{"id":38,"date":"2015-01-30T18:10:05","date_gmt":"2015-01-30T18:10:05","guid":{"rendered":"http:\/\/172.23.1.43\/?p=38"},"modified":"2022-06-07T22:26:30","modified_gmt":"2022-06-07T22:26:30","slug":"web-application-proxy-pre-authentication-feature","status":"publish","type":"post","link":"https:\/\/blog.n-dol.org\/2015\/01\/30\/web-application-proxy-pre-authentication-feature\/","title":{"rendered":"Web Application Proxy \u2013 Pre-authentication feature"},"content":{"rendered":"\n

This article covers Web Application Proxy on Windows Server 2012 R2 only; please review the TechNet pages for other versions.<\/p>\n\n\n\n

ADFS Pre-authentication<\/h1>\n\n\n\n
\"WebApplicationProxyCommunication\"<\/figure>\n\n\n\n
  1. The user accesses a proxied application<\/li>
  2. The Web Application Proxy contacts ADFS to check the Relying Party Trust rules<\/li>
  3. The ADFS server sends back the validation<\/li>
  4. The Web Application Proxy asks the KDC for a Kerberos ticket on behalf of the user<\/li>
  5. The KDC sends back a Kerberos ticket if the user was validated<\/li>
  6. The WAP forwards the Kerberos ticket to the web application<\/li>
  7. The web server verifies the Kerberos token and sends the web page<\/li>
  8. The proxy forwards the HTTP flow to the user<\/li><\/ol>\n\n\n\n\n\n\n\n

    ADFS Configuration<\/h1>\n\n\n\n

    To perform pre-authentication, you need to add a Non-Claims-Aware Relying Party Trust for the application.<\/p>\n\n\n\n

    To do that:<\/p>\n\n\n\n

    1. Connect to the ADFS server<\/li>
    2. Open the ADFS Management Console<\/li>
    3. Go to Relying Party Trusts<\/li>
    4. Then click on Add a Non-Claims-Aware Relying Party Trust<\/li>
    5. Give a display name<\/li>
    6. Give a URL identifier; it can be anything but must be unique in your ADFS (it is not used when doing pre-authentication)<\/li>
    7. You can add Multi-Factor Authentication if needed<\/li>
    8. Tick Open the Edit Issuance Authorization Rules<\/li>
    9. Click Add Rule<\/li>
    10. Select Permit All Users<\/li>
    11. Then Next and Finish<\/li>
    12. You’re done<\/li><\/ol>\n\n\n\n

      Kerberos Delegation Configuration<\/h1>\n\n\n\n

      For Kerberos delegation you have to add an SPN and configure Kerberos delegation on the Web Application Proxy Active Directory account
      <\/span><\/p>\n\n\n\n

      N.B.: <\/strong><\/em>Once the application is configured to use Kerberos, users can still authenticate to and use the application via the internal application name<\/p>\n\n\n\n

      Add SPN<\/h2>\n\n\n\n

      You need to add an SPN of type HTTP, with the internal URL, on the Active Directory account that runs the web application (machine account or service account); you can use the machine name as the URL.<\/p>\n\n\n\n

      Example: HTTP\/myinternalapplication.mydomain.tld<\/code><\/p>\n\n\n\n

      Configure Kerberos Delegation<\/h2>\n\n\n\n
      1. Go to the Active Directory Users and Computers console<\/li>
      2. Open the Web Application Proxy account<\/li>
      3. Go to the Delegation tab<\/li>
      4. Click on Trust this computer for delegation to specified services only<\/li>
      5. Click on Use Kerberos only<\/li>
      6. Click Add<\/li>
      7. Click on Users or Computers<\/li>
      8. Type the Active Directory account where you added the SPN<\/li>
      9. Select the corresponding SPN of type HTTP<\/li>
      10. Validate everything<\/li><\/ol>\n\n\n\n

        Web Application Proxy Configuration<\/h1>\n\n\n\n
        1. Go to the Remote Access Management console<\/li>
        2. Click on Publish<\/li>
        3. Select ADFS<\/li>
        4. Select the Non-Claims-Aware Relying Party Trust<\/li>
        5. Give a unique name<\/li>
        6. Add the external URL<\/li>
        7. Select the certificate\n
            \n
          1. A wildcard certificate can be used; the subject name must match the external URL<\/li>\n<\/ol>\n<\/li>
          8. Add the internal URL<\/li>
          9. Add the SPN added previously<\/li>
          10. Click Publish<\/li><\/ol>\n","protected":false},"excerpt":{"rendered":"

            This article covers Web Application Proxy on Windows Server 2012 R2 only; please review the TechNet pages for other…<\/p>\n","protected":false},"author":5614970,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2478882,39106140,159543117],"tags":[672890818,672890819,672890817],"_links":{"self":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/38"}],"collection":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/users\/5614970"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/comments?post=38"}],"version-history":[{"count":8,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/38\/revisions"}],"predecessor-version":[{"id":758,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/38\/revisions\/758"}],"wp:attachment":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/media?parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/categories?post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/tags?post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}