| 11005 Web Application Proxy couldn't create the cookie encryption key using the secret from the configuration. | The global configuration AccessCookiesEncryptionKey parameter was changed by the PowerShell cmdlet: Set-WebApplicationProxyConfiguration -RegenerateAccessCookiesEncryptionKey | No action is required. The problematic cookie was removed and the user was redirected to STS for authentication. |
| 12000 Web Application Proxy couldn't check for configuration changes for at least 60 minutes | Web Application Proxy can't access the Web Application Proxy configuration using the cmdlet Get-WebApplicationProxyConfiguration/Application. This is caused by lack of connectivity with AD FS or the need to renew trust with AD FS. | Check connectivity with AD FS. You can do this using the link https://<FQDN_AD_FS_Proxy>/FederationMetadata/2007-06/FederationMetadata.xml. Make sure there's trust established between the AD FS and the Web Application Proxy. If these solutions don't work, run the Install-WebApplicationProxy cmdlet. |
| 12003 Web Application Proxy couldn't parse the access cookie. | This may indicate that the Web Application Proxy and the AD FS aren't connected or that they don't receive the same configuration. | Check connectivity with AD FS. You can do this using the link https://<FQDN_AD_FS_Proxy>/FederationMetadata/2007-06/FederationMetadata.xml. Make sure there's trust established between the AD FS and the Web Application Proxy. If these solutions don't work, run the Install-WebApplicationProxy cmdlet. |
| 12004 Web Application Proxy received a request with a nonvalid access cookie. | This event may indicate that the Web Application Proxy and the AD FS aren't connected or that they don't receive the same configuration. If you ran the AccessCookiesEncryptionKey parameter was changed by Set-WebApplicationProxyConfiguration -RegenerateAccessCookiesEncryptionKey PowerShell cmdlet, this event is normal and requires no resolution steps. | Check connectivity with AD FS. You can do this using the link https://<FQDN_AD_FS_Proxy>/FederationMetadata/2007-06/FederationMetadata.xml. Make sure there's trust established between the AD FS and the Web Application Proxy. If these solutions don't work, run the Install-WebApplicationProxy cmdlet. |
| 12008 Web Application Proxy exceeded the maximum number of permitted Kerberos authentication attempts to the backend server. | This event may indicate incorrect configuration between Web Application Proxy and the backend application server, or a problem in time and date configuration on both machines. | The backend server declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly. Make sure that the time and date configuration on the Web Application Proxy and the backend application server are synchronized. |
| 12011 Web Application Proxy received a request with a non-valid access cookie signature. | This event may indicate that the Web Application Proxy and the AD FS aren't connected or that they don't receive the same configuration. If you ran the AccessCookiesEncryptionKey parameter was changed by Set-WebApplicationProxyConfiguration -RegenerateAccessCookiesEncryptionKey PowerShell cmdlet, this event is normal and requires no resolution steps. | Check connectivity with AD FS. You can do this using the link https://<FQDN_AD_FS_Proxy>/FederationMetadata/2007-06/FederationMetadata.xml. Make sure there's trust established between the AD FS and the Web Application Proxy. If these solutions don't work, run the Install-WebApplicationProxy cmdlet. |
| 12027 Proxy encountered an unexpected error while processing the request. The name provided isn't a properly formed account name. | This event may indicate incorrect configuration between Web Application Proxy and the domain controller server, or a problem in time and date configuration on both machines. | The domain controller declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly, especially the SPN configuration. Make sure the Web Application Proxy is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Web Application Proxy. Make sure that the time and date configuration on the Web Application Proxy and the domain controller are synchronized. |
| 13012 Web Application Proxy received a nonvalid edge token signature | | Make sure you updated Web Application Proxy with Web Application Proxy cannot detect the updated certificate after it automatically updates on Windows Server 2012 R2. |
| 13013 Web Application Proxy received a request that contained an expired edge token. | Web Application Proxy and AD FS don't have synchronized clocks. | Synchronize the clocks between Web Application Proxy and AD FS. |
| 13014 Web Application Proxy received a request with a nonvalid edge token. The token isn't valid because it couldn't be parsed. | This may indicate an issue with the AD FS configuration. | Check your AD FS configuration and, if necessary, restore the default configuration. |
| 13015 Web Application Proxy received a request with an expired access cookie. | This could indicate clocks that aren't synchronized. | If you're working with a cluster of Web Application Proxy machines, make sure that the time and date of the machines is synchronized. |
| 13016 Web Application Proxy can't retrieve a Kerberos ticket on behalf of the user because there's no UPN in the edge token or in the access cookie. | There's a problem with the STS configuration. | Fix the UPN claim configuration in the STS. |
| 13019 Web Application Proxy can't retrieve a Kerberos ticket on behalf of the user because of the following general API error | This event may indicate incorrect configuration between Web Application Proxy and the domain controller server, or a problem in time and date configuration on both machines. | The domain controller declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly, especially the SPN configuration. Make sure the Web Application Proxy is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Web Application Proxy. Make sure that the time and date configuration on the Web Application Proxy and the domain controller are synchronized. |
| 13020 Web Application Proxy can't retrieve a Kerberos ticket on behalf of the user because the backend server SPN isn't defined. | This event may indicate incorrect configuration between Web Application Proxy and the domain controller server, or a problem in time and date configuration on both machines. | The domain controller declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly, especially the SPN configuration. Make sure the Web Application Proxy is domain joined to the same domain as the domain controller to ensure that the domain controller establishes trust with Web Application Proxy. Make sure that the time and date configuration on the Web Application Proxy and the domain controller are synchronized. |
| 13022 Web Application Proxy can't authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error. | This event may indicate incorrect configuration between Web Application Proxy and the backend application server, or a problem in time and date configuration on both machines. | The backend server declined the Kerberos ticket created by Web Application Proxy. Verify that the configuration of the Web Application Proxy and the backend application server are configured correctly. Make sure that the time and date configuration on the Web Application Proxy and the backend application server are synchronized. |
| 13025 The client didn't present an SSL certificate to Web Application Proxy. | This event may indicate a problem in time and date configuration. | Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one. |
| 13026 The client presented an SSL certificate to Web Application Proxy, but the certificate isn't valid: the certificate doesn't match the thumbprint. | This event may indicate a problem in time and date configuration. | Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one. |
| 13028 Web Application Proxy received a request that contained an edge token that isn't yet valid. | This event may indicate a problem in time and date configuration. | Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. |
| 13030 The client presented an SSL certificate to Web Application Proxy, but the trust provider doesn't trust the certificate authority that issued the client certificate. | This event may indicate a problem in time and date configuration. | Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one. |
| 13031 The client presented an SSL certificate to Web Application Proxy, but the certificate chain terminated in a root certificate that isn't trusted by the trust provider. | This event may indicate a problem in time and date configuration. | Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one. |
| 13032 The client presented an SSL certificate to Web Application Proxy, but the certificate wasn't valid for the requested usage. | This event may indicate a problem in time and date configuration. | Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one. |
| 13033 The client presented an SSL certificate to Web Application Proxy, but the certificate wasn't within its validity period when verifying against the current system clock or the timestamp in the signed file. | This event may indicate a problem in time and date configuration. | Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one. |
| 13034 The client presented an SSL certificate to Web Application Proxy, but the certificate wasn't valid. | This event may indicate a problem in time and date configuration. | Make sure that the certificate infrastructure is valid and that the time and date of the Web Application Proxy and the AD FS are synchronized. Make sure that the thumbprint configured for the Web Application Proxy is the correct one. |
