
Unable To Access OWA Externally Via WAP 2025 – Still Working On It

After upgrading Web Application Proxy (WAP) to Windows Server 2015 you may run into an issue with certain applications that are published via WAP to the Internet.  This issue will also happen if you build a net new environment on WAP 2019 or newer.  This post discusses WAP 2025, but the same is more than likely going to happen with WAP 2022.

In the example below, the AD FS upgrade went well with no issues.  The AD FS farm and WAP servers were upgraded to Windows Server 2015 and all appeared to be going well.  Too well, as it turned out: when the external tests were run against WAP 2015, they did not complete successfully.

The initial logon to OWA was fine and the user could authenticate with no issues.  But after the authentication was complete, the page just sat there with a “Still working on it…” message.

OWA Page Not Loading Through WAP 2025 - “Still working on it…”

Everything was fine internally.  Outlook and OWA would load for this account with no issues.

Since WAP is responsible for publishing OWA to the Internet, what is up on those machines?

Initial Troubleshooting

Some of the initial items that were reviewed:

  • All WAP and AD FS services were running
  • No errors were logged
  • The correct certificates were installed with the necessary private key.  The certificates also chained as expected
  • No issues internally at all.  Only externally via WAP.  This was confirmed to help isolate the issue
  • Servers fully patched
  • Expected firewall rules in place
  • WAP able to retrieve configuration from AD FS with no issues

WinHttp Issues On Windows Server 2025

After experiencing issues with Windows Server 2019 and WinHttp when deploying Azure AD App Proxy in a separate engagement, I suspected that HTTP/2 could also cause issues here if the client and server could not negotiate as expected.

By default, the registry value that disables HTTP/2 for WinHttp is not present. This is shown below:

WinHTTP2 - Enabled By Default On Windows Server 2019

It can be added manually or by using PowerShell:

Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\" -Name EnableDefaultHTTP2 -Value 0

Disabling WinHTTP2 On Windows Server 2019

In the above example, we then check that the value was added with a value of zero.

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\" -Name EnableDefaultHTTP2

After adding the registry value, restart the server.

Repeat for the other WAP servers.
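
The steps above can be checked, and optionally applied, across all WAP servers in one pass. This is an added example, not code from the original post; the function name and server names are hypothetical, and it assumes PowerShell remoting is enabled to the WAP servers with an account that has local administrator rights. It does not restart anything, so the restart step above is still done per server.

```powershell
# Added example (not from the original post): report or set EnableDefaultHTTP2
# on several WAP servers. Function and server names are hypothetical.
function Invoke-WapHttp2Workaround {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Apply   # without -Apply the function only reports
    )
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'

    # Runs on each remote server.
    $work = {
        param($Path, [bool]$Apply)
        # A missing value reads back as $null, which is the default state.
        $before = (Get-ItemProperty -Path $Path -Name EnableDefaultHTTP2 `
                   -ErrorAction SilentlyContinue).EnableDefaultHTTP2
        $changed = $false
        if ($Apply -and $before -ne 0) {
            # -Force creates the value or overwrites an existing non-zero one.
            New-ItemProperty -Path $Path -Name EnableDefaultHTTP2 `
                -PropertyType DWord -Value 0 -Force | Out-Null
            $changed = $true
        }
        $after = (Get-ItemProperty -Path $Path -Name EnableDefaultHTTP2 `
                  -ErrorAction SilentlyContinue).EnableDefaultHTTP2
        [pscustomobject]@{
            Before        = if ($null -eq $before) { 'not present' } else { $before }
            After         = if ($null -eq $after)  { 'not present' } else { $after }
            RestartNeeded = $changed   # the value only takes effect after a restart
        }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $work `
        -ArgumentList $regPath, $Apply.IsPresent |
        Select-Object PSComputerName, Before, After, RestartNeeded
}

# Report only (placeholder server names):
#   Invoke-WapHttp2Workaround -ComputerName 'wap01.example.test','wap02.example.test'
# Set the value where it is missing or non-zero:
#   Invoke-WapHttp2Workaround -ComputerName 'wap01.example.test','wap02.example.test' -Apply
```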

Relief Obtained

After restarting the WAP servers, the external clients were then able to access OWA with no issues.

OWA would load as expected.

After Disabling WinHTTP2 On Windows Server 2025 WAP - OWA Now Works

It is likely that additional products will be affected by this issue.  In this case it was Exchange Subscription Edition.

If we look at the HTTPS site binding, we can see that HTTP/2 was enabled by default on the Exchange SE server.
Exchange SE - HTTP/2 Enabled By Default

 

Cheers,
Rhoderick

Rhoderick Milne [MSFT]
