Azure Active Directory – Integrated Windows Authentication on AAD Joined Azure VM

Tags: authentication, azure-active-directory, iis, iis-10, windows-server-2019

I'm hoping someone may be able to help by either helping identify what I'm missing, or confirming if indeed it's possible.

Background

We have a new Azure VM with Windows 2019 Datacenter on it and IIS installed.

  • The machine is Azure AD Joined.
  • I can log into the VM via RDP with my Azure AD account.
  • We do not have a local AD.
  • We do not have AAD Domain Services.
  • The VM is accessible only via a VPN connection.
  • On IIS, the default website has been switched to Integrated Windows Authentication only.

The VM has a DNS 'A' record that points to its IP address, e.g. catchyname.ourdomain.com resolves to the VM. This is set up both in our Private Azure DNS for the internal Azure network and our external DNS provider.

Problem

When logged into the VM directly, I can access the default IIS Welcome page, by browsing to http://machinename/ or via http://localhost and it is served correctly.

If I try to navigate to the same page via http://127.0.0.1, via http://catchyname.ourdomain.com or via the machine's IP address, the user is challenged for a user name and password. Interestingly, the challenge box recognises my AD user (the one I'm signed into the VM with) and requests the PIN that accompanies it, but fails to accept any input and responds with a 401.2.5 error and the message:

You are not authorised to view this page due to invalid authentication headers.

When I check the logs, for successful requests I can see that the source IP address in the IIS logs is shown as ::1.

If I log into another web application on the box (SSRS 2017) which relies on Integrated Windows Authentication using the correct URL, i.e. http://machinename/Reports/browse, it also lets me in and correctly displays the user I'm logged in as, AzureAD\MyUserName.

If I add machinename to my C:\Windows\System32\drivers\etc\hosts file and try to browse to it remotely via http://machinename/, it also fails.

Question

Is it possible to enable AAD Authentication for sites in IIS that are resolved via a DNS alias that performs in the same manner as when I navigate by the machine name or via localhost? If it is, what steps do I need to take?

If I can resolve this, my next step is to see if we can enable these websites using this method of authentication for our Windows desktops that are also Azure AD joined, so normal users can browse to the sites on the VM and access them successfully.

Things I've Tried

I've googled muchly over the last 24 hours and investigated articles that recommend registry changes to disable the loopback check for local IIS websites. I've read articles on configuring federated auth for .NET apps, but with the feeling I'm going too deep at this point.

I keep circling back to the fact that if I browse to http://localhost/ everything seems to work, and I don't know why this would be different for http://dns-alias/.

Can anybody help?

Thanks!

Best Answer

What you're doing will not work; here is why, with some alternatives:

You have enabled Windows Integrated Authentication, which really depends on a domain environment to work correctly, and you do not have one: https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication

IIS does not understand Azure AD account authentication. IIS will not talk to Azure AD at all for authentication because it simply lacks that feature; it doesn't matter what your DNS record is or where it is pointing: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/

Your possible options moving forward are:

  1. Ask your development team to integrate Azure AD authentication within the app code (if you own the app and have access to the code, not my preferred method if you don't want to invest in changing code): https://docs.microsoft.com/en-us/aspnet/visual-studio/overview/2012/windows-azure-authentication
  2. Use Azure AD to publish your app online without the need to use a VPN, using a simple proxy service from Microsoft called Azure AD Application Proxy. You install it on the IIS server, register the app online and do some configuration, and that's it: your app can be accessed securely anywhere. The best part is that you can use things like Azure AD Authentication and even Azure AD Conditional Access Policies.

There's a lot to read here, have fun learning:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
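The question's symptom (a 200 over ::1 but a 401.2 over the DNS alias) is easy to confirm from the IIS logs before changing anything, which matters because a single 401.2 is also the normal first leg of a Negotiate/NTLM handshake: the client sends no token, IIS challenges, the client answers and the next request logs a 200 with a cs-username. Only a run of 401.2 responses from the same client and Host header with no following 200 indicates that the challenge is never being satisfied, which is the behaviour the answer above predicts when no domain is available to back Integrated Windows Authentication. The script below is an added example, not code from the question or the answer; it parses IIS W3C extended log text and classifies each (client IP, Host header) pair. The log lines are constructed, and the cs-host field is assumed to be enabled in the site's logging settings (it is not logged by default).

```python
"""Diagnose Integrated Windows Authentication outcomes from IIS W3C logs.

Added example: groups requests by (c-ip, cs-host) and tells a completed
Negotiate/NTLM handshake (401.2 then 200 with a user name) apart from a
challenge that is never completed (401.2 only).
"""
from collections import defaultdict

# Constructed sample log, not copied from the question. The cs-host column is
# assumed to have been enabled in IIS logging; the status triple 401 2 5 is the
# "401.2.5" the question reports (HTTP 401, substatus 2, Win32 status 5).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-01-01 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-host sc-status sc-substatus sc-win32-status time-taken
2021-01-01 09:00:01 ::1 GET / - 80 - ::1 localhost 401 2 5 3
2021-01-01 09:00:01 ::1 GET / - 80 AzureAD\\someuser ::1 localhost 200 0 0 12
2021-01-01 09:00:05 10.0.0.4 GET / - 80 - 10.0.0.4 catchyname.ourdomain.com 401 2 5 2
2021-01-01 09:00:05 10.0.0.4 GET / - 80 - 10.0.0.4 catchyname.ourdomain.com 401 2 5 1
2021-01-01 09:00:09 127.0.0.1 GET / - 80 - 127.0.0.1 127.0.0.1 401 2 5 1
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header names appear after "#Fields:"
            continue
        if not line or line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue                       # skip lines that do not match the header
        records.append(dict(zip(fields, values)))
    return records


def summarise_auth(records):
    """Count 401.2 / other 401 / 200 responses per (client IP, Host header) pair."""
    summary = defaultdict(lambda: {"401.2": 0, "other_401": 0, "200": 0, "users": set()})
    for rec in records:
        entry = summary[(rec["c-ip"], rec.get("cs-host", "-"))]
        status, sub = rec["sc-status"], rec["sc-substatus"]
        if status == "401" and sub == "2":
            entry["401.2"] += 1
        elif status == "401":
            entry["other_401"] += 1
        elif status == "200":
            entry["200"] += 1
            if rec["cs-username"] != "-":  # IIS logs "-" until a user is authenticated
                entry["users"].add(rec["cs-username"])
    return dict(summary)


def classify(summary):
    """Label each pair: handshake completed, challenge never completed, or no auth activity."""
    verdicts = {}
    for key, entry in summary.items():
        if entry["200"] > 0 and entry["users"]:
            verdicts[key] = "authenticated"
        elif entry["401.2"] > 0:
            verdicts[key] = "challenge never completed (401.2)"
        else:
            verdicts[key] = "no auth activity"
    return verdicts


if __name__ == "__main__":
    for (client, host), verdict in classify(summarise_auth(parse_w3c(SAMPLE_LOG))).items():
        print(f"{client:>12}  {host:<28} {verdict}")
```

Run against a real log by reading the site's u_ex*.log file into `parse_w3c` instead of `SAMPLE_LOG`. The grouping key deliberately includes the Host header, because that is exactly the variable the question changes (localhost vs machine name vs DNS alias) while the server, site and credentials stay the same.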