2

I'm moving a reverse proxy config from Apache to IIS. A few of these sites need to authenticate at the proxy before going forward. These are on a separate IIS site for simplicity. How do I specify that this site and / or the reverse proxies I have configured within it can be used by a specific AD group?

What I've tried:

The below are done with only windows authentication enabled in IIS. All are Server 2016 / IIS 10.

  1. Setting the NTFS permissions on the folder hosting the reverse proxy site to only the domain\desiredgroup and the proxy\iis_iusrs groups, but this didn't help - it's still allowing any domain\domain users through.

  2. Editing the authentication rules with domain\desiredgroup having access and domain\domain users being denied. This blocks everyone.

2 Answers

2

The more accepted method to do this is to use Application Request Routing (ARR) - but this requires setting up an additional AD FS (Active Directory Federation Services) Server.

I was recently looking to do the same as you for an instance of Kibana, and happened to find this help blog: https://www.smbadmin.com/2017/07/securing-kibana-with-iis-reverse-proxy.html

As links are not considered a good answer on stack, I'll summarize:

  1. Install IIS with Web Server role along with URL Authorization, Windows Authentication, and Management Tools.
  2. Configure the IIS Reverse Proxy with the URL Rewrite module. This can require some tinkering, depending on the nature of the website/web app on the backend, and in some cases it can completely fail (more about that later).
  3. Set up SSL (optional) - the proxy accepts traffic coming in via https, and the backend can use http because it is a private connection. A good way of securing sites/apps that aren't SSL enabled.
  4. Set up authentication - using the Authentication module for the IIS website, disable anonymous and enable the preferred method, in my case "Windows Authentication".
  5. Set up authorization rules - delete the default allow-all rule and add an allow rule for the AD users or groups that should have access.

This worked great for my Kibana installation, so I decided to deploy it for Jenkins and a number of other websites and web applications; with some tweaks I got most of them working.

However, a caveat: some sites I tried this with just would not take. Confluence, for example: the authorization popup would continually come up on every page refresh. Another obscure, closed-source custom web app used some poor web development practices that continually caused 500 errors and bad redirects.

I may try setting up ARR in the future to see if that works better in these instances, but ARR is outside the scope of your original question.
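
Steps 2, 4 and 5 above, written out as the site-level web.config that IIS Manager produces. This is an added example, not the blog's or the answerer's own config; the backend URL `http://backend.internal:5601/`, the rule name and the group `DOMAIN\ProxyUsers` are placeholders to substitute. Note that the authorization block contains only the allow rule for the group: IIS URL Authorization evaluates deny rules before allow rules regardless of their order in the file, and members of the allowed group are also members of Domain Users, so adding a deny for Domain Users (the question's attempt 2) locks everyone out. Removing the inherited allow-all rule is what restricts access.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Step 2: URL Rewrite reverse proxy rule. A Rewrite action to an absolute
         URL on another host only works once ARR is installed and its proxy
         feature is enabled (Server Proxy Settings > Enable proxy). -->
    <rewrite>
      <rules>
        <rule name="ReverseProxyToBackend" stopProcessing="true">
          <match url="(.*)" />
          <!-- placeholder backend; plain http is fine on a private network (step 3) -->
          <action type="Rewrite" url="http://backend.internal:5601/{R:1}" />
        </rule>
      </rules>
    </rewrite>

    <security>
      <!-- Step 4: anonymous off, Windows authentication on. These two sections
           are locked at the server level by default; either set them through
           IIS Manager at the site node (which writes applicationHost.config)
           or unlock them first with
           appcmd unlock config -section:system.webServer/security/authentication/windowsAuthentication
           appcmd unlock config -section:system.webServer/security/authentication/anonymousAuthentication -->
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>

      <!-- Step 5: drop the inherited "allow all users" rule, then allow only
           the placeholder AD group. No deny rule for Domain Users. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="DOMAIN\ProxyUsers" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

Two checks worth doing after applying this: browse to the proxy as a user outside the group and confirm a 401 rather than backend content (the backend must not be reachable by clients directly, or the proxy's authorization is moot), and, if the proxy is reached by a hostname other than the machine name, register an `HTTP/<proxy hostname>` SPN for the computer account with setspn so Negotiate can use Kerberos instead of falling back to NTLM.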

-1

Doesn't appear to be natively supported in IIS.

4
  • This IS supported in IIS since IIS 7: add basic, digest, or Windows authentication using NTLM or Kerberos to the reverse proxy in IIS before allowing the user to pass through to the site. Commented Apr 2, 2019 at 18:43
  • @tremor I'd love to see that documented. I spent weeks looking for a solution. Commented Apr 2, 2019 at 22:10
  • I've posted what I've done and the resource I used as an answer. I have this working in about 4/5 instances - some backend sites/apps just aren't compatible - but that's the apps fault and not the IIS reverse proxy with authentication. Commented Apr 3, 2019 at 17:03
  • IIS (ARR) does (sadly) NOT support Proxy-Authenticate / Proxy-Authorization headers (rfc2616#section-14.33), just WWW-Authenticate and Authorization. Those headers are regularly used by applications, so a "double auth" scenario will never work with IIS/ARR. Commented Jun 29, 2023 at 18:16
