Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The user name or password is incorrect.

Hi,

I've been setting up Azure App Proxy to our onpremises sharepoint farm and it works fine, for some users, but for others we get this issue. 

If i login to SharePoint with the onpremises account it works fine and i can access sharepoint. However when i try and connect in through App Proxy we get this error message being shown in the connector logs

Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The user name or password is incorrect.

and this error is generated on the sign in page to the user. 

Forbidden: This corporate app can't be accessed. 

Next Steps

The user could not be authorized. Make sure the user is defined in your on-premises AD and that the user has access to the app in your on-premises AD. 

Within the app proxy sign in i've tried using on-premises AD username and OnPremises user principalname, but get the same error. 

The on-premises AD is syncronised to Azure AD and using pass through authentication. The onpremises UPN is the same as the AAD UPN. 

Any advice on what would cause this error? 

Thanks

Denis

Regards,

Denis Cooper

MCITP EA - MCT

Help keep the forums tidy, if this has helped please mark it as an answer