Single Sign On (SSO) through Web Application Proxy (WAP)

  • Question

  • From my understanding, SSO is not supported through the extranet because there is no option to enable Windows Integrated Authentication on the extranet. But I found this Microsoft article that states you can publish an Integrated Windows Authentication-based application for web browser clients and SSO would work. And this is done through the WAP. I'm not quite sure I understand. Is it actually possible to do SSO through a WAP using Windows Integrated Authentication, or am I misunderstanding the purpose of this article?

    Had to put a space in the link so that I could post it. Remove space before com

    docs.microsoft. com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication#BKMK_1.2


    Wednesday, June 12, 2019 8:34 PM

All replies

  • The purpose of WAP publishing a Kerberos application externally is not to achieve SSO. It is to publish the application externally :) Sounds like a truism, but there is a trick. When an application is using Kerberos, you cannot publish it AS-IS to the internet, as the clients don't have a line of sight to a domain controller and therefore cannot ask for a Kerberos ticket. So the WAP presents a nice web form and transforms that authentication method into Kerberos. The application on the back end is fooled: it thinks the users used Kerberos initially, and you get access to it as if you were on-prem.

    That said, using certificate-based authentication, you can achieve SSO externally. The user will not be prompted for a password and will instead use (seamlessly or not, depending on the browser) their certificate to authenticate.

    You can also use a combination of different technologies to make it work with an SSO experience externally using Azure AD.

    1. Hybrid Azure AD join your Windows 10 device to obtain a PRT.
    2. Publish the Kerberos application with Azure AD Application Proxy.

    When the user opens a session on their Windows 10 device, they also get a PRT; this PRT will be used to request an access token to use the Kerberos application. Then you effectively get an SSO experience.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Thursday, June 13, 2019 1:42 PM
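    To make the first reply concrete, here is the configuration it describes (AD FS pre-authentication on the WAP plus Kerberos constrained delegation to the back-end SPN), as an added example that is not code from the thread or from the Microsoft article. The server name WAP01, the host app.contoso.com, the relying-party name and the certificate thumbprint are placeholders, and the AD FS relying-party trust of that name is assumed to exist already.

```powershell
# Added example (not from the thread). WAP01, app.contoso.com, the relying-party
# name and the certificate thumbprint are placeholder assumptions.

# 1. On a domain controller: allow the WAP computer account Kerberos constrained
#    delegation with protocol transition ("use any authentication protocol") to
#    the back-end application's SPN only. This is the step that lets the WAP turn
#    the forms-based AD FS pre-authentication into a Kerberos ticket.
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = @('HTTP/app.contoso.com') }
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# 2. On the WAP server: publish the IWA application with AD FS pre-authentication.
#    -BackendServerAuthenticationSpn must match the SPN delegated above, and the
#    relying-party trust named here must already exist in AD FS (assumption).
Add-WebApplicationProxyApplication `
    -Name 'Contoso Intranet App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Contoso Intranet App RP' `
    -ExternalUrl 'https://app.contoso.com/' `
    -ExternalCertificateThumbprint '<thumbprint-of-external-cert>' `
    -BackendServerUrl 'https://app.contoso.com/' `
    -BackendServerAuthenticationSpn 'HTTP/app.contoso.com'

# 3. Check: delegation should be limited to the single SPN (constrained), never
#    unconstrained (TrustedForDelegation = True), and the published app should
#    show ADFS pre-authentication with the expected back-end SPN.
Get-ADComputer -Identity 'WAP01' -Properties msDS-AllowedToDelegateTo, TrustedForDelegation |
    Select-Object Name, TrustedForDelegation, msDS-AllowedToDelegateTo
Get-WebApplicationProxyApplication -Name 'Contoso Intranet App' |
    Select-Object Name, ExternalPreauthentication, BackendServerAuthenticationSPN
```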
  • Reading over the article below, I am learning to ask what sign-in protocol the application supports, the token type, and the authentication method.

    blogs.technet.microsoft. com/askpfeplat/2014/11/02/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/

    (remove space at com to view)

    Now, when you use a WAP, FBA (forms-based authentication) and certificates are supported.

    Does the application have to support the certificate authentication method (certificate-based), or do you just set up certificate authentication and it should work?

    Thursday, June 13, 2019 7:39 PM
  • The application is agnostic of the authentication protocol. That's kinda the point of federation: the authentication is performed by the STS/IdP, and the application just wants a SAML or an OAuth token (depending on the federation protocol it uses).



    Friday, June 14, 2019 12:42 PM