How to rewrite IWA URLs to Forms Authentication in WAP

  • Question

  • I want to start using Web Application Proxy to publish ADFS 3.0 and Dynamics CRM (various versions).  I've learned that WAP can't do Integrated Windows Authentication for the CRM Claims based url, i.e. https://crmint.domain.com/orgname.  For various reasons, I want to still be able to use this URL.  If I manually change the ADFS URL to end with &wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword instead of &wauth=urn%3afederation%3aauthentication%3awindows, I can enter my credentials in the Form and log in.  That works for me.

    My question is...  Is there a way to use the URL rewrite module of IIS (or something else) on the WAP server to rewrite the response URL from the form https://url...&wauth=urn%3afederation%3aauthentication%3awindows to https://url...&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword ?

    I think this can be done, but I have no experience using the IIS ReWrite module, so I really don't know where to start.

    Thanks for the help.


    Tuesday, March 15, 2016 2:36 AM

All replies

  • I can't speak to whether it is supposed to work for CRM, or if there are better ways for CRM. Maybe check with the CRM forum.

    But from a general perspective, the application decides what method it wants to use. So the change has to be done on the application level (the app is redirecting the user to this URL, the app is crafting the URL), not on the URL itself.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, March 15, 2016 3:24 PM
  • Pierre,

    Thanks for the reply.  You're right, the application is specifying the authentication method and I'm trying to create a hack to get around a limitation in WAP by re-writing the URL.  I could attempt to do something on the CRM servers, but given that we have a lot of them and we rebuild them fairly frequently, I was hoping to do something on the WAP that would cover all of the CRM servers at once.

    I'd still like some URL rewriting help if someone has insight.


    Wednesday, March 16, 2016 2:47 AM