Subsequent to publishing a SharePoint 2010 Kerberos web application using the step-by-step guide on TechNet, I'm getting HTTP 400 (Bad Request) errors with the following event logged on the domain-joined Web Application Proxy server. I can see Kerberos authentication working correctly when I authenticate directly to the web application. In addition, I've also published this web application using Kerberos constrained delegation with Forefront UAG previously, so I am confident that the Kerberos delegation to the WAP servers is set up correctly in ADUC.
Accordingly, as the error suggests, I know this is something specific to the Web Application Proxy failing to validate the edge token received from the ADFS 3.0 server. Has anyone else seen this before and can point me in the right direction?
Web Application Proxy received a nonvalid edge token signature.
Error: Edge Token signature mismatch. edgeTokenHelper.ValidateTokenSignature failed: Exception while validating token: Cannot find the requested object.
Received token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imo4UE5iVmVrMnNmaXZkSGQ0Y0JFeUxOYUVMWSJ9.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.HRRl3vDbUQokRXMny5tPGZQCsSFfzo8UKYqH2C19MgtVxyhEOBAjVxdKvypEbEq1KMX2Kzcw2Rb07O5S9ozcopvjalmkMchBX-fU8JWG0vEcojgf5m9Wijgb3nyKnhUrsdG0_cXTMB75kaGdvNVPJX6i1IfnjePFHdrdm2hLsxbC66BITXU-7neI0dKSlZQMxvPMRlEn81JGqR_iBLmn_WxjXpBDxGFNzlXR719oFUQyIgpOoxpjh7z2xGjuA9IhXfJXGhNiXJuYppXr5B0Mf1pc0it3mgkujwRP8Uen9Y_w79A3q188sV_0BR8g34lw6uZjuM0zqN4kPHTmvzZPyA
Details:
Transaction ID: {6524EE9C-5C29-0001-1FF1-2465295CCF01}
Session ID: {6524EE9C-5C29-0001-1EF1-2465295CCF01}
Published Application Name: <redacted>
Published Application ID: 5C32A580-57D8-BBC3-0496-C7B6A4F60AF2
Published Application External URL: <redacted>
Published Backend URL: <redacted>
User: <Unknown>
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; InfoPath.3)
Device ID: <Not Applicable>
Token State: Invalid
Cookie State: NotFound
Client Request URL: <redacted>?authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imo4UE5iVmVrMnNmaXZkSGQ0Y0JFeUxOYUVMWSJ9.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.7neI0dKSlZQMxvPMRlEn81JGqR_iBLmn_WxjXpBDxGFNzlXR719oFUQyIgpOoxpjh7z2xGjuA9IhXfJXGhNiXJuYppXr5B0Mf1pc0it3mgkujwRP8Uen9Y_w79A3q188sV_0BR8g34lw6uZjuM0zqN4kPHTmvzZPyA&client-request-id=6524ee9c-5c29-0001-1ef1-2465295ccf01
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode:
State Machine State: Idle
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
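
An added example, not part of the original post: the first dot-separated segment of the "Received token" value in the event above is a JWT header, and its x5t field names the certificate that signed the token. The Python below decodes that segment and converts x5t into the hex thumbprint format that Windows certificate tools display, so it can be compared with the thumbprint of the AD FS token-signing certificate; the function names are hypothetical and nothing here verifies the signature itself.

```python
import base64
import json

# Header segment copied from the "Received token" line in the event above.
EDGE_TOKEN_HEADER = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6"
    "Imo4UE5iVmVrMnNmaXZkSGQ0Y0JFeUxOYUVMWSJ9"
)


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Parse only the header (first segment); the rest of the token is ignored."""
    header = json.loads(b64url_decode(token.split(".", 1)[0]))
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    return header


def signing_cert_thumbprint(token: str) -> str:
    """Return x5t (base64url SHA-1 of the signing cert) as an upper-case hex thumbprint."""
    x5t = jwt_header(token).get("x5t")
    if not x5t:
        raise ValueError("token header carries no x5t claim")
    raw = b64url_decode(x5t)
    if len(raw) != 20:
        raise ValueError("x5t is not a 20-byte SHA-1 thumbprint")
    return raw.hex().upper()


def signed_by_known_cert(token: str, known_thumbprints) -> bool:
    """Compare against thumbprints as pasted from a certificate dialog or console."""
    wanted = signing_cert_thumbprint(token)
    normalised = {t.replace(" ", "").upper() for t in known_thumbprints}
    return wanted in normalised


if __name__ == "__main__":
    print(jwt_header(EDGE_TOKEN_HEADER))
    print("Signing certificate thumbprint:", signing_cert_thumbprint(EDGE_TOKEN_HEADER))
```

Pass signed_by_known_cert the thumbprints of the token-signing certificates the proxy is expected to trust; a False result means the token was signed with a certificate outside that set.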