IIS enable authentication for reverse proxy


Solution 1

Doesn't appear to be natively supported in IIS.

Solution 2

The more accepted method to do this is to use Application Request Routing (ARR) - but this requires setting up an additional AD FS (Active Directory Federation Services) Server.

I was recently looking to do the same as you for an instance of Kibana, and happened to find this help blog: https://www.smbadmin.com/2017/07/securing-kibana-with-iis-reverse-proxy.html

As links are not considered a good answer on stack, I'll summarize:

  1. Install IIS with Web Server role along with URL Authorization, Windows Authentication, and Management Tools.
  2. Configure the IIS Reverse Proxy with the URL Rewrite module. This can require some tinkering, depending on the nature of the website/web app on the backend, and in some cases it can completely fail (more about that later).
  3. Set up SSL (Optional) - The proxy accepts traffic coming in via https - and the backend can use http because it is a private connection. A good way of securing sites/apps that aren't SSL enabled.
  4. Set up Authentication - using the Authentication module for the IIS website, disable anonymous and enable the preferred method, in my case "Windows Authentication".
  5. Set up Authorization Rules - Delete the allow all default rule and add an allow rule for the AD users or groups that should have access.

This worked great for my Kibana installation, so I decided to deploy it for Jenkins and a number of other websites and web applications; with some tweaks I got most working.

However, a caveat: some sites I tried this with just would not take. With Confluence, for example, the authorization popup would continually come up on every page refresh. Another obscure, custom web app that is closed source used some poor web development practices that could continually cause 500 and bad redirects.

I may try setting up ARR in the future to see if that works better in these instances, but ARR is outside the scope of your original question.
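
Steps 4 and 5 above written out as configuration, as an added example that is not part of the original answer or the linked blog. The site name `ReverseProxySite` is a placeholder, the group is the `domain\desiredgroup` from the question, and the fragment assumes the authentication sections are still locked at server level (the IIS default), which is why it is shown as a `<location>` block in applicationHost.config rather than in the site's web.config.

```xml
<!-- applicationHost.config (%windir%\System32\inetsrv\config), inside <configuration>.
     Requires the URL Authorization and Windows Authentication features from step 1.
     The reverse proxy rule from step 2 is assumed to exist already and is not shown. -->
<location path="ReverseProxySite"> <!-- placeholder site name -->
  <system.webServer>
    <security>
      <authentication>
        <!-- Step 4: no anonymous requests; the client must authenticate
             at the proxy before anything is forwarded to the backend. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <authorization>
        <!-- Step 5: remove the inherited default rule, which is
             accessType="Allow" users="*" and lets every authenticated user in. -->
        <remove users="*" roles="" verbs="" />
        <!-- Allow only the intended AD group. No deny rule is added:
             a request that matches no allow rule is rejected. -->
        <add accessType="Allow" users="" roles="domain\desiredgroup" />
      </authorization>
    </security>
  </system.webServer>
</location>
```

IIS URL Authorization evaluates deny rules before allow rules and rejects any request that matches no rule, so the single allow rule is sufficient. A deny rule for a broader group that also contains the intended users would block them too.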

Author by

Tim Brigham

Updated on September 18, 2022

Comments

  • Tim Brigham almost 2 years

    I'm moving a reverse proxy config from Apache to IIS. A few of these sites need to authenticate at the proxy before going forward. These are on a separate IIS site for simplicity. How do I specify that this site and / or the reverse proxies I have configured within it can be used by a specific AD group?

    What I've tried:

    The below are done with only windows authentication enabled in IIS. All are Server 2016 / IIS 10.

    1. Setting the NTFS permissions on the folder hosting the reverse proxy site to only the domain\desiredgroup and the proxy\iis_iusrs groups, but this didn't help - it's still allowing any domain\domain users through.

    2. Editing the authentication rules with domain\desiredgroup having access and domain\domain users being denied. This blocks everyone.

  • Tim Brigham about 5 years
    @tremor I'd love to see that documented. I spent weeks looking for a solution.
  • tremor about 5 years
    I've posted what I've done and the resource I used as an answer. I have this working in about 4/5 instances - some backend sites/apps just aren't compatible - but that's the app's fault and not the IIS reverse proxy with authentication.