
NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error

5 replies

Last post Aug 17, 2018 05:36 AM by DevPreSupport_MSFT

  • NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error

    Jul 25, 2018 06:51 AM|bhavay11

    Setup:

    Server 1: ARR Reverse Proxy

    Server 2: App Server

    Server 3: Identity Server (Identity Server 3).

    Both the App Server and Identity Server are behind DMZ and accessible only via Reverse Proxy.

    App Server redirects unauthenticated requests to Identity Server for AuthN.

    Identity Server uses Active Directory as Identity Provider. Application uses OpenIDConnect as the AuthN Middleware.

    All the URL Rewrite rules are working properly and the redirections happen correctly.

    Browser popup asks for credentials after redirection to Identity Server (401 challenge). After entering the credentials ARR returns 502.3 (Server returned invalid response) error. Response to 401 challenge is not even sent to the Identity Server. ARR throws the above error.

    Error in ARR IIS Log: 502.3 sc-win32-status: 12018 (The type of handle supplied is incorrect for this operation).

    Any pointers will really help.

    Thank you

  • Re: NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error

    Jul 26, 2018 02:24 AM|deepakpanchal10

    Hi Bhavay11,

    I tried to check the thread and find information regarding error 502.3 sc-win32-status: 12018 (The type of handle supplied is incorrect for this operation).

    I find that not much information is available in the documentation that can inform us of the possible causes or steps to troubleshoot the issue.

    So, for a better response and solution to your issue, I am escalating this thread to some senior engineers.

    Further, they will try to look into this issue and try to provide you with helpful suggestions to solve the issue.

    Thanks for your understanding.

    Regards

    Deepak

    MSDN Community Support
  • Re: NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error

    Jul 26, 2018 06:46 AM|gtscdsi

    For the ARR 502.3 error, you can capture failed request tracing for more info: https://docs.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis

    Getting ARR to work with Windows authentication is kind of complicated; you can refer to this blog to see if you have configured it correctly: https://blogs.msdn.microsoft.com/benjaminperkins/2015/08/03/configure-application-request-routing-with-windows-authentication-Kerberos/

    We focus on various troubleshooting plan and solution on IIS web platform and distributed applications. Please contact us at:

    http://blogs.msdn.com/b/asiatech/
  • Re: NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error

    Jul 27, 2018 07:19 AM|bhavay11

    Hello gtscdsi,

    I had already verified "failed request logs" but there is no information. It only says 502.3, the web server returned invalid response.

    I have already gone through the Benjamin Perkins article to set up Windows AuthN with ARR. But I am still facing the same issue. My setup is a bit different than suggested in his blog.

    Thank you

  • Re: NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error

    Jul 27, 2018 12:19 PM|bhavay11

    Hello Deepak,

    Please let me know if you or your team needs any more information.

    Thank you

  • Re: NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error

    Aug 17, 2018 05:36 AM|DevPreSupport_MSFT

    Hello bhavay11,

    Thanks for your posting!

    According to your description of the error message, it seems that the ARR server didn't handle the request response.

    About this question, please confirm these issues:

    1. If you directly access the Application Server, can you log in to the application? If you can log in to the application, we need to troubleshoot the ARR configuration.
    2. What did you set the Identity Server callback URL to? You could use the Application Server address directly, bypassing the ARR server.
    3. Please enable the Failed Request Tracing feature (https://docs.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis-85#enable-failed-request-tracing) on the ARR server (default site), Application Server and Identity Server. You can set the status code as 401-999 to collect the failed request logs. These FREB XML files are very useful and helpful for ARR issues.

    Best Regards,
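
The log signature reported in this thread (a 401 challenge followed by 502.3 with sc-win32-status 12018 on the ARR server) can be searched for in the ARR server's W3C log. The following is an added example, not part of any post in the thread; the sample log lines, IP addresses and URL paths are constructed, and the function names are hypothetical.

```python
"""Added example: find auth handshakes that break at an ARR proxy in IIS W3C logs."""

# Constructed sample of an ARR server's W3C log (IPs, paths and times are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus sc-win32-status time-taken
2018-07-25 06:40:01 10.0.0.5 GET /app/ 302 0 0 15
2018-07-25 06:40:02 10.0.0.5 GET /identity/connect/authorize 401 2 5 31
2018-07-25 06:40:09 10.0.0.5 GET /identity/connect/authorize 502 3 12018 4
2018-07-25 06:41:00 10.0.0.9 GET /identity/connect/authorize 401 2 5 28
2018-07-25 06:41:03 10.0.0.9 GET /identity/connect/authorize 200 0 0 120
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def broken_handshakes(text, error=("502", "3", "12018")):
    """Return rows where a 401 challenge is followed by the given proxy error
    for the same client and URL, i.e. the credentialed retry failed at ARR.
    Requires c-ip, cs-uri-stem and the three status fields to be logged."""
    challenged = set()
    hits = []
    for row in parse_w3c(text):
        key = (row["c-ip"], row["cs-uri-stem"])
        code = (row["sc-status"], row["sc-substatus"], row["sc-win32-status"])
        if row["sc-status"] == "401":
            challenged.add(key)          # server asked for credentials
        elif key in challenged:
            if code == error:
                hits.append(row)         # retry never produced a backend response
            challenged.discard(key)      # handshake ended, one way or the other
    return hits

if __name__ == "__main__":
    for r in broken_handshakes(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-uri-stem"], "502.3 / 12018")
```

Running the same check against the Identity Server's own log for the same time window shows whether the credentialed retry ever reached it.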