AzureAD Application Proxy and the PATCH-verb


Hi,

We did set up an AzureAD Application Proxy to make one of our applications available from the internet.

For the outside-user, we use an MS 365-login. The proxy does then use this information to query our AD in order to get Kerberos credentials that are then used to access the application.

This is working just fine. With one exception: each time the client sends a request using the http-verb PATCH, the request is not coming through.

The client receives a 502 (bad gateway) and the message "This corporate app can't be accessed.". The proxy does record a warning-event in the eventlog.

In the IIS-Log of the target-application, we do see all of the user's requests, except the ones using PATCH.

Do you have any ideas on how to solve that?

Thank you very much!

1 Reply

We solved it:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-faq

Application Proxy requires Windows Server 2012 R2 or later. There is currently a limitation on HTTP2 for Windows Server 2019. In order to successfully use the connector on Windows Server 2019, you will need to add the following registry key and restart the server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\EnableDefaultHttp2 (DWORD) Value: 0
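
The registry change quoted in the reply above, as an added PowerShell example (not part of the original post or of Microsoft's documentation). It assumes an elevated session on the connector server, uses only the key, value name and data quoted above, and leaves the restart to the administrator.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotently apply the WinHTTP setting quoted in the reply.
# Key path, value name and data are taken from the post; everything else is illustrative.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$Name = 'EnableDefaultHttp2'
$Want = 0

function Get-Http2Setting {
    # Returns the current DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# The reply scopes the workaround to Windows Server 2019; warn on anything else.
$os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($os -notlike '*Server 2019*') {
    Write-Warning "OS is '$os'; the quoted guidance targets Windows Server 2019."
}

$before = Get-Http2Setting
if ($before -eq $Want) {
    Write-Output "$Name is already $Want; no change made."
    return
}

# Create the key if it does not exist yet, then write the DWORD.
if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -Force | Out-Null
}
New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Want -Force | Out-Null

# Read the value back so a silent failure is not mistaken for success.
$after = Get-Http2Setting
if ($after -ne $Want) {
    throw "Failed to set $Name (read back '$after')."
}

$shown = if ($null -eq $before) { '<not set>' } else { $before }
Write-Output "$Name changed from $shown to $after. Restart the server for the change to take effect."
```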