Web Application Proxy SPN Delegation


Hopefully this will be a quick one but I keep drawing a blank on how to do this even after some frantic searching online.

I have recently been tasked with adding resiliency to our WAP (Web Application Proxy) farm as we are publishing more apps internally and using ADFS for SAML based SSO for a number of web apps.

The first WAP box works absolutely fine (setup before I joined the organisation) but the second one fails to work correctly. Digging in the logs on this WAP server I keep getting this error:

Web Application Proxy encountered an unexpected error while processing the request.
Error: No credentials are available in the security package (0x8009030e)

Searching around this error leads me to believe that this second WAP doesn't have the required delegation for several of the internal apps I am trying to publish.

Looking in AD this certainly looks to be the case with SPN delegation shown on WAP1 but WAP2 not being trusted (see image below).

[Image: WAP Delegation Comparison]

My question is simply how to add all the services listed on WAP1 onto WAP2, as the GUI doesn't let you search for SPN services.

windows-server-2016
adfs
spn
web-application-proxy
asked on Server Fault May 31, 2018 by TheGrew • edited May 31, 2018 by Nakini

1 Answer


You can use any LDAP based admin tool like ldifde.exe, ldp.exe, adsiedit.msc to edit the WAP computer account and add the msDS-AllowedToDelegateTo attribute to have the SPNs as desired. This obviously requires the relevant permissions in AD to modify the computer object.

Make sure you also update useraccountcontrol flags to include TRUSTED_TO_AUTH_FOR_DELEGATION as per https://support.microsoft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro

answered on Server Fault Jun 13, 2018 by maweeras
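The two steps in the answer above (copy the msDS-AllowedToDelegateTo SPN list from the working proxy, then set TRUSTED_TO_AUTH_FOR_DELEGATION on the new one) can be scripted with the ActiveDirectory PowerShell module instead of hand-editing in ldp.exe or adsiedit.msc. The following is an added example, not code from the question or the answer; it assumes the RSAT ActiveDirectory module is installed, that the caller has write access to the WAP2 computer object, and uses the hostnames WAP1 and WAP2 from the question.

```powershell
# Added example (not from the original question or answer). Assumes the ActiveDirectory
# RSAT module is available and the caller can modify the WAP2 computer object.
# Hostnames WAP1 / WAP2 come from the question; adjust to your environment.
Import-Module ActiveDirectory

$source = 'WAP1'   # the working proxy, used as the reference
$target = 'WAP2'   # the new proxy that logs 0x8009030e

# 1. Read the SPNs each proxy is allowed to delegate to.
#    msDS-AllowedToDelegateTo is multi-valued; values are exact SPN strings such as http/app.example.com.
$srcSpns = (Get-ADComputer -Identity $source -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
$dstSpns = (Get-ADComputer -Identity $target -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'

# 2. Work out which SPNs are missing on WAP2 so the change is additive and safe to re-run.
$missing = @($srcSpns | Where-Object { $dstSpns -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Host "Adding $($missing.Count) SPN(s) to $target`:"
    $missing | ForEach-Object { Write-Host "  $_" }
    Set-ADComputer -Identity $target -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
} else {
    Write-Host "$target already has every SPN that $source has."
}

# 3. Enable protocol transition ("use any authentication protocol"), which WAP's
#    Kerberos constrained delegation publishing relies on. This sets the
#    TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) in userAccountControl.
Get-ADComputer -Identity $target | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Verify: the SPN list and the UAC flag on WAP2 should now match WAP1.
$after = Get-ADComputer -Identity $target -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
Write-Host "SPNs now on $target`:"
$after.'msDS-AllowedToDelegateTo' | Sort-Object | ForEach-Object { Write-Host "  $_" }
$flagSet = ($after.userAccountControl -band 0x1000000) -ne 0
Write-Host "TRUSTED_TO_AUTH_FOR_DELEGATION set on $target`: $flagSet"
```

Because the script only adds SPNs that WAP1 already has and never removes any, it can be re-run after further apps are published on WAP1. Constrained delegation with protocol transition lets the proxy obtain service tickets for users without their credentials, so the SPN list should be reviewed deliberately rather than copied blindly; the verification step at the end is the place to confirm that nothing beyond the intended published applications appears on either proxy.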

User contributions licensed under CC BY-SA 3.0