« Previous Next »

• 04-24-2009, 6:14 PM

  psidari Joined on 04-24-2009, 10:11 PM Posts 2

  ARR Reverse Proxy and Authentication Reply Contact We are using ARR as a reverse proxy and want to add Forms Authentication and I am having a few issues:  1) It seems to do the reverse proxy before the forms auth even though ARR is lower in the module priority list. I need the Forms Authentication to occur first. 2) I want to pass a cookie between the server hosting ARR and the content server, I can't seem to find a good way to do this.  Any help would be appreciated.  Thanks.   - Phil

  Tags: ARR Forms Authentication Cookies

• 04-26-2009, 11:59 PM

  In reply to

  JaroDunajsky Joined on 04-19-2005, 10:23 PM Redmond Posts 168

  Re: ARR Reverse Proxy and Authentication Reply Contact Maybe you could setup your ARR rules the way that logon page for your application would be handled on the front-end ARR which would result in cookie sent to client. Client would be then adding cookies for the rest of the requests for your application and those would be sent to the back-end. But why do you need the authentication be handled on the front-end? You want to prevent unauthorized requests to get to back-end. Jaroslav Dunajsky (MSFT, IIS)

• 04-27-2009, 12:17 PM

  In reply to

  psidari Joined on 04-24-2009, 10:11 PM Posts 2

  Re: ARR Reverse Proxy and Authentication Reply Contact So I actually have the rewrite rules setup to ignore my login page. However, the problem is that I want to prevent the rewrite from occuring until users are authenticated on the front end server. I thought having the forms authentication module higher in the module order list would make this happen but it seems to have no effect. Any ideas? The reason we want authentication here and not on the actual application web servers is two-fold:  1) The Auth servers (running ARR) will be setup outside our firewall and the app web servers will be inside the firewall, so we don't want any unauthenticated traffic getting through. 2) We are actually integrating with a federated security solution so the final authentication is actually delegated.  Any help would be appreciated.  - Phil

• 04-27-2009, 12:31 PM

  In reply to

  anilr Joined on 05-23-2006, 10:13 PM Redmond, WA Posts 2,343

  Re: ARR Reverse Proxy and Authentication Reply Contact The IIS url-rewriter only works in pre-begin/begin stage of the pipeline - so you cannot have a rule based on whether the request was authenticated or not. However, if you turn off anonymous authentication on the ARR server - even though the url for the anonymous request is rewritten, the request will be rejected and client will be issued a challenge and not forwarded to the 2nd tier server until authentication is done. However, unless you have some method of decoding your forms auth cookie on the 2nd tier server, the resulting authentication would be useless on the 2nd tier server. Anil Ruia Senior Software Design Engineer IIS Core Server