martindca asked ·

Web application proxy for an internal web application with pre-authentication

Hi,
maybe someone has a clue for me on this issue.
So I have a WAP set up with ADFS and it works fine for exposing an ADFS server to the internet.
Now I got the request to replace the TMG server, which could do pre-authentication, and an obvious idea for me is to use the WAP environment.
- I have a web application that is just a plain web application with no authentication, and this needs to be secured
- I added a relying party, non-claims-aware
- I added a web application to the WAP pointing to the website in question
- I expected to get an authentication dialogue from the ADFS server (forms based)

Interestingly, instead of getting that dialogue, I get a 404 from an /adfs/ls?version sign-in URL on the exposed external DNS name.
So a first redirect goes through, but then the login is not shown. Note that the /adfs/ls URL is not pointing to the ADFS server, but to the external address of the web application.
Any ideas why I get a 404?
Best
Martin



adfs

piaudonn answered ·

You can trick the system by creating a dummy relying party trust (not a non-claims-aware RP, but an actual RP with a dummy URI and name). Then you can opt to publish it with ADFS pre-authentication on your WAP and it will do the trick.
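As an added example, not code from the thread or from Microsoft, here is what that answer looks like in PowerShell, with the non-claims-aware variant the question tried shown for contrast. RP names, the dummy identifier, hostnames, backend URL and the certificate thumbprint are placeholders I assumed; the cmdlets and parameters are the standard ADFS and WebApplicationProxy module ones.

```powershell
# Added example (not from the original thread). Placeholders: app.contoso.com,
# fs.contoso.com, the backend URL, the dummy identifier and the thumbprint.

# --- On the AD FS server -------------------------------------------------

# What the question did: a non-claims-aware RP. With this, WAP pre-authenticates
# at AD FS and then uses Kerberos constrained delegation (KCD) to the backend,
# which only works if the backend site itself accepts Kerberos. A site with no
# authentication at all cannot take part in KCD, hence the suggestion below.
#
# Add-AdfsNonClaimsAwareRelyingPartyTrust -Name "Intranet App (KCD)" `
#     -Identifier "https://app.contoso.com/" `
#     -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# What the answer recommends: an ordinary claims-aware RP with a dummy identifier.
# Nothing ever consumes a token for it; it exists only so the WAP can require an
# AD FS logon before forwarding anything to the backend.
$rpName = "AppProxy dummy RP - intranet app"    # assumed name

# The rule below permits every authenticated user. To fence the app off to a
# group, replace it with a rule that permits only that group's SID claim.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier "urn:appproxy:intranetapp" `
    -IssuanceAuthorizationRules $permitAll

# --- On the Web Application Proxy ----------------------------------------

# Public DNS for app.contoso.com must resolve to the WAP, not to the backend
# site; the sign-in redirect to /adfs/ls otherwise lands on whatever the name
# resolves to. The federation service name (fs.contoso.com) is published on the
# WAP separately when the proxy is installed.
$thumb = "0123456789ABCDEF0123456789ABCDEF01234567"   # assumed: cert for app.contoso.com

Add-WebApplicationProxyApplication -Name "Intranet App" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $rpName `
    -ExternalUrl "https://app.contoso.com/" `
    -BackendServerUrl "http://intranet-app.corp.contoso.local/" `
    -ExternalCertificateThumbprint $thumb

# Check what was published: pre-auth must read ADFS and name the dummy RP.
Get-WebApplicationProxyApplication -Name "Intranet App" |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, ADFSRelyingPartyName
```

One caveat worth keeping in mind: this fences the site off behind an AD FS logon, but the backend still receives requests from the WAP anonymously, so the backend must only be reachable through the proxy (firewall it from anything else), otherwise the pre-authentication is trivially bypassed.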

martindca answered ·

Hi,
I was exactly going for that and implemented it. Yet the problem is, I get a reply, then a redirect, and then that /adfs/ls?version sign-in URL, which returns 404. I would expect the web application proxy to serve that page so that people can log in, but it doesn't.
So my question would be: is it expected to redirect to the ADFS authentication URL (which is different from the app URL), or, if the app is registered, are all requests to the "subfolder"/application path /adfs/ handled by the proxy and no longer by the web application?
Best
Martin

2 comments

"I added a relying party, non-claims-aware": this will do Kerberos constrained delegation and will not work if the backend site is not using Kerberos. That's why I mentioned this.

I am not sure what you meant with the other comments. You just need to create 1 publication with the URL used by the clients. That's it. And make sure that the DNS entry points to the WAP address instead of the actual site. It just works in my lab. Can you describe in detail what you've done?
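To check the two things that comment asks about (does the published URL redirect to a sign-in page, and does the name in that redirect resolve to the WAP rather than the site itself), here is an added diagnostic script that is not part of the thread. The app URL and the WAP's public address are assumptions; run it from outside the network, against the external name.

```powershell
# Added diagnostic (not from the original thread). Reproduces the symptom in
# the question: follow the redirect from the published app one hop at a time
# and see who actually answers for the /adfs/ls sign-in URL.
$appUrl  = "https://app.contoso.com/"   # assumed: external URL published on the WAP
$wapAddr = "203.0.113.10"               # assumed: public address of the WAP

function Get-HopWithoutRedirect {
    param([string]$Url)
    # Use HttpWebRequest directly so a 302 is returned instead of being followed.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = "GET"
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx surface as an exception; the response object is still attached.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    [pscustomobject]@{
        Url      = $Url
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers["Location"]
    }
}

# Hop 1: with ADFS pre-authentication engaged, the app URL answers 302 with a
# Location of the form https://<federation host>/adfs/ls/?version=1.0&action=signin&...
$hop1 = Get-HopWithoutRedirect $appUrl
$hop1
if ($hop1.Status -ne 302 -or -not $hop1.Location) {
    Write-Warning "No redirect to AD FS: pre-authentication is not engaged on $appUrl"
    return
}

# Which host is in the sign-in URL, and does that name resolve to the WAP?
$signinHost = ([uri]$hop1.Location).Host
$resolved   = (Resolve-DnsName -Name $signinHost -Type A -ErrorAction Stop).IPAddress
"Sign-in host $signinHost resolves to: $($resolved -join ', ')"
if ($resolved -notcontains $wapAddr) {
    Write-Warning "$signinHost does not resolve to the WAP; /adfs/ls is served by whatever does (a plain web site answers 404)."
}

# Hop 2: the sign-in URL itself. Served by the WAP this is a 200 with the forms
# logon page; served by the backend web site it is the 404 from the question.
$hop2 = Get-HopWithoutRedirect $hop1.Location
$hop2
```

If hop 1 already shows the sign-in URL on the application's own external name, check the federation service name configured on the WAP (Get-WebApplicationProxyConfiguration shows it) and the public DNS records for both names.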

Hi,
I see now, I did not correctly read your comment regarding the relying party. Indeed I created a non-claims-aware one, and not a dummy claims-aware relying party.
I will try that one out and let you know.
Basically I did not set up the environment, I just make use of it and the setup fails. Basically I try to leverage the FBA of our current TMG with WAP (as the TMG needs to go). The exposed web application uses FBA (now with TMG) to authenticate users before showing the contents (the web app itself has no authentication). I thought that a dummy ADFS authentication would fence off non-authorized people, just like the TMG does now.
Best
Martin