http://forums.iis.net/1154.aspxMaximize server resources, and increase application availability and scalability with Application Request Routing. Use this forum to ask questions, discuss issues, request features, and get support.enCommunityServer 2007 SP1 (Build: 20510.895)http://forums.iis.net/thread/1910471.aspxThu, 16 Jul 2009 01:15:16 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1910471anilr0http://forums.iis.net/thread/1910471.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1154&PostID=1910471<p>No, there is no secure way to do this without actually authenticating on the backend server&nbsp;- you could add the LOGON_USER to a request header which is picked up the backend application server but if the clients can directly hit the backend server, they can spoof it easily.</p>http://forums.iis.net/thread/1906779.aspxFri, 12 Jun 2009 14:40:37 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1906779AMCGremlin0http://forums.iis.net/thread/1906779.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1154&PostID=1906779<p>Thanks for the fast response.</p> <p>We use Windows Authentication. The user must authenticate in IIS on server A using a domain account. Once the user has authenticated, the request gets forwarded to the JBoss app on server B. JBoss uses the LOGON_USER value to identify the user. Since we synchronize via LDAP with AD and store the user names within our db, we simply match the LOGON_USER with the names locally held. Since authentication has been completed we do not require further authentication within the application.</p> <p>This provides us with a simple form of single sign-on. </p> <p>Today we use IIS6 and the mod_jk ISAPI filter for this. We would like to replace IIS6 and the ISAPI filter with IIS7 and ARR. In some cases server A and server B are different machines (e.g. server A is outside the firewall and server B is inside) so as to provide additional isolation between the application and the internet. In other cases (e.g. single sign-on is the primary requirement within a corporate intranet) IIS and mod_jk are located on the same server as JBoss. </p> <p>Given this situation, is there a way to configure IIS7/ARR so the LOGON_USER value contains the authenticated user name when the request is received on server B? Or is there a better way to configure things to achieve the same results we are seeking? </p> <p>Thanks again.</p>http://forums.iis.net/thread/1906768.aspxFri, 12 Jun 2009 14:09:06 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1906768anilr0http://forums.iis.net/thread/1906768.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1154&PostID=1906768<p>You did not specify what kind of authentication you are using, one of the IIS builtin ones or something custom, you probably&nbsp;need to not do authentication on server A so that the authentication information is sent as-is to server B.</p>http://forums.iis.net/thread/1906760.aspxFri, 12 Jun 2009 12:44:53 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1906760AMCGremlin0http://forums.iis.net/thread/1906760.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1154&PostID=1906760I am trying to use IIS Integrated Authentication to authenticate users on server A before forwarding requests via URL Rewrite to a JBoss/Jetty application on server B. Although the users are forced to authenticate on server A, the request header received by Jetty contains a null value for LOGON_USER. Is this expected behavior or have I done something wrong? Thanks.