SP 2016 sites are not loading correctly

Question

Hell All,

I have web application which hosts multiple applications with different DNS names. We have intranet.xxxxx.com, teamsite.xxxxx.com, mysite.xxxxx.com, etc. as the main user-facing interfaces. For example photos are coming from mysite regardless of which DNS you are visiting and company specific styles and scripts are coming from intranet to ensure that the user only have to download them once. These are running in our data center on our internal network.

On top of that we have the Azure App Proxy, where we have set up apps for each of the DNS names belonging to these sites in order to expose them to users that are not on our network so that they can access it without VPN when working from home or from phone for example. In the external zone, each DNS points to their respective Azure App proxy app rather than to F5 like they do internally. The way the app proxy works, an app can only have one DNS so we need to set these up as separate apps. They still share the same SSL certificate and it is the same one used internally as well. Now the issue: when users access any site except the intranet site, contents such as user photos, scripts, styles, etc. are not loading up. If we access the intranet site first and then access the other ones then the issue does not occur. In working fiddler i see multiple 302 redirects happening eventually leading to the file and loading it up. In non working fiddler 302 redirects starts but soon we see a 200 response and the file which was supposed to load never loads. Engineers from Azure support has given stating that they cant do anything about it. SP engineers are of the opinion that should redesign the setup which does not make because the current design is based on the recommendations of the PFE.

Answer 1

Quote from this article: application-proxy-add-on-premises-application. Hope it helps you.

When you publish an Application Proxy app,, make sure that it includes all the necessary images, scripts, and style sheets for your application. For example, if your app is at https://yourapp/app and uses images located at https://yourapp/media, then you should publish https://yourapp/ as the path.

Besides, you could refer to this arice to integrate an on-premises SharePoint farm with Azure Active Directory (Azure AD) Application Proxy: application-proxy-integrate-with-sharepoint-server

Answer 2

I got below reply from MS engineer:

As its an expected behavior as both the application are published using app proxy and without authentication the application cannot be accessed. The reason it works the other way is that user has a refresh token that is used and the user can access. So, you could have them publish a wildcard app to cover both applications. *.domain.com, this way you only Preauth once and the access cookie is good for all apps.

Reference : https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-wildcard

We cannot have this as we are not ready to expose our main domain to a wild card application. I think if somehow we can authenticate against the intranet site which hosts all the scripts, css, etc. in the backend while accessing other sites like teamsite then the issue should be fixed. If anyone can help me achieve this that will be helpful.