Error 500 on Web Application Proxy for Non-claims based application

  • Question

  • Hi all,

     

    I built a Lab according to the tutorial here : technet.microsoft.com/en-us/library/dn280943.aspx

     

    After setting the lab, I am connecting from an external client using internet explorer:

    -          The claims-based webapp is working perfectly fine

    -          I have a problem with the non-claims-based webpage (IIS startpage with windows authentication)

     

    The authentication page appears, and after login, I am redirected to a HTTP 500 error page.

    The URL worked fine from internal network, without using the Web App Proxy.

      

    Is there someone that could help me to solve this issue ?

     

    Wishing you pleasant day,

    P.S more info :

    Windows 2012 R2 Domain controller + DNS Server:
    - IP : 192.168.22.1
    - Domain : contoso.com
    - Trusting computer WAP for authentication delegation (192.168.22.15) for specified SPNs : HTTP/WAP and HTTP/WAP.contoso.com

    Windows 2012 R2 Active Directory Federation Service:
    - IP : 192.168.22.2
    - Domain : contoso.com
    - Federation URL : adfs1.contoso.com
    - Relying Party trust : Non Claim aware, identifier : webapp2.contoso.com, issuance authorization "Permit Access to all users"

    Windows 2012 R2 IIS Server:
    - IP : 192.168.22.20
    - Non-claims aware application
    - URL : webapp2.contoso.com
    - Domain : contoso.com
    - SPNs : HTTP/WEBAPP2 and HTTP/WEBAPP2.contoso.com

    Windows 2012 R2 Web Application proxy:
    - IP : 192.168.22.15
    - IP External : 10.0.0.1
    - SPN : HTTP/WAP and HTTP/WAP.contoso.com
    - Using the Non claim aware relying party trust
    - Frontend and Backend URL : webapp2.contoso.com
    - Backend SPN : HTTP/WEBAPP2.contoso.com

    External Client:
    - IP : 10.0.0.2
    - Host file :
      10.0.0.1 webapp2.contoso.com
      10.0.0.1 adfs1.contoso.com
      10.0.0.1 enterpriseregistration.contoso.com

    Friday, April 17, 2015 12:25 PM

Answers

All replies

  • I would like to upload pictures to illustrate my issue, but my account is not verified.
    Friday, April 17, 2015 12:25 PM
  • Hi,

    According to the MS article, to publish an application that uses Integrated Windows authentication you must add a non-claims-aware relying party trust for the application to the Federation Service.

    https://technet.microsoft.com/en-us/library/dn383640.aspx

    In addition, the 500 HTTP status code may occur for many server-side reasons.

    Please refer to the following KB article for troubleshooting.

    https://support.microsoft.com/en-us/kb/942031

    Regards.



    Monday, April 20, 2015 9:51 AM
    Moderator
  • Hello Lifenz,

    Does your Web Application Proxy have direct access to your domain controllers? See my recent thread about it.

    Does your firewall allow your Web Application Proxy to communicate with domain controllers on port 389, just to begin?

    Is your Web Application Proxy domain joined? Absolutely necessary for non-claims aware apps.

    Are you in a multi-forest scenario? If yes, could be caused by selective trusts between forests, the ADFS service account must allow authenticated users the right "Allow to authenticate". You also may need to add the right "Allow to authenticate" on the other forest DCs for the ADFS service account.

    Thanks !

    Konnan


    Understanding ADFS 3.0, the key to success


    • Edited by Konnan Monday, July 13, 2015 8:59 PM added precision
    Monday, July 13, 2015 8:55 PM
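
The checks listed in the reply above (domain join, domain controller reachability, and the delegation settings described in the question) can be collected in one pass on the Web Application Proxy server. This is an added example, not part of the original thread: the function name `Test-WapKcdPrerequisite` is hypothetical, the computer account name `WAP` is assumed from the SPN in the question, port 88 (Kerberos) is added alongside the port 389 named in the reply, and the script assumes the ActiveDirectory and WebApplicationProxy PowerShell modules are available.

```powershell
# Added example. Values come from the lab described in the question; adjust for your own.
$DomainController = '192.168.22.1'
$WapComputerName  = 'WAP'                       # assumed from the SPN HTTP/WAP
$BackendSpn       = 'HTTP/WEBAPP2.contoso.com'  # backend SPN configured on the proxy

function Test-WapKcdPrerequisite {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$WapComputerName,
        [Parameter(Mandatory)][string]$BackendSpn
    )

    # Domain membership of the machine this runs on (the proxy).
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # TCP reachability of the DC: LDAP (389, from the reply) and Kerberos (88).
    $ports = foreach ($port in 389, 88) {
        $r = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Reachable = $r.TcpTestSucceeded }
    }

    # Constrained delegation: SPNs the proxy's computer account may delegate to.
    $wap = Get-ADComputer -Identity $WapComputerName `
        -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
    $allowedSpns = @($wap.'msDS-AllowedToDelegateTo')

    # Backend SPN per published application, as stored by the proxy itself.
    $published = Get-WebApplicationProxyApplication |
        Select-Object Name, BackendServerUrl, BackendServerAuthenticationSPN

    [pscustomobject]@{
        DomainJoined        = $domainJoined
        DcPorts             = $ports
        AllowedToDelegateTo = $allowedSpns
        # -contains compares case-insensitively by default.
        BackendSpnDelegated = $allowedSpns -contains $BackendSpn
        # True when "Use any authentication protocol" (protocol transition) is set.
        ProtocolTransition  = $wap.TrustedToAuthForDelegation
        PublishedApps       = $published
    }
}

Test-WapKcdPrerequisite -DomainController $DomainController `
    -WapComputerName $WapComputerName -BackendSpn $BackendSpn | Format-List
```

`BackendSpnDelegated` reports whether the SPN the proxy requests a ticket for appears in the computer account's delegation list; compare it with `BackendServerAuthenticationSPN` in `PublishedApps` to confirm both sides name the same service.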
  • According to the MS article, to publish an application that uses Integrated Windows authentication you must add a non-claims-aware relying party trust for the application to the Federation Service.

    Hello Mrs. Wang,

    Not sure that will help him, because he has already stated that on his ADFS server and his WAP server he's using a non-claims aware relying party trust.

    Thanks !

    Konnan


    Understanding ADFS 3.0, the key to success

    Monday, July 13, 2015 8:57 PM