Hey Everyone,
We just published SharePoint 2013 externally using ADFS, Kerberos and WAP, and all was working fine, but all of a sudden we get the HTTP 500 error page. We have restarted the servers but no luck. Below is how we went about configuring SharePoint externally.
We first extended our internal website http://shj-schs to https://shjschs.schs.sharjah.ae:4433 in the Internet zone. For the extended website we chose Negotiate (Kerberos).
We made sure that an AAM for the main site it was extended from is present. In IIS, the bindings for the extended website contain the hostname shjschs.schs.sharjah.ae and port 4433. Finally we added a third-party DigiCert wildcard certificate (*.schs.sharjah.ae). Internally there is a Host (A) record for shjschs.schs.sharjah.ae resolving to the SharePoint server. Now when we browse to https://shjschs.schs.sharjah.ae:4433, we see our SharePoint portal.
Next we created the SPN for the domain account that runs the SharePoint application pools for the main and extended web applications as https/shjschs.schs.sharjah.ae:4433 (using Attribute Editor).
For the SharePoint server, on the Delegation tab, we chose 'Trust this computer for delegation (Kerberos only)'.
Later we set up ADFS 3.0 with the same DigiCert wildcard certificate. The federation service name for the ADFS is verf.schs.sharjah.ae. We created a 'Non-Claims-Aware Relying Party Trust' for the URL https://shjschs.schs.sharjah.ae:4433 and permitted all users in the authorization rules. In the Authentication Policies we enabled Forms Authentication and Windows Authentication for Intranet, while Extranet has Forms Authentication set.
After this, WAP was set up with the same DigiCert wildcard certificate and configured against the ADFS server verf.schs.sharjah.ae. Finally we published the SharePoint web application with its URL https://shjschs.schs.sharjah.ae:4433 as both the external and backend URL, while the backend SPN is http/shjschs.schs.sharjah.ae:4433. This was done with ADFS pre-authentication, not pass-through.
Finally, for the Web Application Proxy server, on the Delegation tab we chose 'Trust this computer for delegation to specified services only', selected the domain account, picked the SPN that was created and pressed OK.
Later we created public DNS records for shjschs.sharjah.ae and for verf.schs.sharjah.ae, both pointing to our WAP external NIC. If we browse to https://shjschs.schs.sharjah.ae:4433 externally, we get redirected from the WAP to the ADFS page. If we enter wrong credentials on the login page, we get an error message about invalid credentials, but if we enter the correct credentials, we get HTTP 500. I have tested the ADFS service URL https://verf.schs.sharjah.ae/adfs/ls/IdpInitiatedSignOn.aspx, and on entering correct credentials I get signed in to the service.
If I delete the WAP published website rule and create one with pass-through for the same URL https://shjschs.schs.sharjah.ae:4433, I get an IE prompt, and after entering correct credentials I can see the SharePoint portal.
Can anyone help in solving this problem? I have described the setup and environment in detail.
*PS: Both WAP and ADFS are joined to the domain schs.sharjah.ae, and in IE locally for all users inside the organization, both https://shjschs.schs.sharjah.ae:4433 and https://verf.schs.sharjah.ae are present in the IE Trusted Sites list, with verf.schs.sharjah.ae also present in Local Intranet sites.
MVI - Most Valuable Indian
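The setup described in the post above has three values that must agree for WAP's Kerberos constrained delegation to work: the SPN registered on the application pool account, the backend SPN in the WAP publishing rule, and the delegation entry on the WAP computer account (which also needs protocol transition, since the ticket is obtained from an ADFS forms logon rather than a Kerberos logon). The following diagnostic script is an added example, not part of the original post; it reads all three from the WAP server and reports any mismatch. The rule name and service account name are hypothetical placeholders to be replaced with your own.

```powershell
# Added diagnostic example (not from the original post). Run in an elevated
# PowerShell on the WAP server, with the WebApplicationProxy and
# ActiveDirectory modules installed.
# Hypothetical placeholders, adjust to your environment:
#   -PublishedName  : name of the WAP publishing rule
#   -ServiceAccount : sAMAccountName of the SharePoint app pool account
param(
    [string]$PublishedName  = 'SharePoint Portal',
    [string]$ServiceAccount = 'svc_spapppool'
)

Import-Module WebApplicationProxy
Import-Module ActiveDirectory

# 1. The SPN the WAP requests a service ticket for on the user's behalf.
$app = Get-WebApplicationProxyApplication -Name $PublishedName
$backendSpn = $app.BackendServerAuthenticationSPN
"WAP rule '$($app.Name)': preauth=$($app.ExternalPreauthentication); backend SPN=$backendSpn"

# 2. SPNs actually registered on the application pool account.
$svc = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$registered = @($svc.servicePrincipalName)
"SPNs registered on ${ServiceAccount}:"
$registered | ForEach-Object { "  $_" }

# 3. Services the WAP computer account may delegate to, plus whether
#    protocol transition ('Use any authentication protocol') is enabled.
$wap = Get-ADComputer -Identity $env:COMPUTERNAME `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$delegateTo = @($wap.'msDS-AllowedToDelegateTo')
"WAP computer account delegation list:"
$delegateTo | ForEach-Object { "  $_" }
"TrustedToAuthForDelegation: $($wap.TrustedToAuthForDelegation)"

# 4. Report mismatches. -contains compares case-insensitively, but the
#    service class (http vs https) and the port are both significant.
$problems = @()
if ($registered -notcontains $backendSpn) {
    $problems += "Backend SPN '$backendSpn' is not registered on $ServiceAccount " +
                 "(register it with: setspn -S $backendSpn $ServiceAccount)"
}
if ($delegateTo -notcontains $backendSpn) {
    $problems += "WAP computer account is not allowed to delegate to '$backendSpn'"
}
if (-not $wap.TrustedToAuthForDelegation) {
    $problems += "Protocol transition is off; KCD after ADFS pre-authentication " +
                 "requires 'Use any authentication protocol' on the WAP computer account"
}

if ($problems) {
    $problems | ForEach-Object { "PROBLEM: $_" }
} else {
    "Registered SPN, WAP backend SPN and delegation entry all agree."
}
```

Run it as `.\Check-WapKcd.ps1 -PublishedName '<rule name>' -ServiceAccount '<app pool account>'`. An SPN that differs only in service class or port between the three places will show up as a PROBLEM line, which is the first thing to check when ADFS pre-authentication succeeds but the published application then returns a server error while pass-through publishing works.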