2012 R2 Web Application Proxy returns 400 (Bad Request) for Kerberos IIS App
I've gone through all of the step-by-step examples for publishing applications with the Web App Proxy and I'm getting HTTP 400 when I try to publish an IIS Kerberos application. I'm using ADFS pre-authentication.
The application is SharePoint but I CAN NOT change the authentication method to claims-based auth... it has to be Windows integrated. I've double checked all of the SPNs and delegation. I get the 400 returned once the user has been authenticated and is forwarded to the app url with the AUTHTOKEN?=blahblahblah query string. I've installed the ADFS certificate on the proxy and set it to be the external SSL certificate for the application.
PLEASE DON'T JUST TELL ME TO POST THIS IN THE GENEVA FORUM FOR ADFS.
The event log has an exception that looks like this:
Web Application Proxy received a nonvalid edge token signature.
Error: Edge Token signature mismatch. edgeTokenHelper.ValidateTokenSignature failed: Verifying token with signature public key failed
Received token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9.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.E1SqDU1Q2qh00Bt1n1UsBHJrf2kxWh8mN0j03QJTGPQ6vtrkncun017idy2BgB8NzQBVhPQAhfQb3F_lRAAWnpHjwaCuTjeL-pi1-ntVax37TQqQxqg0PVND8OpWxd7rTECObp6KnHBSkgHdaC6ntJ4WzE-QV6afUOyKQrIXil9qF_ybX8IOvMorvGllQB4enR3ZD6KMZBZwzLSl0iueKvZC8TqacRL_Kdvhn2AmutqFVw4wbZILhTsQFRSl86tEp-PCSJ_yLHcxTgqmKWVpEVC0Jo00hJe1MH7P1QMoJISdFY3-4tkuUykpgSNSSlEqZ9EwVdN--4aGE3QlqdL1vA
Details:
Transaction ID: {ee05057e-4e9b-0000-da05-05ee9b4ecf01}
Session ID: {ee05057e-4e9b-0000-d905-05ee9b4ecf01}
Published Application Name: FIM Portal
Published Application ID: 48db8de3-96e7-18b6-06d8-5cb6df999b6c
Published Application External URL:
https://portal.sosweetsosoft.com/IdentityManagement/
Published Backend URL:
https://portal.sosweetsosoft.com/IdentityManagement/
User: <Unknown>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Device ID: <Not Applicable>
Token State: Invalid
Cookie State: NotFound
Client Request URL:
https://portal.sosweetsosoft.com/identitymanagement?authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9.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.E1SqDU1Q2qh00Bt1n1UsBHJrf2kxWh8mN0j03QJTGPQ6vtrkncun017idy2BgB8NzQBVhPQAhfQb3F_lRAAWnpHjwaCuTjeL-pi1-ntVax37TQqQxqg0PVND8OpWxd7rTECObp6KnHBSkgHdaC6ntJ4WzE-QV6afUOyKQrIXil9qF_ybX8IOvMorvGllQB4enR3ZD6KMZBZwzLSl0iueKvZC8TqacRL_Kdvhn2AmutqFVw4wbZILhTsQFRSl86tEp-PCSJ_yLHcxTgqmKWVpEVC0Jo00hJe1MH7P1QMoJISdFY3-4tkuUykpgSNSSlEqZ9EwVdN--4aGE3QlqdL1vA&client-request-id=ee05057e-4e9b-0000-d905-05ee9b4ecf01
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode:
State Machine State: Idle
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Hi,
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thanks for your understanding and support.
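The token in the event above is a JWT whose header names its signing certificate through the `x5t` field. The following Python sketch is an added example, not part of the original thread: it decodes the header segment copied from the log and converts `x5t` into the hex thumbprint form shown by Windows certificate tools, so it can be compared with the certificate the proxy is expected to trust (assumed here to be the AD FS token-signing certificate). The function names and the candidate thumbprints are constructed for illustration.

```python
import base64
import hashlib
import json
import string

# First segment of the "Received token" value in the event log above.
# Only the header is read; payload and signature are not needed for this check.
HEADER_SEGMENT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9"
)


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, the encoding used for JWT segments and x5t."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_header(token: str) -> dict:
    """Return the decoded header of a JWT, reading only the text before the first '.'.

    This still works when the rest of the token was truncated or damaged in a log.
    """
    first = token.strip().split(".", 1)[0]
    header = json.loads(b64url_decode(first))
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    return header


def x5t_to_thumbprint(x5t: str) -> str:
    """Convert an x5t value (base64url SHA-1 of the DER certificate) to hex."""
    raw = b64url_decode(x5t)
    if len(raw) != 20:
        raise ValueError("x5t does not decode to a 20-byte SHA-1 digest")
    return raw.hex().upper()


def cert_x5t(der: bytes) -> str:
    """Compute the x5t a token would carry for a DER-encoded certificate."""
    digest = hashlib.sha1(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def normalize_thumbprint(text: str) -> str:
    """Drop spaces, colons and invisible characters pasted from certificate dialogs."""
    return "".join(c for c in text if c in string.hexdigits).upper()


def find_signer(token: str, candidates: dict) -> list:
    """Names of candidate certificates whose thumbprint equals the token's x5t."""
    wanted = x5t_to_thumbprint(token_header(token)["x5t"])
    return [name for name, thumb in candidates.items()
            if normalize_thumbprint(thumb) == wanted]


if __name__ == "__main__":
    header = token_header(HEADER_SEGMENT)
    print("alg:", header["alg"])
    print("signing certificate thumbprint:", x5t_to_thumbprint(header["x5t"]))
    # Constructed candidates: replace with thumbprints read from the servers.
    candidates = {
        "thumbprint-configured-on-proxy": "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33",
        "thumbprint-of-signing-cert": "\u200e17 ce a1 dd b4 08 94 8e 3b eb 27 27 1b a3 c6 a1 24 78 db 1a",
    }
    print("matches:", find_signer(HEADER_SEGMENT, candidates))
```

If no candidate matches, the token was signed with a certificate other than the ones being compared, which is consistent with the "Verifying token with signature public key failed" message.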
Similar Messages
-
Error: 400 "Bad Request" for "deletetree", file "": Unsupported protocol .
Hi
I have a C# application suddenly crashing after months of operation. The application is running on a Windows7 machine and is controlling 2 x NI6602 PCI counter cards through daqmx. The only clues to what went wrong are the following messages in the Windows Application Log.
Message 1 (occurring first):
LabVIEW information: Error: 400 "Bad Request" for "deletetree", file "": Unsupported protocol .
Message 2:
Faulting application name: RecordingStationGUI.exe, version: 1.0.0.0, time stamp: 0x4e3fa214
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdaae
Exception code: 0x80000003
Does anyone know what is causing this error and/or how I prevent this from happening again?
Regards,
mola
Were you ever able to resolve this issue? I have a very similar issue
-
Content-Type is not being set in HTTP header. Server returns 400 Bad Request error.
Hi,
I am trying to access an XML WebService. This service requires the content type of the request to be set to "text/xml". As you can see in the source code, I am setting the req.ContentType property to "text/xml".
However, this content type seems not to be added to the HTTP headers. The server returns a 400 Bad Request error as can be seen in the log.
I've attached a System.Net.trace log and it states:
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: 30 82 01 0a 02 82 01 01 00 bc 09 30 8a 1e 03 4d 7a ea 16 d3 a8 5e d8 5b 00 c4 8a c5 9f 26 bd 7d d6 cb 8b d0 db bd 93 2d 2b 3b 84 f6 20 79 83 34 67 51 37 21 ea 56 5e 18 d8 a3 db 72 43 0e 14 77 e2 64 cb 07 b6 2a 81 c7 f5 16 dd 19 c7 d9 68 0b 3a 81 5c f0 05 c9 ed 2b 37 00 31 41 37 8b 3a 73 4a 4d ab d7 d8 87 79 35 82 01 97 e3 3c be bb 84 e5 94 bb 87 52 e3 9f b5 fb 3e 33 38 c3 eb 73 42 ee ba 1e c5 4a 33 18 a1 0d 8a d2 10 a8 c5 3....
System.Net Information: 0 : [26780] SecureChannel#31884011 - Remote certificate was verified as valid by the user.
System.Net Information: 0 : [26780] ConnectStream#26966483 - Sending headers
API-VERSION: 1
Host: test.myhost.com
Content-Length: 329
Expect: 100-continue
Connection: Keep-Alive
System.Net Information: 0 : [26780] Connection#3888474 - Received status line: Version=1.1, StatusCode=100, StatusDescription=Continue.
System.Net Information: 0 : [26780] Connection#3888474 - Received headers
System.Net Information: 0 : [26780] Connection#3888474 - Received status line: Version=1.1, StatusCode=400, StatusDescription=Bad Request.
System.Net Information: 0 : [26780] Connection#3888474 - Received headers
0: Content-type
1: text/xml
X-Debug-Token: a810dc
X-Debug-Token-Link: /service/_profiler/a810dc
Connection: keep-alive
Content-Length: 3440
Cache-Control: no-cache
Content-Type: text/html; charset=UTF-8
Date: Tue, 14 Apr 2015 11:07:11 GMT
Server: Apache
...and here's the implementation of the web request:
private void ButtonSend_Click(object sender, EventArgs e)
{
    WebHeaderCollection whCol = new WebHeaderCollection();
    whCol.Add("API-VERSION", "1");
    //whCol.Add("Content-Type", "text/xml; charset=UTF-8"); <-- That doesn't work in .NET. Content-Type has to be set on the ContentType-Property
    string msg = _textBoxReq.Text;
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(_textBoxURL.Text);
    byte[] data = Encoding.UTF8.GetBytes(msg);
    req.Method = "POST";
    req.ContentType = "text/xml; charset=UTF-8";
    req.ContentLength = data.Length;
    req.Headers = whCol;
    req.GetRequestStream().Write(data, 0, data.Length);
    string xml = "";
    try
    {
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
        using (System.IO.StreamReader sr = new System.IO.StreamReader(resp.GetResponseStream()))
        {
            xml = sr.ReadToEnd().Trim();
        }
    }
    catch (WebException we)
    {
        using (System.IO.StreamReader sr = new System.IO.StreamReader(we.Response.GetResponseStream()))
        {
            xml = sr.ReadToEnd().Trim();
        }
    }
    _textBoxRes.Text = xml;
}
Can anyone help?
Thanks,
MiRi
Hi _MiRichter,
Well Done!
Thank you very much for sharing the solution with us.
Best Regards,
Amy Peng
-
Azure Web Application Proxy not rendering all assets for RD gateway
Hi All,
I have an on prem RD gateway, internal as http://desktop and internal with https://desktop.mydomain.local and https://desktop.mydomain.com via a forward lookup zone. Internally it is working OK.
I installed the azure web application proxy and configured each one of those URL's in an attempt to get this working ok.
The problem is that it renders the header and nothing else in FireFox and Chrome, IE tells me it's in protected mode. But when I check the web requests I am getting a status of "aborted" on the assets, be they jpg, css etc. This is very strange.
I have the firewall open as per the sparse documentation on technet. Any demos I have seen were on a simple single asp.net mvc dummy site.
I am using passthrough at the moment and the rd gateway is in forms based auth mode. I got this working last month with regular on prem WAP on another build. Has anyone actually attempted to use this to publish anything significant?
Rob
Rob
Hi Rob,
It is possible that we do not support Remote Desktop Gateway being published via the Azure Active Directory Web Application Proxy and that is why you're running into issues. I shall have to check this out as I have not attempted to do this yet.
I shall investigate and come back to you in regards to this, I shall also reach out to the team who own this feature and they may choose to reply directly via this thread.
Regards,
James. -
I am trying to get an inputStream to another servlet from a servlet. I am using standard well documented techniques for opening the connection. The getInputStream() call throws an exception as below:
java.io.FileNotFoundException: Response: '400: Bad Request' for url: 'http://localhost:7001/shoppingCart/SOAPServlet'
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:367)
at SendServlet.doGet(SendServlet.java:40)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
Here is the code snippet:
String payload = "THE PAYLOAD WILL BE HERE";
URL url = new URL("http://Localhost:7001/shoppingCart/SOAPServlet");
HttpURLConnection conn = (HttpURLConnection)url.openConnection();
conn.setRequestProperty("SOAPMethodName","http://www.nicholaschase.com/soap/#InventorySold");
conn.setDoOutput(true);
conn.setRequestMethod("POST");
conn.setDoInput(true);
conn.connect();
OutputStream toSOAP = conn.getOutputStream();
toSOAP.write(payload.getBytes());
toSOAP.close();
InputStream fromSOAP = conn.getInputStream();
The last line throws the exception. The servlet is a part of the web application and I am able to access the servlet if I type the URL in the browser window. The web.xml which deploys the servlet is as below:
<servlet>
<servlet-name>SOAPServlet</servlet-name>
<display-name>SOAPServlet</display-name>
<servlet-class>SOAPServlet</servlet-class>
<description>Sends SOAP Information back</description>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SOAPServlet</servlet-name>
<url-pattern>/SOAPServlet/*</url-pattern>
</servlet-mapping>
Could anybody let me know why the above exception will occur
This was posted back in 2002, but can someone tell me the solution for it. I am up against the wall with a very familiar situation.
Thanks -
Hello All
Whenever I try to call this .Net web service through a simple test:
http://dif-standardsite.biz.pentia.net/sitecore%20modules/Web/DIF.LoginRelation.WebService/userAdmin.wsdl
What does this mean I have no idea where to start debugging is it the
URL. Seems it imported wrong?(the sitecore%2520 thing)
Submitted at 30. oktober 2006 07:49:39 GMT
External Service Failure: Response: '400: Bad Request' for url:
'http://dif-standardsite.biz.pentia.net/sitecore%2520modules/Web/DIF.LoginRelation.WebService/useradmin.asmx'
Oliver Billing
bah forget about it... I found the error. BEA url-encodes as well and
the URL encoding for % is %25 thus making the URL %2520. I made the
service owner remove the blankspace in the URL
[email protected] wrote:
Hello All
Whenever I try to call this .Net web service through a simple test:
http://dif-standardsite.biz.pentia.net/sitecore%20modules/Web/DIF.LoginRelation.WebService/userAdmin.wsdl
What does this mean I have no idea where to start debugging is it the
URL. Seems it imported wrong?(the sitecore%2520 thing)
Submitted at 30. oktober 2006 07:49:39 GMT
External Service Failure: Response: '400: Bad Request' for url:
'http://dif-standardsite.biz.pentia.net/sitecore%2520modules/Web/DIF.LoginRelation.WebService/useradmin.asmx'
Oliver Billing -
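The double encoding described in this thread (an already-escaped `%20` encoded again into `%2520`) can be reproduced and detected in a few lines. This Python sketch is an added example, not code from the thread; the helper names are constructed, and it also shows an encoder that leaves existing valid escapes alone, which goes slightly beyond the workaround the poster used.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# URL from the failure message quoted in the thread above.
FAILING_URL = ("http://dif-standardsite.biz.pentia.net/sitecore%2520modules/Web/"
               "DIF.LoginRelation.WebService/useradmin.asmx")

_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")           # one valid percent-escape
_DOUBLE = re.compile(r"%25([0-9A-Fa-f]{2})")       # an escape whose '%' was escaped again


def naive_reencode(path: str) -> str:
    """What a client does when it encodes a path that is already encoded."""
    return quote(path, safe="/")


def double_encoded_escapes(url: str) -> list:
    """Return the escapes in the URL path that appear to have been encoded twice."""
    return ["%" + hexpair for hexpair in _DOUBLE.findall(urlsplit(url).path)]


def encode_path_once(path: str) -> str:
    """Percent-encode a path while leaving existing valid %XX escapes untouched.

    Caveat: input that contains the literal text "%20" and is NOT yet encoded
    is ambiguous; this helper assumes such sequences are escapes.
    """
    out, pos = [], 0
    for match in _ESCAPE.finditer(path):
        out.append(quote(path[pos:match.start()], safe="/"))
        out.append(match.group(0))
        pos = match.end()
    out.append(quote(path[pos:], safe="/"))
    return "".join(out)


def undo_double_encoding(url: str) -> str:
    """Collapse one level of double encoding in the path (%25XX -> %XX)."""
    parts = urlsplit(url)
    fixed = _DOUBLE.sub(lambda m: "%" + m.group(1), parts.path)
    return urlunsplit(parts._replace(path=fixed))


if __name__ == "__main__":
    print(naive_reencode("/sitecore%20modules/Web"))    # second encoding pass
    print(double_encoded_escapes(FAILING_URL))
    print(undo_double_encoding(FAILING_URL))
```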
Hi All,
I am seeing the following error for SMS_AWEBSVC_CONTROL_MANAGER component with Message ID: 8100
Application Web Service Control Manager detected AWEBSVC is not responding to HTTP requests. The http status code and text is 400, Bad Request.
awebsctl.log file has below errors:
Call to HttpSendRequestSync failed for port 80 with status code 400, text: Bad Request
SMS_AWEBSVC_CONTROL_MANAGER 12/22/2014 3:37:55 PM
13920 (0x3660)
AWEBSVCs http check returned hr=0, bFailed=1
SMS_AWEBSVC_CONTROL_MANAGER 12/22/2014 3:37:55 PM
13920 (0x3660)
AWEBSVC's previous status was 1 (0 = Online, 1 = Failed, 4 = Undefined)
SMS_AWEBSVC_CONTROL_MANAGER 12/22/2014 3:37:55 PM
13920 (0x3660)
Health check request failed, status code is 400, 'Bad Request'.
SMS_AWEBSVC_CONTROL_MANAGER 12/22/2014 3:37:55 PM
13920 (0x3660)
Management point and Application Catalog Website Point are installed on the same Server where I am seeing the error for Application Catalog Web Service Point role. Management Point and Application Catalog Website Point are functioning properly. Application
Catalog Website is working.
Thanks & Regards, Kedar
Hi Jason,
Application Catalog Web Service Point and Application Catalog Website Point; both are installed as per below configuration on same Server:
IIS Website: Default Web Site
Port Number: 80
with default value for Web Application Name configured.
For SMS_AWEBSVC_CONTROL_MANAGER component, I am getting below error in Component Status:
Application Web Service Control Manager detected AWEBSVC is not responding to HTTP requests. The http status code and text is 400, Bad Request.
Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which AWEBSVC is configured to communicate.
Solution: Verify that the designated Web Site is configured to use the same ports which AWEBSVC is configured to use.
Possible cause: The designated Web Site is disabled in IIS.
Solution: Verify that the designated Web Site is enabled, and functioning properly.
For more information, refer to Microsoft Knowledge Base.
And awebsctl.log has the below error lines:
Call to HttpSendRequestSync failed for port 80 with status code 400, text: Bad Request
SMS_AWEBSVC_CONTROL_MANAGER
12/23/2014 11:04:36 AM 16388 (0x4004)
AWEBSVCs http check returned hr=0, bFailed=1
SMS_AWEBSVC_CONTROL_MANAGER
12/23/2014 11:04:36 AM 16388 (0x4004)
AWEBSVC's previous status was 1 (0 = Online, 1 = Failed, 4 = Undefined)
SMS_AWEBSVC_CONTROL_MANAGER
12/23/2014 11:04:36 AM 16388 (0x4004)
Health check request failed, status code is 400, 'Bad Request'.
SMS_AWEBSVC_CONTROL_MANAGER
12/23/2014 11:04:36 AM 16388 (0x4004)
STATMSG: ID=8100
What should I check from IIS side?
Application Catalog Website is functioning properly.
Thanks & regards,
Kedar
Thanks & Regards, Kedar -
Can't install Windows Server 2012 Web Application Proxy
Hello,
I'm using a Server 2012 R2 evaluation copy of windows. Windows is fully patched. I'm having trouble installing the Web Application Proxy using the Ms recommended method - when I use:
https://technet.microsoft.com/en-gb/library/dn383662.aspx#BKMK_PSstep2
The role service is not listed and if I use PowerShell "Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools" I receive an error regarding an invalid role or feature name.
My server has a certificate installed in the personal computer store with private key.
What am I missing?
Thanks
IT Support/Everything
Hi,
Sorry for the delayed reply.
For Windows Server 2012R2 standard, we could see the web application proxy.
Please check the image below:
Regards.
-
Apache as reverse proxy - 400 Bad request
Hi all,
I've configured Apache as reverse proxy according to this blog:
The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
When I try to navigate http://testcomp/irj I get "400 - Bad request"
See exception;
<i>Message : User Guest, IP address
Cannot parse the http request. Http error response [400 Bad Request] will be returned. Request is [Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
GET /irj HTTP/1.1
Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
com.sap.engine.services.httpserver.exceptions.HttpIllegalArgumentException: Incompatible field content in the MIME header.
at com.sap.engine.services.httpserver.lib.headers.MimeHeaderField.parse(MimeHeaderField.java:364)
at com.sap.engine.services.httpserver.lib.headers.MimeHeaders.init(MimeHeaders.java:504)
at com.sap.engine.services.httpserver.server.RequestAnalizer.initialize(RequestAnalizer.java:196)
at com.sap.engine.services.httpserver.server.Client.initialize(Client.java:84)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:143)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Severity : Error
Category :
Location : com.sap.engine.services.httpserver
Application :
Thread : SAPEngine_Application_Thread[impl:3]_32
Datasource : 9332850:C:usrsapPD9JC00j2eeclusterserver0logdefaultTrace.trc
Message ID : 000C29EFE9A300570000002D00000B9000043A81D3311894
Source Name : com.sap.engine.services.httpserver
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : 5359e85066e411dcbf6b000c29efe9a3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives :
Resource Bundlename :
Session : 2
Source : com.sap.engine.services.httpserver
ThreadObject : SAPEngine_Application_Thread[impl:3]_32
Transaction :
User : Guest</i>
The lines I added to http.conf
#Enable reverse-proxying
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://testcomp/logon
I tried with apache version 2.2.3 & 2.0.59 with no success.
My J2EE/Portal version is 6.17.
Since this is a testing environment the two computers are under the same workgroup (no domain).
If I navigate directly to the portal (without the reverse proxy) everything is working.
How can I solve it?
Regards,
Omri
Hi Jakub,
Thanks for the answer.
It's not working for me...
I'm attaching my httpd.conf file.
Also, what apache version do you use?
Can you send me or post your httpd.conf file?
Thanks,
Omri
httpd.conf
This is the main Apache HTTP server configuration file. It contains the
configuration directives that give the server its instructions.
See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
In particular, see
<URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
for a discussion of each configuration directive.
Do NOT simply read the instructions in here without understanding
what they do. They're here only as hints or reminders. If you are unsure
consult the online docs. You have been warned.
Configuration and logfile names: If the filenames you specify for many
of the server's control files begin with "/" (or "drive:/" for Win32), the
server will use that explicit path. If the filenames do not begin
with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
with ServerRoot set to "c:/apache" will be interpreted by the
server as "c:/apache/logs/foo.log".
NOTE: Where filenames are specified, you must use forward slashes
instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
If a drive letter is omitted, the drive on which Apache.exe is located
will be used by default. It is recommended that you always supply
an explicit drive letter in absolute paths, however, to avoid
confusion.
ThreadsPerChild: constant number of worker threads in the server process
MaxRequestsPerChild: maximum number of requests a server process serves
ThreadsPerChild 250
MaxRequestsPerChild 0
ServerRoot: The top of the directory tree under which the server's
configuration, error, and log files are kept.
Do not add a slash at the end of the directory path. If you point
ServerRoot at a non-local disk, be sure to point the LockFile directive
at a local disk. If you wish to share the same ServerRoot for multiple
httpd daemons, you will need to change at least LockFile and PidFile.
ServerRoot "c:/apache"
Listen: Allows you to bind Apache to specific IP addresses and/or
ports, instead of the default. See also the <VirtualHost>
directive.
Change this to Listen on specific IP addresses as shown below to
prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#Listen 12.34.56.78:80
Listen 80
Dynamic Shared Object (DSO) Support
To be able to use the functionality of a module which was built as a DSO you
have to place corresponding `LoadModule' lines at this location so the
directives contained in it are actually available before they are used.
Statically compiled modules (those listed by `httpd -l') do not need
to be loaded here.
Example:
LoadModule foo_module modules/mod_foo.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule ssl_module modules/mod_ssl.so
'Main' server configuration
The directives in this section set up the values used by the 'main'
server, which responds to any requests that aren't handled by a
<VirtualHost> definition. These values also provide defaults for
any <VirtualHost> containers you may define later in the file.
All of these directives may appear inside <VirtualHost> containers,
in which case these default settings will be overridden for the
virtual host being defined.
ServerAdmin: Your address, where problems with the server should be
e-mailed. This address appears on some server-generated pages, such
as error documents. e.g. [email protected]
ServerAdmin @@ServerAdmin@@
ServerName gives the name and port that the server uses to identify itself.
This can often be determined automatically, but we recommend you specify
it explicitly to prevent problems during startup.
If your host doesn't have a registered DNS name, enter its IP address here.
ServerName localhost:80
DocumentRoot: The directory out of which you will serve your
documents. By default, all requests are taken from this directory, but
symbolic links and aliases may be used to point to other locations.
DocumentRoot "c:/apache/htdocs"
Each directory to which Apache has access can be configured with respect
to which services and features are allowed and/or disabled in that
directory (and its subdirectories).
First, we configure the "default" to be a very restrictive set of
features.
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Satisfy all
</Directory>
Note that from this point forward you must specifically allow
particular features to be enabled - so if something's not working as
you might expect, make sure that you have specifically enabled it
below.
This should be changed to whatever you set DocumentRoot to.
<Directory "c:/apache/htdocs">
Possible values for the Options directive are "None", "All",
or any combination of:
Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
Note that "MultiViews" must be named explicitly --- "Options All"
doesn't give it to you.
The Options directive is both complicated and important. Please see
http://httpd.apache.org/docs/2.2/mod/core.html#options
for more information.
Options Indexes FollowSymLinks
AllowOverride controls what directives may be placed in .htaccess files.
It can be "All", "None", or any combination of the keywords:
Options FileInfo AuthConfig Limit
AllowOverride None
Controls who can get stuff from this server.
Order allow,deny
Allow from all
</Directory>
DirectoryIndex: sets the file that Apache will serve if a directory
is requested.
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
The following lines prevent .htaccess and .htpasswd files from being
viewed by Web clients.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
ErrorLog: The location of the error log file.
If you do not specify an ErrorLog directive within a <VirtualHost>
container, error messages relating to that virtual host will be
logged here. If you do define an error logfile for a <VirtualHost>
container, that host's errors will be logged there and not here.
ErrorLog logs/error.log
LogLevel: Control the number of messages logged to the error_log.
Possible values include: debug, info, notice, warn, error, crit,
alert, emerg.
LogLevel warn
<IfModule log_config_module>
The following directives define some format nicknames for use with
a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
The location and format of the access logfile (Common Logfile Format).
If you do not define any access logfiles within a <VirtualHost>
container, they will be logged here. Contrariwise, if you do
define per-<VirtualHost> access logfiles, transactions will be
logged therein and not in this file.
CustomLog logs/access.log common
If you prefer a logfile with access, agent, and referer information
(Combined Logfile Format) you can use the following directive.
#CustomLog logs/access.log combined
</IfModule>
<IfModule alias_module>
Redirect: Allows you to tell clients about documents that used to
exist in your server's namespace, but do not anymore. The client
will make a new request for the document at its new location.
Example:
Redirect permanent /foo http://www.example.com/bar
Alias: Maps web paths into filesystem paths and is used to
access content that does not live under the DocumentRoot.
Example:
Alias /webpath /full/filesystem/path
If you include a trailing / on /webpath then the server will
require it to be present in the URL. You will also likely
need to provide a <Directory> section to allow access to
the filesystem path.
ScriptAlias: This controls which directories contain server scripts.
ScriptAliases are essentially the same as Aliases, except that
documents in the target directory are treated as applications and
run by the server when requested rather than as documents sent to the
client. The same rules about trailing "/" apply to ScriptAlias
directives as to Alias.
ScriptAlias /cgi-bin/ "c:/apache/cgi-bin/"
</IfModule>
"c:/apache/cgi-bin" should be changed to whatever your ScriptAliased
CGI directory exists, if you have that configured.
<Directory "c:/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
Apache parses all CGI scripts for the shebang line by default.
This comment line, the first line of the script, consists of the symbols
pound (#) and exclamation followed by the path of the program that
can execute this specific script. For a perl script, with perl.exe in
the C:\Program Files\Perl directory, the shebang line should be:
#!c:/program files/perl/perl
Note you _must_not_ indent the actual shebang line, and it must be the
first line of the file. Of course, CGI processing must be enabled by
the appropriate ScriptAlias or Options ExecCGI directives for the files
or directory in question.
However, Apache on Windows allows either the Unix behavior above, or can
use the Registry to match files by extention. The command to execute
a file of this type is retrieved from the registry by the same method as
the Windows Explorer would use to handle double-clicking on a file.
These script actions can be configured from the Windows Explorer View menu,
'Folder Options', and reviewing the 'File Types' tab. Clicking the Edit
button allows you to modify the Actions, of which Apache 1.3 attempts to
perform the 'Open' Action, and failing that it will try the shebang line.
This behavior is subject to change in Apache release 2.0.
Each mechanism has it's own specific security weaknesses, from the means
to run a program you didn't intend the website owner to invoke, and the
best method is a matter of great debate.
To enable the this Windows specific behavior (and therefore -disable- the
equivilant Unix behavior), uncomment the following directive:
#ScriptInterpreterSource registry
The directive above can be placed in individual <Directory> blocks or the
.htaccess file, with either the 'registry' (Windows behavior) or 'script'
(Unix behavior) option, and will override this server default option.
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
DefaultType text/plain
<IfModule mime_module>
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
TypesConfig conf/mime.types
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#AddType application/x-gzip .tgz
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
# Filters allow you to process content before it is sent to the client.
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#EnableMMAP off
#EnableSendfile off
# Supplemental configuration
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
ProxyPreserveHost On
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://sapportal:50000/irj
#ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://sapportal:50000/logon
#ProxyPassReverse /logon http://testcomp/logon
-
I set up the Web Application Proxy role on Server 2012 R2 a while back and published a few applications. Everything worked great. A few months later I deployed DirectAccess on the same server. Once again, everything worked great.
All of a sudden users started stating that they were receiving an "Internet Information Services" page while they were clicking links on the intranet. Clicking the refresh button in their browser would resolve the problem. It was puzzling. Eventually I figured it out. It was only mobile users having the issue. They were taking their laptops home, clicking HTTP links on our SharePoint site (which were not deployed via Web Application Proxy), which was then hitting the Web Application Proxy server's port 80 over HTTP (not HTTPS). Then the page was being cached by IE on their laptop/tablet. When they returned to the office the cached page was opening, which is why hitting refresh resolved the issue.
I understand that one of the issues is the wrong link on the intranet (HTTP vs HTTPS). We'll have these corrected. But the real problem is that they were hitting IIS on our Web Application Proxy server. Why is IIS installed? It's not required by WAP and I never installed it... Was it installed as part of DirectAccess? And most importantly, will I break anything by forwarding HTTP to HTTPS within IIS using URL rewrite? Will it affect DirectAccess? Our NLS is not on the DA server.
Once again, this server is only used for WAP and DA. Nothing else. Any input is greatly appreciated. Thanks!
Hi Cormang,
Yes, IIS is a part of DirectAccess.
Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services.
When we try to remove the IIS, we will get the message below,
I have tried to disable the IIS server on my DirectAccess server. DirectAccess client still works properly. Therefore, it seems that the IIS is not necessary to DirectAccess.
Best Regards.
Steven Lee
TechNet Community Support -
Hi all,
I'm in the process of transitioning from Exchange 2003 to 2010. Everything is going perfectly alright; however, ActiveSync is bugging me!
When I try to test ActiveSync I get the following error:
[PS] C:\>Test-ActiveSyncConnectivity -MailboxCredential $user -TrustAnySSLCertificate |FL
RunspaceId : 136b8f68-26ec-4e29-a5bb-cf5ee816e04b
LocalSite : SITE
SecureAccess : True
VirtualDirectoryName :
Url :
UrlType : Unknown
Port : 0
ConnectionType : Plaintext
ClientAccessServerShortName : cas01
LocalSiteShortName : SITE
ClientAccessServer : CASSERVERNAME
Scenario : Options
ScenarioDescription : Issue an HTTP OPTIONS command to retrieve the Exchange ActiveSync protocol version.
PerformanceCounterName :
Result : Success
Error :
UserName : user1
StartTime : 12/12/2012 1:02:23 PM
Latency : 00:00:00.0312496
EventType : Success
LatencyInMillisecondsString : 31.25
Identity :
IsValid : True
RunspaceId : 136b8f68-26ec-4e29-a5bb-cf5ee816e04b
LocalSite : Reckon_NS
SecureAccess : True
VirtualDirectoryName :
Url :
UrlType : Unknown
Port : 0
ConnectionType : Plaintext
ClientAccessServerShortName : CASSERVERNAME
LocalSiteShortName : SITE
ClientAccessServer : CASSERVERNAME
Scenario : FolderSync
ScenarioDescription : Issue a FolderSync command to retrieve the folder hierarchy.
PerformanceCounterName : DirectPush Latency
Result : Failure
Error : [System.Net.WebException]: The remote server returned an error: (400) Bad Request.
HTTP response headers:
MS-Server-ActiveSync: 6.5.7638.1
Content-Length: 46
Cache-Control: private
Content-Type: text/html
Date: Wed, 12 Dec 2012 02:02:23 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
UserName : user1
StartTime : 12/12/2012 1:02:23 PM
Latency : -00:00:01
EventType : Error
LatencyInMillisecondsString :
Identity :
IsValid : True
environment:
Ex 2003 'Exchange' virtual directory permission: Integrated Windows Authentication, Basic
Ex 2003 'OMA' permission: Basic Authentication
Ex 2003 'ActiveSync' permission: Integrated, Basic
Ex 2010 successfully redirects users from 2010 to 2003 webmail if you login to OWA with a mailbox on 2003
Yes Martina,
It has been done through ESM
I cannot test using testexchangeconnectivity.com since I cannot put the 2010 one into production, I will get into trouble if I change the DNS record to the new mail server!
Yes, EAS works perfectly fine with 2010 mailboxes.
OK.
It might be that it's not possible to run Test-ActiveSyncConnectivity against a mailbox stored in Exchange 2003.
Installing KB937031 and enabling Windows Authentication is really all that needs to be done in EX03, in order for Exchange 2010 to proxy the EAS requests.
Martina Miskovic -
ESB Portal : The remote server returned an error: (400) Bad Request
Hi,
I am getting the below error message while trying to access ESB Portal:
========================
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 12/18/2013 12:07:10 PM
Event time (UTC): 12/18/2013 12:07:10 PM
Event ID: 2a429911fb69455ab3b77348c8b259ce
Event sequence: 10
Event occurrence: 2
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/ESB.Portal-1-130318418493427545
Trust level: Full
Application Virtual Path: /ESB.Portal
Application Path: C:\Projects\Microsoft.Practices.ESB\Source\Samples\Management Portal\ESB.Portal\
Machine name: WIN-HG1MJEC7KJS
Process information:
Process ID: 3220
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: WebException
Exception message: The remote server returned an error: (400) Bad Request.
Request information:
Request URL: http://localhost/esb.portal/default.aspx
Request path: /esb.portal/default.aspx
User host address: ::1
User: WIN-HG1MJEC7KJS\ESBUser
Is authenticated: True
Authentication Type: Negotiate
Thread account name: NT AUTHORITY\SYSTEM
Thread information:
Thread ID: 4
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
Custom event details:
====================
I also looked at thread : http://social.msdn.microsoft.com/Forums/en-US/1fb510a8-9f4b-4e1e-9261-3273b037786c/esbportal-bad-request-400?forum=biztalkesb
However, I wasn't able to find a workaround there.
Best Regards,
Harkirat
Hi,
On a local server you don't have to change the web.config if you use local Windows Groups. Check if the User is added to the "BizTalk Server Administrators" Group. Also check if the Group or the User has rights to access EsbExceptionDb & ESBAdmin database. You also have to enable "Windows Authentication" in IIS for the ESB.Portal.
Local Machine settings:
ESB.Exceptions.Service\Web.config
<connectionStrings><add providerName="System.Data.SqlClient" connectionString="Integrated Security=SSPI;Data Source=.;Initial Catalog=EsbExceptionDb" name="EsbExceptionDbConnectionString"/></connectionStrings>
C:\Projects\Microsoft.Practices.ESB\Source\Samples\Management Portal\ESB.Portal\Web.config
<connectionStrings>
<add name="AdminDatabaseServer" providerName="System.Data.SqlClient" connectionString="Network Library=dbmssocn;Data Source=(local);Integrated Security=True;Initial Catalog=ESBAdmin;"/>
</connectionStrings>
<authentication mode="Windows"/>
<authorization><allow roles="BizTalk Application Users"/>
<allow roles="BizTalk Server Administrators"/>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
Kind regards,
Tomasso Groenendijk
Blog | Twitter
MCTS BizTalk Server 2006, 2010
If this answers your question please mark it accordingly -
ADFS 3.0 - Web Application Proxy configuration Issue
Hi All,
We are in the process of implementing ADFS 3.0 published to the internet for o365 Federation purposes.
The setup consists of the following
- 2 x windows 2012 R2 running ADFS 3.0 ( only one server presently installed and configured though)
- 2 x Windows 2012 R2 Running Web Application Proxy ( only one server presently installed and configured though ).
There is an F5 Big-IP load-balancer for both internal and external interfaces and it has been configured after a lot of issues with the SNI part on the F5.
So, in short the setup is now a single server hosting ADFS 3.0 using SQL and a single WAP server, however the traffic to these servers is still going through the LB.
Now the issue is that I cannot complete the installation/configuration of the Web Application Proxy server. There is a firewall in between our DMZ and the internal network. I can reach the internal services via the following url and telnet on port 443 to the federation service as well. Ports 443 and 80 are opened to the internal network on the load balancer IP. I can reach https://fs.domain.com/adfs/ls/idpinitiatedsignon.aspx and federationmetadata/2007-06/federationmetadata.xml location as well from the Web Application Proxy server without any issues or certificate prompts at all.
When I do the configuration for WAP, I use the same account which was used as a service account for the ADFS service internally. If I use a local admin account, it errors out with another message stating the connection was closed.
The certificate on the internal server along with its private key was exported and has been imported on the WAP server. This is not an internal CA; instead we are using DIGICERT SSL with SAN names for enterprise registration and work folders. Hence the CA chain issue is ruled out, and also this is not a wildcard certificate.
When the wizard starts configuring, it does establish the trust with the federation service, which shows up in the event viewer with EventID 391. Within 15 seconds I get another event ID 422, which states that it cannot retrieve the proxy configuration, and event ID 276 on the federation server, which states the authentication failure. This continues until the server stops trying to configure the wizard.
I have read all the available threads on the 3.0 WAP installation/configuration problem and tried all the steps possible but I am still stuck with this issue.
There is one more part that I noticed on the ADFS server: the certificates for token-encrypting and token-decrypting are self-signed certificates. Also, in the certificates it was showing up as not trusted, and I installed them to the TRUSTED ROOT CERTIFICATION STORE, after which I cannot see any private key showing up when viewing the certificate, which means I cannot get the MANAGE PRIVATE keys option when right-clicking on the cert to assign read permissions for the ADFS service account.
Should I assign the same SSL certificate (SAN based for enterpriseregistration & Workfolders) to the token-encrypting and token-decrypting services in the ADFS console or should I leave them as self-signed? I did read that self-signed is not recommended for production environment? If not the same certificate, what are the requirements for the certificate?
I am not sure what I am missing in the configuration that is causing this issue. The WAP servers are not part of the domain and have also ensured the time synchronization between the domain machine as well.
The service name is fs.domain.com on both the internal and external DNS (we have domain.com as a zone in DNS internally as well). I am able to authenticate inside and from the WAP server when accessing the link.
Could it be a load balancer configuration? [I will try eliminating this from the configuration]
Let me know if there are any options that I can try to resolve this and get the configuration working.
Cheers,
Does the load balancer pass the certificate session through to the ADFS server or are you offloading SSL? SSL offload does not work with WAP/ADFS integration (at least at the time of writing it does not).
Can you try through the load balancer with SSL pass through turned off please.
Also as ADFS 3.0 (Server 2012 R2) uses Server Name Indication (SNI) then any health checks that run on the load balancer must support this, so if they do not then you need to use TCP 443 checks for a listening port, as doing a standard HTTPS check will fail, and if the load balancer fails its checks whilst you are configuring ADFS that might be a reason why it has gone offline for you (error 442 is to do with failure to swap client certificates between WAP and ADFS).
Finally, check the June update to Server 2012 R2 (http://support.microsoft.com/kb/2964735) as that has fixed some certificate issues with multiple servers for WAP and ADFS when you don't have the 2012 R2 AD schema in place.
Brian Reid
Exchange MVP and Exchange and Office 365 Certified Master
www.c7solutions.com
Brian Reid C7 Solutions Ltd (www.c7solutions.com) -
Web Application Proxy and Safari
Morning, all.
I've installed and configured the new Windows Server 2012 R2 AD FS and Web Application Proxy, and I've run into some strange problems. I had some initial problems getting it to work, the documentation is a bit thin, but I now have Sharepoint and Webmail published to the Internet.
I'm using x.509 Certificate Authentication for Extranet.
In IE on a Windows 8.1 Surface Pro everything works. I can log in using either a softcert or a SmartCard.
On my OS X Mac I can log in using Chrome, but Safari won't work.
Same thing on my iPad running iOS 7.0.4, Safari won't work. Interestingly enough, on my 7.0.4 iPhone it DOES work. Even more interestingly, I CAN Workplace Join the iPad using the URL https://<adfs fqdn>/enrollmentserver/otaprofile but I can't authenticate using the URL https://<adfs fqdn>/adfs/ls/IdpInitiatedSignon.aspx.
I get to select my certificate, but after that I'm getting this error message: "Safari cannot open the page because too many redirects occurred." In the Event log on the AD FS server I'm getting this:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
http://<adfs fqdn>/adfs/services/trust
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Since it does work on an iPhone running the same browser, and Workplace Join does work on the iPad even if nothing else does, I'm thinking there's some UserAgent voodoo going on in parts of the Web Application Proxy. It's no big deal that Safari in OS X doesn't work, we can always run Chrome, but the iPad is a major problem and a total deal breaker if I can't fix it.
I would appreciate some good advice.
Hi,
As both IE and Chrome work, I think it’s more a client side issue.
Maybe you need to clear your browser cache and cookies.
This is also worth a try:
http://stackoverflow.com/questions/2640030/adfs-v2-0-error-msis7042-the-same-client-browser-session-has-made-6-request
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Hope this helps. -
I am not able to upload files of size >1 MB; it shows the error "the remote server returned an error (400) bad request."
Anyone, kindly help to fix the issue.
Hi,
Are you trying thru OOB or how..
Please check the "maximum file size for sharepoint".
refer below links for the same.
https://angler.wordpress.com/2012/03/21/increase-the-sharepoint-2010-upload-file-size-limit/
https://msdn.microsoft.com/en-us/library/ff487972.aspx
Don't forget to mark it as an Answer if it resolves your problem or Vote Me if it useful.
Mahesh