Mike Powell, posted December 14, 2020

Hi, I'm using Azure AD Application Proxy to make our internal Passwordstate instance available from outside the LAN without a VPN connection, while also enforcing MFA and other conditional access rules. To implement single sign-on, I've set up the Azure application to use Kerberos Constrained Delegation, which sends an authentication token for the logged-in Azure AD user (synced from the on-prem AD user) through to the on-premises IIS app. This all seems to be working fine as far as IIS is concerned: I can navigate to the App Proxy URL (https://passwordstate.[ourdomain].com), and the IIS logs on our Passwordstate server show my requests with my UPN as the authenticated on-premises AD user. However, Passwordstate doesn't seem to be recognizing the fact that IIS considers me to be authenticated. Instead of being logged in automatically (since I have Passthrough AD selected in Passwordstate's authentication options), I see Passwordstate's "manual AD" login page (/logins/loginadan.aspx). Note that I have Anonymous auth disabled in IIS, so if I truly weren't authenticated, I wouldn't be able to see the loginadan.aspx page at all - IIS would request a Windows token from my browser first. Any advice/suggestions would be much appreciated!
Mike Powell (author), posted December 15, 2020

I managed to work around this issue by selecting "On premises SAM account name" instead of the default "User principal name" in the SSO settings for the Azure AD application. In my case this change took a few hours to propagate down to my app proxy connector, which made it seem like it wasn't working.
support, posted December 15, 2020

Hi Mike, We're glad you have this all working now. It is a bit odd that app proxy takes that long to propagate changes though, making it quite difficult for you to do testing with. Regards, Click Studios
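The diagnostic the first post relies on is the cs-username field in the IIS W3C log, and the fix in the second post is about which name form (UPN vs. DOMAIN\sam) the App Proxy connector delegates to IIS. The following is an added example, not Passwordstate or Click Studios code: it parses an IIS W3C log (a constructed sample, not the poster's log) and reports which identity form IIS recorded for requests to a given path, so a practitioner can confirm what is actually reaching the app before changing the SSO setting.

```python
"""Report which identity form IIS logged for requests to a given URL path.

Assumes a standard IIS W3C log with a '#Fields:' header naming the columns
(at minimum cs-uri-stem and cs-username). The log below is constructed for
this example; the user and domain names are placeholders.
"""

# Constructed sample: the same login page requested with a UPN identity,
# a DOMAIN\sam identity, and anonymously (cs-username is '-').
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-12-14 10:00:01 10.0.0.5 GET /logins/loginadan.aspx - 443 mike@example.com 10.0.0.9 200
2020-12-14 10:00:02 10.0.0.5 GET /logins/loginadan.aspx - 443 EXAMPLE\\mike 10.0.0.9 200
2020-12-14 10:00:03 10.0.0.5 GET /logins/loginadan.aspx - 443 - 10.0.0.9 401
2020-12-14 10:00:04 10.0.0.5 GET /images/logo.png - 443 mike@example.com 10.0.0.9 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) carry no entries
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # skip entries that do not match the declared layout
        yield dict(zip(fields, values))


def identity_form(username):
    """Classify an IIS cs-username value: 'upn', 'sam', 'anonymous' or 'unknown'."""
    if username == "-":
        return "anonymous"  # no Windows identity was established
    if "@" in username:
        return "upn"  # user@domain form, e.g. what KCD passed in the first post
    if "\\" in username:
        return "sam"  # DOMAIN\sAMAccountName form
    return "unknown"


def identity_forms_for_path(text, path):
    """Count identity forms seen on requests whose cs-uri-stem equals path."""
    counts = {}
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() != path.lower():
            continue
        form = identity_form(row.get("cs-username", "-"))
        counts[form] = counts.get(form, 0) + 1
    return counts


if __name__ == "__main__":
    print(identity_forms_for_path(SAMPLE_LOG, "/logins/loginadan.aspx"))
```

If every authenticated hit on the login page shows up as "upn", the connector is delegating the UPN form, which matches the situation the first post describes.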