Share via


Web Application Proxy Troubleshooting

 

This content is relevant for the on-premises version of Web Application Proxy. To enable secure access to on-premises applications over the cloud, see the Azure AD Application Proxy content.

This section provides troubleshooting procedures for Web Application Proxy including event explanations and solutions. There are three places where errors are displayed:

  • In the Web Application Proxy administrator console

    Each event ID listed in the administrator console can be viewed in the Windows Event Viewer and corresponding descriptions and solutions are found below.

  • In PowerShell errors

    All errors are presented to the PowerShell user using standard PowerShell error prompts. All PowerShell commands are logged as events. All events that occur in PowerShell are listed in the Windows Event Viewer with the ID number 12016, and are defined below in the PowerShell section.

  • In the Best Practices Analyzer

    These events are described in the Best Practices Analyzer for Web Application Proxy

PowerShell Messages

Event or symptom Possible cause Resolution
The trust certificate ("ADFS ProxyTrust - <WAP machine name>") is not valid This could be caused by any of the following:

- The Application Proxy machine was down for too long.
- Disconnections between the Web Application Proxy and AD FS
- Certificate infrastructure issues
- Changes on the AD FS machine, or the renew process between the Web Application Proxy and the AD FS did not run as planned every 8 hours, then they need to renew trust
- The clock of the Web Application Proxy machine and the AD FS are not synchronized.
Make sure the clocks are synchronized. Run the Install-WebApplicationProxy cmdlet.
Configuration data was not found in AD FS This may be because Web Application Proxy was not fully installed yet or because of changes in the AD FS database or corruption of the database. Run the Install-WebApplicationProxy Cmdlet
An error occurred when Web Application Proxy tried to read configuration from AD FS. This may indicate that AD FS is not reachable, or that AD FS encountered an internal problem trying to read configuration from the AD FS database. Verify that AD FS is reachable and working properly.
The configuration data stored in AD FS is corrupted or Web Application Proxy was unable to parse it.

OR

 Web Application Proxywas unable to retrieve the list of Relying Parties from AD FS.
This may occur if the configuration data was modified in AD FS. Restart the Web Application Proxyservice. If the problem persists, run the Install-WebApplicationProxy Cmdlet.

Administrator Console Events

The following administrator console events are generally indicative of authentication errors, invalid tokes or expired cookies.

Event or symptom Possible cause Resolution
11005

 Web Application Proxy could not create the cookie encryption key using the secret from the configuration.
The global configuration "AccessCookiesEncryptionKey" parameter was changed by the PowerShell command: Set-WebApplicationProxyConfiguration -RegenerateAccessCookiesEncryptionKey No actions is required. The problematic cookie was removed and the user was redirected to STS for authentication.
12000

 Web Application Proxy could not check for configuration changes for at least 60 minutes
Web Application Proxy can’t access the Web Application Proxy configuration using the command Get-WebApplicationProxyConfiguration/Application. This is usually caused by lack of connectivity with AD FS or the need to renew trust with AD FS. Check connectivity with AD FS. You can do this using the link https://<FQDN_AD_FS_Proxy>/FederationMetadata/2007-06/FederationMetadata.xmlMake sure there is trust established between the AD FS and the Web Application Proxy. If these solutions don’t work, run the Install-WebApplicationProxy Cmdlet.
12003

 Web Application Proxy could not parse the access cookie.
This may indicate that the Web Application Proxy and the AD FS are not connected or that they don’t receive the same configuration. Check connectivity with AD FS. You can do this using the link https://<FQDN_AD_FS_Proxy>/FederationMetadata/2007-06/FederationMetadata.xmlMake sure there is trust established between the AD FS and the Web Application Proxy. If these solutions don’t work, run the Install-WebApplicationProxy Cmdlet.
12004

 Web Application Proxy received a request with a nonvalid access cookie.
This event may indicate that the Web Application Proxy and the AD FS are not connected or that they don’t receive the same configuration.

If you ran the "AccessCookiesEncryptionKey" parameter was chaged by Set-WebApplicationProxyConfiguration -RegenerateAccessCookiesEncryptionKey PowerShell command, this event is normal and requires no resolution steps.
Check connectivity with AD FS. You can do this using the link https://<FQDN_AD_FS_Proxy>/FederationMetadata/2007-06/FederationMetadata.xmlMake sure there is trust established between the AD FS and the Web Application Proxy. If these solutions don’t work, run the Install-WebApplicationProxy Cmdlet.
12008

 Web Application Proxy exceeded the maximum number of permitted Kerberos authentication attempts to the backend server.
This event may indicate incorrect configuration between Web Application Proxy and the backend application server, or a problem in time and date configuration on both machines. The backend server declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly.

Make sure that the time and date configuration on the Web Application Proxy and the backend application server are synchronized.
12011

 Web Application Proxy received a request with a non-valid access cookie signature.
This event may indicate that the Web Application Proxy and the AD FS are not connected or that they don’t receive the same configuration. If you ran the "AccessCookiesEncryptionKey" parameter was chaged by Set-WebApplicationProxyConfiguration -RegenerateAccessCookiesEncryptionKey PowerShell command, this event is normal and requires no resolution steps. Check connectivity with AD FS. You can do this using the link https://<FQDN_AD_FS_Proxy>/FederationMetadata/2007-06/FederationMetadata.xmlMake sure there is trust established between the AD FS and the Web Application Proxy. If these solutions don’t work, run the Install-WebApplicationProxy Cmdlet.
12027

