WAP 2016 Published Application Not Working – HTTP Error 503


Imagine the situation.  You just finished deploying AD FS 2016 and Web Application Proxy (WAP) servers in a highly available environment with the AD FS namespace load balanced internally and externally.  There are multiple AD FS servers and WAP servers.  This is an interesting deployment project and all is going well.   After verifying that core AD FS and WAP functionality works as expected you then move onto using WAP to publish Exchange to the Internet using pass through authentication.

Unfortunately no plan survives contact with the enemy....

Instead of being able to see your lovely OWA splash screen when at Starbucks you instead are greeted with the below rather sad page:

WAP 2016 Service Unavailable HTTP Error 503. The service is unavailable.

For make most glorious search engine benefit:

Service Unavailable HTTP Error 503. The service is unavailable.

Hmm.  Maybe OWA is not running on the published Exchange server – let's try ECP instead.

WAP 2016 Service Unavailable HTTP Error 503. The service is unavailable.

Nope same issue.

Internally everything is just fine and all is working as expected.  From the WAP servers themselves, DNS resolves to the correct endpoints.  OWA and ECP can also be rendered as expected on the WAP server.

The issue is only with the external publishing.  Something is wrong with WAP.

Reviewing WAP Configuration

All of the required Exchange CAS namespaces were published using WAP.  Below is the Remote Access management console on server WAP-2016-1.  The OWA published application is highlighted, and then a zoomed view is shown for OWA.

WAP 2016 - List of Published Applications

WAP 2016 - Details of OWA Published Application

We can use the Remote Access Management console to open the properties of the published application, or use PowerShell.  The PowerShell method is shown below.

 

Get-WebApplicationProxyApplication "mail.wingtiptoys.ca/owa" | Format-List

WAP 2016 Using PowerShell to Review Published Application

All of this looks OK.  The correct certificate is selected and the certificate is valid in all respects.

Since that all seems to be fine, let's review the WAP diagnostics to see what is happening

WAP Troubleshooting

Upon initial inspection it would seem that all is well in the WAP world.  There are no errors logged in:

Applications and Services Logs\AD FS\Admin

Applications and Services Logs\AD FS\Admin

All of these entries indicate nirvana, and they state:

"The federation server proxy successfully retrieved and updated its configuration from the Federation Service 'sts.wingtiptoys.ca'."

As noted earlier, the idpinitiatedSignon page was working as expected with no issues.  In this case the URL used was:

https://sts.wingtiptoys.ca/adfs/ls/idpinitiatedsignon.htm

idpinitiatedSignon Page Working As Expected

 However, WAP logs to a different event log which is:

Applications and Services Logs\Microsoft-Windows-Web Application Proxy/Admin

When this log is reviewed note that there are errors.

WAP 2016 Application Event Log - Applications and Services Logs\Microsoft-Windows-Web Application Proxy/Admin

Specifically we can see EventID 12019 where there is an error with creating the WAP listener.

WAP EventID 12019

The details of the error are:

Web Application Proxy could not create a listener for the following URL: https://mail.wingtiptoys.ca/owa/.
Cause: The filename, directory name, or volume label syntax is incorrect.
(0x8007007b).

 

Well that would be a problem, no?

 

Addressing WAP 2016 Application Publishing Error

The name that the error is referring to as invalid is highlighted below.

WAP 2016 Publishing Settings

It is quite common to copy the published URL and then paste it into all of the relevant fields.  This is efficient and also prevents making typos.

However, if the URL is pasted into the Name field as shown above you will find yourself in a pickle and probably reading this post.....

 

The issue is due to the "/" invalid character in the name field.  Simply remove the offending special character to address the issue. To do this we can right click the WAP published application, and chose EDIT.

Note in the below example, the Name field was edited and now contains "OWA"

Editing WAP 2016 Published Application To Correct name Field

Complete the wizard to save changes.  Allow for WAP to save and update its configuration.

This could also be done in PowerShell using the Set-WebApplicationProxyApplication cmdlet.  As an example:

Set-WebApplicationProxyApplication -BackendServerUrl "https://mail.wingtiptoys.ca/owa/" -ExternalCertificateThumbprint 'BD4074969105149328DBA6BC8F7F0FFC9509C74F' -ExternalUrl "https://mail.wingtiptoys.ca/owa/" -Name 'OWA' -ID '8D8344E0-52A9-ED1D-692C-81BF039813B5'

 

This was repeated for all published applications.  Note the highlighted Name column - all of the published applications now have simplified names.

Updated WAP 2016 Published Applications

 

Now it is time to test, and you should be back in business!

OWA Successfully Published Using WAP 2016

 

Note that this issue seems to be specific to WAP 2016, and was not present on WAP 2012 R2.
Cheers,

Rhoderick

Comments (2)

  1. J.R. Phillips says:

    Just got done converting to WAP/ADFS 2016 and had one published app that wasn’t working and it was driving me nuts. Was chasing the firewall and LB just looking for whatever gremlin was the culprit, and eventually a blog led me here. I can’t believe it’s a special character in the label…

    1. And all is good after you edited the name JR ?

      Cheers,
      Rhoderick

Skip to main content