
Redundant login prompt when using Azure AD App Proxy single sign-on


Hi, I'm using Azure AD Application Proxy to make our internal Passwordstate instance available from outside the LAN without a VPN connection, while also enforcing MFA and other conditional access rules. To implement single sign-on, I've set up the Azure application to use Kerberos Constrained Delegation, which sends an authentication token for the logged-in Azure AD user (synced from the on-prem AD user) through to the on-premises IIS app. This all seems to be working fine as far as IIS is concerned: I can navigate to the App Proxy URL (https://passwordstate.[ourdomain].com), and the IIS logs on our Passwordstate server show my requests with my UPN as the authenticated on-premises AD user.


However, Passwordstate doesn't seem to be recognizing the fact that IIS considers me to be authenticated. Instead of being logged in automatically (since I have Passthrough AD selected in Passwordstate's authentication options), I see Passwordstate's "manual AD" login page (/logins/loginadan.aspx).


Note that I have Anonymous auth disabled in IIS, so if I truly weren't authenticated, I wouldn't be able to see the loginadan.aspx page at all - IIS would request a Windows token from my browser first.


Any advice/suggestions would be much appreciated!


I managed to work around this issue by selecting "On premises SAM account name" instead of the default "User principal name" in the SSO settings for the AzureAD application. In my case this change took a few hours to propagate down to my app proxy connector, which made it seem like it wasn't working.

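An added diagnostic for the check described in the thread (it is not code from the original posts or from Passwordstate): it parses IIS W3C log lines and reports which identity form the App Proxy connector's KCD ticket actually delivered in cs-username, so a UPN-vs-sAMAccountName mismatch like the one above is visible before and after changing the SSO identity setting. The log lines, field list and user names are constructed samples.

```python
# Classify the Windows identity IIS records (cs-username) behind Azure AD App Proxy KCD.

# Constructed sample: a #Fields directive plus hits seen with the UPN delegated
# identity, one after switching to the on-premises SAM account name, and one
# request with no Windows identity at all.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 09:15:01 10.0.0.5 GET /default.aspx - 443 jdoe@corp.example 10.0.0.9 Mozilla/5.0 302
2024-01-10 09:15:02 10.0.0.5 GET /logins/loginadan.aspx - 443 jdoe@corp.example 10.0.0.9 Mozilla/5.0 200
2024-01-10 13:40:11 10.0.0.5 GET /default.aspx - 443 CORP\\jdoe 10.0.0.9 Mozilla/5.0 200
2024-01-10 13:40:12 10.0.0.5 GET /default.aspx - 443 - 10.0.0.9 Mozilla/5.0 401
"""


def identity_form(username: str) -> str:
    """Return 'anonymous', 'upn', 'domain\\sam' or 'sam' for an IIS cs-username value."""
    if username == "-":
        return "anonymous"  # IIS logs '-' when no Windows identity was established
    if "@" in username:
        return "upn"  # user@domain form, as delivered with the default UPN setting
    if "\\" in username:
        return "domain\\sam"  # down-level DOMAIN\\user form
    return "sam"


def parse_iis_log(text: str) -> list[dict]:
    """Parse W3C-format IIS log text into dicts keyed by the names in #Fields."""
    fields: list[str] = []
    rows: list[dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def summarize_identities(text: str) -> dict[str, int]:
    """Count requests per identity form so a mismatch with the app's expectation stands out."""
    counts: dict[str, int] = {}
    for row in parse_iis_log(text):
        form = identity_form(row["cs-username"])
        counts[form] = counts.get(form, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize_identities(SAMPLE_LOG))
```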
