I recently helped a customer to set up a Web Application Proxy (WAP) service to do pre-authentication to a SAP CRM system. Within the network everything was working well via ADFS and authentication was just fine. Coming through the WAP however I got a 404 error. The SAP CRM debug log showed a difference in the URLs when accessing internally versus externally, as follows:
Internal connection bypassing WAP (working)
10.10.10.10 crm.contoso.com – - [23/Nov/2015:15:15:45 +1300] HTTPS 302 “GET /saml2(bD1lbiZjPTMwMCZkPW1pbg==)/bc/bsp/sap/crm_ui_start/default.htm?sap-sessioncmd=open HTTP/1.1″ 0 83 h[-]
External connection via WAP (failing)
10.10.10.11 crm.contoso.com – - [23/Nov/2015:15:34:15 +1300] HTTPS 404 “GET /saml2%28bD1lbiZjPTMwMCZkPW1pbg%3D%3D%29/bc/bsp/sap/crm_ui_start/default.htm?sap-sessioncmd=open HTTP/1.1″ 1819 52 h[-]
The difference appeared to be simply that the special characters in the URL have been transformed/replaced when coming through the WAP. I couldn’t find a configuration option within WAP that addressed this behaviour.
After posting to a couple of forums, someone from Microsoft came back with a suggestion to apply the hotfix mentioned in the following KB article (KB3042127):
“HTTP 400 – Bad Request” error when you open a shared mailbox through WAP in Windows Server 2012 R2
Apart from not seeming (from the title at least) to be remotely relevant to my issue, this KB wins the award for the most thinly worded article in the world. Ever….
“This issue occurs because Web Application Proxy (WAP) is encoding the reserved characters incorrectly.”
There, that’s the entire “Cause” section of the KB article.
You have to request the hotfix (i.e. it’s not delivered via Windows Update) and also have to have the April 2014 update rollup for Windows Server 2012 R2 (KB2919355) installed as a prerequisite.
Anyway, after installing the hotfix and restarting the WAP server, everything worked like a charm. Issued resolved.
Interestingly, it also appeared to resolve an unrelated issue with another application using the WAP. From my experience at least this seems like an important hotfix and one that should be given more publicity.