ADFS Web App Proxy Not Allowing External and Backend URLs to Differ

Jamie Dewitz 21 Reputation points
2022-03-23T17:26:29.65+00:00

I am trying to publish a web application on a 2019 Datacenter server using ADFS Web Application Proxy, the older version, not the Azure version. We are replacing an old TMG setup with ADFS Web Application Proxy, that is, trying to.

When I read the documentation here, https://learn.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication it seemed to me that I could use the following configuration and the website would work:

External URL: https://app.domain.com/website/
Backend Server URL: https://appserver.domain.com/website/

I ran the PowerShell script to enable URL translation

Set-WebApplicationProxyApplication -ID appID -DisableTranslateUrlInRequestHeaders:$false

but the site still doesn't run. I can get to the site using the Backend Server URL, no problem, but I can't get to it using the External URL. I did publish the web application using the same backend server URL and external URL and that works as expected, but I need to change the external URL so it's not showing the server name.

All I know is that I set it up exactly as the document told me to, and it doesn't work - Chrome says
This site can't be reached. DNS_PROBE_FINISHED_NXDOMAIN

Are there other steps I need to take within ADFS to allow the reverse proxy functionality of the URLs to work? I just have a basic relying party trust set up for the websites, nothing complicated. Can someone help me figure out what I'm doing wrong?


Accepted answer
  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2022-03-24T19:41:53.713+00:00

    This error is also likely due to a DNS issue. You are asking ADFS directly for a token for the WAP whereas this request should also be coming from the WAP.

    When accessing an application with pre-auth through WAP, you need to make sure that from the client's perspective:

    • the FQDN of the app is pointing to the WAP IP address (or load balancer in the front of it) (seems to be ok now)

    AND

    • the FQDN of the ADFS farm is also pointing to the WAP IP address (or load balancer in the front of it)

    You cannot access an application published through WAP internally using ADFS pre-authentication if you don't also use WAP for the ADFS proxy part. So it is important to set your split brain DNS correctly. Not sure if I am clear... Let me know if that makes any sense :)


1 additional answer

  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2022-03-23T20:09:41.553+00:00

    That works for me as long as the paths are identical. Maybe it is indeed a DNS failure? Maybe your test client doesn't know about that published name because it is not in the DNS that it is using?

    The UPN message is irrelevant to this configuration. It is only for device registration using ADFS (which isn't really a thing anymore).
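Added example for this thread (not Microsoft's code, not posted by either participant) that turns the two answers into checks: from the client, both the app FQDN and the ADFS farm FQDN must resolve to the WAP (accepted answer), and on the WAP the published external and backend paths must be identical (second answer). The ADFS farm FQDN, WAP address and publish name below are placeholders, not values from the thread.

```powershell
# Added example for this thread (not Microsoft's code). Placeholders below stand in
# for the asker's real ADFS farm name, WAP/VIP address and WAP publish name.
$ExternalUrl = 'https://app.domain.com/website/'   # external URL from the question
$AdfsFqdn    = 'adfs.domain.com'                   # assumed ADFS farm FQDN
$WapAddress  = '203.0.113.10'                      # placeholder WAP or load balancer IP

function Test-WapFrontDoorDns {
    # Accepted answer: from the client, BOTH the app FQDN and the ADFS farm FQDN
    # must resolve to the WAP (or the load balancer in front of it).
    param(
        [Parameter(Mandatory)][string]$AppFqdn,
        [Parameter(Mandatory)][string]$FederationFqdn,
        [Parameter(Mandatory)][string]$ExpectedAddress
    )
    foreach ($fqdn in @($AppFqdn, $FederationFqdn)) {
        try {
            # NXDOMAIN (Chrome's DNS_PROBE_FINISHED_NXDOMAIN) raises here
            $records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Name = $fqdn; Resolved = ''; PointsAtWap = $false
                               Note = "lookup failed: $($_.Exception.Message)" }
            continue
        }
        $addresses = @($records | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        $ok = $addresses -contains $ExpectedAddress
        [pscustomobject]@{
            Name        = $fqdn
            Resolved    = ($addresses -join ', ')
            PointsAtWap = $ok
            Note        = $(if ($ok) { 'routes through WAP' } else { 'bypasses WAP: fix split-brain DNS' })
        }
    }
}

# Run from the client that showed the NXDOMAIN error:
$appHost = ([uri]$ExternalUrl).Host
Test-WapFrontDoorDns -AppFqdn $appHost -FederationFqdn $AdfsFqdn -ExpectedAddress $WapAddress |
    Format-Table -AutoSize

# Run on the WAP server: the second answer notes translation works when the
# external and backend paths are identical, so compare the published URLs' paths.
$app = Get-WebApplicationProxyApplication -Name 'website'   # assumed publish name
$extPath  = ([uri]$app.ExternalUrl).AbsolutePath
$backPath = ([uri]$app.BackendServerUrl).AbsolutePath
if ($extPath -ne $backPath) {
    Write-Warning "Path mismatch: external '$extPath' vs backend '$backPath'"
}
```

A row with PointsAtWap = False for either name means the client reaches ADFS or the app without going through WAP, which is the split-brain DNS case the accepted answer describes.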

