Iis – .NET Issue on ADFS SSO behind a Reverse Proxy

adfsiisreverse-proxysamlsingle-sign-on

I have a .NET application that uses ADFS for SSO. It works when I test it on my local machine and test environment but it fails when deployed to the client environment.

The client environment is like this:
HTTPS Public IP:443 -> NAT Internal IP -> Accelerator:80 -> Load Balancer:80 -> Reverse Proxy Server:80 -> APP Server:80

The reverse proxy will URL rewrite from app.url.com to app-internal.url.com

The application should work like this:

User will access http s://app.url.com/appname. Then .NET Application on first load will redirect the user to an ADFS server: http s://adfsurl.domain.com/adfs/ls?
Upon successful authentication, the ADFS will redirect back to the application URL.

My issue is that the application is redirecting to http://app.url.com/adfs/ls/? instead of http s://adfsurl.domain.com/adfs/ls?

Is there any other configuration I need to do like outbound rule?

Best Answer

You may need to deselect Reverse rewrite host in response headers in the ARR settings and additionally set preserveHostHeader="true" in applicationhost.config

Open Internet Information Services (IIS) Manager.
In the Connections pane, select the server.
In the server pane, double-click Application Request Routing Cache.
In the Actions pane, click Server Proxy Settings.
On the Application Request Routing page, deselect Reverse rewrite host in response headers.

To set preserveHostHeader="true" in applicationhost.config:

Run Command Prompt as Administrator
%WINDIR%\System32\inetsrv\appcmd.exe set config -section:system.webServer/proxy /preserveHostHeader:"True" /commit:apphost

See:

https://stackoverflow.com/questions/4243959/iis-reverse-proxy-with-rewrites-cant-handle-a-redirect-from-the-server-we-proxy

https://stackoverflow.com/questions/43433352/sso-adfs-redirection-issue-with-reverse-proxy-with-arr

Related Solutions

Nginx reverse proxy + URL rewrite

Any redirect to localhost doesn't make sense from a remote system (e.g. client's Web browser). So the rewrite flags permanent (301) or redirect (302) are not usable in your case.

Please try following setup using a transparent rewrite rule:

location  /foo {
  rewrite /foo/(.*) /$1  break;
  proxy_pass         http://localhost:3200;
  proxy_redirect     off;
  proxy_set_header   Host $host;
}

Use curl -i to test your rewrites. A very subtle change to the rule can cause nginx to perform a redirect.

Reverse proxy http to tomcat

Instead of plain http proxy, use proxy_ajp. Adapt the example below to match your needs, i.e. it is up to you to proxy everything to the container or only a namespace:

ProxyRequests off
ProxyPassMatch ^/(your_app)(.*) ajp://localhost:8009/$1$2 ttl=120 ping=1

Ensure that server.xml in your tomcat configuration includes an AJP listener. The executor is optional.

<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
          maxThreads="150" minSpareThreads="4"/>

<Connector executor="tomcatThreadPool"
           port="8009" protocol="AJP/1.3"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" />

Best Answer

Related Solutions

Nginx reverse proxy + URL rewrite

Reverse proxy http to tomcat

Related Topic