SOLVED

AAD application proxy : access from external issue

Copper Contributor

Hello,

I have published an application with SAML SSO. From internal, it works fine.

When I connect to https://myapp, all is ok.


I have set up an external URL: https://myapp.my_custom_external.com

When I try to access it, I get error AADSTS50011.

I added https://myapp.my_custom_external.com as a redirect URI, as this article mentioned: https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/app-integration/error-code-aadst...


But now when I try to access https://myapp.my_custom_external.com, I get a timeout.


Can you help me?

Thanks.

Regards.


14 Replies

@micheleariis 

Thank you for your answer but unfortunately I already did this trick and like I said, I get a timeout.

appproxy3.PNG

Regards.

When internal, try and ping the web address that worked (https://myapp) does it resolve an internal address? If so, SAML SSO may still work because it might not be using the App Proxy.

Have you verified you can communicate between your server hosting the agent and the application? Have you verified that the server hosting the proxy agent has outbound Internet access and can communicate with Entra ID?

Hi,
Yes, internally, when I ping the "myapp" host, it resolves to an internal address.
Yes, the server hosting the agent can communicate with the server hosting the application.
The proxy agent server can communicate with Entra. This server is the same as the AAD synchronisation service server.
I have installed Wireshark on the proxy agent server, and when I log in with SAML, there is no communication between the app server and the proxy agent.
I don't know what I miss. 😕

Yeah, that makes sense as it's using internal DNS to resolve the app and just using SAML.

What happens if you remove the custom domain for the app proxy address and use one of Microsoft's app proxy addresses? In the Entra portal, is the agent showing as online?

@Jamesscarr 

I cannot change the custom domain to an msappproxy.net domain; I have to create another application.
I will test.


approxy5.PNG


Yes proxy agent is online.

appproxy4.PNG

I have tested with an msappproxy.net domain.
I get error AADSTS50011, and if I update the application registration, I get a timeout.
So, it's the same.
That makes sense, seems like your app needs that external DNS name. It might be worth checking your internal DNS record to see what the target destination is. If it is different from what you set in Entra, it might be worth changing the one in Entra to match the on-prem one. It might also be worth changing the timeout in the Entra ID app to the long timeout.

Also, have you checked the event logs on your server hosting the agent?
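The checks suggested in the two replies above (does the internal name resolve to a private address, does the connector host have outbound access to Entra, is the connector service running, and what do its event logs say) can be run from one script on the connector server. This is an added example, not code from the thread or from Microsoft; the two hostnames are the thread's placeholders, the endpoint list contains only login.microsoftonline.com and must be completed from the connector prerequisites page, and the service names and event-log channel are assumed to be those of the Entra private network connector.

```powershell
# Added example: connector-host health checks. Run in an elevated PowerShell
# session on the server that hosts the Application Proxy connector.
# Assumptions: hostnames are the thread's placeholders; service names and the
# event-log channel are assumed; extend $Endpoints from the prerequisites doc.
$InternalHost = 'myapp'                          # name that works on-prem
$ExternalHost = 'myapp.my_custom_external.com'   # published external URL
$Endpoints    = @('login.microsoftonline.com')   # add *.msappproxy.net etc.
$Services     = @('WAPCSvc', 'ApplicationProxyConnectorUpdaterService')  # assumed
$LogChannel   = 'Microsoft-AadApplicationProxy-Connector/Admin'          # assumed

function Test-PrivateIPv4 {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-ARecords {
    param([string]$Name)
    try {
        (Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
            Where-Object Type -eq 'A').IPAddress
    } catch { @() }
}

# 1. DNS: a private answer for the internal name means the SAML SSO test
#    never went through the proxy, so it proves nothing about the connector.
foreach ($h in @($InternalHost, $ExternalHost)) {
    $ips = Get-ARecords $h
    if (-not $ips) { Write-Host "DNS  $h -> no A record"; continue }
    foreach ($ip in $ips) {
        $scope = if (Test-PrivateIPv4 $ip) { 'private (bypasses proxy)' } else { 'public' }
        Write-Host "DNS  $h -> $ip [$scope]"
    }
}

# 2. Outbound: TCP 443 may succeed while a web filter still breaks TLS/HTTP,
#    so test both layers. Any HTTP status (even 4xx) means the host was reached;
#    a WebException with no response means something in between blocked it.
foreach ($e in $Endpoints) {
    $tcp = (Test-NetConnection -ComputerName $e -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    try {
        $r = Invoke-WebRequest -Uri "https://$e/" -Method Head -UseBasicParsing -TimeoutSec 10
        $http = "HTTP $($r.StatusCode)"
    } catch {
        $http = if ($_.Exception.Response) { "HTTP $([int]$_.Exception.Response.StatusCode)" }
                else { "blocked: $($_.Exception.Message)" }
    }
    Write-Host "NET  $e : tcp443=$tcp, $http"
}

# 3. Connector services.
foreach ($s in $Services) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not installed' }
    Write-Host "SVC  $s : $state"
}

# 4. Recent connector warnings/errors (the log the reply above asks about).
Get-WinEvent -LogName $LogChannel -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in @('Error', 'Warning') } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

A private answer in step 1 for the internal name, together with a "blocked" result in step 2, is the combination this thread ends up with: the on-prem test succeeded without the proxy, and the connector's outbound TLS was being interfered with by a web filter.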

Hello,
My firewall has an IP, say 10.11.12.13. This is the connector's external IP, BUT port 443 is redirected to the VPN SSL web page. Could it be an explanation?

I have tested with DNS resolution for the external URL, timeout too.
There is no error message in agent log.
Seems that MS entra can't connect to agent, even when agent can connect to MS entra.

Sorry, I have rechecked and I can see this error.

approxy6.PNG

I have tested, it is a firewall issue.
Web filter issue too, for precision.
I followed this page but it misses some websites: https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-connectors
Have you got the new prerequisites?
thanks.
best response confirmed by ARAIMBAULT (Copper Contributor)
Solution

Ok it works now
I've got a FortiGate; with a web filter or other security profile it does not work, I had to open Internet services.

Like this:

approxy7.PNG

thanks for help.
