We are trying to federate our application, so that our customers can gain to our application using their respective corporate identities (Ping Identity or their ADFS server).
The web application is non-claims aware and we are trying to find out a solution to federate it without changing the code.
I built an ADFS 3.0 environment with windows server 2012 R2 simulating a future scenario, following my lab environment:
I followed these steps to build my lab environment:
The “domainB\user1” has no problem to access to the application, in my WAP server there are the following events:
Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.
Web Application Proxy received an HTTP request with a valid edge token.
The “domainA\user2” cannot access and appears a server error on the screen and in the WAP Event Viewer there are the following errors:
Warning: EventID 13019 Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The user name or password is incorrect. (0x8007052e).
Error: EventID 12027 Web Application Proxy encountered an unexpected error while processing the request. Error: The user name or password is incorrect. (0x8007052e).
Seems to be an issue with the Kerberos authentication but the domainB\user1 has no problem to access to the application.
Need to understand:
I’m spending many days to find out the cause. Appreciate any direction here. Thanks
Given that "non claims-aware" apps make WAP+ADFS use WIA, and WIA requires Kerberos, you need to issue a Kerberos token on WAP-B for "domainA\user2", this in turn requires setting domain/forest trusts between domainA and domainB (domainB should trust domainA, at least). I don't see domain-level trusts present, only ADFS-level, therefore Kerberos domain domainB says "unknown user domainA\user2". Check if enabling trusts between domainA and domainB would resolve the issue.
You need Kerberos shadow principals in domain B for users in domain A who will be accessing the application. It is a similar situation to azure B2B guest users accessing an application through azure application proxy. This is a walkthrough for setting that up with sync from Azure (https://docs.microsoft.com/en-us/azure/active-directory/b2b/hybrid-cloud-to-on-premises). It would be similar for your case, except you'd need to replicate the users from their directory.
User contributions licensed under CC BY-SA 3.0