ARR Unable to pass through Windows Authentication
Last post Jun 23, 2016 06:09 AM by Jean Sun
Jun 21, 2016 06:04 PM|wrh
I'm using ARR as a reverse proxy only and I am trying to use Windows Authentication to
authorize access to an internal web service.
The reverse proxy works fine with Basic Authentication but not Windows Authentication.
My physical setup is a single Windows 2008 R2 server with an externally accessible website,
an internal Web API service and ARR, all on the same server. I haven't added anything under
Server Farm since everything is on the same machine.
I've set the external website and the internal web API site to Windows Authentication only
and the server and default website to allow anonymous only. I've set useAppPoolCredentials to
true where Windows Authentication is set.
I've tried restricting authentication providers to just NTLM to avoid Kerberos/SPN complications
and I have also tried including Negotiate so Kerberos will be used.
I've set up SPNs for the server NetBIOS and FQDN and the Website and Web Service FQDN
using the single domain account used as app pool identity by the ARR, the external website and
the internal web service. (setspn -s HTTP/<FQDN> domain/account)
I can browse directly to the internal web service and my Windows authentication is successful,
but if I use the external website the rewritten request to the web service receives a 401.1 error.
In Fiddler I can see three requests from my browser to the external website. The last two have
my Windows authentication in the header. On the server the IIS log for the internal web service has
no Windows account information on the request.
Why would ARR be failing to pass my Windows credentials to the service?
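Added example, not part of the original post: the check wrh describes (the internal web service's IIS log showing no Windows account on the proxied request) can be repeated by parsing the W3C log and grouping 401 sub-statuses per client address and URI. The log lines, addresses, paths and account name below are constructed, and the log is assumed to include the cs-username, c-ip, cs-uri-stem, sc-status and sc-substatus fields.

```python
from collections import defaultdict

# Constructed sample of an IIS W3C extended log (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2016-06-21 18:00:01 GET /api/direct - 10.0.0.5 401 2 5
2016-06-21 18:00:01 GET /api/direct - 10.0.0.5 401 1 2148074254
2016-06-21 18:00:01 GET /api/direct EXAMPLE\\alice 10.0.0.5 200 0 0
2016-06-21 18:00:09 GET /api/proxied - 127.0.0.1 401 2 5
2016-06-21 18:00:09 GET /api/proxied - 127.0.0.1 401 1 2148074254
2016-06-21 18:00:09 GET /api/proxied - 127.0.0.1 401 1 2148074252
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def auth_summary(text):
    """Per (client IP, URI): 401 sub-status counts and any account IIS logged."""
    summary = defaultdict(lambda: {"401": defaultdict(int), "users": set()})
    for row in parse_w3c(text):
        entry = summary[(row["c-ip"], row["cs-uri-stem"])]
        if row["sc-status"] == "401":
            entry["401"][row["sc-substatus"]] += 1
        if row["cs-username"] != "-":  # "-" means no account was logged
            entry["users"].add(row["cs-username"])
    return summary

def unauthenticated(text):
    """Keys that were challenged but never produced a request with an account."""
    return sorted(k for k, v in auth_summary(text).items()
                  if v["401"] and not v["users"])

if __name__ == "__main__":
    for (ip, uri), v in sorted(auth_summary(SAMPLE_LOG).items()):
        print(ip, uri, dict(v["401"]), sorted(v["users"]) or "no account logged")
```

Running the same summary over the logs of both the external site and the internal service shows at which hop the account stops appearing.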
Jun 22, 2016 05:52 AM|Jean Sun
You need to configure the ARR to use Windows Authentication.
Configure Application Request Routing with Windows Authentication, Kerberos
Jun 22, 2016 02:26 PM|wrh
Thanks for the suggestion. I had read and followed that post and described what I have done in my post. Do you see anything I've missed? I don't.
Jun 23, 2016 06:09 AM|Jean Sun
Please check this:
Use a domain account on all the IIS servers and the ARR server to run the application pool that is associated with the web site responding to client requests through ARR and with the Windows Authenticated IIS Server Farm Servers.