Remove Web Application Proxy from ADFS 3.0

We have two Web Application Proxies deployed with ADFS 3.0, however we'd like to remove one. We uninstalled the role from the server, however on the other Web Application Proxy it still shows the uninstalled server under Clustered Servers on the Remote Management mmc. How can I get this completely removed from ADFS?

Hi,
According to your description, are these two web application proxy servers clustered?
By “on the other Web Application Proxy it still shows the uninstalled server under Clustered Servers”, do you mean that the uninstalled proxy server still shows as a node of cluster?
If that’s the case, then it is normal, because uninstalling web application proxy role doesn’t remove its role as a node of cluster.
More information for you:
How to Evict a Node from a Windows Server 2008 Failover Cluster
http://technet.microsoft.com/en-us/library/bb676524(v=EXCHG.80).aspx
Best Regards,
Amy Wang

Similar Messages

  • ADFS Web Application Proxy - Automatically authenticate another federation

    I am setting up a Web Application Proxy as a reverse proxy to publish some of our internal websites to the internet. I am going to publish
    https://portal.workplace.example as the "hub" site which will link off to various other websites hosted internally. These sites are hosted on various different servers so I want to use the WAP to take
    advantage of the SSO facility. This works nicely.
    One of the links will be to Office 365. We are using IAMCloud's Federate 365 service (which is essentially a hosted ADFS service) to authenticate our users. Using this means that users away from the workplace
    are not dependent on our internet connection being active to access O365 and that they will still be able to authenticate should our internet connection die. However, it also means that when the user clicks on the link on the portal page to Office 365 they
    are forced to re-authenticate. What I'd like to do is to pass on the credentials that the Web Application Proxy collects onto the external federation service automatically. I just can't see how you'd do it.
    I have added the external ADFS farm as a relying party trust but I have no idea what I need to use as a claim rule so I've used a passthrough rule with the UPN as the claim being passed. I've also set up a
    publishing rule with the WAP with the external federation's URL and changed the hosts file on a test computer to make the external federation's address resolve to the WAP's IP address but this just results in a blank page. I fully accept that I'm not doing
    this right but I'm unsure of where to go from here. Can anyone give me some advice?
    Many thanks,
    Ian

    Hi Ian,
    Thank you for your posting!
    Regarding claims based issue, I suggest you refer to experts from the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy

  • ADFS 3.0 - Web Application Proxy configuration Issue

    Hi All,
    We are in the process of implementing ADFS 3.0 published to the internet for o365 Federation purposes.
    The setup consists of the following
    - 2 x windows 2012 R2 running ADFS 3.0 ( only one server presently installed and configured though)
    - 2 x Windows 2012 R2 Running Web Application Proxy (  only one server presently installed and configured though ).
    There is an F5 Big-IP load-balancer for both internal and external interfaces and it has been configured after a lot of issues with the SNI part on the F5.
    So, in short the setup is now a single server hosting ADFS 3.0 using SQL and a single WAP server, however the traffic to these servers is still going through the LB.
    Now the issue is that I cannot complete the installation/configuration of the Web Application Proxy server. There is a firewall in between our DMZ and the internal network. I can reach the internal services via the following url and telnet on port 443
    to the federation service as well. (ports for 443 and 80) are opened to internal network on the load balancer ip. I can reach https://fs.domain.com/adfs/ls/idpinitiatedsignon.aspx and federationmetadata/2007-06/federationmetadata.xml location as well
    from the Web Application Proxy server without any issues or certificate prompts at all.
    When I do the configuration for WAP, I use the same account which was used as a service account for the ADFS service internally. If I use a local admin account, it errors out with another message stating the connection was closed.
    The certificate on the internal server along with its private key was exported and has been imported on the WAP server . This is not internal CA, instead we are using DIGICERT SSL with SAN Names for enterprise registration and work folders. Hence the CA Chain
    issue is ruled out and also this is not a wild card certificate.
    When the wizard starts configuring, it does establish the trust with the federation service which is shown up in the event viewer with  EventID 391 within 15 seconds i get another event id 422 which states that it cannot retrieve the proxy configuration
    and eventid 276 on the Federation server which states the authentication failure. this continues until the servers stops to try configuring the wizard. 
    I have read all the available threads on the 3.0 WAP installation/configuration problem and tried all the steps possible but I am still stuck with this issue.
    There is one more part that I noticed on the ADFS server, that the self signed services for the token-encrypting and token decrypting are self-signed certificates. Also, in the certificates it was showing up as not trusted, and I installed them to the TRUSTED
    ROOT CERTIFICATION STORE after which I cannot see any private key showing up when viewing the certificate which means I cannot get the MANAGE PRIVATE keys option when right clicking on the cert to assign read permissions for the ADFS service account.
    Should I assign the same SSL certificate (SAN based for enterpriseregistration & Workfolders) to the token-encrypting and token-decrypting services in ADFS console or should I leave them as self signed? I did read that self-signed is not recommended for
    production environment ? If not the same certificate what are the requirements for the certificate ?
    I am not sure what I am missing in the configuration that is causing this issue. The WAP servers are not part of the domain and have also ensured the time synchronization between the domain machine as well.
    The service name is fs.domain.com on both the internal and external DNS ( we have domain.com as a zone in DNS internally as well ). I am able to Authenticate inside and from the WAP server when accessing the link.
    Could it be a Load Balancer Configuration ? [i will try eliminating this from the configuration]
    Let me know if there are any options that i can try to resolve this and get the configuration working.
    Cheers,

    Does the load balancer pass the certificate session through to the ADFS server or are you offloading SSL. SSL offload does not work with WAP/ADFS integration (at least at the time of writing it does not).
    Can you try through the load balancer with SSL pass through turned off please.
    Also as ADFS 3.0 (Server 2012 R2) uses Server Name Indication (SNI) then any health checks that run on the load balancer must support this, so if they do not then you need to use TCP 443 checks for a listening port, as doing a standard HTTPS check will fail,
    and if the load balancer fails its checks whilst you are configuring ADFS that might be a reason why it has gone offline for you (error 442 is to do with failure to swap client certificates between WAP and ADFS).
    Finally, check the June update to Server 2012 R2 (http://support.microsoft.com/kb/2964735) as that has fixed some certificate issues with multiple servers for WAP and ADFS when you don't have the
    2012 R2 AD schema in place.
    Brian Reid
    Exchange MVP and Exchange and  Office 365 Certified Master
    www.c7solutions.com

  • Will adding a second ADFS Web Application Proxy cause service disruption

    Today I have attempted to add a second ADFS WAP server to an existing (working) ADFS solution based on 2012 R2.
    I am able to install and configure the required role/services successfully but then I'm presented with the Remote Access Management console. This shows the two WAP servers but not the existing published application from the original WAP server and only seems
    to let me Publish a new application.
    I'm not sure if I should go ahead and run the Publish Application wizard again in case it impacts on the existing application and causes disruption to the service/users.
    Any suggestions would be much appreciated.
    Cheers for now
    Russell 

    The config for the Web Application Proxy is stored in the ADFS v3 configuration database.
    As soon as you add a new WAP to the farm it will get its config from the database.
    WAP can be domain joined or not. The reason for having it be domain joined is if you need to manage the system centrally and you need to leverage Kerberos Constrained Delegation for Windows based apps.
    If you have more than one WAP, you should use some kind of load balancing mechanism such as either Windows NLB or a hardware load balancer.
    Adding a new WAP should not have an impact; you just need to make sure it is actually used.
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies

  • 2012 R2 Web Application Proxy returns 400 (Bad Request) for Kerberos IIS App

    I've gone through all of the step-by-step examples for publishing applications with the Web App Proxy and I'm getting HTTP 400 when I try to publish an IIS Kerberos application. I'm using ADFS pre-authentication.
    The application is SharePoint but I CAN NOT change the authentication method to claims based auth...it has to be windows integrated. I've double checked all of the SPN's and delegation. I get the 400 returned once the user has been authenticated and is forwarded
    to the app url with the AUTHTOKEN?=blahblahblah query string. I've installed the ADFS certificate on the proxy and set it to be the external SSL certificate for the application.
    PLEASE DONT JUST TELL ME TO POST THIS IN THE GENEVA FORUM FOR ADFS.
    The event log has an exception that looks like this:
    Web Application Proxy received a nonvalid edge token signature.
    Error: Edge Token signature mismatch. edgeTokenHelper.ValidateTokenSignature failed: Verifying token with signature public key failed
    Received token: [token removed]
    Details:
    Transaction ID: {ee05057e-4e9b-0000-da05-05ee9b4ecf01}
    Session ID: {ee05057e-4e9b-0000-d905-05ee9b4ecf01}
    Published Application Name: FIM Portal
    Published Application ID: 48db8de3-96e7-18b6-06d8-5cb6df999b6c
    Published Application External URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    Published Backend URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    User: <Unknown>
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
    Device ID: <Not Applicable>
    Token State: Invalid
    Cookie State: NotFound
    Client Request URL:
    https://portal.sosweetsosoft.com/identitymanagement?authToken=[token removed]&client-request-id=ee05057e-4e9b-0000-d905-05ee9b4ecf01
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode:
    State Machine State: Idle
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>

    Hi,
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thanks for your understanding and support.
    Thanks for helping make community forums a great place.
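
The "Edge Token signature mismatch" event posted in the thread above can be triaged offline. The following is an added example, not code from the thread or from Microsoft: it parses the event's "Name: value" details, reads the `x5t` certificate thumbprint from the token header (assuming the header carries one), compares it with the certificates the proxy is expected to trust, and strips the bearer token so the event text can be shared. The sample event, the certificate bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import json
import re
from typing import Optional

# A JWT starts with base64url('{"') == "eyJ" and has three dot-separated segments.
TOKEN_RE = re.compile(r"\beyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# "Name: value", or a bare "Name:" whose value sits on the next line (URLs do not match).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):(?:\s+(.*))?$")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def cert_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, the value Windows shows as Thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


def signer_thumbprint(token: str) -> Optional[str]:
    """Certificate thumbprint named by the header's x5t, or None if there is none.

    The header is unauthenticated: it says which certificate the issuer claims
    to have signed with, it does not prove that the signature is valid.
    """
    header = json.loads(b64url_decode(token.split(".")[0]))
    x5t = header.get("x5t")
    return b64url_decode(x5t).hex().upper() if x5t else None


def parse_event(text: str) -> dict:
    """Collect the event's fields, including values wrapped onto the next line."""
    fields, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        match = FIELD_RE.match(line)
        if match:
            name, value = match.group(1), (match.group(2) or "").strip()
            fields[name] = value
            pending = None if value else name
        elif pending and line:
            fields[pending], pending = line, None
    return fields


def redact(text: str) -> str:
    """Replace every JWT-shaped string so the event can be posted or ticketed."""
    return TOKEN_RE.sub("[token removed]", text)


def diagnose(event_text: str, trusted_certs_der: list) -> dict:
    """Summarise the event and say whether the claimed signer is a trusted certificate."""
    fields = parse_event(event_text)
    found = TOKEN_RE.search(fields.get("Received token", ""))
    signer = signer_thumbprint(found.group(0)) if found else None
    trusted = {cert_thumbprint(der) for der in trusted_certs_der}
    return {
        "token_state": fields.get("Token State"),
        "signer_thumbprint": signer,
        "signer_trusted": signer in trusted,
        "shareable_event": redact(event_text),
    }


# Constructed stand-ins for DER certificates (arbitrary bytes, not real certificates).
OLD_CERT_DER = b"constructed-der-of-previous-token-signing-cert"
NEW_CERT_DER = b"constructed-der-of-current-token-signing-cert"


def make_sample_token(signing_cert_der: bytes) -> str:
    """Build a constructed, unsigned JWT-shaped string that names the given certificate."""
    header = {"typ": "JWT", "alg": "RS256",
              "x5t": b64url_encode(hashlib.sha1(signing_cert_der).digest())}
    parts = (json.dumps(header).encode(), b'{"constructed": true}', b"not-a-real-signature")
    return ".".join(b64url_encode(part) for part in parts)


_TOKEN = make_sample_token(NEW_CERT_DER)
# Constructed event text in the layout of the event quoted in the thread.
SAMPLE_EVENT = f"""Web Application Proxy received a nonvalid edge token signature.
Error: Edge Token signature mismatch.
Received token: {_TOKEN}
Details:
Published Application Name: Sample App
Token State: Invalid
Cookie State: NotFound
Client Request URL:
https://app.example.test/portal?authToken={_TOKEN}&client-request-id=00000000-0000-0000-0000-000000000000
Backend Server Authentication Mode:
State Machine State: Idle
"""

if __name__ == "__main__":
    # The proxy is assumed to trust only the previous certificate.
    result = diagnose(SAMPLE_EVENT, [OLD_CERT_DER])
    print(result["token_state"], result["signer_thumbprint"], result["signer_trusted"])
    print(result["shareable_event"])
```
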

  • Web Application Proxy and IIS

    I setup the Web Application Proxy role on Server 2012 R2 a while back and published a few applications. Everything worked great. A few months later I deployed DirectAccess on the same server. Once again, everything worked great.
    All of a sudden users started stating that they were receiving an "Internet Information Services" page while they were clicking links on the intranet. Clicking the refresh button in their browser would resolve the problem. It was puzzling. Eventually
    I figured it out. It was only mobile users having the issue. They were taking their laptops home, clicking HTTP links on our SharePoint site (which were not deployed via Web Application Proxy), which was then hitting the Web Application Proxy server's
    port 80 over HTTP (not HTTPS). Then the page was being cached by IE on their laptop/tablet. When they returned to the office the cached page was opening which is why hitting refresh resolved the issue.
    I understand that one of the issues is the wrong link on the intranet (HTTP vs HTTPS). We'll have these corrected. But the real problem is that they were hitting IIS on our Web Application Proxy server. Why is IIS installed? It's not required by WAP
    and I never installed it... Was it installed as part of DirectAccess? And most importantly, will I break anything by forwarding HTTP to HTTPS within IIS using URL rewrite? Will it affect DirectAccess? Our NLS is not on the DA server.
    Once again, this server is only used for WAP and DA. Nothing else. Any input is greatly appreciated. Thanks!

    Hi Cormang,
    Yes, IIS is a part of DirectAccess.
    Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote
    access services.
    When we try to remove the IIS, we will get the message below,
    I have tried to disable the IIS server on my DirectAccess server. DirectAccess client still works properly. Therefore, it seems that the IIS is not necessary to DirectAccess.
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Web Application Proxy and Safari

    Morning, all.
    I've installed and configured the new Windows Server 2012 R2 AD FS and Web Application Proxy, and I've run into some strange problems. I had some initial problems getting it to work, the documentation is a bit thin, but I now have Sharepoint and Webmail
    published to the Internet.
    I'm using x.509 Certificate Authentication for Extranet.
    In IE on a Windows 8.1 Surface Pro everything works. I can log in using either a softcert or a SmartCard.
    On my OS X Mac I can log in using Chrome, but Safari won't work.
    Same thing on my iPad running iOS 7.0.4, Safari won't work. Interestingly enough, on my 7.0.4 iPhone it DOES work. Even more interestingly, I CAN Workplace Join the iPad using the URL https://<adfs fqdn>/enrollmentserver/otaprofile but
    I can't authenticate using the URL https://<adfs fqdn>/adfs/ls/IdpInitiatedSignon.aspx.
    I get to select my certificate, but after that I'm getting this error message: "Safari cannot open the page because too many redirects occurred." In the Event log on the AD FS server I'm getting this:
    Encountered error during federation passive request. 
    Additional Data 
    Protocol Name: 
    Saml 
    Relying Party: 
    http://<adfs fqdn>/adfs/services/trust 
    Exception details: 
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    Since it does work on an iPhone running the same browser, and Workplace Join does work on the iPad even if nothing else does I'm thinking there's some UserAgent voodoo going on in parts of the Web Application Proxy. It's no big deal that Safari in OS X doesn't
    work, we can always run Chrome, but the iPad is a major problem and a total deal breaker if I can't fix it.
    I would appreciate some good advice.

    Hi,
    As both IE and Chrome work, I think it’s more a client side issue.
    Maybe you need to clear your browser cache and cookies.
    This is also worth a try:
    http://stackoverflow.com/questions/2640030/adfs-v2-0-error-msis7042-the-same-client-browser-session-has-made-6-request
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Hope this helps.

  • AD FS & web application proxy: get error 511 and 364

    I set up ADFS with a service account and I get no errors in the event viewer. Then I set up web application proxy and made all settings (host, delegation, etc.) and also no errors and everything looked good. After publishing a site I wanted to open it and
    then always comes up an error page with the two error events 511 and 364. I did a lot of tips given in the inet but nothing helped. Maybe you can give me some advice.
    here the error description (some words are in german):
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: Die Anforderung ist fehlerhaft oder ungültig. Wenden Sie sich für weitere Informationen an Ihren Administrator.
       bei Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
       bei Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Hi,
    In regard to ADFS related issues, I suggest you refer to the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy Wang

  • I have configure remote access feature web application proxy but not configure give the error. The remote name could not be resolved.

    I have configured the remote access feature Web Application Proxy, but the configuration fails with the error "The remote name could not be resolved" in Server 2012 R2.
    I have configured AD and ADFS on different servers and am trying to configure Web Application Proxy on a different server. What settings are required to connect Web Application Proxy to AD and ADFS?

    Hi,
    In addition, please make sure that the port 443 is not blocked by the firewall.
    Web Application Proxy requires internal name resolution to resolve the names of backend servers, and AD FS servers. When publishing web applications via Web Application Proxy, every web application you publish requires an external URL. For clients to reach
    these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the same IP address as the Web Application Proxy server, or the external IP address of a firewall or load-balancer
    placed in front of the Web Application Proxy server.
    Best regards,
    Susie

  • Azure Web Application Proxy not rendering all assets

    Hi All,
    I have an on prem RD gateway, internal as http://desktop and internal with https://desktop.mydomain.local and https://desktop.mydomain.com via a forward lookup zone. internally it is working ok.
    I installed the azure web application proxy and configured each one of those URL's in an attempt to get this working ok.
    The problem is that it renders the header and nothing else in FireFox and Chrome, IE tells me its in protected mode. But when i check the web requests I am getting A status of "aborted" on the assets, be they jpg, css etc. This is very strange.
    I have the firewall open as per the sparse documentation on technet. Any demos I have seen were on a simple single asp.net mvc dummy site.
    I am using passthrough at the moment and the rd gateway is in forms based auth mode. I got this working last month with regular on prem WAP on another build. Has anyone actually attempted to use this to publish anything significant ?
    Rob

    Hi Will
    to make things simpler, I deployed wordpress to an internal URL that I can get to from
    http://machinenameI
    So I can see that internally, so that is ok. The machine with the proxy on it has all the pre-requisites.
    When I publish via the proxy, I first get a https violation error, and IE asks me to accept both secure and insecure content. But again, from the web development tools , F12 in IE, I can see that the
    http://machinename/foldername/asset.css jpg etc are coming back as "aborted" in the status field.
    I can see basic text on screen. The following items are from my internal test.
    Rob

  • Is Web Application Proxy enough as a secure Reverse Proxy/publishing solution

    Hello,
    What are people's thoughts on using the Web Application Proxy role as a reverse proxy with only a Firewall between it and the internet...?
    We need to replace our ISA 2006 boxes and I have been advocating using WAP with ADFS.
    However other 'Reverse Proxy' solutions available seem to have more capabilities than just WAP and a Firewall; without  we leave ourselves exposed. For instance FortiNet's product FortiWeb has the following 'additional' capabilities:
    Protection for application layer attacks (SQL Injection, XSS, PHP/OS/LDAP/RFI/LFI injection and more)
    Automatic layer 7 anomaly-based application baselining and threat detection
    Data Leak Prevention (CC, SSN, server/application leakage)
    IP Reputation
    Are these required? Does WAP provide these capabilities but use different terminology?

    Hi,
    https://technet.microsoft.com/en-us/library/dn383650.aspx
    You will see that Web Application Proxy is designed as a perimeter solution (=running in DMZ)
    FortiWeb's product seems to be a web application firewall. This is a security solution. Security solutions are seldom required, but can help keeping your environment secure.
    IIS can also serve as a reverse proxy and can do some security stuff too (IP and domain restrictions, request filtering,...)
    Whether one or the other is the best solution for you, depends on your requirements.
    MCP/MCSA/MCTS/MCITP

  • Publish Sharepoint 2013 via Web Application Proxy and Kerberos Authentication

    This is similar to
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/66c23aae-8774-4257-b9f9-b796e69b0318/action?threadDisplayName=publishing-sharepoint-2010-using-web-application-proxy
    However I have tried his resolution to no avail.
    I am trying to publish a SharePoint 2013 website via web application proxy. SharePoint 2013 is using negotiate (Kerberos) as its authentication provider. When trying to browse to the site externally via the WAP I get an http error 500 internal server error.
    In the web application proxy's event viewer I find the following two entries every time I try to browse the site.
    event ID 13019
    level: warning
    Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package
    (0x8009030e).
    Details:
    Transaction ID: {5672be45-a4b8-0005-58ff-7256b8a4cf01}
    Session ID: {5672be45-a4b8-0000-3909-7356b8a4cf01}
    Published Application Name: sharepoint
    Published Application ID: ****
    Published Application External URL: https://sharepoint.domain.com
    Published Backend URL: https://sharepoint.domain.com
    User: [email protected]
    User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
    Device ID: <Not Applicable>
    Token State: OK
    Cookie State: NotFound
    Client Request URL:
    https://sharepoint.domain.com/home?authToken=****client-request-id=****
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode: WIA
    State Machine State: BackendRequestProcessing_Pending
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>"
    And
    event ID 12027
    level: error
    Web Application Proxy encountered an unexpected error while processing the request.
    Error: No credentials are available in the security package
    (0x8009030e).
    Details:
    Transaction ID: ****
    Session ID: ****
    Published Application Name: Sharepoint
    Published Application ID: ****
    Published Application External URL: https://sharepoint.domain.com/
    Published Backend URL: https://sharepoint.domain.com/
    User: [email protected]
    User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
    Device ID: <Not Applicable>
    Token State: OK
    Cookie State: NotFound
    Client Request URL:
    https://gateway.dcsch.co.uk/home?authToken=****client-request-id=****
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode: WIA
    State Machine State: OuOfOrderFEHeadersWriting
    Response Code to Client: 500
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>"
    I have tried everything I have seen in many posts and the one linked above but cannot get this working. It does work fine internally.

    And within the next 10 minutes I found this
    http://technet.microsoft.com/en-us/library/dn308246.aspx#Kerberos
    Needed to set up delegation to ANY service in the Web application proxy

  • How to create a file under web application root from java program

    how to create a file under web application root from java program like an action class?

    "like an action class?"
    Huh? What exactly is your requirement?
    Creating a file is usually done with java.io API. Read the java.io tutorials how to play with files.

  • Can I remove some applications permanently from my PowerBook?

    When I don't play or use some applications on my iPhone, I just uncheck the application on iPhone > Applications of iTunes, and sync to remove it from the iPhone. But is there a way to remove the applications permanently from my iPhone > Applications of iTunes on my PowerBook?
    Thanks in advance for help.

    Select the app, tap the delete key on your keyboard or use the iTunes Edit menu -> delete. Select the "keep files" button if you want to keep the app in your iTunes mobile applications folder, otherwise select "Move to Trash".

  • Azure Web Application Proxy not rendering all assets for RD gateway

    Hi All,
    I have an on prem RD gateway, internal as http://desktop and internal with https://desktop.mydomain.local and https://desktop.mydomain.com via a forward lookup zone. internally it is working ok.
    I installed the azure web application proxy and configured each one of those URL's in an attempt to get this working ok.
    The problem is that it renders the header and nothing else in FireFox and Chrome, IE tells me its in protected mode. But when i check the web requests I am getting A status of "aborted" on the assets, be they jpg, css etc. This is very strange.
    I have the firewall open as per the sparse documentation on technet. Any demos I have seen were on a simple single asp.net mvc dummy site.
    I am using passthrough at the moment and the rd gateway is in forms based auth mode. I got this working last month with regular on prem WAP on another build. Has anyone actually attempted to use this to publish anything significant ?
    Rob

    Hi Rob, 
    It is possible that we do not support Remote Desktop Gateway being published via the Azure Active Directory Web Application Proxy and that is why you're running into issues. I shall have to check this out as I have not attempted to do this yet.
    I shall investigate and come back to you in regards to this, I shall also reach out to the team who own this feature and they may choose to reply directly via this thread.
    Regards, 
    James.
