka 0 Reputation points
2025-10-23T13:42:38.72+00:00

Hi,

I added an ADFS 2025 server and a WAP 2025 server to an ADFS 2022 farm.

I added the existing SPNs to the WAP 2025 Delegation tab.

Apps published without PreAuth work.

Apps published with PreAuth throw a 500, and the event log logs errors 13019 and 12027 on WAP 2025 (access to apps through WAP 2022 works fine).
But if I access apps with PreAuth through WAP 2025 with an admin account, then it works (other user accounts do not work).

I checked probably everything multiple times.

What am I missing?

Thank you,

Richard

Microsoft Security | Microsoft Entra | Other

2 answers

  1. Richard Mlynka 0 Reputation points
    2025-11-08T17:22:39.51+00:00

    It's 2025.

    But adding the WAP server computer account to the "Pre-Windows 2000 Compatible Access" group still helps to resolve ADFS -> WAP Kerberos communication. Don't forget to reboot the WAP server.

    Without this you get a misleading error:
    Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The user name or password is incorrect.

    HTH


  2. Richard Mlynka 0 Reputation points
    2025-10-23T17:33:01.35+00:00

    Klist sessions on the ADFS server shows a session for the user trying to access the PreAuth app.

    Klist sessions on the WAP 2025 server does not show a session for the user trying to access the PreAuth app. The Security event log shows event 4625 0xC0000064, caller process AppProxy.exe.

    It looks like communication between the ADFS server and WAP 2025 is somehow broken for most user accounts (2 user accounts with admin privileges have no problem).

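The two answers above can be checked together with the following PowerShell script, which is an added example and not part of the original posts. It assumes the RSAT ActiveDirectory module, remote read access to the WAP server's event logs, and that WAP writes its errors to the `Microsoft-Windows-WebApplicationProxy/Admin` channel; `$WapServer` and `$HoursBack` are placeholder parameters.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module and rights to read the
# WAP server's event logs remotely; $WapServer is a placeholder computer name.
param(
    [Parameter(Mandatory)] [string] $WapServer,
    [int] $HoursBack = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$HoursBack)

# 1. Direct membership of the WAP computer account in
#    BUILTIN\Pre-Windows 2000 Compatible Access (well-known SID S-1-5-32-554).
$wap      = Get-ADComputer -Identity $WapServer
$group    = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
$isMember = $group.member -contains $wap.DistinguishedName

# 2. WAP errors named in the question (13019, 12027).
#    The channel name is an assumption about where WAP logs its admin events.
$wapEvents = @(Get-WinEvent -ComputerName $WapServer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-WebApplicationProxy/Admin'
    Id = 13019, 12027; StartTime = $since })

# 3. Failed logons (4625) with status 0xC0000064 whose caller process is AppProxy.exe.
$failedLogons = @(Get-WinEvent -ComputerName $WapServer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since } |
  ForEach-Object {
    $evt = $_
    $d = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if (($d.Status -eq '0xc0000064' -or $d.SubStatus -eq '0xc0000064') -and
        $d.ProcessName -like '*\AppProxy.exe') {
        [pscustomobject]@{ Time = $evt.TimeCreated; User = $d.TargetUserName; Process = $d.ProcessName }
    }
  })

# Summary: group membership next to the symptom counts for the chosen window.
[pscustomobject]@{
    WapServer            = $WapServer
    InPreWin2000Group    = $isMember
    WapErrors            = $wapEvents.Count
    AppProxyFailedLogons = $failedLogons.Count
    AffectedUsers        = ($failedLogons.User | Sort-Object -Unique) -join ', '
}
```

The first answer calls for a reboot of the WAP server after the group change, so compare counts for a window that starts after that reboot. Membership in this built-in group grants read access to user and group objects across the domain, so record the change and keep the group's membership under review.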
