IIS – URL rewriting between different pools with different authentication in IIS

Tags: iis, iis-7.5, load-balancing, redirect, rewrite

I have an IIS application and three sub-applications as follows:

CMT (Windows and Anonymously authenticated)
- CI
- EM
- Website (Windows authenticated)

CI and EM are helper web services and Website is (obviously) the website. Now, if the application is hosted under cmt.mycompany.com, then the user can access the website as follows:


I want to write a URL Rewrite rule so that our users don't have to write 'website' after the DNS, and can simply open cmt.mycompany.com or cmt.mycompany.com/mypage to open the main page or mypage, respectively.

<rule name="WebsiteMapping" stopProcessing="true">
  <match url="^(?!\b(?:ci|em|website)\b).*$" />
  <action type="Rewrite" url="http://{HTTP_HOST}/website/{R:0}" logRewrittenUrl="true" />
</rule>

What this rule does is simply rewrite any URL that doesn't start with ci, em, or website to have website added after the DNS.

I am having two problems that I don't seem to be able to solve:

  1. For some reason, URL Rewrite doesn't seem to work with authentication, so whenever I hit cmt.mycompany.com I get a dialog asking me to authenticate myself, and it doesn't work even if I enter my credentials. Since the main application (CMT) and the website are hosted under different app pools, we needed to install IIS ARR, but that didn't help.

  2. I tried to change the rule to 'redirect' and it did work, but there is another problem. I have a load balancer connected to 4 individual boxes. The load balancer is hosted on port 80, but the individual boxes are hosted on port 9991. When I hit the individual boxes, the URL redirect works successfully, but when I hit the load balancer DNS name, the port 9991 (of the individual box) gets appended to the load balancer DNS name! For example, if I hit cmt.mycompany.com/mypage, I get redirected to cmt.mycompany.com:9991/website/mypage, which is obviously invalid since the load balancer is hosted on port 80, not 9991.

Any ideas to help me solve these problems?


Best Answer

I can see two possibilities. NTLM is not supported with URL Rewrite + ARR. For Windows integrated authentication you may have to configure Kerberos to get it working properly.

Here's a page describing the general steps for sharepoint, but it's applicable elsewhere: http://blogs.msdn.com/b/echarran/archive/2010/02/11/howto-configure-sharepoint-2010-for-kerberos.aspx

From a deep dive into the article: you have to create Service Principal Names (SPNs) for the web applications and delegate control to the web application identity. To create the SPN, use a command like this (HTTP applies for both HTTP and HTTPS):

setspn -s HTTP/[domain name of application] [domain name]\[server name hosting application]

Set an SPN for each domain name you will need to authenticate to and for each server the applications are hosted on (if you have a web farm). Next, open up Active Directory Users and Computers and set the view to advanced mode. Open the computer object for one of the web servers and go to the Delegation tab. Change the radio button to "Trust this user for delegation to specified services only" and make sure the next radio button is "Use any authentication protocol". Click Add, search for the application pool identities (if it's Network Service, you don't have to worry about this part) and click OK. On Add Services, select all of the services that this application pool identity is in charge of and click OK.

Alternatively, it may be easier to just make a default page on the root that will redirect traffic to the proper location, something like this:

// Request.Url is a System.Uri, whose host name property is Host (it has no ServerName).
// Host carries no port, so the redirect target is built from the name the client used.
Response.Redirect("http://" + Request.Url.Host + "/WebSite" + Request.Url.PathAndQuery);

Set up the custom errors on the default site to use this page. I'll do some testing, but you may have to make another page for errors that uses the referral URI's PathAndQuery to send it to the right place.
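The SPN and delegation steps above, done from PowerShell instead of the ADUC GUI, as an added example that is not part of the original answer. It uses setspn and the RSAT ActiveDirectory module and must run as a domain admin (or an account with rights on the target objects). cmt.mycompany.com comes from the question; the domain name, the four server names and the two service-account names are assumptions for illustration. It also adds the check a practitioner wants: that no SPN ended up duplicated, which is the most common reason Kerberos silently falls back to NTLM.

```powershell
# Added example, not the original answer's code: registers the HTTP SPNs and
# configures constrained delegation with protocol transition ("Trust this user
# for delegation to specified services only" + "Use any authentication
# protocol") without the ADUC GUI. Names marked (assumed) are illustrative.
Import-Module ActiveDirectory

$domain     = 'MYCOMPANY'                        # NetBIOS domain name (assumed)
$dnsSuffix  = 'mycompany.com'                    # DNS domain (assumed)
$publicHost = 'cmt.mycompany.com'                # name users type, served by the LB (from the question)
$webServers = 'web01', 'web02', 'web03', 'web04' # the four boxes behind the LB (assumed)

# Pool identities (assumed). One SPN may exist on exactly ONE account in the
# forest, so a web farm shares a single domain account per pool; registering
# HTTP/cmt.mycompany.com on every server's computer account would create
# duplicates, after which Kerberos fails for everyone.
$websitePoolAccount = 'svc_website'   # Website pool: the Windows-auth back end that decrypts the ticket
$cmtPoolAccount     = 'svc_cmt'       # CMT/ARR front-end pool: the identity that must delegate

# 1. HTTP SPNs (HTTP covers both http and https) on the back-end pool account:
#    the public name, its short form, and each box's own FQDN for direct access.
$backEndSpns = @("HTTP/$publicHost", "HTTP/$($publicHost.Split('.')[0])")
foreach ($s in $webServers) {
    $backEndSpns += "HTTP/$s.$dnsSuffix"
    $backEndSpns += "HTTP/$s"
}
foreach ($spn in $backEndSpns) {
    # -S checks the forest for a duplicate before adding; -A would register one blindly.
    & setspn -S $spn "$domain\$websitePoolAccount"
}

# 2. Constrained delegation with protocol transition on the front-end identity.
function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]   $AccountName,  # sAMAccountName; computer accounts end in '$'
        [Parameter(Mandatory)][string[]] $TargetSpns    # the "services" list on the Delegation tab
    )
    $account = if ($AccountName.EndsWith('$')) {
        Get-ADComputer -Identity $AccountName
    } else {
        Get-ADUser -Identity $AccountName
    }
    # msDS-AllowedToDelegateTo holds the allowed target services.
    Set-ADObject -Identity $account.DistinguishedName -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
    # TrustedToAuthForDelegation is the "Use any authentication protocol" switch
    # (protocol transition). Without it, delegation only works for Kerberos-only clients.
    Set-ADAccountControl -Identity $account -TrustedToAuthForDelegation $true
}

# If the CMT pool runs as Network Service, delegate from each server's computer
# account instead, i.e. call this once per box with -AccountName "$s`$".
Set-ConstrainedDelegation -AccountName $cmtPoolAccount -TargetSpns $backEndSpns

# 3. Checks before recycling the pools.
& setspn -X                                   # must report no duplicate SPNs in the forest
& setspn -L "$domain\$websitePoolAccount"     # lists exactly what step 1 registered
Get-ADUser -Identity $cmtPoolAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
```

Two caveats worth stating plainly. First, "Use any authentication protocol" (TrustedToAuthForDelegation) lets the front-end account obtain a service ticket for any user to the listed services without that user ever presenting credentials, so treat svc_cmt as a high-value account and keep msDS-AllowedToDelegateTo limited to the HTTP SPNs it genuinely needs. Second, on IIS 7.5 with kernel-mode authentication left at its default, a pool running as a custom domain account also needs useAppPoolCredentials="true" under windowsAuthentication for that site; otherwise the ticket is decrypted with the machine account's key, not the account holding the SPN, and authentication fails exactly as described in the question.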
