
HTTP server behind IIS: pass authentication headers

I have an IIS instance configured with Windows Authentication and URL Rewrite, so it basically works as a reverse proxy. My backend server (running on Linux) expects a REMOTE_USER header. Is it possible to configure IIS to pass information about the authenticated user to the backend server?

Andrew T asked Sep 09 '11 16:09


2 Answers

If IIS is configured for Windows Auth, then ARR will challenge and only forward requests once the user is authenticated.

It is possible to forward custom headers with the request using an HTTP naming convention and the serverVariables element in the rewrite rules. For instance, in the following example the server variable LOCAL_ADDR is forwarded as a header named X-MY-HEADER.

<rule name="Reverse Proxy to MySite" stopProcessing="true">
    <match url="^MySite/(.*)" />
    <serverVariables>
        <set name="HTTP_X_MY_HEADER" value="{LOCAL_ADDR}" />
    </serverVariables>
    <action type="Rewrite" url="http://www.myothersite.com/{R:1}" />
</rule>

Unfortunately it's not possible to use this technique to forward a REMOTE_USER header. This is because when the Authorization header is present, the request is forwarded before the authentication module runs, and therefore auth server variables are not set (when mapped to headers they simply come through blank).

You can however set IIS to use Basic Windows Auth, and then extract the username from the Base64 encoded Authorization header on your Linux server.

TheCodeKing answered Sep 19 '22 04:09
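The backend-side extraction mentioned in the answer above, sketched in Python as an added example that is not part of the original answer. The function name and the strip_domain option are hypothetical, and it assumes the backend accepts connections only from the IIS proxy, because the function reads the username without checking the password.

```python
import base64
import binascii


def remote_user_from_basic(authorization, strip_domain=False):
    """Return the username from a Basic Authorization header, or None.

    Hypothetical backend helper: the function name and strip_domain
    option are assumptions of this example, not part of IIS or ARR.
    The password is not verified here; that is left to IIS.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    # Scheme names are case-insensitive; only Basic is handled.
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        creds = raw.decode("utf-8")
    except UnicodeDecodeError:
        creds = raw.decode("latin-1")
    # Split on the first colon only: the password may contain colons.
    user, sep, _password = creds.partition(":")
    if not sep or not user:
        return None
    # Reject control characters so the name cannot inject line breaks
    # into logs or into headers built from it.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user):
        return None
    if strip_domain:
        # Stripping conflates same-named accounts from different domains.
        user = user.rsplit("\\", 1)[-1]  # DOMAIN\user -> user
        user = user.split("@", 1)[0]     # user@domain -> user
    return user or None


# Constructed sample: credentials "CORP\alice" / "s3cr3t:with:colons".
SAMPLE = "Basic " + base64.b64encode(b"CORP\\alice:s3cr3t:with:colons").decode()

if __name__ == "__main__":
    print(remote_user_from_basic(SAMPLE))
    print(remote_user_from_basic(SAMPLE, strip_domain=True))
```

The decoded header also contains the user's password, so the raw Authorization value should be kept out of backend logs.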


I've had a similar problem and I thought I would mention how I managed to work around it. I have installed Helicon ISAPI-Rewrite 3 Lite, which is an ISAPI request filter. Since it runs after the authentication stage in the pipeline, it has access to the REMOTE_USER variable and can rewrite the request such that a new HTTP header is added to it with REMOTE_USER as its value. Of course this helps only if you have some control over the backend server so you can make use of the value of this custom header instead of the original REMOTE_USER variable.

The required snippet in ISAPI-Rewrite's global configuration file (httpd.conf) is as follows:

RewriteBase /
RewriteCond %{REQUEST_URI} ^/MySite.*
RewriteHeader X-Remote-User: .* %{REMOTE_USER}

The RewriteCond part limits this rule to URIs starting with /MySite; feel free to adjust it as needed.

Tamás answered Sep 18 '22 04:09