Web Application Proxy with Pre Authentication for website access

  • Question

  • Hi All,

    We previously used TMG to publish an admin website externally where users had to sign in with valid domain credentials before they were forwarded to the website. The website is hosted by a cloud provider on a non-domain joined server, there is a VPN link between the cloud provider and our domain.

    I have now moved all rules from TMG to Web Application Proxy. The pass-through rules work fine, but I cannot work out how to publish the admin website with pre-authentication.

    I have added the non-claims aware relying party trust to ADFS using the URL of the internal resource. Where I come unstuck is with the delegation for the web Application Proxy server object in AD and the SPN for the internal resource. The server that hosts the website is not domain joined so how do I setup the SPN for it?

    I have found many how to's if publishing an exchange object or sharepoint object but nothing that would meet my usage case.

    Any help gratefully received
    Tuesday, June 20, 2017 11:52 AM

All replies

  • I'm also interested in getting this working, as I'm having trouble with it so far.

    My attempts get me an ADFS login page, but then I got an error 500 message in the browser.

    Event logs on the WAP server refer to the acquirement of a kerberos ticket, and as such leads me to delegation for WAP, despite the website not being hosted on a domain machine.

    It's worth mentioning that I have a support call with our supplier tomorrow, so I'll be sure to relay the outcome if we get this working!

    Thursday, June 22, 2017 3:22 PM
  • So far, all my research doesn't seem to suggest what we're after is possible.

    WAP 2016 might have something though, although it doesn't specifically state it'll work the way we want...

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication

    The section regarding Basic auth seems like it MIGHT fit. It's unclear if you can have WAP 2016 with ADFS 3.0 (2012 R2) or not, just that you can't have ADFS 4.0 (2016) with WAP 2012.

    Thursday, June 22, 2017 8:58 PM
  • I am running WAP on 2016, and if you use Basic Auth then it throws an error message that ADFS needs to be running 2016. That is not really practical as ADFS is configured for our Intranet which is externally hosted so really don't want to mess that up!

    TMG would give you a login page which just decided whether the forwarder would work, and not forward the actual authentication to the back end server. This is what we are after and what doesn't seem possible (except maybe with Basic Auth).

    Friday, June 23, 2017 10:34 AM
  • How about creating a claims-aware relying party? If the application would accept claims, the flow would be as follows. Web Application Proxy sees you're not signed in. You get a redirect to ADFS, where you have to sign in (and optionally be a member of a certain group). You get redirected back to the proxy, which now sees you are signed in. At this moment the first request to the actual backend server is done. If the backend server wants to know anything about the user, it (the backend server) is responsible for doing a WSFED request. That means a redirect to ADFS and a validation of the response. In your case the backend server doesn't want to know anything about the user, so it stops there.
    Wednesday, July 19, 2017 6:25 PM
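The claims-aware relying-party setup described in the reply above, as an added PowerShell example that is not from this thread. The names (AdminSite, admin.contoso.example, the backend URL, the certificate thumbprint and the group SID) are placeholders you would replace with your own; the first block runs on the ADFS server, the second on the WAP server.

```powershell
# --- On the ADFS server: claims-aware relying party for the published site ---
# The identifier and WS-Fed endpoint are the EXTERNAL URL that WAP publishes.
# Placeholder values: admin.contoso.example, the group SID, the names.
$externalUrl = 'https://admin.contoso.example/'

# Authorization rule: only members of the admin group get a token (optional
# group restriction mentioned in the reply). Anyone else is denied at ADFS,
# so the backend never sees unauthenticated traffic.
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit admin group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "^(?i)S-1-5-21-PLACEHOLDER-GROUP-SID$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
          Value = "true");
'@

# No transform rules: the backend does not consume claims, as in the reply,
# so the token ADFS issues does not need to carry user attributes.
Add-AdfsRelyingPartyTrust -Name 'AdminSite' `
    -Identifier $externalUrl `
    -WSFedEndpoint $externalUrl `
    -IssuanceAuthorizationRules $authzRules

# --- On the WAP server: publish the site with ADFS pre-authentication ---
# ExternalPreauthentication ADFS makes WAP redirect unauthenticated users to
# ADFS for the relying party named above; no Kerberos delegation or SPN for
# the non-domain-joined backend is involved, since nothing is forwarded to it.
# Placeholder thumbprint: replace with the external certificate's thumbprint.
Add-WebApplicationProxyApplication -Name 'AdminSite' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'AdminSite' `
    -ExternalUrl $externalUrl `
    -BackendServerUrl 'https://admin-backend.cloud.internal/' `
    -ExternalCertificateThumbprint 'PLACEHOLDER-CERT-THUMBPRINT'

# Check the result: ExternalPreauthentication should read ADFS.
Get-WebApplicationProxyApplication -Name 'AdminSite' |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

The backend receives the request only after ADFS has issued a token to the proxy, which is the TMG-style "login page that gates the forwarder" behaviour asked for earlier in the thread.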