IIS 7 and Above
add x-forwarded-for to downstream headers
Last post Feb 07, 2019 04:06 PM by amfa2
Jan 17, 2019 06:06 PM|amfa2|LINK
I have a local LAN setup. Client 10.5.x.1 ===> IIS 10.5.x.2 ===> ADFS 10.5.x.3. After login, (ADFS redirects user back to IIS)
The client uses a web browser to access a website (https://websrv.domain.com/claimapp) running on IIS.
IIS then performs an SSO and redirects the user to (https://adfs.domain.com/.......)
I would like to add the x-forwarded-for (real client IP 10.5.x.1) into the headers when IIS redirects the client to ADFS.
(We have a custom ADFS adapter and we need to get the real local lan client IP from the headers.)
Jan 18, 2019 08:27 AM|Jalpa Panchal|LINK
If you want to add the real client IP address behind the proxy to your request header via ARR, you need to add X-Forwarded-For. You could set this header via IIS Manager -> Server Farm -> Proxy -> Preserve client IP in the following header: X-Forwarded-For.
If you want to see it in the log, you can follow the link below:
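The applicationHost.config fragment below is the equivalent of the IIS Manager setting described in the post above. It is an added example, not configuration from the thread or from Microsoft's ARR documentation. The farm name `adfsFarm`, the rewrite rule name, and the host names are assumed for the thread's topology (websrv.domain.com fronting adfs.domain.com); the attribute names are as I recall them from the ARR schema and should be checked against `arr_schema.xml` under `%windir%\system32\inetsrv\config\schema` on the installed ARR version before use.

```xml
<configuration>
  <system.webServer>
    <!-- Global ARR proxy settings ("Server Proxy Settings" in IIS Manager).
         xForwardedForHeaderName is the "Preserve client IP in the following
         header" box. ARR appends the connecting client's address to any
         X-Forwarded-For value the client already sent, so the proxy-added
         entry is always the right-most one; the receiving side must not
         trust entries to the left of it. -->
    <proxy enabled="true"
           preserveHostHeader="false"
           reverseRewriteHostInResponseHeaders="true"
           xForwardedForHeaderName="X-Forwarded-For" />

    <rewrite>
      <globalRules>
        <!-- Assumed rule: route the /claimapp path on websrv to the ADFS farm. -->
        <rule name="claimapp-to-adfs" stopProcessing="true">
          <match url="^claimapp/(.*)" />
          <action type="Rewrite" url="https://adfsFarm/{R:1}" />
        </rule>
      </globalRules>
    </rewrite>
  </system.webServer>

  <webFarms>
    <webFarm name="adfsFarm" enabled="true">
      <server address="adfs.domain.com" enabled="true" />
      <applicationRequestRouting>
        <!-- Per-farm copy of the same setting (the farm's own Proxy page).
             Leave it at the global default unless this farm needs a
             different header name. -->
        <protocol xForwardedForHeaderName="X-Forwarded-For" />
      </applicationRequestRouting>
    </webFarm>
  </webFarms>
</configuration>
```

Note that a client can still send its own X-Forwarded-For header to websrv; ARR does not strip it, it appends to it. Whatever consumes the header on the ADFS side therefore has to read it from the right, treating only the entry added by the trusted ARR hop as authoritative.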
Jan 18, 2019 12:49 PM|amfa2|LINK
Thank you for your reply. I'll have a look at your solution.
But we are not actually running a proxy per se.
The client connects to IIS, and IIS "forwards" the connection to ADFS, where the client interacts with the ADFS directly.
It's during this "forwarding" that we need IIS to push the client IP into the headers of the "forwarding".
Jan 19, 2019 07:46 AM|mahamr|LINK
If the client is connecting directly to the ADFS server(s) then why do you need IIS to add the XFF header since the server already has it?
Jan 24, 2019 11:35 AM|amfa2|LINK
Client ===> IIS Application.
IIS Application forwards Client to ====> ADFS
Our ADFS MFA Adapter is showing the Header IP of the ADFS Server, not the Client.
I think I must need to go to an ADFS forum for assistance on this.
Jan 25, 2019 02:30 AM|Jalpa Panchal|LINK
You could post your question here:
Jan 25, 2019 03:59 AM|mahamr|LINK
Sounds like the IIS application is a reverse proxy. If you're using URL Rewrite + ARR then Jalpa's first post has the info you need. ARR can be configured to add the X-Forwarded-For HTTP header to the forwarded request. Then, when ADFS gets it, the header can be parsed (if ADFS supports that) and the client IP extracted.
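The parsing step mentioned above is where most X-Forwarded-For deployments go wrong, so here is a worked example of doing it safely. It is added code, not part of the thread and not ADFS, ARR, or the poster's adapter. It assumes concrete addresses for the thread's masked topology (ARR at 10.5.0.2 as the only proxy ADFS should trust, the LAN client at 10.5.0.1), and it assumes ARR's documented behaviour of appending the peer address to any existing X-Forwarded-For value, optionally with a `:port` suffix when "Include TCP port from client IP" is enabled. It goes a little beyond the thread by also handling a client that pre-fills a bogus entry and a client that bypasses the proxy entirely; the sample requests at the bottom are constructed.

```python
"""Derive the real client address from X-Forwarded-For behind a known proxy.

Added example, not code from the forum thread, ARR or ADFS. Addresses are
assumed stand-ins for the thread's 10.5.x.n topology: the ARR host is
10.5.0.2 and is the only peer whose X-Forwarded-For entries are trusted.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Assumption: the only reverse proxy that sits in front of ADFS.
TRUSTED_PROXIES = (ip_network("10.5.0.2/32"),)


def _strip_port(hop: str) -> str:
    """Drop a trailing :port that ARR can add ("10.5.0.1:54321", "[::1]:443")."""
    if hop.startswith("["):
        end = hop.find("]")
        return hop[1:end] if end > 0 else hop
    if hop.count(":") == 1:          # IPv4 with port; bare IPv6 has more colons
        return hop.split(":", 1)[0]
    return hop


def _is_trusted(addr, trusted: Iterable) -> bool:
    return any(addr in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address of the nearest hop that is not a trusted proxy.

    The chain is read right to left because each proxy appends its own peer
    address; everything further left was supplied by untrusted parties and
    can be forged by the client.
    """
    if not _is_trusted(ip_address(remote_addr), trusted):
        # Direct connection: any header present was written by the client.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(_strip_port(hop))
        except ValueError:
            return remote_addr          # malformed chain: fall back to the TCP peer
        if not _is_trusted(addr, trusted):
            return str(addr)
    return remote_addr                  # no untrusted hop: the proxy itself is the peer


# Constructed requests as ADFS would see them: (TCP peer address, X-Forwarded-For).
SAMPLE_REQUESTS = [
    ("10.5.0.2", "10.5.0.1"),                # normal hop through ARR
    ("10.5.0.2", "10.5.0.1:54321"),          # ARR set to include the TCP port
    ("10.5.0.2", "203.0.113.9, 10.5.0.1"),   # client pre-filled a bogus entry
    ("10.5.0.2", None),                      # ARR without the header configured
    ("10.5.0.1", "203.0.113.9"),             # client bypassed ARR and spoofed XFF
]

if __name__ == "__main__":
    for peer, header in SAMPLE_REQUESTS:
        print(f"peer={peer:<10} xff={header!s:<24} -> client={client_ip(peer, header)}")
```

The same right-to-left rule applies whether the consumer is a custom ADFS adapter, a claims rule, or a log pipeline: the TCP peer must be a known proxy before the header is consulted at all, and only the entry that proxy appended can be attributed to the client.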
Feb 07, 2019 04:06 PM|amfa2|LINK
In the end we solved this by creating our own IP Discovery service and just called it from an invisible IFRAME in our ADFS Adapter.
There was no clear way inside MSFT's ADFS Adapter "Jail House" to reliably get to the client IP Address, even though ADFS clearly had it in the claims.
This solution works for public or private requests through ADFS.
Marking this as solved by me.