We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

ARR Unable to pass through Windows AuthenticationRSS

3 replies

Last post Jun 23, 2016 06:09 AM by Jean Sun

  • ARR Unable to pass through Windows Authentication

    Jun 21, 2016 06:04 PM|wrh|LINK

    I'm using ARR as a reverse proxy only and I am trying to use Windows Authentication to
    authorize access to an internal web service

    The reverse proxy works fine with Basic Authentication but not Windows Authentication.

    My physical setup is a single Windows 2008 R2 server with an externally accessible website,
    an internal Web API service and ARR, all on the same server.  I haven't added anything under
    Server Farm since everything is on the same machine.

    I've set the external website and the internal web API site to windows authentication only 
    and the server and default website to allow anonymous only. I've set use AppPoolCredentials to 
    true where Windows Authentication is set.

    I've tried restricting authentication providers to just NTLM to avoid Kerberos/SPN complications
    and I have also tried including Negotiate so Kerberos will be used.

    I've set up SPNs for the server NetBIOS and FQDN and the Website and Web Service FQDM
    using the single domain account used as app pool identity by the ARR, the external website and
    the internal web service. (setspn -s HTTP/<FQDN> domain/account)

    I can browse directly to the internal web service and my windows authentication is successful 
    but if I use the external website the rewritten request to the web service receives a 401.1 error.
    In Fiddler I can see three requests from my browser to the external website. The last two have
    my windows authentication in the header. On the server the IIS log for the internal web service has 
    no windows account information on the request.

    Why would ARR be failing to pass my windows credentials to the service?

  • Re: ARR Unable to pass through Windows Authentication

    Jun 22, 2016 05:52 AM|Jean Sun|LINK

    Hi,

    You need to configure the ARR to use Windows Authentication.

    Configure Application Request Routing with Windows Authentication, Kerberos

    Best Regards,

    Jean

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: ARR Unable to pass through Windows Authentication

    Jun 22, 2016 02:26 PM|wrh|LINK

    Thanks for the suggestion. I had read and followed that post and described what I have done in my post.  Do you see anything I've missed?  I don't.

  • Re: ARR Unable to pass through Windows Authentication

    Jun 23, 2016 06:09 AM|Jean Sun|LINK

    Hi,

    Please check this:

    Configure application pool on ALL IIS servers

    Use a domain account on all the IIS servers and the ARR server to run the application pool that is associated to the web site responding to client requests through ARR and to the Windows Authenticated IIS Server Farm Servers.

    Best Regards,

    Jean

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.