Unable To Access OWA Externally Via WAP 2025 – Still Working On It

Unable to Access OWA via WAP 2025 - Still Working On It

After upgrading Web Application Proxy (WAP) to Windows Server 2015 you may run into an issue with certain applications that are published via WAP to the Internet.  This issue will also happen if you build a net new environment for both WAP 2019 and newer.  This post discusses WAP 2025, but the same is more than likely going to happen with WAP 2022.

In the below example the AD FS upgrade went well wi… Read the rest “Unable To Access OWA Externally Via WAP 2025 – Still Working On It”

Unable To Access OWA Externally Via WAP 2019

Unable To Access OWA - Still Working On It

After upgrading Web Application Proxy (WAP) to Windows Server 2019 you may run into an issue with certain applications that are published via WAP to the Internet.

In the below example the AD FS upgrade went well with no issues.  The AD FS farm and WAP servers were upgraded to Windows Server 2019 and all appeared to be going well.  Too well that was, as when the external tests were validated against… Read the rest “Unable To Access OWA Externally Via WAP 2019”

Kerberos Issues November 2022

The November 8, 2022 and later Windows updates address a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation.

This update will set AES as the default encryption type for session keys on accounts that are not marked with a default encryption type already.

To help secure your environment, install the Windows update that is dated … Read the rest “Kerberos Issues November 2022”

Check If AD FS WSTrust Endpoint Enabled

Check WSTrust Endpoint Configuration

Active Directory Federation Services (AD FS) uses endpoints to provide access to features.  There are a series of different endpoints which each serve a different purpose, from password reset and publishing federation metadata to multiple web services protocols.  It is important to ensure that only the required features are actually enabled, and also if those features are to be made available internal… Read the rest “Check If AD FS WSTrust Endpoint Enabled”

Sign-In Error 5000811 — Unable to verify token signature. The signing key Identifier Does Not Match Any Valid Registered Keys

The error message "Sorry, that didn't work. Please go back to office.com and try again" is probably one of the most vague that I've seen.  It's up there with "please contact your administrator", which is fine unless you are the administrator...

The below is a repro of a case where all users were unable to sign into Office 365.  They would receive the aforementioned "Sorry, that didn't work" message… Read the rest “Sign-In Error 5000811 — Unable to verify token signature. The signing key Identifier Does Not Match Any Valid Registered Keys”

AD FS Web Application Proxy Re-Establish Proxy Trust

WAP Re-Establish Trust

In the Tailspintoys environment the AD FS Proxy was offline for a month.  It was unable to contact the AD FS server on the internal network, and this allowed the short-lived authentication certificate to expire.  At this point the AD FS Proxy was "dead to me" as far as the AD FS server was concerned.  The internal AD FS server was OK; the issue was just with the proxy.

Bummer....

How do we fix this?  … Read the rest “AD FS Web Application Proxy Re-Establish Proxy Trust”

Defender For Identity Sensor Service Fails To Start on AD FS – Sequence Contains No Elements

After installing the Defender for Identity sensor onto AD FS, you may experience an issue where the service does not enter the running state.

In the Microsoft Defender for Identity portal the sensor is reported as "Not Configured".

Lab Starting Reference Point

Since the AD FS sensor is new (January 2021), you initially installed sensors onto all of your AD Domain Controllers.

The below indicates that all o… Read the rest “Defender For Identity Sensor Service Fails To Start on AD FS – Sequence Contains No Elements”

AD FS Extranet Smart Account Lockout Protection

Windows Server 2012 R2 AD FS added the Extranet Account Lockout protection feature.  The intent of Extranet Account Lockout protection is to add an additional feature to password authentication which traverses Web Application Proxy (WAP).  Note that the feature is not available for authentication directly targeting AD FS.  The reason for this is that the Extranet Account Lockout protection was des… Read the rest “AD FS Extranet Smart Account Lockout Protection”

Quick Tip – Manually Removing WAP Server

Update List of WAP Servers

Installing a Web Application Proxy (WAP) server consists of two distinct actions.  The first is installing the Remote Access role, and the second is to then configure the role.  The act of configuring Remote Access enables WAP to function as an AD FS proxy, and optionally enables you to also publish other applications.

Over time some of those servers may have been replaced without fully uninstallin… Read the rest “Quick Tip – Manually Removing WAP Server”

Unable to Edit WAP Published Application in Mixed Mode Farm

During the upgrade process it is expected that there will be multiple versions of AD FS and WAP servers operating in a farm at a given time.  This is actually a good option as it allows us to easily upgrade from AD FS 2012 R2 to a newer version such as 2016 or 2019.  We can do this without having to build a brand new farm from scratch and then cutting over applications to the new farm wi… Read the rest “Unable to Edit WAP Published Application in Mixed Mode Farm”