Can I use IIS to do ActiveDirectory single-sign-on for another website?
The simplest solution to this is to use ISA server (or Forefront TMG) as a reverse proxy for the website. You can configure the ISA rule for the website to authenticate user access via AD.
You can also manipulate host headers from the site, and should be able to achieve what you want via the HTTP policy options for the website's rule.
I don't believe the functionality you require is available in IIS.
brofield, updated on September 17, 2022
brofield, over 1 year ago:
I'm trying to add Active Directory single-sign-on support to an existing SOAP server. The server can be configured to accept a trusted reverse-proxy and use the X-Remote-User HTTP header for the authenticated user. I want to configure IIS to be the trusted proxy for this service, so that it handles all of the Active Directory authentication for the SOAP server.
Basically IIS would have to accept HTTP connections on port X and URL Y, do all the authentication, and then proxy the connection to a different server (most likely the same X and Y).
Unfortunately, I have no knowledge of IIS or AD (so I am trying my best to learn enough to build this solution) so please be gentle. I would assume that this is not an uncommon scenario, so is there some easy way to do this?
Is this sort of functionality built into IIS or do I need to build some sort of IIS proxy program myself?
Is there a better option for getting the authentication done and the X-Remote-User HTTP header set than requiring IIS?
Update:
For example, what I am trying to create is:
    [CLIENT]          [IIS]          [AD]     [SOAP-SERVER]
 1.    |---------------->|
 2.    |<--------------->|<---------->|
 3.                      |--------------------------->|
 4.                      |<---------------------------|
 5.    |<----------------|

1. POST to http://example.com/foo/bar.cgi
2. Client is not authenticated, so do authentication
3. Once validated, send request to server (X-Remote-User: {userid})
4. Process request, send response
5. Forward response to client
I need to know how to configure IIS to do the automatic authentication of the user using AD, and then to proxy the request to the actual server, sending the userid in the X-Remote-User HTTP header.
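As an added illustration of steps 2 and 3 of the flow above (not part of the original question or any answer on this page), the site-level web.config below shows how IIS itself can play the trusted-proxy role. It assumes IIS 7 or later with the URL Rewrite and Application Request Routing (ARR) modules installed and ARR's proxy mode enabled at server level; the backend host name `soap-backend.internal:8080` is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Site-level web.config for the IIS front end in the question.
     Assumptions (not from the page): IIS 7+ with URL Rewrite and ARR
     installed, ARR proxy enabled server-wide, and a SOAP backend
     reachable at http://soap-backend.internal:8080 (placeholder). -->
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <!-- Step 2 of the diagram: refuse anonymous callers so every
             request reaching the rewrite rule carries a Windows
             (Kerberos/NTLM) identity validated against AD. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
    <rewrite>
      <rules>
        <!-- Step 3: forward the authenticated request to the backend. -->
        <rule name="Proxy to SOAP server" stopProcessing="true">
          <match url="^foo/(.*)" />
          <serverVariables>
            <!-- Setting the HTTP_X_REMOTE_USER server variable emits an
                 X-Remote-User request header. LOGON_USER is the IIS
                 server variable holding DOMAIN\user of the authenticated
                 caller. "set" overwrites, so an X-Remote-User header
                 supplied by the client never reaches the backend intact. -->
            <set name="HTTP_X_REMOTE_USER" value="{LOGON_USER}" />
          </serverVariables>
          <action type="Rewrite" url="http://soap-backend.internal:8080/foo/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two prerequisites sit outside this file: `HTTP_X_REMOTE_USER` must be added to the server-level `allowedServerVariables` list (IIS Manager, URL Rewrite, "View Server Variables"), and the `authentication` sections must be unlocked in applicationHost.config for a site to override them. On the SOAP side, keep the header trustworthy by accepting `X-Remote-User` only on connections that originate from the proxy (source address or a proxy-to-backend certificate), since anyone who can reach the backend directly could otherwise set it themselves.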
-
brofield, over 12 years ago: I'll add a follow-up for this problem: because the customer was running PHP on IIS (to run our app), it was easier to just write a simple PHP proxy. This has turned into our standard solution for IIS as a reverse proxy (for our service).
-
brofield, almost 14 years ago: Thanks for the reply, Chris. The ISA server may provide a good solution; however, I can't imagine my customers wanting to pony up the cash for it. From what I read (although a lot of the terminology escapes me), it appears that Apache can do something like this via ntlm and proxy modules. IIS doesn't have something similar?
-
Aashraya Singal, almost 14 years ago: My IIS knowledge isn't strong enough to answer authoritatively on that score. Server-side forwarding is possible in IIS, but I'm not sure it'll provide the authentication you're after as part of the deal. Hopefully someone with more IIS experience will weigh in shortly :)
-
brofield, almost 14 years ago: Thanks Goyuix for your comments. I have played with iisproxy.net, but due to zero knowledge of IIS I was getting lost in configuration. I'll recommend the ISA server, and hopefully if they don't want to use it then they will find their own solution.