IIS ARR pass-through Windows authentication does not work
I finally found a solution for us:
Since we don't have the requirement for "multi-hop" authentication (=Kerberos) I was able to force NTLM. On the web server under Authentication (site) I changed the providers for Windows Authentication and removed everything but NTLM. So NTLM is the only available way for authentication.
On the ARR I changed everything back to the original settings and enabled anonymous access only. Then ARR is able to pass-through the authentication to the web server.
In my opinion Microsoft has a bug in the Kerberos handling and it does not depend on whether the authentication is processed in the kernel or by the ARR.
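The two settings described in this answer, written out as applicationHost.config fragments. This is an added example, not part of the original post; the site names `WebApp` and `ArrProxy` are assumptions, and each fragment belongs on its own server.

```xml
<!-- Back-end web server: applicationHost.config -->
<!-- "WebApp" is an assumed site name. -->
<location path="WebApp">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <!-- Drop the inherited providers (Negotiate is normally listed first) -->
            <clear />
            <!-- NTLM is the only provider the site will offer -->
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>

<!-- ARR server: applicationHost.config -->
<!-- "ArrProxy" is an assumed site name. -->
<location path="ArrProxy">
  <system.webServer>
    <security>
      <authentication>
        <!-- ARR itself does not authenticate; the challenge comes from the back end -->
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

With this in place, an unauthenticated request to the web server should get a 401 whose only challenge header is `WWW-Authenticate: NTLM`, and the same header should be visible when the request goes through ARR.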
Arsenio Aguirre
Updated on September 18, 2022
Comments
-
Arsenio Aguirre over 1 year
I am creating a web application. I have enabled login with Google OpenID Connect and it is working. Now I want to protect the resources (REST API) with the access_token, but I cannot find how to pass a custom audience (https://api.myapp.com) and custom scopes (read:users add:users) to create the access_token. Is it possible to create a custom audience and scope with Google OpenID Connect to protect my resources?
If I don't validate the access_token (audience and scopes) I can compromise my web application.
Thanks in advance.
Regards, Arsenio
-
BE77Y about 9 years
Can you list the things you have tried, please?
-