2015-05-12

After working with Microsoft for over a month to try to resolve an issue where Open with Explorer does not work when accessed externally through WAP (Web Application Proxy), we finally have a workaround/resolution.

The issue comes down to a handoff of authentication between protocols/services. This works properly for almost everything once you have configured the session cookies to a value above the default of 0. If you leave the PersistentAccessCookieExpirationTimeSec value at the default, your users will get prompted to log in when opening documents or doing anything else that passes authentication to another application or service. On top of this, though, is the fact that ADFS requires SNI (Server Name Indication).

However, the Open with Explorer option uses WebDAV, which does not support SNI. Once it was determined that this was where things were breaking, a “fallback” certificate could be configured on the WAP server so that a service that does not support SNI could still authenticate properly. The instructions for this are very well detailed in a TechNet blog: http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx

The only place where this workaround may cause an issue would be if your WAP needed to be accessed by multiple services/protocols that did not support SNI (assuming each may need a different certificate). It is still possible to do this by binding different fallback certs to different IP addresses, but I did not need to go down that road.
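
An added example, not taken from the original post or the TechNet article: a PowerShell check, run on the WAP server, that reports whether the fallback (IP:port) binding described above exists and, only with -Apply, creates it from the existing SNI binding. The name sts.example.com is a placeholder for the federation service name; the script assumes English netsh output and that the certificate is in the LocalMachine\My store.

```powershell
param(
    [string]$FederationHost = 'sts.example.com',  # placeholder federation service name
    [switch]$Apply                                 # without -Apply, only report
)

$sniBinding      = "${FederationHost}:443"
$fallbackBinding = '0.0.0.0:443'   # IP:port binding that answers clients sending no SNI

# Read the existing SNI (hostname:port) binding. Assumes English netsh output.
$sni = netsh http show sslcert "hostnameport=$sniBinding" | Out-String
if ($LASTEXITCODE -ne 0) { throw "No SNI binding found for $sniBinding" }
if ($sni -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { throw 'Cannot parse certificate hash' }
$certHash = $Matches[1]
if ($sni -notmatch 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') { throw 'Cannot parse application ID' }
$appId = $Matches[1]

# Refuse to publish a certificate that is missing from the store or already expired.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $certHash
if (-not $cert) { throw "Certificate $certHash not found in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $certHash expired on $($cert.NotAfter)" }

# Is there already a fallback binding, and does it serve the same certificate?
$existing = netsh http show sslcert "ipport=$fallbackBinding" | Out-String
if ($LASTEXITCODE -eq 0 -and $existing -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
    if ($Matches[1] -eq $certHash) {
        Write-Output "Fallback binding $fallbackBinding already serves $certHash"
    } else {
        # Non-SNI clients get this certificate regardless of the host they asked for.
        Write-Warning "Fallback binding serves $($Matches[1]), SNI binding serves $certHash"
    }
    return
}

if ($Apply) {
    netsh http add sslcert "ipport=$fallbackBinding" "certhash=$certHash" "appid=$appId"
    if ($LASTEXITCODE -ne 0) { throw 'netsh failed to add the fallback binding' }
    Write-Output "Added fallback binding $fallbackBinding with certificate $certHash"
} else {
    Write-Output "No fallback binding on $fallbackBinding; re-run with -Apply to add $certHash"
}
```

Because the script compares thumbprints, re-running it after a certificate renewal shows whether the fallback binding still points at the old certificate.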

About the author 

Christopher Scott