I have two ASP.NET web applications.
One of the applications is the main MVC web app and the second is a web app acting as a reverse proxy, containing only one file – web.config.
The reverse proxy doesn't have any authentication mode enabled, but the main app has Windows authentication.
When accessing the app through the reverse proxy, a popup appears in the browser asking for Windows credentials.
Is it possible to somehow pass one domain user through all reverse proxy requests? When the reverse proxy redirects a request, it adds custom headers. Is it possible to pass a user from the IIS pool, or somehow hard-coded, so all reverse proxy requests can pass through Windows auth to the main app and then the user can authenticate through the normal login page?
The goal is to access the main app through the reverse proxy without entering Windows credentials.
Disabling Windows auth on the main app is not possible.
Thanks for answers.
Reverse proxy web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward every incoming request to the main app -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)"/>
          <action type="Rewrite" url="https://main-app.com/{R:1}"/>
          <serverVariables>
            <!-- Save and clear Accept-Encoding so responses arrive uncompressed for outbound rewriting -->
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}"/>
            <set name="HTTP_ACCEPT_ENCODING" value=""/>
            <!-- Custom header added to every proxied request -->
            <set name="HTTP_CUSTOM_ZEW_HEADER" value="True"/>
          </serverVariables>
        </rule>
      </rules>
      <outboundRules>
        <!-- Rewrite links in HTML responses -->
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Form, Img" pattern="^http(s)?://main-app.com/(.*)"/>
          <action type="Rewrite" value="http{R:1}://main-app.com/{R:2}"/>
        </rule>
        <!-- Restore the Accept-Encoding value saved by the inbound rule -->
        <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)"/>
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}"/>
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html"/>
          </preCondition>
          <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+"/>
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
Answers:
Method 1
It is not possible to forward the REMOTE_USER header because when the Authorization header is present, the request is forwarded before the authentication module runs, and therefore auth server variables are not set (when mapped to headers they simply come through blank).
You could use a custom HTTP module which sends the authenticated user in a custom header.
Another way is you could set an SPN:
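
As an added example that is not part of the original answer: a custom HTTP module for the proxy site that copies the authenticated user into a request header after the authentication stage, so the value is no longer blank when the request is forwarded. The class name, the header name `X-Forwarded-User`, and Windows authentication being enabled on the proxy site under the IIS integrated pipeline are assumptions.

```csharp
using System;
using System.Web;

// Added example, not code from the original page.
// Assumes the IIS integrated pipeline (request headers are read-only in classic mode)
// and that Windows authentication is enabled on the proxy site.
public sealed class ForwardedUserModule : IHttpModule
{
    // Assumed header name; the page does not name one.
    private const string UserHeader = "X-Forwarded-User";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    // Drop any copy of the header sent by the client, so a caller
    // cannot supply an identity of its own choosing.
    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        ctx.Request.Headers.Remove(UserHeader);
    }

    // The rewrite rule's server variables are evaluated before authentication,
    // which is why auth variables mapped there come through blank. At this
    // stage the identity is known and the request has not been forwarded yet.
    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        var user = ctx.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            ctx.Request.Headers.Set(UserHeader, user.Identity.Name);
        }
    }

    public void Dispose() { }
}
```

The module is registered under `<system.webServer><modules>` in the proxy's web.config. The main app should accept this header only on connections that come from the proxy, because any client that can reach the main app directly can send the same header.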
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.