Can I use IIS to do ActiveDirectory single-sign-on for another website?

The simplest solution to this is to use ISA server (or Forefront TMG) as a reverse proxy for the website. You can configure the ISA rule for the website to authenticate user access via AD.

You can also manipulate host headers from the site, and should be able to achieve what you want via the HTTP policy options for the website's rule.

I don't believe the functionality you require is available in IIS.


Updated on September 17, 2022

Comments

  • brofield
    brofield over 1 year

    I'm trying to add Active Directory single-sign-on support to an existing SOAP server. The server can be configured to accept a trusted reverse-proxy and use the X-Remote-User HTTP header for the authenticated user. I want to configure IIS to be the trusted proxy for this service, so that it handles all of the Active Directory authentication for the SOAP server.

    Basically IIS would have to accept HTTP connections on port X and URL Y, do all the authentication, and then proxy the connection to a different server (most likely the same X and Y).

    Unfortunately, I have no knowledge of IIS or AD (so I am trying my best to learn enough to build this solution) so please be gentle. I would assume that this is not an uncommon scenario, so is there some easy way to do this?

    1. Is this sort of functionality built into IIS or do I need to build some sort of IIS proxy program myself?

    2. Is there a better option for getting the authentication done and the X-Remote-User HTTP header set than requiring IIS?

    Update:

    For example, what I am trying to create is:

      [CLIENT]            [IIS]         [AD]        [SOAP-SERVER]
    1.    |---------------->| 
    2.    |<--------------->|<---------->| 
    3.                      |--------------------------->| 
    4.                      |<---------------------------| 
    5.    |<----------------| 
    
    1. POST to http://example.com/foo/bar.cgi
    2. Client is not authenticated, so do authentication
    3. Once validated, send request to server (X-Remote-User: {userid})
    4. Process request, send response
    5. Forward response to client
    

    I need to know how to configure IIS to do the automatic authentication of the user using AD, and then to proxy the request to the actual server, sending the userid in the X-Remote-User HTTP header.

    • brofield
      brofield over 12 years
      I'll add a follow-up for this problem: because the customer was running PHP on IIS (to run our app), it was easier to just write a simple PHP proxy. This has turned into our standard solution for IIS as a reverse proxy (for our service).
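The PHP proxy mentioned in the follow-up above, written out as an added example; it is not the original poster's code, which the page does not show. It assumes IIS has Windows Authentication enabled and Anonymous Authentication disabled for the directory holding `proxy.php`, that PHP runs under IIS FastCGI with the curl extension loaded, and that the backend address `soap-backend.internal:8080` and the backend's expectation of a bare account name in `X-Remote-User` are as assumed here. By the time the script runs, IIS has already authenticated the user against AD (steps 1 and 2 of the diagram); the script's job is steps 3 to 5, and in particular to overwrite, never pass through, the `X-Remote-User` header so that a client cannot choose its own identity.

```php
<?php
// proxy.php: added example, not the original poster's code.
// IIS performs the Active Directory authentication (Windows Authentication on,
// Anonymous Authentication off for this directory). This script forwards the
// request to the SOAP server and sets X-Remote-User to the IIS-authenticated
// identity. The backend address and the header format are assumptions.

$backend = 'http://soap-backend.internal:8080';   // assumed backend address

// Identity set by IIS after a successful Windows authentication. If it is
// missing, anonymous access is enabled where it should not be: refuse.
$logon = $_SERVER['LOGON_USER'] ?? $_SERVER['AUTH_USER'] ?? $_SERVER['REMOTE_USER'] ?? '';
if ($logon === '') {
    http_response_code(401);
    exit('Authentication required');
}
// IIS reports DOMAIN\account; send the account name only (assumed backend expectation).
$pos = strrpos($logon, '\\');
$userid = $pos === false ? $logon : substr($logon, $pos + 1);

// Headers that must not be forwarded: hop-by-hop headers, the client's
// Negotiate/NTLM Authorization header and, critically, any X-Remote-User the
// client sent. This proxy is the only legitimate source of that header.
$drop = ['host', 'connection', 'keep-alive', 'proxy-authorization', 'te',
         'trailer', 'transfer-encoding', 'upgrade', 'content-length',
         'expect', 'authorization', 'x-remote-user'];
$headers = [];
foreach (getallheaders() as $name => $value) {
    if (!in_array(strtolower($name), $drop, true)) {
        $headers[] = $name . ': ' . $value;
    }
}
$headers[] = 'X-Remote-User: ' . $userid;

// Forward to the same path and query string on the backend ("same X and Y").
$ch = curl_init($backend . $_SERVER['REQUEST_URI']);
$respHeaders = [];
curl_setopt_array($ch, [
    CURLOPT_CUSTOMREQUEST  => $_SERVER['REQUEST_METHOD'],
    CURLOPT_HTTPHEADER     => $headers,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,   // never follow redirects on the client's behalf
    CURLOPT_TIMEOUT        => 60,
    CURLOPT_HEADERFUNCTION => function ($ch, $line) use (&$respHeaders) {
        $respHeaders[] = trim($line);
        return strlen($line);
    },
]);
$body = file_get_contents('php://input');
if ($body !== '') {
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);   // SOAP envelope, sent byte for byte
}

$respBody = curl_exec($ch);
if ($respBody === false) {
    error_log('proxy.php upstream error: ' . curl_error($ch));
    http_response_code(502);
    exit('Upstream error');
}
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Relay the status and the end-to-end response headers; PHP recomputes
// Content-Length, and chunked encoding from the backend must not leak through.
http_response_code($status);
$dropResp = ['connection', 'keep-alive', 'transfer-encoding', 'content-length',
             'trailer', 'upgrade'];
foreach ($respHeaders as $line) {
    $colon = strpos($line, ':');
    if ($colon === false) {
        continue;   // status line or blank separator
    }
    if (!in_array(strtolower(substr($line, 0, $colon)), $dropResp, true)) {
        header($line, false);
    }
}
echo $respBody;
```

Two things make this safe rather than merely functional. First, the script is only trustworthy if the IIS directory it lives in really refuses anonymous requests; the 401 branch is a guard against misconfiguration, not a substitute for it. Second, the SOAP server must accept `X-Remote-User` only from this host (firewall rule, IP allow-list or a private interface), because anyone who can reach the backend directly can send any `X-Remote-User` value they like. The question already describes the backend as trusting a specific reverse proxy; that trust has to be enforced at the network or transport layer, not merely configured.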
  • brofield
    brofield almost 14 years
    Thanks for the reply, Chris. The ISA server may provide a good solution; however, I can't imagine my customers wanting to pony up the cash for it. From what I read (although a lot of the terminology escapes me), it appears that Apache can do something like this via ntlm and proxy modules. IIS doesn't have something similar?
  • Aashraya Singal
    Aashraya Singal almost 14 years
    My IIS knowledge isn't strong enough to answer authoritatively on that score. Server-Side Forwarding is possible in IIS but I'm not sure it'll provide the authentication you're after as part of the deal. Hopefully someone with more IIS experience will weigh in shortly :)
  • brofield
    brofield almost 14 years
    Thanks, Goyuix, for your comments. I have played with iisproxy.net but due to zero knowledge of IIS I was getting lost in configuration. I'll recommend the ISA server, and hopefully if they don't want to use it then they will find their own solution.