Web Application Proxy – Pre-authentication feature

This article talk about Web Application Proxy but only on Windows Server 2012 R2, please review TechNet pages for other version.

ADFS Pre-authentication

  1. User access to a proxyfied application
  2. The web proxy contact ADFS to check Relying Part trust rules
  3. ADFS Server send back the validation
  4. The Web Application Proxy ask on behalf of the user to KDC a Kerberos Ticket
  5. The KDC sent back a Kerberos ticket if the user was validated
  6. The WAP forward the Kerberos Ticket to the web application
  7. The web server verify the Kerberos token and send the web page
  8. Proxy Forward the http flow to the user

ADFS Configuration

To do a pre-authentication, you need to add a Non-Claims-Aware application relying party trust.

To do that :

  1. Connect to ADFS Server
  2. Open ADFS Management Console
  3. Go to Relying Party Trust
  4. Then click on Add a Non-Claims-Aware Relying Party Trust
  5. Give a display name
  6. Give a URL Identifier, can put anything but must be unique in your ADFS (not used when doing preauthentication)
  7. You can add Multi-Factor authentication, if needed
  8. Tick open the edit Issuance Authorization Rules
  9. Click Add Rule
  10. Select Permit All Users
  11. Then Next and Finish
  12. You’re done

Kerberos Delegation Configuration

For the Kerberos Delegation you have to add some SPN and configure Kerberos Delegation on Web Application Proxy Active Directory account

N.B: Once the application is configured to use Kerberos, user can still authenticate and use the application using the internal application name


You need to had a SPN of type HTTP on the Active Directory account which running the web application (Machine Account or Service Account) with the internal URL, you can use the machine name as an URL.

Exemple: HTTP/myinternalapplication.mydomain.tld

Configure Kerberos Delegation

  1. Go in Active Directory User an Computers console
  2. Open the Web Application Proxy account
  3. Go in the Delegation tab
  4. Click on Trust this computer for delegation to specified services only
  5. Click on Use Kerberos Only
  6. Click Add
  7. Click on User or Computer
  8. Type the Active Directory account where you have added the SPN
  9. Select the corresponding SPN of type HTTP
  10. Validate everything

Web Application Proxy Configuration

  1. Go in Remote Access Management console
  2. Click on Publish
  3. Select ADFS
  4. Select the Non-Claims-Aware Relying party trust
  5. Give a unique name
  6. Add the external URL
  7. Select the Certificate
    1. Wildcard certificate can be used, subject name must match external URL
  8. Add the internal URL
  9. Add the SPN added previously
  10. Click Publish