Internal load balancer for ADFS, Web Application Proxy join problem

Hello,
we deployed 2 x ADFS (2012 R2) behind an internal Azure load balancer.
In front are two WAP servers, which should be joined to the ADFS farm based on the internal load balancer IP.
Unfortunately the WAPs fail to join and sometimes after 5 tries it works. The problem is (based on the event logs) that the ADFS servers don't trust the WAP certificate.
It seems that during the join process the ADFS internal load balancer does not stick to one ADFS server. If we join the WAP directly (without the ILB) to one of the ADFS servers, everything works fine.
As soon as we try to join via the ADFS internal load balancer IP, the above occurs.
Did anyone experience the same problems? How does the internal load balancer distribute the requests? Seems to be not sticky at all.
Thanks for any Feedback,
Thomas

Thomas -
This article talks (in detail) about a recently updated distribution mode - Source IP affinity.
http://azure.microsoft.com/blog/2014/10/30/azure-load-balancer-new-distribution-mode/
Hope this helps!
/Arvind
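
A simplified model of the two distribution modes discussed above, added here as an illustration (not part of the original posts and not Azure's actual hash function): the default mode hashes the full 5-tuple, including the source port, so separate connections from one WAP can reach different AD FS nodes, while source IP affinity leaves the port out. The addresses, node names, SHA-256 hash and three connections per join attempt are assumptions.

```python
import hashlib

BACKENDS = ["adfs1", "adfs2"]   # hypothetical names for the two AD FS farm nodes
ILB_VIP = ("10.0.0.10", 443)    # constructed ILB front-end address
WAP_IP = "10.0.1.5"             # constructed WAP address


def pick_backend(src_ip, src_port, dst_ip, dst_port, proto, mode):
    """Pick a backend by hashing only the fields the distribution mode covers."""
    if mode == "5-tuple":
        key = (src_ip, src_port, dst_ip, dst_port, proto)
    elif mode == "sourceIP":
        key = (src_ip, dst_ip)
    else:
        raise ValueError("unknown distribution mode: %r" % mode)
    digest = hashlib.sha256(repr(key).encode()).digest()
    return BACKENDS[int.from_bytes(digest[:8], "big") % len(BACKENDS)]


def join_attempt(mode, first_port, connections=3):
    """Backends reached by the consecutive TCP connections of one join attempt.

    Each new connection uses the next ephemeral source port, which is the only
    field that changes between connections from the same WAP.
    """
    dst_ip, dst_port = ILB_VIP
    return [
        pick_backend(WAP_IP, first_port + i, dst_ip, dst_port, "tcp", mode)
        for i in range(connections)
    ]


def attempts_kept_on_one_node(mode, attempts=200, connections=3):
    """Count join attempts whose connections all landed on the same node."""
    kept = 0
    for n in range(attempts):
        nodes = join_attempt(mode, 49152 + n * connections, connections)
        if len(set(nodes)) == 1:
            kept += 1
    return kept


if __name__ == "__main__":
    for mode in ("5-tuple", "sourceIP"):
        print(mode, attempts_kept_on_one_node(mode), "of 200 attempts stayed on one node")
```

With two nodes and 5-tuple hashing, only a fraction of the simulated attempts stay on one node, which is consistent with a join that succeeds only after several tries; with source IP affinity every attempt does.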

Similar Messages

  • Will adding a second ADFS Web Application Proxy cause service disruption

    Today I have attempted to add a second ADFS WAP server to an existing (working) ADFS solution based on 2012 R2.
    I am able to install and configure the required role/services successfully but then I'm presented with the Remote Access Management console. This shows the two WAP servers but not the existing published application from the original WAP server and only seems to let me Publish a new application.
    I'm not sure if I should go ahead and run the Publish Application wizard again in case it impacts on the existing application and causes disruption to the service/users.
    Any suggestions would be much appreciated.
    Cheers for now
    Russell 

    the config for the Web Application Proxy is stored in the ADFS v3 configuration database.
    As soon as you add a new WAP to the farm it will get its config from the database
    WAP can be domain joined or not. The reason for having it be domain joined is if you need to manage the system centrally and you need to leverage Kerberos Constrained Delegation for Windows based apps
    If you have more than one WAP, you should use some kind of load balancing mechanism such as either Windows NLB or a hardware loadbalancer
    adding a new WAP should not impact, you just need to make sure it is actually used
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies

  • ADFS Web Application Proxy - Automatically authenticate another federation

    I am setting up a Web Application Proxy as a reverse proxy to publish some of our internal websites to the internet. I am going to publish https://portal.workplace.example as the "hub" site which will link off to various other websites hosted internally. These sites are hosted on various different servers so I want to use the WAP to take advantage of the SSO facility. This works nicely.
    One of the links will be to Office 365. We are using IAMCloud's Federate 365 service (which is essentially a hosted ADFS service) to authenticate our users. Using this means that users away from the workplace are not dependent on our internet connection being active to access O365 and that they will still be able to authenticate should our internet connection die. However, it also means that when the user clicks on the link on the portal page to Office 365 they are forced to re-authenticate. What I'd like to do is to pass on the credentials that the Web Application Proxy collects onto the external federation service automatically. I just can't see how you'd do it.
    I have added the external ADFS farm as a relying party trust but I have no idea what I need to use as a claim rule so I've used a passthrough rule with the UPN as the claim being passed. I've also set up a publishing rule with the WAP with the external federation's URL and changed the hosts file on a test computer to make the external federation's address resolve to the WAP's IP address but this just results in a blank page. I fully accept that I'm not doing this right but I'm unsure of where to go from here. Can anyone give me some advice?
    Many thanks,
    Ian

    Hi Ian,
    Thank you for your posting!
    Regarding claims based issue, I suggest you refer to experts from the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy

  • Load Balancing for Microsoft Orchestrator application

    Hi Folks,
    We are trying to configure Load Balancing for Orchestrator Server.
    We have closely 200 users running a workflow, so in that case we need to configure the Runbook Server as an application load balancing cluster, so please do share the configuration guides with me.
    Regards,
    Venu

    I'm in the middle of doing this right now. There is a doc on metalink (233428.1) that details the process. I would highly recommend trying this in dev/test env first. Even though the instructions are very straight forward and not very complicated, I'm still having configuration issues.
    Clint

  • Need information on open source testing tools for ADF web applications

    Hi experts,
    I need to investigate on new feasible open source Java testing tools for testing ADF web applications. I have tried to google a lot but getting confused.
    My requirements are as under:
    1. The tool must be open source.
    2. It should be easy to understand and to work upon by the tester and developers.
    Selenium based testing approach is already in place for testing the application but need to search for tools other than Selenium which shall prove suitable for testing ADF applications. Kindly let me know your inputs / suggestions.
    Thanks a lot in advance.
    Neelanand

    Hi,
    Have a look at JMeter http://jakarta.apache.org/jmeter/index.html
    1. The tool must be open source. It is.
    2. It should be easy to understand and to work upon by the tester and developers. I guess it is.
    There are some specifics in configuring it for ADF, but Chris Muir wrote a nice blog about how it's done, check it out http://one-size-doesnt-fit-all.blogspot.com/2010/04/configuring-apache-jmeter-specifically.html
    Pedja

  • Getting IP address for Internal Load Balancer

    I've recently been experimenting with internal load balancing for VMs. I'm able to create and delete an internal load balancer (ILB) using the .NET wrapper for the API (https://github.com/Azure/azure-sdk-for-net). What I cannot do though is actually get the internal address for it. Nor does it seem you can get it from the REST API (which, as far as I know, is what .NET wrapper wraps). The only method I can see that claims to get the address is Powershell.
    Can anyone confirm if there is any way using the REST API or its .NET wrapper to obtain the internal address for the ILB?

    I have not looked into the .NET wrapper that you mentioned here, but according to this powershell script:
    http://msdn.microsoft.com/en-us/library/azure/dn690125.aspx
    $svc="<Cloud Service Name>"
    $ilb="<Name of your ILB instance>"
    $subnet="<Name of the subnet within your virtual network-optional>"
    $IP="<The IPv4 address to use on the subnet-optional>"
    Add-AzureInternalLoadBalancer -ServiceName $svc -InternalLoadBalancerName $ilb -SubnetName $subnet -StaticVNetIPAddress $IP
    IP address is optional, so maybe the wrapper hasn't implemented this, which is kind of undesirable. But maybe it allows you to specify the IP?
    Frank

  • I have configure remote access feature web application proxy but not configure give the error. The remote name could not be resolved.

    I have configure remote access feature web application proxy but not configure give the error. The remote name could not be resolved in server 2012 R2.
    I have configure Ad and ADFS different server and try to configure web application proxy different server. what setting are required for connect web application proxy to Ad and ADFS.

    Hi,
    In addition, please make sure that the port 443 is not blocked by the firewall.
    Web Application Proxy requires internal name resolution to resolve the names of backend servers, and AD FS servers. When publishing web applications via Web Application Proxy, every web application you publish requires an external URL. For clients to reach these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the same IP address as the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.
    Best regards,
    Susie

  • Reverse Proxy and Load Balancer for SMP 2.3 and Agentry Application

    Hi Expert,
    I'm putting in place a mobile solution composed by SMP 2.3 SPS 4 and SAP ECC 6.0. In the SMP 2.3 I created the agentry server and I have deployed my agentry application.
    My SMP/Agentry infrastructure is composed by two servers therefore I need a load balancer for balance the load into the several servers. Furthermore I need to use a reverse proxy in my DMZ zone.
    Based on what indicated in the SAP note "1904213 - SAP Mobile Platform Server Release Information" the Apache Reverse Proxy is not supported for Agentry clients. Agentry uses nginx for Reverse Proxy.
    I also found the following document How-to-Guide for Reverse Proxy and Load Balancing in SAP Mobile Platform 3.x that explain how to set-up a reverse proxy and load balancer with nginx and apache.
    Both the SAP note and the how-to document refer to SMP 3.0 and not to SMP 2.3.
    I would know if the NGINX must be used also for SMP 2.3.
    Any suggestion/information is appreciated.
    Thanks in advance
    g.

    Please see Agentry Network Landscapes

  • ADFS 3.0 - Web Application Proxy configuration Issue

    Hi All,
    We are in the process of implementing ADFS 3.0 published to the internet for o365 Federation purposes.
    The setup consists of the following
    - 2 x windows 2012 R2 running ADFS 3.0 ( only one server presently installed and configured though)
    - 2 x Windows 2012 R2 Running Web Application Proxy (  only one server presently installed and configured though ).
    There is an F5 Big-IP load-balancer for both internal and external interfaces and it has been configured after a lot of issues with the SNI part on the F5.
    So, in short the setup is now a single server hosting ADFS 3.0 using SQL and a single WAP server, however the traffic to these servers are still going through the LB.
    Now the issue is that I cannot complete the installation/configuration of the Web Application Proxy server. There is a firewall in between our DMZ and the internal network. I can reach the internal services via the following URL and telnet on port 443 to the federation service as well. (Ports 443 and 80 are opened to the internal network on the load balancer IP.) I can reach https://fs.domain.com/adfs/ls/idpinitiatedsignon.aspx and the federationmetadata/2007-06/federationmetadata.xml location as well from the Web Application Proxy server without any issues or certificate prompts at all.
    When I do the configuration for WAP, I use the same account which was used as a service account for the ADFS service internally. If I use a local admin account, it errors out with another message stating the connection was closed.
    The certificate on the internal server along with its private key was exported and has been imported on the WAP server. This is not an internal CA; instead we are using a DIGICERT SSL certificate with SAN names for enterprise registration and work folders. Hence the CA chain issue is ruled out and also this is not a wildcard certificate.
    When the wizard starts configuring, it does establish the trust with the federation service, which shows up in the event viewer with Event ID 391. Within 15 seconds I get another event, ID 422, which states that it cannot retrieve the proxy configuration, and Event ID 276 on the federation server, which states the authentication failure. This continues until the server stops trying to configure the wizard.
    I have read all the available threads on the 3.0 WAP installation/configuration problem and tried all the steps possible but I am still stuck with this issue.
    There is one more part that I noticed on the ADFS server: the self signed services for the token-encrypting and token decrypting are self-signed certificates. Also, in the certificates it was showing up as not trusted, and I installed them to the TRUSTED ROOT CERTIFICATION STORE, after which I cannot see any private key showing up when viewing the certificate, which means I cannot get the MANAGE PRIVATE KEYS option when right clicking on the cert to assign read permissions for the ADFS service account.
    Should I assign the same SSL certificate (SAN based for enterpriseregistration & Workfolders) to the token-encrypting and token-decrypting services in the ADFS console or should I leave them as self signed? I did read that self-signed is not recommended for production environments. If not the same certificate, what are the requirements for the certificate?
    I am not sure what I am missing in the configuration that is causing this issue. The WAP servers are not part of the domain and have also ensured the time synchronization between the domain machine as well.
    The service name is fs.domain.com on both the internal and external DNS ( we have domain.com as a zone in DNS internally as well ). I am able to Authenticate inside and from the WAP server when accessing the link.
    Could it be a Load Balancer Configuration ? [i will try eliminating this from the configuration]
    Let me know if there are any options that i can try to resolve this and get the configuration working.
    Cheers,

    Does the load balancer pass the certificate session through to the ADFS server or are you offloading SSL? SSL offload does not work with WAP/ADFS integration (at least at the time of writing it does not).
    Can you try through the load balancer with SSL pass through turned off please.
    Also as ADFS 3.0 (Server 2012 R2) uses Server Name Indication (SNI) then any health checks that run on the load balancer must support this, so if they do not then you need to use TCP 443 checks for a listening port, as doing a standard HTTPS check will fail, and if the load balancer fails its checks whilst you are configuring ADFS that might be a reason why it has gone offline for you (error 442 is to do with failure to swap client certificates between WAP and ADFS).
    Finally, check the June update to Server 2012 R2 (http://support.microsoft.com/kb/2964735) as that has fixed some certificate issues with multiple servers for WAP and ADFS when you don't have the 2012 R2 AD schema in place.
    Brian Reid
    Exchange MVP and Exchange and  Office 365 Certified Master
    www.c7solutions.com

  • 2012 R2 Web Application Proxy returns 400 (Bad Request) for Kerberos IIS App

    I've gone through all of the step-by-step examples for publishing applications with the Web App Proxy and I'm getting HTTP 400 when I try to publish an IIS Kerberos application. I'm using ADFS pre-authentication.
    The application is SharePoint but I CAN NOT change the authentication method to claims based auth...it has to be windows integrated. I've double checked all of the SPNs and delegation. I get the 400 returned once the user has been authenticated and is forwarded to the app url with the AUTHTOKEN?=blahblahblah query string. I've installed the ADFS certificate on the proxy and set it to be the external SSL certificate for the application.
    PLEASE DON'T JUST TELL ME TO POST THIS IN THE GENEVA FORUM FOR ADFS.
    The event log has an exception that looks like this:
    Web Application Proxy received a nonvalid edge token signature.
    Error: Edge Token signature mismatch. edgeTokenHelper.ValidateTokenSignature failed: Verifying token with signature public key failed
    Received token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9.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.E1SqDU1Q2qh00Bt1n1UsBHJrf2kxWh8mN0j03QJTGPQ6vtrkncun017idy2BgB8NzQBVhPQAhfQb3F_lRAAWnpHjwaCuTjeL-pi1-ntVax37TQqQxqg0PVND8OpWxd7rTECObp6KnHBSkgHdaC6ntJ4WzE-QV6afUOyKQrIXil9qF_ybX8IOvMorvGllQB4enR3ZD6KMZBZwzLSl0iueKvZC8TqacRL_Kdvhn2AmutqFVw4wbZILhTsQFRSl86tEp-PCSJ_yLHcxTgqmKWVpEVC0Jo00hJe1MH7P1QMoJISdFY3-4tkuUykpgSNSSlEqZ9EwVdN--4aGE3QlqdL1vA
    Details:
    Transaction ID: {ee05057e-4e9b-0000-da05-05ee9b4ecf01}
    Session ID: {ee05057e-4e9b-0000-d905-05ee9b4ecf01}
    Published Application Name: FIM Portal
    Published Application ID: 48db8de3-96e7-18b6-06d8-5cb6df999b6c
    Published Application External URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    Published Backend URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    User: <Unknown>
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
    Device ID: <Not Applicable>
    Token State: Invalid
    Cookie State: NotFound
    Client Request URL:
    https://portal.sosweetsosoft.com/identitymanagement?authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9.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.E1SqDU1Q2qh00Bt1n1UsBHJrf2kxWh8mN0j03QJTGPQ6vtrkncun017idy2BgB8NzQBVhPQAhfQb3F_lRAAWnpHjwaCuTjeL-pi1-ntVax37TQqQxqg0PVND8OpWxd7rTECObp6KnHBSkgHdaC6ntJ4WzE-QV6afUOyKQrIXil9qF_ybX8IOvMorvGllQB4enR3ZD6KMZBZwzLSl0iueKvZC8TqacRL_Kdvhn2AmutqFVw4wbZILhTsQFRSl86tEp-PCSJ_yLHcxTgqmKWVpEVC0Jo00hJe1MH7P1QMoJISdFY3-4tkuUykpgSNSSlEqZ9EwVdN--4aGE3QlqdL1vA&client-request-id=ee05057e-4e9b-0000-d905-05ee9b4ecf01
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode:
    State Machine State: Idle
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>

    Hi,
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thanks for your understanding and support.
    Thanks for helping make community forums a great place.
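
The token in the event log above is a JWT whose header carries an `x5t` value, the base64url-encoded SHA-1 thumbprint of the certificate that signed it; converting it to hex gives the form the Windows certificate store displays, so it can be compared with the certificates the proxy is expected to trust. This is an added example, not part of the original posts: only the header segment is copied from the log, and the function names are hypothetical.

```python
import base64
import json

# Header segment (text before the first ".") copied from the
# "Received token" line of the event log quoted above.
EDGE_TOKEN_HEADER = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6"
    "IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9"
)


def b64url_decode(segment):
    """Decode base64url text that has had its '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header(token):
    """Return the JOSE header of a JWT (or of a bare header segment)."""
    header = json.loads(b64url_decode(token.split(".", 1)[0]))
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    return header


def signing_cert_thumbprint(token):
    """Hex SHA-1 thumbprint of the signing certificate named by x5t."""
    x5t = parse_header(token).get("x5t")
    if x5t is None:
        raise ValueError("token header has no x5t field")
    raw = b64url_decode(x5t)
    if len(raw) != 20:  # a SHA-1 digest is always 20 bytes
        raise ValueError("x5t is not a SHA-1 thumbprint")
    return raw.hex().upper()


def thumbprint_to_x5t(thumbprint):
    """Inverse conversion: certificate-store hex thumbprint to x5t form."""
    raw = bytes.fromhex(thumbprint.replace(" ", ""))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def signed_by(token, trusted_thumbprints):
    """True if the token's x5t matches one of the expected thumbprints."""
    wanted = {t.replace(" ", "").upper() for t in trusted_thumbprints}
    return signing_cert_thumbprint(token) in wanted


if __name__ == "__main__":
    print(parse_header(EDGE_TOKEN_HEADER))
    print("signing certificate thumbprint:", signing_cert_thumbprint(EDGE_TOKEN_HEADER))
```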

  • Remove Web Application Proxy from ADFS 3.0

    We have two Web Application Proxies deployed with ADFS 3.0, however we'd like to remove one. We uninstalled the role from the server, however on the other Web Application Proxy it still shows the uninstalled server under Clustered Servers on the Remote Management mmc. How can I get this completely removed from ADFS?

    Hi,
    According to your description, are these two web application proxy servers clustered?
    By “on the other Web Application Proxy it still shows the uninstalled server under Clustered Servers”, do you mean that the uninstalled proxy server still shows as a node of cluster?
    If that’s the case, then it is normal, because uninstalling web application proxy role doesn’t remove its role as a node of cluster.
    More information for you:
    How to Evict a Node from a Windows Server 2008 Failover Cluster
    http://technet.microsoft.com/en-us/library/bb676524(v=EXCHG.80).aspx
    Best Regards,
    Amy Wang

  • Network load balancer for Agentry applications

    Hi Expert,
    I'm going to implement a SAP Mobile Platform solution that will use an agentry application and I need some clarification about the HA configuration and the usage of the network load balancer and relay server. Just for information I'm going to use SMP 2.3 SP4.
    My understanding is that Relay server is a reverse proxy and load balancer for SMP but It can't be used for the agentry applications. Is this correct?
    Based on the standard configuration in order to balance the load of the client devices in the SMP cluster I have to use a Network load balancer, therefore the technical architecture of my solution should be the following:
    |Agentry Client device|   ---->  | Network Load Balancer |  ----> | SMP and Agentry Cluster| -----> |Back end systems|
    Is this correct? I didn't find specifications about the Network load balancer.. Is there a list of the Network load balancer products supported from SAP for agentry application. Is there any best practice on the network load balancer?
    Thank you in advance for your collaboration.
    BR
    g.

    Because we don't test any directly with our QA we don't have a preferred product. Talking to our consulting group, they normally just use what the customer already has installed in their network. Both software and hardware load balancers have been used.
    The key part needed for the load balancer for Agentry 6.0.x and SMP 2.3 (not SMP 3) is that it is set to TCP Pass through.
    Stephen

  • Installing 2 Application server and 1 DB server and load balancing for 11i

    Hi,
    I need info on how to install and configure load balancing for 11.5.8 on Win2000. The scenario: 1 db server DB, 2 apps/web/forms servers AP1 and AP2. Using rapid install you can only specify one db server A and one form server in multi node installations, right? How do I install the form server on AP2? Can I use the same config.txt? The computer name for AP2 is different.
    Thanks & Regards,
    Jagal

    I have the very same issue. We want to install 4 web/form servers on a hardware load-balancer and the issue is we can only specify one forms server.
    Does anyone know the secret bullet here?
    Thanks
    John

  • Azure Web Application Proxy not rendering all assets for RD gateway

    Hi All,
    I have an on prem RD gateway, internal as http://desktop and internal with https://desktop.mydomain.local and https://desktop.mydomain.com via a forward lookup zone. internally it is working ok.
    I installed the azure web application proxy and configured each one of those URL's in an attempt to get this working ok.
    The problem is that it renders the header and nothing else in Firefox and Chrome; IE tells me it's in protected mode. But when I check the web requests I am getting a status of "aborted" on the assets, be they jpg, css etc. This is very strange.
    I have the firewall open as per the sparse documentation on technet. Any demos I have seen were on a simple single asp.net mvc dummy site.
    I am using passthrough at the moment and the rd gateway is in forms based auth mode. I got this working last month with regular on prem WAP on another build. Has anyone actually attempted to use this to publish anything significant ?
    Rob

    Hi Rob, 
    It is possible that we do not support Remote Desktop Gateway being published via the Azure Active Directory Web Application Proxy and that is why you're running into issues. I shall have to check this out as I have not attempted to do this yet.
    I shall investigate and come back to you in regards to this, I shall also reach out to the team whom own this feature and they may choose to reply directly via this thread. 
    Regards, 
    James.

  • Web Application Proxy and Safari

    Morning, all.
    I've installed and configured the new Windows Server 2012 R2 AD FS and Web Application Proxy, and I've run into some strange problems. I had some initial problems getting it to work, the documentation is a bit thin, but I now have Sharepoint and Webmail published to the Internet.
    I'm using x.509 Certificate Authentication for Extranet.
    In IE on a Windows 8.1 Surface Pro everything works. I can log in using either a softcert or a SmartCard.
    On my OS X Mac I can log in using Chrome, but Safari won't work.
    Same thing on my iPad running iOS 7.0.4, Safari won't work. Interestingly enough, on my 7.0.4 iPhone it DOES work. Even more interestingly, I CAN Workplace Join the iPad using the URL https://<adfs fqdn>/enrollmentserver/otaprofile but I can't authenticate using the URL https://<adfs fqdn>/adfs/ls/IdpInitiatedSignon.aspx.
    I get to select my certificate, but after that I'm getting this error message: "Safari cannot open the page because too many redirects occurred." In the Event log on the AD FS server I'm getting this:
    Encountered error during federation passive request. 
    Additional Data 
    Protocol Name: 
    Saml 
    Relying Party: 
    http://<adfs fqdn>/adfs/services/trust 
    Exception details: 
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    Since it does work on an iPhone running the same browser, and Workplace Join does work on the iPad even if nothing else does I'm thinking there's some UserAgent voodoo going on in parts of the Web Application Proxy. It's no big deal that Safari in OS X doesn't work, we can always run Chrome, but the iPad is a major problem and a total deal breaker if I can't fix it.
    I would appreciate some good advice.

    Hi,
    As both IE and Chrome work, I think it’s more a client side issue.
    Maybe you need to clear your browser cache and cookies.
    This is also worth a try:
    http://stackoverflow.com/questions/2640030/adfs-v2-0-error-msis7042-the-same-client-browser-session-has-made-6-request
    Hope this helps.
