question

0 Votes
MACVADSA-2267 asked sikumars-msft commented

Azure Hybrid using Application Proxy for SSO

When trying to access the application I get prompted for credentials and then get a page with the below on it

Bad Gateway:
Incorrect Kerberos constrained delegation configuration on the Active Directory.

If I then run Test application, the report gives the results below, which fail on step 5, Application Authentication:

App report - Application Proxy

External Url Configuration

The external URL is reachable via the internet and correctly configured.

Azure AD Authentication

The current user is assigned to the application and can login to Azure AD or passthrough mode is used.

Connector Setup

The connector is installed on your server and registered correctly with the Application Proxy service.

Application Server

The connector can reach the backend application and receive a response.

Application Authentication

The user cannot authenticate to the single sign-on mode configured for the application.
Incorrect Kerberos constrained delegation configuration on the on-premises Active Directory.
To fix this problem you can:

Review your Single Sign-On settings in the portal and verify that the SPN is defined correctly in the portal as well as on the host machine.

azure-ad-application-proxy

Hello @MACVADSA-2267,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,


1 Answer

0 Votes
sikumars-msft answered

Hello @MACVADSA-2267,

Thanks for reaching out.

Here are the prerequisites for single sign-on with KCD:

For single sign-on to IWA (Integrated Windows Authentication) applications, make sure your environment is ready with the following settings and configurations:

  • Your apps, like Web apps, are set to use Integrated Windows Authentication. For more
    information, see Enable Support for Kerberos Authentication.

  • All your apps have Service Principal Names.

  • The server running the Connector and the server running the app are domain joined and part of the
    same domain or trusting domains. For more information on domain join, see Join a Computer to a Domain.

  • The server running the Connector has access to read the TokenGroupsGlobalAndUniversal attribute
    for users. This default setting might have been impacted by security hardening the environment.

For more information, read:
Kerberos Constrained Delegation for single sign-on (SSO) to your apps with Application Proxy
Troubleshoot Kerberos constrained delegation configurations for Application Proxy

Hope this helps


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
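As an added example that is not part of the answer above or of Microsoft's documentation, the PowerShell script below checks the prerequisites the answer lists from the connector server: that the host is domain joined, that the application's SPN is registered on exactly one account, that the connector's computer account is trusted to delegate to that SPN, and that the tokenGroupsGlobalAndUniversal attribute can actually be read for a test user. The SPN, connector host name and user name are assumed placeholder values and must be replaced with your own; the script needs the ActiveDirectory module from RSAT.

```powershell
# Added example, not from the original thread. Run on the Application Proxy
# connector server. The three values below are assumptions: replace them.
$AppSpn        = 'HTTP/app.corp.example.com'   # SPN entered in the portal SSO settings (assumed)
$ConnectorHost = 'APPPROXY01'                   # connector computer account name (assumed)
$TestUser      = 'jdoe'                          # a user assigned to the application (assumed)

Import-Module ActiveDirectory

# 1. Domain membership: the connector and the app server must share a domain or a trust.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This host ($($cs.Name)) is not domain joined; KCD cannot work from here"
} else {
    Write-Host "Host $($cs.Name) is joined to $($cs.Domain)"
}

# 2. The SPN must exist on exactly one account. A missing SPN, or the same SPN on two
#    accounts, produces the 'Incorrect Kerberos constrained delegation configuration' error.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$AppSpn)" -Properties servicePrincipalName)
switch ($spnOwners.Count) {
    0       { Write-Warning "SPN $AppSpn is not registered on any account" }
    1       { Write-Host "SPN $AppSpn is registered on $($spnOwners[0].DistinguishedName)" }
    default { Write-Warning "SPN $AppSpn is duplicated on: $($spnOwners.DistinguishedName -join '; ')" }
}

# 3. The connector's computer account must list the SPN in msDS-AllowedToDelegateTo
#    (the Delegation tab in Active Directory Users and Computers). TrustedToAuthForDelegation
#    reflects the 'Use any authentication protocol' choice on that tab.
$connector = Get-ADComputer -Identity $ConnectorHost -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$delegated = @($connector.'msDS-AllowedToDelegateTo')
if ($delegated -contains $AppSpn) {
    Write-Host "$ConnectorHost may delegate to $AppSpn (TrustedToAuthForDelegation = $($connector.TrustedToAuthForDelegation))"
} else {
    Write-Warning "$ConnectorHost is not allowed to delegate to $AppSpn; configured targets: $($delegated -join '; ')"
}

# 4. tokenGroupsGlobalAndUniversal is a constructed attribute, so it is fetched explicitly with
#    RefreshCache. Run this part as the account the connector service uses, because that is the
#    identity whose read permission on the attribute matters; an empty result under that
#    identity points at hardening that removed the default read access.
$user  = Get-ADUser -Identity $TestUser
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
$groupCount = $entry.Properties['tokenGroupsGlobalAndUniversal'].Count
if ($groupCount -gt 0) {
    Write-Host "tokenGroupsGlobalAndUniversal is readable for $TestUser ($groupCount group SIDs)"
} else {
    Write-Warning "tokenGroupsGlobalAndUniversal returned nothing for $TestUser; check read permission on the attribute"
}
```

Each warning maps to one item in the answer's list, so a single warning line tells you which prerequisite to revisit before re-running the Test application report.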
