Troubleshoot Web Application Proxy

This article is relevant for the on-premises version of Web Application Proxy. To enable secure access to on-premises applications over the cloud, see the Microsoft Entra Application Proxy content.

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This section provides troubleshooting procedures for Web Application Proxy including event explanations and solutions. There are three places where errors are displayed:


PowerShell messages

Event or symptom | Possible cause | Resolution

Event or symptom: The trust certificate ("ADFS ProxyTrust - ") isn't valid.

Possible cause: This could be caused by any of the following:

- The Application Proxy machine was down for too long.
- Disconnections between the Web Application Proxy and AD FS.
- Certificate infrastructure issues.
- Changes were made on the AD FS machine, or the renew process between the Web Application Proxy and AD FS didn't run as planned every 8 hours; in these cases the trust needs to be renewed.
- The clock of the Web Application Proxy machine and the AD FS aren't synchronized.
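To check two of the causes listed above (a proxy trust certificate outside its validity period and unsynchronized clocks), the following added example, which is not part of the original article, evaluates certificates whose subject starts with "ADFS ProxyTrust" and parses the offset reported by w32tm. The function names, sample certificates and sample w32tm output are constructed for illustration; the live commands are shown in the closing comments.

```powershell
# Added example, not Microsoft's code. Function names and sample data are constructed.
function Test-ProxyTrustCertificate {
    param(
        [Parameter(Mandatory)] [object[]] $Certificate,  # needs Subject, NotBefore, NotAfter, Thumbprint
        [datetime] $Now = (Get-Date)
    )
    # Several certificates can match; the trust is usable if at least one is in its validity period.
    $trust = @($Certificate | Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust*' })
    $rows = @(foreach ($c in $trust) {
        $status = if ($Now -lt $c.NotBefore) { 'NotYetValid' }
                  elseif ($Now -gt $c.NotAfter) { 'Expired' }
                  else { 'Valid' }
        [pscustomobject]@{ Thumbprint = $c.Thumbprint; Status = $status; NotAfter = $c.NotAfter }
    })
    [pscustomobject]@{
        TrustUsable  = [bool](@($rows | Where-Object Status -eq 'Valid').Count)
        Certificates = $rows
    }
}

function Get-ClockSkewSeconds {
    param([Parameter(Mandatory)] [string[]] $StripchartOutput)
    # w32tm /stripchart /dataonly prints samples such as "10:15:02, +00.0312450s".
    foreach ($line in $StripchartOutput) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [math]::Abs([double]::Parse($Matches[1], [cultureinfo]::InvariantCulture))
        }
    }
    return $null   # no sample line, for example when the time source was unreachable
}

# Constructed sample input (placeholder thumbprints, fixed reference time).
$now   = [datetime]'2024-05-20T10:00:00'
$certs = @(
    [pscustomobject]@{ Subject = 'CN=ADFS ProxyTrust - WAP01'; Thumbprint = 'AAAA'; NotBefore = [datetime]'2024-04-20'; NotAfter = [datetime]'2024-05-05' }
    [pscustomobject]@{ Subject = 'CN=ADFS ProxyTrust - WAP01'; Thumbprint = 'BBBB'; NotBefore = [datetime]'2024-05-10'; NotAfter = [datetime]'2024-05-25' }
    [pscustomobject]@{ Subject = 'CN=sts.example.test';        Thumbprint = 'CCCC'; NotBefore = [datetime]'2024-01-01'; NotAfter = [datetime]'2025-01-01' }
)
$sample = 'Tracking adfs01.example.test [192.0.2.10:123].', '10:00:01, -412.0031200s'

Test-ProxyTrustCertificate -Certificate $certs -Now $now | Format-List
"Clock skew: $(Get-ClockSkewSeconds -StripchartOutput $sample) s"

# On a live proxy (<adfs-host> is a placeholder):
#   Test-ProxyTrustCertificate -Certificate (Get-ChildItem Cert:\LocalMachine\My)
#   Get-ClockSkewSeconds (w32tm /stripchart /computer:<adfs-host> /samples:1 /dataonly)
```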

Web Application Proxy was unable to retrieve the list of Relying Parties from AD FS.

Administrator console events

The following administrator console events are indicative of authentication errors, invalid tokens or expired cookies.

Web Application Proxy couldn't create the cookie encryption key using the secret from the configuration.

Web Application Proxy couldn't check for configuration changes for at least 60 minutes.

Web Application Proxy couldn't parse the access cookie.

Web Application Proxy received a request with a nonvalid access cookie.

If the AccessCookiesEncryptionKey parameter was changed because you ran the Set-WebApplicationProxyConfiguration -RegenerateAccessCookiesEncryptionKey PowerShell cmdlet, this event is normal and requires no resolution steps.

Web Application Proxy exceeded the maximum number of permitted Kerberos authentication attempts to the backend server.

This event may indicate incorrect configuration between Web Application Proxy and the backend application server, or a problem in time and date configuration on both machines. The backend server declined the Kerberos ticket created by Web Application Proxy. Verify that Web Application Proxy and the backend application server are configured correctly.

Make sure that the time and date configuration on the Web Application Proxy and the backend application server are synchronized.

Web Application Proxy received a request with a non-valid access cookie signature.

Proxy encountered an unexpected error while processing the request. The name provided isn't a properly formed account name.

Web Application Proxy received a nonvalid edge token signature.

Web Application Proxy received a request that contained an expired edge token.

Web Application Proxy received a request with a nonvalid edge token. The token isn't valid because it couldn't be parsed.

Web Application Proxy received a request with an expired access cookie.

Web Application Proxy can't retrieve a Kerberos ticket on behalf of the user because there's no UPN in the edge token or in the access cookie.

Web Application Proxy can't retrieve a Kerberos ticket on behalf of the user because of the following general API error

Web Application Proxy can't retrieve a Kerberos ticket on behalf of the user because the backend server SPN isn't defined.

Web Application Proxy can't authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error.

The client didn't present an SSL certificate to Web Application Proxy.

The client presented an SSL certificate to Web Application Proxy, but the certificate isn't valid: the certificate doesn't match the thumbprint.

Web Application Proxy received a request that contained an edge token that isn't yet valid.

The client presented an SSL certificate to Web Application Proxy, but the trust provider doesn't trust the certificate authority that issued the client certificate.

The client presented an SSL certificate to Web Application Proxy, but the certificate chain terminated in a root certificate that isn't trusted by the trust provider.

The client presented an SSL certificate to Web Application Proxy, but the certificate wasn't valid for the requested usage.

The client presented an SSL certificate to Web Application Proxy, but the certificate wasn't within its validity period when verifying against the current system clock or the timestamp in the signed file.

The client presented an SSL certificate to Web Application Proxy, but the certificate wasn't valid.
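For the Kerberos events above (no backend server SPN defined, or the backend server declining the ticket created by Web Application Proxy), the following added example, which is not part of the original article, reviews published applications for a missing SPN or an SPN absent from the proxy computer account's constrained delegation list. Test-WapKerberosConfig and the sample objects are constructed for illustration; the property names are those returned by Get-WebApplicationProxyApplication and Get-ADComputer.

```powershell
# Added example, not Microsoft's code. Function name and sample data are constructed.
function Test-WapKerberosConfig {
    param(
        [Parameter(Mandatory)] [object[]] $Application,  # Name, ExternalPreauthentication, BackendServerAuthenticationSPN
        [string[]] $AllowedToDelegateTo = @()            # msDS-AllowedToDelegateTo of the proxy computer account
    )
    foreach ($app in $Application) {
        # Pass-through applications never request a Kerberos ticket on behalf of the user.
        if ("$($app.ExternalPreauthentication)" -ne 'ADFS') { continue }
        $spn = "$($app.BackendServerAuthenticationSPN)".Trim()
        # NoSpnDefined is expected for claims-aware backends; it is a problem only
        # when the backend uses Integrated Windows authentication.
        $finding = if (-not $spn) { 'NoSpnDefined' }
                   elseif ($AllowedToDelegateTo -notcontains $spn) { 'SpnNotInDelegationList' }
                   else { 'OK' }
        [pscustomobject]@{ Name = $app.Name; Spn = $spn; Finding = $finding }
    }
}

# Constructed sample input standing in for the live cmdlet output.
$apps = @(
    [pscustomobject]@{ Name = 'Intranet'; ExternalPreauthentication = 'ADFS';        BackendServerAuthenticationSPN = 'HTTP/intranet.example.test' }
    [pscustomobject]@{ Name = 'Reports';  ExternalPreauthentication = 'ADFS';        BackendServerAuthenticationSPN = 'HTTP/reports.example.test' }
    [pscustomobject]@{ Name = 'Wiki';     ExternalPreauthentication = 'ADFS';        BackendServerAuthenticationSPN = '' }
    [pscustomobject]@{ Name = 'Public';   ExternalPreauthentication = 'PassThrough'; BackendServerAuthenticationSPN = '' }
)
$delegation = @('http/INTRANET.example.test')   # -notcontains compares case-insensitively

Test-WapKerberosConfig -Application $apps -AllowedToDelegateTo $delegation | Format-Table

# On a live deployment (<proxy-name> is a placeholder; Get-ADComputer needs the ActiveDirectory module):
#   $apps       = Get-WebApplicationProxyApplication
#   $delegation = (Get-ADComputer <proxy-name> -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```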

The following administrator console events are indicative of problems having to do with configuration such as provisioning, requests that aren't successful, backend servers that are unreachable and buffer overflows.

Web Application Proxy couldn't create a listener for the following URL.

Web Application Proxy couldn't create a reservation for the following URL.

Web Application Proxy couldn't bind the SSL server certificate. All other configuration settings were applied.

The SSL server certificate presented to Web Application Proxy by the backend server isn't valid; the certificate isn't trusted.

The HTTP response from the backend server wasn't received within the expected interval.
