ADFS 3.0 and non-claims aware application, authentication issues


We are trying to federate our application, so that our customers can gain to our application using their respective corporate identities (Ping Identity or their ADFS server).

The web application is non-claims aware and we are trying to find out a solution to federate it without changing the code.

I built an ADFS 3.0 environment with windows server 2012 R2 simulating a future scenario, following my lab environment:

Our side:

  • 1 Active Directory server (domainB)
  • 1 IIS8 web server with our non-claims aware applications (Windows Integrated Authentication supported by Kerberos mechanism) joined on domainB
  • 1 ADFS 3.0 server (service provider) joined on domainB
  • 1 WAP server joined on domainB

Customer side:

  • 1 Active Directory (domainA)
  • 1 ADFS 3.0 server (identity provider) joined on domainA

Application users:

  • domainB\user1
  • domainA\user2

I followed these steps to build my lab environment:

  1. Installation and configuration of ADFS 3.0 on domainB
  2. Installation and configuration of WAP server on domainB
  3. Publish ADFS 3.0 on WAP server on domainB
  4. Create a Non-claims aware Relying party Trust pointing the application on ADFS 3.0 on domainB
  5. Publish the Non-claims aware to WAP on domainB
  6. Installation and configuration of ADFS 3.0 on domainA
  7. Trust ADFS 3.0 on domainB with ADFS 3.0 on domainB
  8. Edit claim rules on each federate server

The “domainB\user1” has no problem to access to the application, in my WAP server there are the following events:

Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.

Web Application Proxy received an HTTP request with a valid edge token.

The “domainA\user2” cannot access and appears a server error on the screen and in the WAP Event Viewer there are the following errors:

Warning: EventID 13019 Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The user name or password is incorrect. (0x8007052e).

Error: EventID 12027 Web Application Proxy encountered an unexpected error while processing the request. Error: The user name or password is incorrect. (0x8007052e).

Seems to be an issue with the Kerberos authentication but the domainB\user1 has no problem to access to the application.

Need to understand:

  • Where is the issue?
  • Accessing to the non-claims aware applications are supported by only the users members of the same domain of the web application server

I’m spending many days to find out the cause. Appreciate any direction here. Thanks

asked on Stack Overflow Apr 21, 2015 by Nicola • edited Apr 21, 2015 by Nicola

2 Answers


Given that "non claims-aware" apps make WAP+ADFS use WIA, and WIA requires Kerberos, you need to issue a Kerberos token on WAP-B for "domainA\user2", this in turn requires setting domain/forest trusts between domainA and domainB (domainB should trust domainA, at least). I don't see domain-level trusts present, only ADFS-level, therefore Kerberos domain domainB says "unknown user domainA\user2". Check if enabling trusts between domainA and domainB would resolve the issue.

answered on Stack Overflow Jun 28, 2017 by Vesper

You need Kerberos shadow principals in domain B for users in domain A who will be accessing the application. It is a similar situation to azure B2B guest users accessing an application through azure application proxy. This is a walkthrough for setting that up with sync from Azure ( It would be similar for your case, except you'd need to replicate the users from their directory.

answered on Stack Overflow Apr 27, 2020 by Jordan Mills

User contributions licensed under CC BY-SA 3.0