How to troubleshoot remote access to Work Folders using Azure AD Application Proxy

Introduction

Work Folders now supports using Azure Active Directory Application Proxy to enable remote users to securely access their files on the Work Folders server. For more details, please see the following blog: Enable remote access to Work Folders using Azure Active Directory Application Proxy

This Wiki covers how to troubleshoot Work Folders client errors that you may encounter when using Azure AD Application Proxy to remotely access the Work Folders server.

Note: Work Folders has clients for Android, iOS and Windows. The error message varies by client, which is why multiple error messages are listed for each issue.

Issue: Invalid URL is provided for the Work Folders proxy application when configuring the Work Folders client

Client errors:

  • Windows: The server name or address could not be resolved (0x80072ee7)
  • Android or iOS: Couldn’t find your organization – try entering a Work Folders URL instead

To verify the URL for the Work Folders proxy application, perform the following steps:

  • Sign in to Azure with your global administrator account.
  • Click Azure Active Directory and verify the directory that was used to create the Work Folders proxy application is selected.
  • Click Enterprise applications and then click All applications.
  • Select the Work Folders proxy application and then click Application Proxy.
  • The URL for the Work Folders proxy application will be listed as External URL.

Note: This issue can also occur if the msDS-SyncServerURL property in Active Directory is defined for the remote user. If the msDS-SyncServerURL property is defined, the Work Folders client will try to access an internal URL that’s not accessible through Azure AD Application Proxy. When using Azure AD Application Proxy, you need to create unique proxy applications for each Work Folders server.
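
The two causes of this error (an External URL that does not resolve, or an msDS-SyncServerURL value on the user) can also be checked from PowerShell. This is an added example, not part of the original article; the function name and the sample URL and user are hypothetical, and it assumes the ActiveDirectory (RSAT) and DnsClient modules are installed.

```powershell
# Added example: scripted versions of the two checks for error 0x80072ee7.
# Test-WorkFoldersClientUrl and its parameter names are hypothetical.
# Requires the ActiveDirectory (RSAT) and DnsClient modules.
function Test-WorkFoldersClientUrl {
    param(
        [Parameter(Mandatory)] [string] $ExternalUrl,    # External URL shown on the Application Proxy page
        [Parameter(Mandatory)] [string] $SamAccountName  # remote user who sees the error
    )

    # Check 1: the External URL must parse and its host name must resolve.
    # Run this from a network the remote client would use, not only from the LAN.
    $uri = $null
    $wellFormed = [Uri]::TryCreate($ExternalUrl, [UriKind]::Absolute, [ref]$uri)
    $resolves = $false
    if ($wellFormed) {
        $records  = Resolve-DnsName -Name $uri.Host -ErrorAction SilentlyContinue
        $resolves = [bool]$records
    }

    # Check 2: if msDS-SyncServerUrl is set on the user, the client tries that
    # internal URL, which is not reachable through Azure AD Application Proxy.
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SyncServerUrl'
    $internalUrls = @($user.'msDS-SyncServerUrl' | Where-Object { $_ })

    [pscustomobject]@{
        ExternalUrl      = $ExternalUrl
        WellFormed       = $wellFormed
        HostResolves     = $resolves
        SyncServerUrlSet = ($internalUrls.Count -gt 0)
        SyncServerUrl    = $internalUrls
    }
}

# Placeholder values; substitute your External URL and the affected user.
# Test-WorkFoldersClientUrl -ExternalUrl 'https://workfolders.example.com' -SamAccountName 'jdoe'
```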

Issue: User doesn’t have access to the Work Folders proxy application

Client errors:

  • Windows: Access is denied (0x80070005) or An unexpected error occurred (0xcaa20004)
  • Android: Will continually ask for credentials (no error provided)
  • iOS: There was a problem with your user account or with your organization’s Active Directory Federation Services configuration.

To give a user or group access to the Work Folders proxy application, perform the following steps:

  • Sign in to Azure with your global administrator account.
  • Click Azure Active Directory and verify the directory that was used to create the Work Folders proxy application is selected.
  • Click Enterprise applications and then click All applications.
  • Select the Work Folders proxy application and then click Users and groups.
  • Click Add user, select the users or groups that need access to the Work Folders proxy application and click Assign.

Issue: Permissions for the Work Folders native application are incorrect

Client errors:

  • Windows: We received a bad request or AADSTS70001: Application with identifier '168F3EE4-63FC-4723-A61A-6473F6CB515C' was not found in the directory
  • Android or iOS: There was a problem with your user account or with your organization’s Active Directory Federation Services configuration.

To resolve this issue, perform the following steps:

  • Sign in to Azure with your global administrator account.
  • Click Azure Active Directory and verify the directory that was used to create the Work Folders proxy application is selected.
  • Click App registrations and then click the Work Folders Native application.
  • Select Required permissions under Settings.
  • Click Windows Azure Active Directory, grant the following permissions and click Save:
    • Sign in and read user profile
    • Access the directory as the signed-in user
  • Under Required permissions, click Add, click Select an API, select Windows Azure Service Management API and click Select.
  • On the Select Permissions for Windows Azure Service Management API page, grant the following permission, click Select and then click Done:
    • Access Azure Service Management as organization users
  • Under Required permissions, click Add, click Select an API, in the search box type Work Folders Proxy (or the name of the Work Folders proxy application).
  • Click Work Folders Proxy and then click Select.
  • On the Select Permissions for Work Folders Proxy page, grant the following permission, click Select and then click Done:
    • Access Work Folders Proxy

Note: If you have multiple Work Folders servers and you created multiple Work Folders proxy applications, repeat the steps above to give the Work Folders native application access to all Work Folders proxy applications.

  • Verify the following applications are listed under the Required Permissions section:

Issue: User doesn’t have access to a Sync Share on the Work Folders server

Client errors:

  • Windows: You're not set up on the server. Email your organization’s tech support and ask them if they can give you access to Work Folders. (0x80c80037)
  • Android or iOS: Share discovery failed

To give a user or group access to a Sync Share, perform the following steps on the Work Folders server:

  • Open Server Manager, click File and Storage Services and then click Work Folders.
  • Right-click the Sync Share and click Properties.
  • Click Sync Access, click Add and enter the user or group that needs access to the Sync Share.
  • Click OK to close the Sync Share properties and verify the user or group is listed under Users.

Note: This issue can also occur if a Work Folders server running Windows Server 2012 R2 is unable to contact a domain controller when the Windows Sync Share (SyncShareSvc) starts. To resolve this issue, restart the Windows Sync Share (SyncShareSvc) once the domain controller is online. This issue has been fixed on Windows Server 2016.

Issue: Azure AD Application Proxy service is unable to communicate with the Application Proxy Connector or the Application Proxy Connector is unable to communicate with the Work Folders server

Client errors:

  • Windows: Unspecified error (0x80004005)
  • Android: Unexpected server error. Please try again.
  • iOS: The server returned HTTP error status: 410

To verify the Application Proxy Connector status, perform the following steps:

  • In the Azure portal, click Azure Active Directory and verify the directory that was used to create the Work Folders proxy application is selected.
  • Click Application proxy.
  • In the Connector groups and connectors section, verify the connector is listed and the status is Active.
  • If the connector status is Inactive, verify the Application Proxy Connector server is online and the Microsoft AAD Application Proxy Connector (WAPCSvc) service is running.

If the Application Proxy Connector status is Active, verify the Work Folders server is online and the Windows Sync Share (SyncShareSvc) service is running.
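
The service checks on both hops can be run in one pass. This is an added example, not part of the original article; the function name and server names are hypothetical, and it assumes PowerShell remoting is enabled on the Application Proxy Connector server and the Work Folders server.

```powershell
# Added example: checks both hops behind error 0x80004005 / HTTP 410.
# Get-WorkFoldersProxyPathStatus and its parameter names are hypothetical.
# Assumes PowerShell remoting is enabled on both servers.
function Get-WorkFoldersProxyPathStatus {
    param(
        [Parameter(Mandatory)] [string] $ConnectorServer,
        [Parameter(Mandatory)] [string] $WorkFoldersServer
    )

    # Same order as the portal procedure: connector service first,
    # then the Windows Sync Share service on the Work Folders server.
    $hops = @(
        @{ Computer = $ConnectorServer;   Service = 'WAPCSvc' },
        @{ Computer = $WorkFoldersServer; Service = 'SyncShareSvc' }
    )

    foreach ($hop in $hops) {
        $status = 'Unknown'   # stays Unknown if the server or service cannot be queried
        $detail = ''
        try {
            $status = Invoke-Command -ComputerName $hop.Computer -ErrorAction Stop `
                -ArgumentList $hop.Service -ScriptBlock {
                    param($name)
                    (Get-Service -Name $name -ErrorAction Stop).Status.ToString()
                }
        } catch {
            $detail = $_.Exception.Message
        }

        [pscustomobject]@{
            Computer = $hop.Computer
            Service  = $hop.Service
            Status   = $status
            Healthy  = ($status -eq 'Running')
            Detail   = $detail
        }
    }
}

# Placeholder server names; substitute your own.
# Get-WorkFoldersProxyPathStatus -ConnectorServer 'APPPROXY01' -WorkFoldersServer 'WF01'
```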

Issue: Work Folders proxy application timed out when trying to auto-discover the Work Folders native application

Client errors:

  • Windows: The operation timed out (0x80072ee2)
  • Android or iOS: The exact error text is not available; the error should indicate that the operation timed out

This issue can occur if you have a lot of applications in Azure AD: the Work Folders proxy application times out when trying to auto-discover the Work Folders native application. You can bypass the auto-discover process by updating the Work Folders proxy application with the Application ID of the Work Folders native application.

To do this, perform the steps below:

  • Sign in to Azure with your global administrator account.
  • Click Azure Active Directory and verify the directory that was used to create the Work Folders proxy application is selected.
  • Click App registrations and then click the Work Folders Native application.
  • Copy the Application ID for the Work Folders Native application.

Example: The Application ID is b651daa4-b17f-4333-b8fa-73d4ece197b6

  • Close the Work Folders Native application.
  • On the App Registrations page, click the Work Folders proxy application.

  • Click Manifest, scroll down to the knownClientApplications value, and enter the Application ID for the Work Folders Native application.

  • Click Save and then close the Work Folders proxy application.       
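
After saving, the manifest can be checked offline to confirm the Application ID landed in knownClientApplications. This is an added example, not part of the original article: the manifest fragment is constructed (only the Application ID comes from the example above), and the function name is hypothetical.

```powershell
# Added example: verifies that the native application's Application ID is
# listed in knownClientApplications of the proxy application's manifest.
# The manifest below is a constructed fragment; appId is a placeholder.
$manifestJson = @'
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "Work Folders Proxy",
  "knownClientApplications": [
    "b651daa4-b17f-4333-b8fa-73d4ece197b6"
  ]
}
'@

# Test-KnownClientApplication is a hypothetical helper name.
function Test-KnownClientApplication {
    param(
        [Parameter(Mandatory)] [string] $ManifestJson,
        [Parameter(Mandatory)] [string] $NativeAppId
    )

    # Reject anything that is not a GUID (for example a display name pasted by mistake).
    $wanted = [guid]::Empty
    if (-not [guid]::TryParse($NativeAppId, [ref]$wanted)) {
        throw "NativeAppId '$NativeAppId' is not a valid Application ID (GUID)."
    }

    $manifest = $ManifestJson | ConvertFrom-Json
    $known = @($manifest.knownClientApplications | Where-Object { $_ })

    # Compare as GUIDs so letter case and surrounding braces do not matter.
    foreach ($entry in $known) {
        $candidate = [guid]::Empty
        if ([guid]::TryParse($entry, [ref]$candidate) -and $candidate -eq $wanted) {
            return $true
        }
    }
    return $false
}

Test-KnownClientApplication -ManifestJson $manifestJson `
    -NativeAppId 'b651daa4-b17f-4333-b8fa-73d4ece197b6'
```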
