I set up ADFS and WAP on server 2012 R2 in order to login into SharePoint 2013. I follow several how-to, and all seems fine except one thing : When I log into ADFS form, its ok, then I land on a blank page.
So I had a look at WAP logs, and it returns these two error messages :
ID=13019 Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The name provided is not a properly formed account name. (0x80070523).
ID=12027 Web Application Proxy encountered an unexpected error while processing the request. Error: The name provided is not a properly formed account name. (0x80070523).
According to technet this is how to solve :
"The domain controller declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly, especially the SPN configuration. Make sure the Web Application Proxy is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Web Application Proxy.Make sure that the time and date configuration on the Web Application Proxy and the domain controller are synchronized."
But I don't really know why they told me to join the WAP server in the domain, as this server should be in D.M.Z and in WORKGROUP.
Date and time on the WAP server were not good, so I modified it, now its ok. I didn't join the server to the domain, and SPN is set with the domain account that is running AppPool of my SP Site.
I double check DNS, HOSTS files, certificates, accounts ... I can't find any error.
I'm wondering : should I need to add any account the right to read private key on my wildcard certificate on the WAP Server ? On ADFS Server, only adfs service account has read right on the certificate (pv key), on SP only domain account that is used to run app pool has right to read on the certificate's pv key.
Ask for more details if needed.
WAP must be domain joined when publishing applications that use Windows Integrated Authentication. This link describes the requirements, http://technet.microsoft.com/en-us/library/8dfd483f-faf5-4a99-a590-0081623cad08#BKMK_AD. To use claims based applications you are not required to domain join the WAP server.
User contributions licensed under CC BY-SA 3.0