
Forwarding NTLM credentials from IIS with ARR and URL Rewrite

Thanks in advance for your help.

In my environment, I configured IIS to act as a reverse proxy and forward requests to certain paths to an application server on another host. In order to do this, I used the Application Request Routing (ARR) and URL Rewrite modules; I created my rule and everything's working fine.

IIS is responsible for authenticating clients using NTLM, so my question is: is it possible to pass the authentication credentials (at least the username) to my application server after authenticating the user?

I tried to do this by adding a custom header to my requests, writing a rule like this:

<rule name="ForwardToApplicationServer">
    <match url=".*" />
    <serverVariables>
        <set name="HTTP_AUTH_USER" value="{AUTH_USER}" />
    </serverVariables>
    <action type="Rewrite" url="http://myappserver/myapp/{R:0}" logRewrittenUrl="true" />
</rule>

But it doesn't work: when I read it on my application my header is always empty. I also tried with and but none of these worked.

So, what am I doing wrong? Should I use another server variable? Am I missing something?

More in general: is it possible to do what I'd like to do?

Again, thanks in advance for your help, and please forgive me if I'm asking something obvious but I'm new to using IIS and I couldn't find anything that helped me.

rkl3ss asked Jun 04 '14 08:06



1 Answer

http://weblogs.asp.net/owscott/an-intro-to-iis-url-rewrite-plus-redirecting-urls-to-www-web-pro-week-8-of-52

{REMOTE_USER}, {LOGON_USER} & {AUTH_USER} do not work with URL-REWRITE, ... 

You can use www.isapirewrite.com which runs later in the stack and has a handle on the auth data.

Tody.Lu answered Oct 20 '22 22:10
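
The answer turns on the header being set by something that runs after authentication. As an added example (not part of the original post, and not Microsoft's code), a managed IIS module can do that in the integrated pipeline; the class name `ForwardAuthUserModule` and the header name `X-Forwarded-User` are hypothetical, and the sketch assumes the module is registered without the `managedHandler` precondition so that it also runs for requests ARR proxies.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical module: copies the authenticated Windows user name into a
// request header so that it travels with the request ARR forwards.
public sealed class ForwardAuthUserModule : IHttpModule
{
    // Hypothetical header name; the application server must read the same one.
    private const string HeaderName = "X-Forwarded-User";

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest fires once authentication has completed,
        // which is later than the point where URL Rewrite evaluates its rules.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Editing request headers requires the IIS integrated pipeline.
        // Always drop a client-supplied value first so it cannot be spoofed.
        context.Request.Headers.Remove(HeaderName);

        IPrincipal user = context.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // For Windows authentication this is the DOMAIN\user form.
            context.Request.Headers.Set(HeaderName, user.Identity.Name);
        }
    }

    public void Dispose()
    {
        // No unmanaged resources to release.
    }
}
```

The application server should accept this header only on connections coming from the IIS host, since any other client able to reach it directly could set the header to an arbitrary user name.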