I have a very odd problem. I've set up a Web Application Proxy and am using ADFS pre-authentication to pre-authenticate users from the outside to an internal web application that is using integrated Windows authentication (non-claims). I've configured all constrained Kerberos delegation properly (even had Microsoft support confirm the configuration was proper). If I log into the web application through the Web Application Proxy and I log in as a domain admin, the WAP computer account is able to create the Kerberos ticket on the user's behalf and pass it along properly to the web application. However, if I'm not a domain admin, the Kerberos ticket is not created and I get an HTTP error 500. From network captures I've seen the following error: KDC_ERR_C_PRINCIPAL_UNKNOWN
From the event log, we see:
Web Application Proxy encountered an unexpected error while processing the request.
Error: The user name or password is incorrect.
(0x8007052e).
We've obviously confirmed the username and password work just fine and the users are able to access the web application internally (bypassing the WAP) with no issues.
Any thoughts? Thanks in advance.
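A configuration check a practitioner would run on a setup like the one described above, added here as an example and not part of the original post: it reads the WAP computer account's constrained-delegation settings, confirms the backend SPN is registered once, and lists the per-user attributes that stop a ticket being issued on a particular user's behalf. The WAP host name, target SPN and user name are placeholders, and the script assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added diagnostic example (not from the original post). Run on a domain-joined
# host with the ActiveDirectory RSAT module; the three names below are placeholders.
Import-Module ActiveDirectory

$wapHost   = 'WAP01'                       # placeholder: WAP server computer name
$targetSpn = 'http/intranet.corp.example'  # placeholder: SPN of the backend web app
$testUser  = 'jdoe'                        # placeholder: a non-admin user that fails

# 1. The WAP computer account must list the backend SPN in
#    msDS-AllowedToDelegateTo and be trusted for protocol transition
#    (TrustedToAuthForDelegation); without both, S4U2Self/S4U2Proxy cannot succeed.
$wap = Get-ADComputer -Identity $wapHost -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$hasSpn = $wap.'msDS-AllowedToDelegateTo' -contains $targetSpn
"WAP protocol transition enabled        : $($wap.TrustedToAuthForDelegation)"
"WAP may delegate to $targetSpn : $hasSpn"

# 2. The target SPN must be registered on exactly one account; a missing or
#    duplicate SPN surfaces as a KDC error rather than a clear message.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$targetSpn)")
"Accounts holding $targetSpn : $($spnOwners.Count)"

# 3. Per-user settings that block delegation for that user only, which is the
#    pattern to look for when admins succeed and ordinary users do not.
$u = Get-ADUser -Identity $testUser -Properties AccountNotDelegated, MemberOf, UserPrincipalName
$protected = $u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' }
"User 'sensitive, cannot be delegated' : $($u.AccountNotDelegated)"
"User in Protected Users group         : $([bool]$protected)"
"User UPN (the name S4U2Self looks up) : $($u.UserPrincipalName)"
```

Compare the output for a user that works and one that fails; any line that differs between the two is the place to look first.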