Nginx – Access internally hosted IIS with Windows authentication from Internet

Tags: nginx, ntlm, reverse-proxy, squid

I have a .NET web application running on IIS behind the firewall.
The application uses Windows authentication (NTLM) to authenticate users.
I need to make this application accessible from the Internet so that:

  • When a user tries to access the application, a login form is shown, generated by the [Reverse Proxy].
  • The user enters a login and password and submits the form.
  • The [Reverse Proxy] matches the external credentials to Windows credentials; we are OK with storing Windows domain logins and passwords in some DB.
  • The [Reverse Proxy] provides access to the web application using the provided credentials.

To be clear, I do not want NTLM passthrough to the user; I need the [Reverse Proxy] to speak to IIS on the user's behalf instead. The user may enter different credentials or may use another authentication type (Google, FB, etc.), and the [Reverse Proxy] will match the external account to the internal one. E.g. employees will configure the external accounts they want to use to access the intranet portal.

What are my options?

Can I use Nginx or Squid to implement such scenario with help of custom module / plugin?
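The proxy-side logic the question describes (login form, external-to-Windows credential mapping, then a request to IIS made with the mapped Windows account) as an added example sketch in Python. This is not code from the original post or from nginx or Squid. The in-memory `CredentialStore` stands in for the DB mentioned in the question, and the default upstream function assumes the third-party `requests` and `requests_ntlm` packages and a hypothetical internal host `iis.internal`; the upstream is injectable so the mapping and session logic can be exercised without any IIS server.

```python
"""Credential-mapping reverse proxy sketch (added example, not from the post).

Flow: external login -> verify against stored hash -> look up mapped Windows
account -> talk NTLM to IIS with that account on the user's behalf.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical internal IIS host; replace with the real one.
IIS_BASE_URL = "http://iis.internal"

LOGIN_FORM = (
    '<form method="post" action="/login">'
    '<input name="user"><input name="pass" type="password">'
    '<button>Sign in</button></form>'
)


@dataclass
class Mapping:
    ext_salt: bytes   # salt for the external (proxy-side) password
    ext_hash: bytes   # PBKDF2-HMAC-SHA256 of the external password
    win_user: str     # DOMAIN\user the proxy presents to IIS
    win_pass: str     # domain password, kept reversible as the question allows


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class CredentialStore:
    """Stand-in for the DB: external account -> Windows account."""

    def __init__(self) -> None:
        self._m: Dict[str, Mapping] = {}

    def enroll(self, ext_user: str, ext_pass: str, win_user: str, win_pass: str) -> None:
        salt = os.urandom(16)
        self._m[ext_user] = Mapping(salt, hash_pw(ext_pass, salt), win_user, win_pass)

    def verify(self, ext_user: str, ext_pass: str) -> Optional[Mapping]:
        m = self._m.get(ext_user)
        if m is None:
            hash_pw(ext_pass, b"\0" * 16)  # same cost for unknown users
            return None
        ok = hmac.compare_digest(hash_pw(ext_pass, m.ext_salt), m.ext_hash)
        return m if ok else None

    def lookup(self, ext_user: str) -> Mapping:
        return self._m[ext_user]


def forward_with_ntlm(win_user: str, win_pass: str, path: str) -> Tuple[int, str]:
    """Default upstream: NTLM to IIS via requests + requests_ntlm (assumed libs)."""
    import requests                       # third-party, imported lazily
    from requests_ntlm import HttpNtlmAuth  # third-party, imported lazily
    r = requests.get(IIS_BASE_URL + path, auth=HttpNtlmAuth(win_user, win_pass))
    return r.status_code, r.text


Upstream = Callable[[str, str, str], Tuple[int, str]]


class ProxyApp:
    """Session-cookie front end; the browser never sees NTLM."""

    def __init__(self, store: CredentialStore, upstream: Upstream = forward_with_ntlm) -> None:
        self.store = store
        self.upstream = upstream
        self.sessions: Dict[str, str] = {}  # session token -> external user

    def login(self, ext_user: str, ext_pass: str) -> Optional[str]:
        if self.store.verify(ext_user, ext_pass) is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = ext_user
        return token

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def handle(self, path: str, session_cookie: Optional[str]) -> Tuple[int, str]:
        ext_user = self.sessions.get(session_cookie or "")
        if ext_user is None:
            return 401, LOGIN_FORM  # proxy-generated login form, no NTLM challenge
        m = self.store.lookup(ext_user)
        return self.upstream(m.win_user, m.win_pass, path)
```

The identity used for the upstream call comes from the server-side session, never from anything the client sends per request, so a user can only ever reach IIS as the Windows account enrolled for them. Swapping `forward_with_ntlm` for a different upstream is also where a Google or Facebook login would plug in: the external identity changes, the mapping table and the IIS leg do not.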

Best Answer

It almost sounds like SAML or OAuth would be a good option for you. Have you looked down that path at all? Typically it's used for delegating another site's credentials, but it should work for internal sites as well. You'd probably have to build a custom front end in your DMZ though.
