Publish Sharepoint 2013 via Web Application Proxy and Kerberos Authentication

This is similar to
http://social.technet.microsoft.com/Forums/windowsserver/en-US/66c23aae-8774-4257-b9f9-b796e69b0318/action?threadDisplayName=publishing-sharepoint-2010-using-web-application-proxy
However, I have tried his resolution to no avail.
I am trying to publish a SharePoint 2013 website via Web Application Proxy. SharePoint 2013 is using Negotiate (Kerberos) as its authentication provider. When trying to browse to the site externally via the WAP I get an HTTP error 500 (internal server error).
In the web application proxy's event viewer I find the following two entries every time I try to browse the site.
Event ID: 13019
Level: Warning
Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package
(0x8009030e).
Details:
Transaction ID: {5672be45-a4b8-0005-58ff-7256b8a4cf01}
Session ID: {5672be45-a4b8-0000-3909-7356b8a4cf01}
Published Application Name: sharepoint
Published Application ID: ****
Published Application External URL: https://sharepoint.domain.com
Published Backend URL: https://sharepoint.domain.com
User: [email protected]
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Client Request URL:
https://sharepoint.domain.com/home?authToken=****client-request-id=****
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: BackendRequestProcessing_Pending
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
And
Event ID: 12027
Level: Error
Web Application Proxy encountered an unexpected error while processing the request.
Error: No credentials are available in the security package
(0x8009030e).
Details:
Transaction ID: ****
Session ID: ****
Published Application Name: Sharepoint
Published Application ID: ****
Published Application External URL: https://sharepoint.domain.com/
Published Backend URL: https://sharepoint.domain.com/
User: [email protected]
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Client Request URL:
https://gateway.dcsch.co.uk/home?authToken=****client-request-id=****
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: OuOfOrderFEHeadersWriting
Response Code to Client: 500
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
I have tried everything I have seen in many posts and the one linked above but cannot get this working. It does work fine internally.

And within the next 10 minutes I found this:
http://technet.microsoft.com/en-us/library/dn308246.aspx#Kerberos
I needed to set up delegation to ANY service in the Web Application Proxy.
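As an added example (not from the thread or the linked article), this is the PowerShell equivalent of the Kerberos constrained delegation setup the TechNet article walks through in the GUI; it constrains the proxy to the single backend SPN rather than any service. Assumed names: WAP computer account WAP01, backend SPN HTTP/sharepoint.domain.com, application name "sharepoint", and a placeholder certificate thumbprint.

```powershell
# Added example, not the thread's own configuration.
# Assumptions: WAP computer account WAP01, SharePoint backend SPN
# HTTP/sharepoint.domain.com, AD FS relying party "SharePoint".
# Steps 1-3 run on a domain-joined admin box with the ActiveDirectory module
# (needs rights to edit the WAP computer object); steps 4-5 run on the WAP server.

Import-Module ActiveDirectory

$wapComputer = 'WAP01'
$backendSpn  = 'HTTP/sharepoint.domain.com'

# 1. The backend SPN must be registered on the SharePoint app-pool account
#    (and only there); without it the ticket request fails before delegation
#    is even attempted. -Q only queries, it changes nothing.
setspn -Q $backendSpn

# 2. Constrained delegation with protocol transition on the WAP computer account.
#    Event 13019 / 12027 ("No credentials are available in the security package",
#    0x8009030e) is what WAP logs when AD has not trusted it to obtain a ticket
#    on behalf of the pre-authenticated user.
#    TrustedToAuthForDelegation corresponds to "Use any authentication protocol"
#    in the Delegation tab; it is needed because the user arrived with an AD FS
#    token, not a Kerberos ticket, so WAP must perform protocol transition.
Set-ADComputer -Identity $wapComputer -TrustedToAuthForDelegation $true
Set-ADComputer -Identity $wapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }

# 3. Verify what AD now holds for the proxy's account: the list should contain
#    only the backend SPNs the proxy genuinely needs.
Get-ADComputer -Identity $wapComputer -Properties TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 4. On the WAP server, publish the application with the same SPN so the proxy
#    requests a service ticket for exactly that backend (Backend Server
#    Authentication Mode: WIA in the event details).
$certThumbprint = '<thumbprint of the sharepoint.domain.com certificate>'  # placeholder
Add-WebApplicationProxyApplication `
    -Name 'sharepoint' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'SharePoint' `
    -ExternalUrl 'https://sharepoint.domain.com/' `
    -BackendServerUrl 'https://sharepoint.domain.com/' `
    -ExternalCertificateThumbprint $certThumbprint `
    -BackendServerAuthenticationSpn $backendSpn

# 5. The WAP server's own Kerberos cache does not pick up the AD change on its
#    own: purge the computer (SYSTEM) logon session's tickets, or reboot,
#    before re-testing so a stale cache does not keep producing 13019.
klist -li 0x3e7 purge
Restart-Service appproxysvc
```

If `setspn -Q` reports the SPN on more than one account, fix that duplicate first; a duplicate SPN breaks Kerberos for the backend regardless of the delegation settings.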

Similar Messages

  • Web Application Proxy and IIS

    I set up the Web Application Proxy role on Server 2012 R2 a while back and published a few applications. Everything worked great. A few months later I deployed DirectAccess on the same server. Once again, everything worked great.
    All of a sudden users started stating that they were receiving an "Internet Information Services" page while they were clicking links on the intranet. Clicking the refresh button in their browser would resolve the problem. It was puzzling. Eventually
    I figured it out. It was only mobile users having the issue. They were taking their laptops home, clicking HTTP links on our SharePoint site (which were not deployed via Web Application Proxy), which were then hitting the Web Application Proxy server's
    port 80 over HTTP (not HTTPS). Then the page was being cached by IE on their laptop/tablet. When they returned to the office the cached page was opening, which is why hitting refresh resolved the issue.
    I understand that one of the issues is the wrong link on the intranet (HTTP vs HTTPS). We'll have these corrected. But the real problem is that they were hitting IIS on our Web Application Proxy server. Why is IIS installed? It's not required by WAP
    and I never installed it... Was it installed as part of DirectAccess? And most importantly, will I break anything by forwarding HTTP to HTTPS within IIS using URL Rewrite? Will it affect DirectAccess? Our NLS is not on the DA server.
    Once again, this server is only used for WAP and DA. Nothing else. Any input is greatly appreciated. Thanks!

    Hi Cormang,
    Yes, IIS is a part of DirectAccess.
    Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote
    access services.
    When we try to remove IIS, we get the message below.
    I have tried to disable the IIS server on my DirectAccess server. The DirectAccess client still works properly. Therefore, it seems that IIS is not necessary for DirectAccess.
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Web Application Proxy and Safari

    Morning, all.
    I've installed and configured the new Windows Server 2012 R2 AD FS and Web Application Proxy, and I've run into some strange problems. I had some initial problems getting it to work (the documentation is a bit thin), but I now have SharePoint and Webmail
    published to the Internet.
    I'm using X.509 certificate authentication for the extranet.
    In IE on a Windows 8.1 Surface Pro everything works. I can log in using either a soft cert or a smart card.
    On my OS X Mac I can log in using Chrome, but Safari won't work.
    Same thing on my iPad running iOS 7.0.4, Safari won't work. Interestingly enough, on my 7.0.4 iPhone it DOES work. Even more interestingly, I CAN Workplace Join the iPad using the URL https://<adfs fqdn>/enrollmentserver/otaprofile but
    I can't authenticate using the URL https://<adfs fqdn>/adfs/ls/IdpInitiatedSignon.aspx.
    I get to select my certificate, but after that I'm getting this error message: "Safari cannot open the page because too many redirects occurred." In the Event log on the AD FS server I'm getting this:
    Encountered error during federation passive request. 
    Additional Data 
    Protocol Name: 
    Saml 
    Relying Party: 
    http://<adfs fqdn>/adfs/services/trust 
    Exception details: 
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    Since it does work on an iPhone running the same browser, and Workplace Join does work on the iPad even if nothing else does, I'm thinking there's some User-Agent voodoo going on in parts of the Web Application Proxy. It's no big deal that Safari in OS X doesn't
    work, we can always run Chrome, but the iPad is a major problem and a total deal breaker if I can't fix it.
    I would appreciate some good advice.

    Hi,
    As both IE and Chrome work, I think it's more of a client-side issue.
    Maybe you need to clear your browser cache and cookies.
    This is also worth a try:
    http://stackoverflow.com/questions/2640030/adfs-v2-0-error-msis7042-the-same-client-browser-session-has-made-6-request
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Hope this helps.

  • Publishing CRM 2011 on Web Application Proxy Using Kerberos Constrained Delegation

    Hello,
    Couldn't find a subcategory that seemed suitable for this discussion, so I just dropped it in Windows Server 2012 General.
    So to summarize...
    Web Application Proxy (WAP) on 2012 R2, ADFS on 2012 R2, and CRM 2011 RU11 on 2008 R2.
    WAP has a pass-through rule set up for the ADFS site and a preauth rule set up for the CRM site. All SPNs and delegation are set up in AD.
    Setup is 1 WAP, 1 NIC, 1 ADFS server and 1 CRM server.
    I have successfully published my CRM 2011 site on Web Application Proxy and am successfully doing Kerberos Constrained Delegation. I am also doing client certificate authentication on the ADFS server, which works fine. I am doing this over 49443
    just fine.
    Try to access the CRM site, WAP redirects me to ADFS as expected, client certificate auth happens at the ADFS server, I am redirected back to my CRM site with my authToken so pre-authentication can happen successfully. KCD ensues just fine
    and I am reverse proxied back to the CRM site.
    Herein lies the problem though...
    When I am reverse proxied back to the CRM site, I receive the standard "An error has occurred. Try this action again.... yada yada yada" message with the Try Again or Close button. If I click Try Again, I am able to access the site with no
    problem and the solution works great! This obviously is not acceptable though.
    The error URL looks like the following (changed it for obvious reasons)
    https://crmsite.contoso.com/ORG1/_common/error/errorhandler.aspx?BackUri=https%3a%2f%2fadfs.contoso.com%2fadfs%2fls%3fversion%3d1.0%26action%3dsignin%26realm%3durn%253AAppProxy%253Acom%26appRealm%3d63ce68f1-3de4-e411-9412-005056a67a8d%26returnUrl%3dhttps%253A%252F%252Fcrmsite.contoso.com%252F%26client-request-id%3d4A1A0958-76F3-0000-5D91-1C4AF376D001&ErrorCode=&Parm0=%0d%0a%0d%0aError%20Details%3a%20An%20unhandled%20exception%20occurred%20during%20the%20execution%20of%20the%20current%20web%20request.%20Please%20review%20the%20stack%20trace%20for%20more%20information%20about%20the%20error%20and%20where%20it%20originated%20in%20the%20code.&RequestUri=%2fdefault.aspx
    The error that correlates to this in CRM is
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Little bit further down
    Exception information:
        Exception type: InvalidOperationException
        Exception message: CRM Parameter Filter - Invalid parameter 'AuthMethod=CertificateAuthentication' in Request.Form on page /default.aspx
    If anybody has any insight or experience publishing CRM on WAP using KCD and has run into this issue, help would be greatly appreciated.
    Also, to head off this question, we cannot do an IFD setup. There is a custom-developed solution which resides on top of the CRM installation that is not claims friendly.
    Thanks!
    Jonathan

    Hi,
    Please check if anyone of the links below is helpful:
    http://blogs.msdn.com/b/javaller/archive/2014/01/13/publishing-crm-internet-facing-deployment-using-web-application-proxy-and.aspx
    http://blogs.technet.com/b/dynamicspts/archive/2014/10/03/using-web-application-proxy-to-publish-dynamics-crm-2013-to-the-internet.aspx
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • SharePoint 2013 - Office Web Apps - Internal and External Use

    I have successfully installed SharePoint 2013 and Office Web Apps on Azure VMs inside an Azure Virtual Network (IaaS model). Everything is working well. However, my testing has shown that external users and internal users can't use Office Web Apps at the
    same time.
    Office Web Apps, installed on its own VM, accommodates an external and internal URL quite well. However, SharePoint 2013 appears to only allow one setting for WOPI Zone, either internal or external but not both. I've set the WOPI zone to Internal-HTTPS (Set-SPWOPIZone
    –Zone "internal-https"). OWA works just fine if accessed from inside the Azure Virtual Network. However, if I try to access it from outside the Virtual Network, from the Internet, Office Web Apps fails. The exact opposite is also true. I can set WOPI Zone to
    External-HTTPS and accessing from the Internet works fine, but accessing inside the Virtual Network fails.
    Am I missing something? I, obviously, want Office Web Apps to function properly for both internal and external users simultaneously.
    I appreciate any help anyone can provide here.
    Glenn

    Hi Glenn,
    To have both Internet and internal use available to your end users, you first need to configure the AAM setting. Open Central Administration > Application Management > Configure alternate access mappings. Let's say there is an existing web application
    named http://sharepoint and my end users from the local network are able to access it using the URL http://sharepoint (root site collection). Here you need to add the Internet URL by selecting the web application and clicking Edit Public URLs. Add the Internet domain
    to the web application, e.g. http://sharepoint.abc.com. You don't necessarily have to edit the binding setting in IIS. Before continuing with the next steps, make sure you are able to access http://sharepoint.abc.com from the Internet while being able to access http://sharepoint
    from the local network (aka Internal).
    On the machine where Office Web Apps (OWA) Server 2013 is installed, open PowerShell to add the OWA module and use the following command to re-create a new OWA server farm if you've completed configuring it previously.
    New-OfficeWebAppsFarm -InternalUrl "http://owa" -ExternalUrl "http://owa.abc.com" -EditingEnabled
    In this case, I'm not using an SSL certificate to encrypt data over the Internet. You can use the Internet-public IP of the OWA server like -ExternalUrl "http://198.xxx.xxx.xx". Add the CertificateName parameter if you want to use either a CA-issued certificate
    or a self-signed certificate.
    On your SharePoint machine, you need to re-bind all WFE machines to the WAC farm using the cmdlet New-SPWOPIBinding. Next, you need to set the WOPI zone for both internal and external.
    Set-SPWOPIZone -zone "external-http"
    Note: I'm not using a certificate at all in my guidance. But the steps to have it configured are just to add more parameters.
    I've recently successfully deployed an OWA multi-server farm for both internal and Internet use for two big clients. In a real-world scenario, ideally OWA should be published through a firewall (Forefront UAG, TMG, F5...etc). Please let me know if you still have
    issues after following my steps. My email: [email protected]
    Regards,
    -T.s
    Thuan Soldier
    A 23-year-old man loving Microsoft technologies and making crazy ideas on business journey.
    SharePoint Vietnam | Blog | Twitter

  • AD FS & web application proxy: get error 511 and 364

    I set up ADFS with a service account and I get no errors in the event viewer. Then I set up Web Application Proxy and made all settings (host, delegation, etc.), also with no errors, and everything looked good. After publishing a site I wanted to open it, and
    then an error page always comes up with the two error events 511 and 364. I tried a lot of tips given on the Internet but nothing helped. Maybe you can give me some advice.
    Here is the error description (some words are in German):
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: Die Anforderung ist fehlerhaft oder ungültig. Wenden Sie sich für weitere Informationen an Ihren Administrator.
       bei Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
       bei Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Hi,
    In regard to ADFS related issues, I suggest you refer to the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy Wang

  • I have configured the Remote Access feature Web Application Proxy but it does not configure and gives the error "The remote name could not be resolved."

    I have configured the Remote Access feature Web Application Proxy but it does not configure and gives the error "The remote name could not be resolved" in Server 2012 R2.
    I have configured AD and ADFS on different servers and am trying to configure Web Application Proxy on a different server. What settings are required to connect Web Application Proxy to AD and ADFS?

    Hi,
    In addition, please make sure that the port 443 is not blocked by the firewall.
    Web Application Proxy requires internal name resolution to resolve the names of backend servers, and AD FS servers. When publishing web applications via Web Application Proxy, every web application you publish requires an external URL. For clients to reach
    these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the same IP address as the Web Application Proxy server, or the external IP address of a firewall or load-balancer
    placed in front of the Web Application Proxy server.
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Azure Web Application Proxy not rendering all assets

    Hi All,
    I have an on-prem RD Gateway, internal as http://desktop and internal with https://desktop.mydomain.local and https://desktop.mydomain.com via a forward lookup zone. Internally it is working OK.
    I installed the Azure Web Application Proxy and configured each one of those URLs in an attempt to get this working OK.
    The problem is that it renders the header and nothing else in Firefox and Chrome; IE tells me it's in protected mode. But when I check the web requests I am getting a status of "aborted" on the assets, be they jpg, css etc. This is very strange.
    I have the firewall open as per the sparse documentation on TechNet. Any demos I have seen were on a simple single ASP.NET MVC dummy site.
    I am using pass-through at the moment and the RD Gateway is in forms-based auth mode. I got this working last month with regular on-prem WAP on another build. Has anyone actually attempted to use this to publish anything significant?
    Rob

    Hi Will,
    To make things simpler, I deployed WordPress to an internal URL that I can get to from
    http://machinenameI
    So I can see that internally, so that is OK. The machine with the proxy on it has all the prerequisites.
    When I publish via the proxy, I first get an HTTPS violation error, and IE asks me to accept both secure and insecure content. But again, from the web development tools (F12 in IE), I can see that the
    http://machinename/foldername/asset.css, jpg etc. are coming back as "aborted" in the status field.
    I can see basic text on screen. The following items are from my internal test.
    Rob

  • Azure Web Application Proxy not rendering all assets for RD gateway

    Hi All,
    I have an on-prem RD Gateway, internal as http://desktop and internal with https://desktop.mydomain.local and https://desktop.mydomain.com via a forward lookup zone. Internally it is working OK.
    I installed the Azure Web Application Proxy and configured each one of those URLs in an attempt to get this working OK.
    The problem is that it renders the header and nothing else in Firefox and Chrome; IE tells me it's in protected mode. But when I check the web requests I am getting a status of "aborted" on the assets, be they jpg, css etc. This is very strange.
    I have the firewall open as per the sparse documentation on TechNet. Any demos I have seen were on a simple single ASP.NET MVC dummy site.
    I am using pass-through at the moment and the RD Gateway is in forms-based auth mode. I got this working last month with regular on-prem WAP on another build. Has anyone actually attempted to use this to publish anything significant?
    Rob

    Hi Rob,
    It is possible that we do not support Remote Desktop Gateway being published via the Azure Active Directory Web Application Proxy, and that is why you're running into issues. I shall have to check this out, as I have not attempted to do this yet.
    I shall investigate and come back to you in regards to this. I shall also reach out to the team who own this feature, and they may choose to reply directly via this thread.
    Regards, 
    James.

  • Is Web Application Proxy enough as a secure Reverse Proxy/publishing solution

    Hello,
    What are people's thoughts on using the Web Application Proxy role as a reverse proxy with only a firewall between it and the Internet...?
    We need to replace our ISA 2006 boxes and I have been advocating using WAP with ADFS.
    However, other 'Reverse Proxy' solutions available seem to have more capabilities than just WAP and a firewall, without which we leave ourselves exposed. For instance, Fortinet's product FortiWeb has the following 'additional' capabilities:
    Protection for application layer attacks (SQL Injection, XSS, PHP/OS/LDAP/RFI/LFI injection and more)
    Automatic layer 7 anomaly-based application baselining and threat detection
    Data Leak Prevention (CC, SSN, server/application leakage)
    IP Reputation
    Are these required? Does WAP provide these capabilities but use different terminology?

    Hi,
    https://technet.microsoft.com/en-us/library/dn383650.aspx
    You will see that Web Application Proxy is designed as a perimeter solution (= running in the DMZ).
    Fortinet's product FortiWeb seems to be a web application firewall. This is a security solution. Security solutions are seldom required, but can help keep your environment secure.
    IIS can also serve as a reverse proxy and can do some security stuff too (IP and domain restrictions, request filtering, ...).
    Whether one or the other is the best solution for you depends on your requirements.
    MCP/MCSA/MCTS/MCITP

  • 2012 R2 Web Application Proxy returns 400 (Bad Request) for Kerberos IIS App

    I've gone through all of the step-by-step examples for publishing applications with the Web App Proxy and I'm getting HTTP 400 when I try to publish an IIS Kerberos application. I'm using ADFS pre-authentication.
    The application is SharePoint but I CANNOT change the authentication method to claims-based auth... it has to be Windows integrated. I've double-checked all of the SPNs and delegation. I get the 400 returned once the user has been authenticated and is forwarded
    to the app URL with the AUTHTOKEN?=blahblahblah query string. I've installed the ADFS certificate on the proxy and set it to be the external SSL certificate for the application.
    PLEASE DON'T JUST TELL ME TO POST THIS IN THE GENEVA FORUM FOR ADFS.
    The event log has an exception that looks like this:
    Web Application Proxy received a nonvalid edge token signature.
    Error: Edge Token signature mismatch. edgeTokenHelper.ValidateTokenSignature failed: Verifying token with signature public key failed
    Received token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9.eyJhdWQiOiJ1cm46QXBwUHJveHk6Y29tIiwiaXNzIjoiaHR0cDovL3N0cy5zb3N3ZWV0c29zb2Z0LmNvbS9hZGZzL3NlcnZpY2VzL3RydXN0IiwiaWF0IjoxMzk2NDY2NDQ2LCJleHAiOjEzOTY0NzAwNDYsInJlbHlpbmdwYXJ0eXRydXN0aWQiOiI3N2Y3OTQzYi1kOGI4LWUzMTEtODBiYy0wMDE1NWQ1MWY0OWMiLCJ1cG4iOiJqdGFkbWluQHNvc3dlZXRzb3NvZnQuY29tIiwiY2xpZW50cmVxaWQiOiJlZTA1MDU3ZS00ZTliLTAwMDAtZDkwNS0wNWVlOWI0ZWNmMDEiLCJhdXRoX3RpbWUiOiIyMDE0LTA0LTAyVDE5OjEwOjM2Ljc1NVoiLCJhdXRobWV0aG9kIjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQiLCJ2ZXIiOiIxLjAifQ.E1SqDU1Q2qh00Bt1n1UsBHJrf2kxWh8mN0j03QJTGPQ6vtrkncun017idy2BgB8NzQBVhPQAhfQb3F_lRAAWnpHjwaCuTjeL-pi1-ntVax37TQqQxqg0PVND8OpWxd7rTECObp6KnHBSkgHdaC6ntJ4WzE-QV6afUOyKQrIXil9qF_ybX8IOvMorvGllQB4enR3ZD6KMZBZwzLSl0iueKvZC8TqacRL_Kdvhn2AmutqFVw4wbZILhTsQFRSl86tEp-PCSJ_yLHcxTgqmKWVpEVC0Jo00hJe1MH7P1QMoJISdFY3-4tkuUykpgSNSSlEqZ9EwVdN--4aGE3QlqdL1vA
    Details:
    Transaction ID: {ee05057e-4e9b-0000-da05-05ee9b4ecf01}
    Session ID: {ee05057e-4e9b-0000-d905-05ee9b4ecf01}
    Published Application Name: FIM Portal
    Published Application ID: 48db8de3-96e7-18b6-06d8-5cb6df999b6c
    Published Application External URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    Published Backend URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    User: <Unknown>
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
    Device ID: <Not Applicable>
    Token State: Invalid
    Cookie State: NotFound
    Client Request URL:
    https://portal.sosweetsosoft.com/identitymanagement?authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9.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.E1SqDU1Q2qh00Bt1n1UsBHJrf2kxWh8mN0j03QJTGPQ6vtrkncun017idy2BgB8NzQBVhPQAhfQb3F_lRAAWnpHjwaCuTjeL-pi1-ntVax37TQqQxqg0PVND8OpWxd7rTECObp6KnHBSkgHdaC6ntJ4WzE-QV6afUOyKQrIXil9qF_ybX8IOvMorvGllQB4enR3ZD6KMZBZwzLSl0iueKvZC8TqacRL_Kdvhn2AmutqFVw4wbZILhTsQFRSl86tEp-PCSJ_yLHcxTgqmKWVpEVC0Jo00hJe1MH7P1QMoJISdFY3-4tkuUykpgSNSSlEqZ9EwVdN--4aGE3QlqdL1vA&client-request-id=ee05057e-4e9b-0000-d905-05ee9b4ecf01
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode:
    State Machine State: Idle
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>

    Hi,
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thanks for your understanding and support.
    We are trying to better understand customer views on the social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • ADFS 3.0 - Web Application Proxy configuration Issue

    Hi All,
    We are in the process of implementing ADFS 3.0 published to the Internet for O365 federation purposes.
    The setup consists of the following:
    - 2 x Windows 2012 R2 running ADFS 3.0 (only one server presently installed and configured though)
    - 2 x Windows 2012 R2 running Web Application Proxy (only one server presently installed and configured though)
    There is an F5 BIG-IP load balancer for both internal and external interfaces, and it has been configured after a lot of issues with the SNI part on the F5.
    So, in short, the setup is now a single server hosting ADFS 3.0 using SQL and a single WAP server; however, the traffic to these servers is still going through the LB.
    Now the issue is that I cannot complete the installation/configuration of the Web Application Proxy server. There is a firewall in between our DMZ and the internal network. I can reach the internal services via the following URL and telnet on port 443
    to the federation service as well (ports 443 and 80 are opened to the internal network on the load balancer IP). I can reach https://fs.domain.com/adfs/ls/idpinitiatedsignon.aspx and the federationmetadata/2007-06/federationmetadata.xml location as well
    from the Web Application Proxy server without any issues or certificate prompts at all.
    When I do the configuration for WAP, I use the same account which was used as a service account for the ADFS service internally. If I use a local admin account, it errors out with another message stating the connection was closed.
    The certificate on the internal server along with its private key was exported and has been imported on the WAP server. This is not an internal CA; instead we are using a DigiCert SSL certificate with SAN names for enterprise registration and Work Folders. Hence the CA chain
    issue is ruled out, and also this is not a wildcard certificate.
    When the wizard starts configuring, it does establish the trust with the federation service, which shows up in the event viewer with Event ID 391; within 15 seconds I get another Event ID 422 which states that it cannot retrieve the proxy configuration,
    and Event ID 276 on the federation server which states the authentication failure. This continues until the server stops trying to configure the wizard.
    I have read all the available threads on the 3.0 WAP installation/configuration problem and tried all the steps possible, but I am still stuck with this issue.
    There is one more part that I noticed on the ADFS server: the certificates for the token-signing and token-decrypting services are self-signed certificates. Also, in the certificates they were showing up as not trusted, and I installed them to the TRUSTED
    ROOT CERTIFICATION store, after which I cannot see any private key showing up when viewing the certificate, which means I cannot get the MANAGE PRIVATE KEYS option when right-clicking on the cert to assign read permissions for the ADFS service account.
    Should I assign the same SSL certificate (SAN based for enterprise registration & Work Folders) to the token-signing and token-decrypting services in the ADFS console, or should I leave them as self-signed? I did read that self-signed is not recommended for
    a production environment? If not the same certificate, what are the requirements for the certificate?
    I am not sure what I am missing in the configuration that is causing this issue. The WAP servers are not part of the domain, and I have also ensured the time synchronization with the domain machines as well.
    The service name is fs.domain.com on both the internal and external DNS (we have domain.com as a zone in DNS internally as well). I am able to authenticate inside and from the WAP server when accessing the link.
    Could it be a load balancer configuration? [I will try eliminating this from the configuration]
    Let me know if there are any options that I can try to resolve this and get the configuration working.
    Cheers,

    Does the load balancer pass the certificate session through to the ADFS server, or are you offloading SSL? SSL offload does not work with WAP/ADFS integration (at least at the time of writing it does not).
    Can you try through the load balancer with SSL pass-through turned off, please?
    Also, as ADFS 3.0 (Server 2012 R2) uses Server Name Indication (SNI), any health checks that run on the load balancer must support this, so if they do not then you need to use TCP 443 checks for a listening port, as doing a standard HTTPS check will fail,
    and if the load balancer fails its checks whilst you are configuring ADFS that might be a reason why it has gone offline for you (error 442 is to do with failure to swap client certificates between WAP and ADFS).
    Finally, check the June update to Server 2012 R2 (http://support.microsoft.com/kb/2964735) as that has fixed some certificate issues with multiple servers for WAP and ADFS when you don't have the
    2012 R2 AD schema in place.
    Brian Reid
    Exchange MVP and Exchange and  Office 365 Certified Master
    www.c7solutions.com
    Brian Reid C7 Solutions Ltd (www.c7solutions.com)
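    An added check (not part of Brian's reply, nor a Microsoft tool) that an admin could run on the AD FS server to confirm the points raised above: that the SSL certificate for the service name has a usable private key, that AD FS 3.0 has bound it by hostname (SNI) rather than by IP:port, and that a plain TCP 443 probe of the kind a non-SNI load balancer can perform still succeeds. It assumes the service name fs.domain.com from the question and the standard Windows Server 2012 R2 cmdlets.

```powershell
# Added example, not from the thread: verify the AD FS 3.0 SSL/SNI setup that
# the answer above describes. Run on the AD FS server as an administrator.
$fqdn = 'fs.domain.com'   # service name from the question; change to yours

# 1. Certificate in the machine store with a usable private key.
#    A cert imported without its private key (the symptom in the question)
#    shows HasPrivateKey = False and cannot be used by AD FS or WAP.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$fqdn*" -or $_.DnsNameList.Unicode -contains $fqdn }
foreach ($c in $certs) {
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey
        NotAfter      = $c.NotAfter
        SANs          = ($c.DnsNameList.Unicode -join ', ')
    }
}

# 2. AD FS 3.0 binds by hostname (SNI), not by IP:port. Both the service
#    binding (443) and the certificate-authentication binding (49443)
#    should be listed for the service name.
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# 3. HTTP.SYS view of the same bindings: 'Hostname:port' entries are SNI
#    bindings, which is what a health check without SNI support trips over.
netsh http show sslcert | Select-String -Pattern 'Hostname:port', 'Certificate Hash'

# 4. What a load balancer without SNI support can still verify: TCP 443 open.
Test-NetConnection -ComputerName $fqdn -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If step 1 shows HasPrivateKey = False, the certificate was imported from a public-key-only file and the PFX (with private key) needs to be imported into the Personal store instead; step 4 succeeding while an HTTPS health check fails is the SNI symptom described in the reply.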

  • Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?

    I've read this TechNet article, but I couldn't understand the required values of SubjectAltName.
    https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
    For example, if I build the following servers, what SANs are needed?
    I would also be happy if you could tell me why.
    [ServerNames]
     AD DS Server:DS01
     AD FS Server:FS01
     Web Application Proxy Server:PRX01
     SharePoint Server(WFE):WFE01
     SharePoint Server(APL):APL01
     SQL Server:DB01
    [AD DS Domain Name]
     contoso.local
     (Please assume that all of the above servers are joined to this domain)
    [Site collection strategy]
     using a host-named site collection
    [Primary web application URL]
     https://sps.contoso.com
    Thanks.

    Hi,
    From your description, my understanding is that you have some doubts about SAN.
    If you have a SAN, you can leverage it to make SharePoint
    a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. You could refer to this blog:
    http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san. You could find what SAN needs from the part "Some
    SAN Basics" in this blog.
    These articles may help you understand SAN:
    https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
    http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
    http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
    Best Regards
    Vincent Han
    TechNet Community Support

  • Any reason not to put Lync Edge server on the same server that runs Web Application Proxy?

    We're currently running Lync 2010 Standard server, without an edge server or reverse proxy. I'm working on migrating to Lync 2013 Standard server, and would like to add the edge functionality in the process. I have a Server 2012 R2 in the DMZ,
    with the Web Application Proxy role installed. I plan to use that to publish the Lync web services. Is there any reason I shouldn't install the Lync edge server on the same computer?

    It just won't work well, as everything will want to bind to port 443 (the reverse proxy and the edge services as well). On top of all that, it's just not supported. A new virtual server will save you hours upon hours of frustration and leave you
    with a supported configuration.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Use VPN connection as a listen network interface in Web Application proxy

    I have a test environment: a domain in Hyper-V with SharePoint and Office Web Apps servers (all under Windows 2012 - Windows 2012 R2).
    Because my home ISP does not permit some inbound ports (80, 443) on a gateway machine (under Windows 2012 R2), I created a VPN connection (via "Set up a new connection or network") to my outside VPN server. On this VPN server the port forwarding is configured
    and works fine (e.g. the default IIS site is visible).
    I am trying to publish my SharePoint 2013 Foundation to the Internet over this VPN connection and faced the problem that WAP (Web Application Proxy) does not bind to this VPN connection, only to traditional network interfaces.
    The question is: how can I make WAP listen on the VPN interface?

    Hi,
    Thank you for posting in Windows Server Forum.
    Please check the threads and articles below; they might be helpful in your case.
    Configure a reverse proxy device for SharePoint Server 2013 hybrid
    http://technet.microsoft.com/en-us/library/dn607304(v=office.15).aspx
    Forcing VPN users through a proxy
    http://social.technet.microsoft.com/Forums/en-US/5a6a502d-4583-4c51-8486-3af982ba92da/forcing-vpn-users-through-a-proxy?forum=winserverNIS
    What’s New in 2012 R2: People-centric IT in Action - End-to-end Scenarios Across Products
    http://blogs.technet.com/b/in_the_cloud/archive/2013/07/17/people-centric-it-in-action-end-to-end-scenarios-across-products.aspx
    Hope it helps!
    Thanks,
    Dharmesh
