I'm moving a reverse proxy config from Apache to IIS. A few of these sites need to authenticate at the proxy before going forward. These are on a separate IIS site for simplicity. How do I specify that this site and / or the reverse proxies I have configured within it can be used by a specific AD group?
What I've tried:
The below are done with only windows authentication enabled in IIS. All are Server 2016 / IIS 10.
-
Setting the NTFS permissions on the folder hosting the reverse proxy site to only the
domain\desiredgroup
and theproxy\iis_iusrs
groups, but this didn't help – it's still allowing anydomain\domain users
through. -
Editing the authentication rules with
domain\desiredgroup
having access anddomain\domain users
being denied. This blocks everyone.
Best Answer
The more accepted method to do this is to use Application Request Routing (ARR) - but this requires setting up an additional AD FS (Active Directory Federation Services) Server.
I was recently looking to do the same as you for an instance of Kibana, and happened to find this help blog: https://www.smbadmin.com/2017/07/securing-kibana-with-iis-reverse-proxy.html
As links are not considered a good answer on stack, I'll summarize:
So, this worked great for my Kibana installation, so I decided to deploy it for Jenkins and a number of other websites and web applications, with some tweaks I got most working.
However, caveat - some sites I tried this with, just would not take - Confluence for example, the authorization popup would continually come up on every page refresh. Another obscure, custom web app that is closed source, used some poor web development practices that could continually cause 500 and bad redirects.
I may try setting up ARR in the future to see if that works better in these instances, but ARR is outside the scope of your original question.