Very simple setup: two ADFS BE servers and one proxy. Application name https://adfsapps.abc.local/ADFSApp1/ (basic claims-aware app). STS URL is STS2.abc.local. The DCs, ADFS BE and WAP are on the same network, and the WAP is joined to the domain. I have a client that is in the same network but without DNS; its hosts file has been updated just to reach the external URL of the published app, which obviously points to the WAP, and it also has the entries to help it reach the ADFS BE, but not the application directly. AFAIK the client would hit the external URL, which will take it to the WAP, then the WAP will take it to the ADFS BE for authentication, where ADFS should prompt for FBA (as configured), but this is where it fails...
If the application is published as pass-through it works fine, but if pre-authentication is used then I get Event 511, which says:
The incoming sign-in request is not allowed due to an invalid Federation Service configuration.
Request url: /adfs/ls?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=39015c2f-5b7e-e511-80be-00155d1b2104&returnUrl=https%3A%2F%2Fadfsapps.abc.local%2FADFSApp1%2F&client-request-id=356DDEB4-1336-0000-1EE6-6D353613D101
User Action: Examine the Federation Service configuration and take the following actions: Verify that the sign-in request has all the required parameters and is formatted correctly. Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters. Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.
and Event 364 - Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: The request was malformed or not valid. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
The events get generated on the BE servers. Any help would be highly appreciated.
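The User Action text in Event 511 lists three things to verify: the sign-in request parameters, the web application proxy relying party trust, and the target relying party trust. The script below walks those checks with the AD FS and Web Application Proxy PowerShell cmdlets. It is an added example, not part of the original post or of any Microsoft documentation. It assumes the `Get-AdfsWebApplicationProxyRelyingPartyTrust`, `Get-AdfsRelyingPartyTrust` and `Get-WebApplicationProxyApplication` cmdlets are available on the respective servers, that the request URL is copied from the event, and that "identifiers which match the sign-in request parameters" means the `realm` value should appear in the WAP trust's `Identifier` list and the `appRealm` value in the target trust's `Identifier` list (that mapping is this example's reading of the event text). The function names are made up for this example.

```powershell
# Added example: cross-check the failing sign-in request against the AD FS
# and WAP configuration, following the three "Verify that ..." items in
# Event 511. The request URL below is copied from the event in the post;
# replace it with the one from your own event.
$RequestUrl = '/adfs/ls?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=39015c2f-5b7e-e511-80be-00155d1b2104&returnUrl=https%3A%2F%2Fadfsapps.abc.local%2FADFSApp1%2F'

# Split the query string into a hashtable of decoded name/value pairs.
function Get-SignInRequestParameters {
    param([Parameter(Mandatory)][string]$Url)
    $query  = ($Url -split '\?', 2)[1]
    $params = @{}
    foreach ($pair in ($query -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) {
            $params[$kv[0]] = [System.Uri]::UnescapeDataString($kv[1])
        }
    }
    return $params
}

# Check 1: the request carries the parameters the MSISHttp handler expects.
function Test-SignInRequestParameters {
    param([Parameter(Mandatory)][hashtable]$Params)
    $required = 'version', 'action', 'realm', 'appRealm', 'returnUrl'
    $missing  = $required | Where-Object { -not $Params.ContainsKey($_) }
    if ($missing) {
        Write-Warning "Request is missing parameter(s): $($missing -join ', ')"
    } else {
        Write-Host "Request parameters present: realm=$($Params.realm) appRealm=$($Params.appRealm) returnUrl=$($Params.returnUrl)"
    }
}

# Checks 2 and 3: run this on an AD FS back-end server. Event 511 asks for a
# WAP relying party trust that exists, is enabled and matches 'realm', and a
# target relying party trust that exists and matches 'appRealm'.
function Test-AdfsTrusts {
    param([Parameter(Mandatory)][hashtable]$Params)

    $wapTrust = Get-AdfsWebApplicationProxyRelyingPartyTrust
    if (-not $wapTrust) {
        Write-Warning 'No Web Application Proxy relying party trust exists on this farm.'
    } else {
        Write-Host "WAP trust: Enabled=$($wapTrust.Enabled) Identifier=$($wapTrust.Identifier -join ', ')"
        if (-not $wapTrust.Enabled) { Write-Warning 'WAP relying party trust is disabled.' }
        if ($wapTrust.Identifier -notcontains $Params.realm) {
            Write-Warning "WAP trust identifiers do not include realm '$($Params.realm)'."
        }
    }

    # Assumption for this example: appRealm is matched against the target
    # trust's Identifier list, as the event's wording suggests.
    $target = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -contains $Params.appRealm }
    if (-not $target) {
        Write-Warning "No relying party trust has an identifier equal to appRealm '$($Params.appRealm)'. Listing all trusts:"
        Get-AdfsRelyingPartyTrust | Select-Object Name, Enabled, Identifier | Format-Table -AutoSize
    } else {
        Write-Host "Target trust: Name=$($target.Name) Enabled=$($target.Enabled)"
        if (-not $target.Enabled) { Write-Warning 'Target relying party trust is disabled.' }
    }
}

# Check 3, WAP side: run this on the Web Application Proxy server to confirm
# the published application points at the expected trust with pre-auth on.
function Test-WapPublishedApplication {
    param([Parameter(Mandatory)][hashtable]$Params)
    $app = Get-WebApplicationProxyApplication |
        Where-Object { $Params.returnUrl -like "$($_.ExternalUrl)*" }
    if (-not $app) {
        Write-Warning "No published application matches returnUrl '$($Params.returnUrl)'."
        return
    }
    $app | Select-Object Name, ExternalUrl, BackendServerUrl,
        ExternalPreauthentication, ADFSRelyingPartyName, ADFSRelyingPartyID |
        Format-List
    if ($app.ADFSRelyingPartyID -ne $Params.appRealm) {
        Write-Warning "Published app's ADFSRelyingPartyID differs from the request's appRealm."
    }
}

$p = Get-SignInRequestParameters -Url $RequestUrl
Test-SignInRequestParameters -Params $p
# On an AD FS BE server:  Test-AdfsTrusts -Params $p
# On the WAP server:      Test-WapPublishedApplication -Params $p
```

Run the parameter check anywhere, `Test-AdfsTrusts` on one of the BE servers, and `Test-WapPublishedApplication` on the WAP. Any warning it prints corresponds to one of the three verification points in the event; a trust whose identifier list does not contain the `realm` or `appRealm` value from the request is the usual reason the MSISHttp handler rejects the request with MSIS7009 while pass-through publishing, which never sends this request to AD FS, keeps working.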