Azure App Proxy - non-domain joined machine prompted a second time to authenticate by cwap-cu-2.cloudapp.net

    Question

  • I have published Exchange 2010 OWA via Azure App Proxy for a client.

    I've created a secondary web site on the exchange servers and bound it to a different port - 4443 and prepared a WIA version of OWA per https://blogs.technet.microsoft.com/exchange/2011/01/17/configuring-multiple-owaecp-virtual-directories-on-exchange-2010-client-access-server/.

    The site works perfectly from the internal network.

    Active Directory is syncing with Azure AD and users can log into other Azure resources via SSO to their adfs.contoso.com.

    I've installed an Azure App Proxy Connector and validated connectivity via https://aadap-portcheck.connectorporttest.msappproxy.net/ 

    I've configured an on-premises Enterprise application and configured the internal URL in Azure as https://mail.contoso.com:4443/owa

    I've set the Internal Application SPN to http/mail.contoso.com and the delegated identity as User Principal Name (which is set to match SMTP).

    I've run setspn -A http/mail.contoso.com exchangeserver in Active Directory.

    When browsing to mail-contoso.msappproxy.net from a domain-joined machine, SSO works successfully and the user is logged in without password prompt.

    When browsing to mail-contoso.msappproxy.net from a non-domain joined machine, the user is first prompted for authentication by adfs.contoso.com and then AGAIN by cwap-cu-2.cloudapp.net.  Then the user is allowed access into OWA.

    Why is the user being prompted a second time by cwap-cu-2.cloudapp.net?


    -David Smith Cloud Consultant Quisitive.com

    Friday, April 14, 2017 2:26 PM
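The setup described in the question relies on Kerberos constrained delegation (KCD): the connector host must be allowed to delegate to the SPN that was registered with setspn, and the delegated identity (UPN) must resolve to the on-premises user. The following PowerShell script is an added example, not part of this thread or of any Microsoft tooling; it spot-checks those prerequisites from a domain-joined admin workstation with the ActiveDirectory module. The SPN value comes from the post; the connector host names (APPPROXY01, APPPROXY02) and the sample user (jdoe) are hypothetical and must be replaced.

```powershell
# Added example (not from the thread): verify the KCD prerequisites that Azure AD
# Application Proxy needs for the OWA publishing described in the question.
# Hypothetical values: connector hosts APPPROXY01/APPPROXY02 and user jdoe.
Import-Module ActiveDirectory

$Spn        = 'http/mail.contoso.com'          # Internal Application SPN from the post
$Connectors = @('APPPROXY01', 'APPPROXY02')    # hypothetical connector computer accounts
$SampleUser = 'jdoe'                           # hypothetical sAMAccountName to spot-check

# 1. The SPN must be registered on exactly one account; a missing or duplicate SPN
#    means the KDC cannot issue a service ticket for the delegated request.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { Write-Warning "SPN $Spn is not registered on any account." }
    1       { Write-Output  "SPN $Spn is registered on $($owners[0].Name)." }
    default { Write-Warning "SPN $Spn is registered on more than one account: $($owners.Name -join ', ')" }
}

# 2. Each connector computer account must list the SPN in msDS-AllowedToDelegateTo and
#    have protocol transition enabled (TrustedToAuthForDelegation, shown in the UI as
#    'Use any authentication protocol'), because the user pre-authenticates in Azure AD,
#    not with Kerberos against the connector.
foreach ($name in $Connectors) {
    $c = Get-ADComputer -Identity $name -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $allowed = @($c.'msDS-AllowedToDelegateTo')
    if ($allowed -notcontains $Spn) {
        Write-Warning "$name cannot delegate to $Spn (msDS-AllowedToDelegateTo = '$($allowed -join ', ')')."
    } elseif (-not $c.TrustedToAuthForDelegation) {
        Write-Warning "$name delegates to $Spn but protocol transition is not enabled."
    } else {
        Write-Output "$name is configured for constrained delegation with protocol transition to $Spn."
    }
}

# 3. The delegated identity is the UPN, which the post says is set to match the SMTP
#    address; spot-check that they really agree for one user.
$u = Get-ADUser -Identity $SampleUser -Properties UserPrincipalName, mail
if ($u.UserPrincipalName -ne $u.mail) {
    Write-Warning "UPN '$($u.UserPrincipalName)' differs from mail '$($u.mail)' for $SampleUser."
} else {
    Write-Output "UPN and mail match for $SampleUser ($($u.UserPrincipalName))."
}
```

Run it as a domain admin (or an account that can read computer objects) on a machine with RSAT installed. Any warning it prints points at a prerequisite to fix before looking further at the browser-side behaviour; a clean run only confirms the directory side and says nothing about the connector's own logs.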

All replies

  • To clarify, could you let us know why you think ‘cwap-cu-2.cloudapp.net’ is asking for authentication?
    Also, provide your real frontend URL of the app so we can take a look for further analysis.
    Sunday, April 16, 2017 5:20 PM
    Moderator
  • Because this is what I get when I use IE or Edge:

    1. First I get Azure forms-based login.
    2. I type in my UPN and get redirected to on-premises ADFS.
    3. I type in my credentials and get the MFA Forms-based page.
    4. I type in the code from the text message and then get the following pop-up:

    -David Smith Cloud Consultant Quisitive.com

    Monday, April 17, 2017 2:01 PM
  • If you provide your email address I will send you the front-end URL privately.

    -David Smith Cloud Consultant Quisitive.com

    Monday, April 17, 2017 2:03 PM
  • For this, you can start a thread with Azure AD Application Proxy feedback <aadapfeedback@microsoft.com> and provide your real frontend URL of the app so we can take a look for further analysis.
    Monday, April 17, 2017 2:20 PM
    Moderator
  • Hi David,

    Have you had a response to your issue?

    I have the same issue as you.

    Florent

    Friday, September 7, 2018 7:44 PM