all Technical posts

Pre-authenticating external clients in non-claims-aware applications with the Server 2012 R2 ADFS Web Application Proxy

The Web Application Proxy service in Windows Server 2012 can be used to provide pre-authentication and backend authorization to non-claims aware applications published with Integrated Windows Authentication (IWA) using Kerberos for external clients.

Korneel Vanhie
5 May 2014

One of our customers that is using Master Data Services in an environment provided by us, requested the possibility for the users to log on using their Office 365 credentials. For most web applications this is fairly simple, but the MDS Web service is not a claims-aware application. MDS uses Integrated Windows authentication and authorization based on the user’s Active Directory Account.

For users inside your organization this can be solved by using a reverse proxy. The Web Application Proxy service in Windows Server 2012 can provide pre-authentication for non-claims aware applications published with Integrated Windows Authentication (IWA) using Kerberos

ADFS Proxy Setup

When using an external claims provider this is no longer possible; the claims provided by this AD FS can’t be used for delegation.

AD FS provides us with the tools to fix this. In the AD FS Management console we can map the claims provided by the customer and map those to claims the Proxy Server can use to do the delegation. The only information it actually needs is the UPN Claim.

With the “Add Transform Claim Rule Wizard” we are able to map the incoming UPN claim (firstname.lastname@customersuffix.com), to the UPN claim that we would be able to provide in AD (firstname.lastname@oursuffix.com):

ADFS Claims Mapping

If this doesn’t suit your needs you can configure Custom Claim Rules to do more complex operations and even do look-ups in a custom attribute store!

When a client now logs in, the UPN claim is transformed to a claim the proxy server can use for delegation.

If our AD contains a user with UPN firstname.lastname@oursuffix.com we can do Integrated Windows Authentication using Kerberos on our MDS Web Application.

I would not advise this setup if a large number of users are needed and need to be manually created and managed. But for a small number of user it seems to be a good work-around. Depending on the scenario you can also map a group (or other) claim to a user claim to limit the manual work.

Let us know what you think and what issues you encountered. Also let us know of any alternatives for a scenario like this you might have.

Subscribe to our RSS feed

Related articles

Using Renovate to Maintain NuGet, Docker and Other Dependencies

Renovate automatically checks if there are new versions of your NuGet & Docker dependencies and helps to keep them up to date via automatic pull requests

How to Debug Through External Code ?

This article will guide you through the process of exposing the debug-information for your project using a symbol server on VSTS with private build agents.We'll focus on exposing the symbols using IIS while pointing out some caveats along the way.

Codit's Connected Car - Taking a Look Under the Hood

Recently a few colleagues of us participated in The Barrel Challenge, a 3,500-kilometer relay tour across Europe, riding in a 30-years-old connected car.We wouldn't be Codit if we didn't integrate the car with some sensors to track their data in real-time. The installed sensors in the classic Ford Escort car…

Send blog to my inbox

Invalid email address

Submit

Thanks, we've sent the link to your inbox

Invalid email address

Submit

Your download should start shortly!

Stay in Touch - Subscribe to Our Newsletter

Keep up to date with industry trends, events and the latest customer stories

Invalid email address

Submit

Great you’re on the list!