Azure App Proxy - non-domain joined machine prompted by a second time to authenticate by


  • I have published Exchange 2010 OWA via Azure App Proxy for a client.

    I've created a secondary web site on the exchange servers and bound it to a different port - 4443 and prepared a WIA version of OWA per

    The site works perfectly from the internal network.

    Active Directory is syncing with Azure AD and users can log into other Azure resources via SSO to their

    I've installed an Azure App Proxy Connector and validated connectivity via 

    I've configured an on-premises Enterprise application and configured the internal URL in Azure as

    I've set the Internal Application SPN to http/ and the delegated identity as User Principal Name (which is set to match SMTP).

    I've run setspn -A http/ exchangeserver in Active Directory

    When browsing to from a domain-joined machine, SSO works successfully and the user is logged in without password prompt.

    When browsing to from a non-domain joined machine, the user is first prompted for authentication by and then AGAIN by  Then the user is allowed access into OWA.

    Why is the user being prompted a second time by

    -David Smith Cloud Consultant

    Friday, April 14, 2017 2:26 PM

All replies

  • To clarify, could you let us know why do you think ‘’ is asking for authentication?
    Also, provide your real frontend URL of the app so we can take a look for further analysis.
    Sunday, April 16, 2017 5:20 PM
  • Because this is what I get when I use IE or Edge:

    1. First I get Azure forms-based login.
    2. I type in my UPN and get redirected to on-premises ADFS
    3. I type in my credentials and get the MFA Forms-based page.
    4. I type in the code from the text message and then get the following pop-up:

    -David Smith Cloud Consultant

    Monday, April 17, 2017 2:01 PM
  • If you provide your email address I will send you the front-end URL privately.

    -David Smith Cloud Consultant

    Monday, April 17, 2017 2:03 PM
  • For this, you can start a thread with Azure AD Application Proxy feedback <> and  provide your real frontend URL of the app so we can take a look for further analysis.
    Monday, April 17, 2017 2:20 PM
  • Hi David,

    Have you had a response to your issue ?

    I have the same issue as you.



    Friday, September 7, 2018 7:44 PM