Proxy encountered an unexpected error while processing the request. The name provided is not a properly formed account name.
This event may indicate incorrect configuration between Web Application Proxy and the domain controller server, or a problem in time and date configuration on both machines. The domain controller declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly, especially the SPN configuration. Make sure the Web Application Proxy is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Web Application Proxy.Make sure that the time and date configuration on the Web Application Proxy and the domain controller are synchronized.
13012

 Web Application Proxy received a nonvalid edge token signature
Make sure you updated Web Application Proxy with KB 2955164.
13013

 Web Application Proxy received a request that contained an expired edge token.
Web Application Proxy and AD FS do not have synchronized clocks. Synchronize the clocks between Web Application Proxy and AD FS.
13014

 Web Application Proxy received a request with a nonvalid edge token. The token is not valid because it could not be parsed.
This may indicate an issue with the AD FS configuration. Check your AD FS configuration and, if necessary, restore the default configuration.
13015

 Web Application Proxy received a request with an expired access cookie.
This could indicate clocks that are not synchronized. If you are working with a cluster of Web Application Proxy machines, make sure that the time and date of the machines is synchronized.
13016

 Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because there is no UPN in the edge token or in the access cookie.
There is a problem with the STS configuration. Fix the UPN claim configuration in the STS.
13019

 Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error
This event may indicate incorrect configuration between Web Application Proxy and the domain controller server, or a problem in time and date configuration on both machines. The domain controller declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly, especially the SPN configuration. Make sure the Web Application Proxy is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Web Application Proxy.Make sure that the time and date configuration on the Web Application Proxy and the domain controller are synchronized.
13020

 Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because the backend server SPN is not defined.
This event may indicate incorrect configuration between Web Application Proxy and the domain controller server, or a problem in time and date configuration on both machines. The domain controller declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly, especially the SPN configuration. Make sure the Web Application Proxy is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Web Application Proxy.Make sure that the time and date configuration on the Web Application Proxy and the domain controller are synchronized.
13022

 Web Application Proxy cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error.
This event may indicate incorrect configuration between Web Application Proxy and the backend application server, or a problem in time and date configuration on both machines. The backend server declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly.Make sure that the time and date configuration on the Web Application Proxy and the backend application server are synchronized.
13025

The client did not present an SSL certificate to Web Application Proxy.
This event may indicate a problem in time and date configuration. Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one.
13026

The client presented an SSL certificate to Web Application Proxy, but the certificate is not valid: the certificate does not match the thumbprint.
This event may indicate a problem in time and date configuration. Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one.
13028

 Web Application Proxy received a request that contained an edge token that is not yet valid.
This event may indicate a problem in time and date configuration. Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized.
13030

The client presented an SSL certificate to Web Application Proxy, but the trust provider does not trust the certificate authority that issued the client certificate.
This event may indicate a problem in time and date configuration. Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one.
13031

The client presented an SSL certificate to Web Application Proxy, but the certificate chain terminated in a root certificate which is not trusted by the trust provider.
This event may indicate a problem in time and date configuration. Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one.
13032

The client presented an SSL certificate to Web Application Proxy, but the certificate was not valid for the requested usage.
This event may indicate a problem in time and date configuration. Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one.
13033

The client presented an SSL certificate to Web Application Proxy, but the certificate was not within its validity period when verifying against the current system clock or the timestamp in the signed file.
This event may indicate a problem in time and date configuration. Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one.
13034

The client presented an SSL certificate to Web Application Proxy, but the certificate was not valid.
This event may indicate a problem in time and date configuration. Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one.

The following administrator console events are usually indicative of problems having to do with configuration such as provisioning, request that are not successful, backend servers that are unreachable and buffer overflows.

Event or symptom Possible cause Resolution
12019

 Web Application Proxy could not create a listener for the following URL.
A possible cause for the event is that another service is listening to the same URL. The admin must make sure that no one listens or binds to the same URLs. To check this, run the command: netsh http show urlacl. If this URL is used by another component running on the Web Application Proxy machine, either remove it, or use a different URL to publish the applications through Web Application Proxy.
12020

 Web Application Proxy could not create a reservation for the following URL.
A possible cause for the event is that another service has a reservation on the same URL. The admin must make sure that no one binds to the same URLs. To check this, run the command: netsh http show urlacl. If this URL is used by another component running on the Web Application Proxy machine, either remove it, or use a different URL to publish the applications through Web Application Proxy.
12021

 Web Application Proxy could not bind the SSL server certificate. All other configuration settings were applied.
Unable to create and set a configuration record of SSL certificate data. Make sure that the certificate thumbprints that are configured for Web Application Proxyapplications are installed on all the Web Application Proxy machines with a private key in the local computer store.
13001

The SSL server certificate presented to Web Application Proxy by the backend server is not valid; the certificate is not trusted.
One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. This could indicate that the backend server provided an SSL that was not valid or that there is no trust between the Web Application Proxy and the backend server. Validate a backend server SSL certificate. Make sure that that Web Application Proxy machine is configured with the right root CAs to trust the backend server certificate.
13006 When the error code is 0x80072ee7, the failurrre is caused by the inability to resolve the backend server URL. Other error codes are described in https://msdn.microsoft.com/library/windows/desktop/aa384110(v=vs.85) Check that the backend server URL is correct and that its name can be resolved correctly from the Web Application Proxy machine.
13007

The HTTP response from the backend server was not received within the expected interval.
The back end server request timed out or is slow or unresponsive. Check the backend server configuration. If it’s very slow, check the connectivity to the backend server and also consider changing the Web Application Proxy global configuration parameter cmdlet for InactiveTransactionsTimeoutSec.