Aad Application Proxy Connector Uninstall the Connector and Install It Again

Troubleshoot Application Proxy

[AZURE.Important] Application Proxy is a feature that is available only if you upgraded to the Premium or Basic edition of Azure Active Directory. For more information, see Azure Active Directory editions.

If errors occur in accessing a published application or in publishing applications, check the following options to see if Microsoft Azure AD Application Proxy is working correctly:

  • Open the Windows Services console and verify that the "Microsoft AAD Application Proxy Connector" service is enabled and running. You may also want to look at the Application Proxy service properties page, as shown in the following image:

  • Open Event Viewer and look for events related to the Application Proxy connector located under Applications and Services Logs > Microsoft > AadApplicationProxy > Connector > Admin.
  • If needed, more detailed logs are available by turning on analytics and debugging logs and turning on the Application Proxy connector session log.

General errors

| Error | Description | Resolution |
|---|---|---|
| This corporate app can't be accessed. You are not authorized to access this application. Authorization failed. Make sure to assign the user with access to this application. | You may not have assigned the user for this application. | Go to the Application tab, and under Users and Groups, assign this user or user group to this application. |
| This corporate app can't be accessed. You are not authorized to access this application. Authorization failed. Make sure that the user has a license for Azure Active Directory Premium or Basic. | Your user may get this error when trying to access the app you published if the user who tried to access the application was not explicitly assigned with a Premium/Basic license by the subscriber's administrator. | Go to the subscriber's Active Directory Licenses tab and make sure that this user or user group is assigned a Premium or Basic license. |

Connector troubleshooting

If registration fails during the Connector wizard installation, you can view the reason for the failure either by looking in the event log under Windows Logs > Application, or by running the following Windows PowerShell command.

    Get-EventLog application -source "Microsoft AAD Application Proxy Connector" -EntryType "Error" -Newest 1

| Error | Description | Resolution |
|---|---|---|
| Connector registration failed: Make sure you enabled Application Proxy in the Azure Management Portal and that you entered your Active Directory user name and password correctly. Error: 'One or more errors occurred.' | You closed the registration window without performing login to Azure AD. | Run the Connector wizard again and register the Connector. |
| Connector registration failed: Make sure you enabled Application Proxy in the Azure Management Portal and that you entered your Active Directory user name and password correctly. Error: 'AADSTS50001: Resource https://proxy.cloudwebappproxy.net/registerapp is disabled.' | Application Proxy is disabled. | Make sure you enable Application Proxy in the Azure AD portal before trying to register the Connector. For more information on enabling Application Proxy, see Enable Application Proxy services. |
| Connector registration failed: Make sure you enabled Application Proxy in the Azure Management Portal and that you entered your Active Directory user name and password correctly. Error: 'One or more errors occurred.' | If the registration window opens and then immediately closes without allowing you to log in, you will probably get this error. This error occurs when there is some sort of networking error on your system. | Make sure that it is possible to connect from a browser to a public website and that the ports are open as specified in Application Proxy prerequisites. |
| Connector registration failed: Make sure your computer is connected to the Internet. Error: 'There was no endpoint listening at https://connector.msappproxy.net:9090/register/RegisterConnector that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.' | If you log in using your Azure AD username and password but then you receive this error, it may be that all ports above 8081 are blocked. | Make sure that the necessary ports are open. For more information see Application Proxy prerequisites. |
| Clear error is presented in the registration window. Cannot proceed - only to close the window | You entered the wrong username or password. | Try again. |
| Connector registration failed: Make sure you enabled Application Proxy in the Azure Management Portal and that you entered your Active Directory user name and password correctly. Error: 'AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials and search by service principle URI has failed.' | You are trying to log in using a Microsoft Account and not a domain that is part of the organization ID of the directory you are trying to access. | Make sure that the admin is part of the same domain name as the tenant domain, for example, if the Azure AD domain is contoso.com, the admin should be admin@contoso.com. |
| Failed to retrieve the current execution policy for running PowerShell scripts | If the Connector installation fails, check to make sure that PowerShell execution policy is not disabled. | Open the Group Policy Editor. Go to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell and double click on Turn on Script Execution. This can be set to either Not Configured or Enabled. If set to Enabled, make sure that under Options, the Execution Policy is set to either Allow local scripts and remote signed scripts or to Allow all scripts. |
| Connector failed to download the configuration | The Connector's client certificate, which is used for authentication, expired. This may also occur if you have the Connector installed behind a proxy. In this case the Connector cannot access the Internet and will not be able to provide applications to remote users. | Renew trust manually using the Register-AppProxyConnector cmdlet in Windows PowerShell. If your Connector is behind a proxy, it is necessary to grant Internet access to the Connector accounts "network services" and "local system". This can be achieved either by granting them access to the Proxy or by setting them to bypass the proxy. |
| Connector registration failed: Make sure you are a Global Administrator of your Active Directory to register the Connector. Error: 'The registration request was denied.' | The alias you're trying to log in with isn't an admin on this domain. Your Connector is always installed for the directory that owns the user's domain. | Make sure that the admin you are trying to log in as has global permissions to the Azure AD tenant. |
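
A pre-registration check for the Connector host that covers the blocked-port and execution-policy rows above. This is an added example, not part of the original article; it assumes Windows PowerShell 5.1 and uses the endpoint and port quoted in the "no endpoint listening" error message.

```powershell
# Added example (not from the original article): pre-registration checks on the Connector host.
# Assumption: the endpoint below is the one quoted in the "no endpoint listening" error.
$endpoint = 'connector.msappproxy.net'
$port     = 9090
$report   = [ordered]@{}

# 1. Outbound TCP to the registration endpoint (fails when ports above 8081 are blocked).
$tcp = Test-NetConnection -ComputerName $endpoint -Port $port -WarningAction SilentlyContinue
$report['RegistrationPortOpen'] = $tcp.TcpTestSucceeded

# 2. Execution policy per scope. The MachinePolicy and UserPolicy scopes reflect the
#    Group Policy setting "Turn on Script Execution"; 'Undefined' means Not Configured.
$gpo = Get-ExecutionPolicy -List |
    Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined' }
$report['GroupPolicyScopes'] = if ($gpo) {
    ($gpo | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
} else { 'Not Configured' }
# RemoteSigned = "Allow local scripts and remote signed scripts"; Unrestricted = "Allow all scripts".
$report['PolicyAllowsInstall'] =
    -not ($gpo | Where-Object { $_.ExecutionPolicy -notin 'RemoteSigned', 'Unrestricted' })

# 3. Most recent registration error, using the same source as the command shown earlier.
$last = Get-EventLog -LogName Application -Source 'Microsoft AAD Application Proxy Connector' `
    -EntryType Error -Newest 1 -ErrorAction SilentlyContinue
$report['LastErrorTime']    = if ($last) { $last.TimeGenerated } else { $null }
$report['LastErrorMessage'] = if ($last) { $last.Message } else { 'No error entries found' }

[pscustomobject]$report | Format-List
```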

Kerberos errors

| Error | Description | Resolution |
|---|---|---|
| Failed to retrieve the current execution policy for running PowerShell scripts | If the Connector installation fails, check to make sure that PowerShell execution policy is not disabled. | Open the Group Policy Editor. Go to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell and double click on Turn on Script Execution. This can be set to either Not Configured or Enabled. If set to Enabled, make sure that under Options, the Execution Policy is set to either Allow local scripts and remote signed scripts or to Allow all scripts. |
| 12008 - Azure AD exceeded the maximum number of permitted Kerberos authentication attempts to the backend server. | This event may indicate incorrect configuration between Azure AD and the backend application server, or a problem in time and date configuration on both machines. The backend server declined the Kerberos ticket created by Azure AD. | Verify that the configuration of the Azure AD and the backend application server are configured correctly. Make sure that the time and date configuration on the Azure AD and the backend application server are synchronized. |
| 13016 - Azure AD cannot retrieve a Kerberos ticket on behalf of the user because there is no UPN in the edge token or in the access cookie. | There is a problem with the STS configuration. | Fix the UPN claim configuration in the STS. |
| 13019 - Azure AD cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error. | This event may indicate incorrect configuration between Azure AD and the domain controller server, or a problem in time and date configuration on both machines. The domain controller declined the Kerberos ticket created by Azure AD. | Verify that the configuration of the Azure AD and the backend application server are configured correctly, especially the SPN configuration. Make sure the Azure AD is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Azure AD. Make sure that the time and date configuration on the Azure AD and the domain controller are synchronized. |
| 13020 - Azure AD cannot retrieve a Kerberos ticket on behalf of the user because the backend server SPN is not defined. | This event may indicate incorrect configuration between Azure AD and the domain controller server, or a problem in time and date configuration on both machines. The domain controller declined the Kerberos ticket created by Azure AD. | Verify that the configuration of the Azure AD and the backend application server are configured correctly, especially the SPN configuration. Make sure the Azure AD is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Azure AD. Make sure that the time and date configuration on the Azure AD and the domain controller are synchronized. |
| 13022 - Azure AD cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error. | This event may indicate incorrect configuration between Azure AD and the backend application server, or a problem in time and date configuration on both machines. The backend server declined the Kerberos ticket created by Azure AD. | Verify that the configuration of the Azure AD and the backend application server are configured correctly. Make sure that the time and date configuration on the Azure AD and the backend application server are synchronized. |
| The website cannot display the page. | Your user may get this error when trying to access the app you published if the application is an IWA application, the defined SPN for this application may be incorrect. | For IWA apps: Make sure that the SPN configured for this application is correct. |
| The website cannot display the page. | Your user may get this error when trying to access the app you published if the application is an OWA application, this could be caused by one of the following: (1) The defined SPN for this application is incorrect. (2) The user who tried to access the application is using a Microsoft account rather than the proper corporate account to sign in, or the user is a guest user. (3) The user who tried to access the application is not properly defined for this application on the on-prem side. | The steps to mitigate accordingly: (1) Make sure that the SPN configured for this application is correct. (2) Make sure the user signs in using their corporate account that matches the domain of the published application. Microsoft Account users and guest cannot access IWA applications. (3) Make sure that this user has the proper permissions as defined for this backend application on the on-prem machine. |
| This corporate app can't be accessed. You are not authorized to access this application. Authorization failed. Make sure to assign the user with access to this application. | Your user may get this error when trying to access the app you published if the user who tried to access the application is using a Microsoft Account rather than the proper corporate account to sign in, or the user is a guest user. | Microsoft Account users and guest cannot access IWA applications. Make sure the user signs in using their corporate account that matches the domain of the published application. |
| This corporate app can't be accessed right now. Please try again later…The connector timed out. | Your user may get this error when trying to access the app you published if the user who tried to access the application is not properly defined for this application on the on-prem side. | Make sure that this user has the proper permissions as defined for this backend application on the on-prem machine. |
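
A triage script for the service check, the Admin log and the Kerberos event IDs described above. This is an added example, not part of the original article. It assumes the Event Viewer path corresponds to the channel name `Microsoft-AadApplicationProxy-Connector/Admin`, that the numbered Kerberos events are written to that log, and a 24-hour look-back window chosen for illustration.

```powershell
# Added example (not from the original article): summarize Connector Admin-log events and
# attach the check that the Kerberos table recommends for each known event ID.
$logName = 'Microsoft-AadApplicationProxy-Connector/Admin'  # assumed channel for the Event Viewer path
$since   = (Get-Date).AddHours(-24)                         # assumed look-back window

$hints = @{
    12008 = 'Backend declined the ticket: verify Azure AD/backend configuration and time sync'
    13016 = 'No UPN in edge token or access cookie: fix the UPN claim configuration in the STS'
    13019 = 'DC declined the ticket: verify SPN configuration, domain join and time sync with the DC'
    13020 = 'Backend SPN not defined: verify SPN configuration, domain join and time sync with the DC'
    13022 = 'Backend answered HTTP 401: verify Azure AD/backend configuration and time sync'
}

# Service state first: a stopped Connector explains most downstream errors.
$svc = Get-Service -DisplayName 'Microsoft AAD Application Proxy Connector' -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'Connector service not found on this host.' }
elseif ($svc.Status -ne 'Running') { Write-Warning "Connector service is $($svc.Status)." }

# Critical, error and warning events from the Admin log.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since; Level = 1, 2, 3 } `
    -ErrorAction SilentlyContinue

$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $id = [int]$_.Name
    [pscustomobject]@{
        EventId = $id
        Count   = $_.Count
        Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        Hint    = if ($hints.ContainsKey($id)) { $hints[$id] } else { 'See event message' }
    }
} | Format-Table -AutoSize -Wrap

# Four of the five Kerberos events list clock drift as a possible cause, so measure the
# offset against the machine's own domain when any of them is present.
if ($events | Where-Object { $_.Id -in 12008, 13019, 13020, 13022 }) {
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    w32tm /stripchart /computer:$domain /samples:3 /dataonly
}
```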

See also

There's a lot more you can do with Application Proxy:

  • Publish applications with Application Proxy
  • Publish applications using your own domain name
  • Enable single-sign on
  • Enable conditional access
  • Working with claims aware applications

Learn more about Application Proxy

  • Take a look here at our online help
  • Check out the Application Proxy blog
  • Watch our videos on Channel 9!

martinezprefte.blogspot.com

Source: https://github.com/Huachao/azure-content/blob/master/articles/active-directory/active-directory-application-proxy-troubleshoot.md
