
Reverse proxy, IIS URL Rewrite, URL Authentication Windows vs Basic


Hi IIS Forums,

I've got a Java back-end application that I'm hoping to wrap some security around with IIS, as well as serve web content with IIS. All components are on the same server. The application will then be fire-walled off. 2008 R2, IIS 7.5

Everything works when the Default Web Site is set to basic authentication only (albeit with a sign on prompt). When set to Windows authentication, no sign on is required and the HTML/JS pages are served correctly authenticated, but the routed REST application starts to break, initially throwing 502.3 Bad Gateway, then 400.

Some articles showed issues around double hops - this doesn't quite make sense to me as I would assume basic is also a double hop and that works. When I change my AD role config to fake roles, IIS stops routing the front end and proxied back end as expected.

I have also avoided Kerberos, as generally I'm trying to avoid it, as well as creating an Apache web proxy to handle auth, as I believe IIS is a better offering in terms of a web front end server. Simplicity is also reflected in the choice of Spring Boot to avoid configuring Tomcat.

Feels like I'm missing something; it would be a shame if I couldn't get it working with SSO.

URL Rewrite installed, Web URL auth installed, ARR installed.

Default Web Site Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rewrite requests under MyApplicationRest/ to the back end on localhost:8080 -->
        <rule name="route special application to port 8080" stopProcessing="true">
          <match url="MyApplicationRest/(.*)" />
          <action type="Rewrite" url="http://localhost:8080/{R:1}" />
        </rule>
      </rules>
    </rewrite>
    <security>
      <authorization>
        <!-- Remove the inherited allow-all-users rule at the site root -->
        <remove users="*" roles="" verbs="" />
      </authorization>
    </security>
  </system.webServer>
  <!-- Front end: deny anonymous users, allow the AD role -->
  <location path="MyApplication">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="?" />
          <add accessType="Allow" roles="myDomain\myBusiness role" />
        </authorization>
      </security>
    </system.webServer>
  </location>
  <!-- Proxied REST path: same authorization rules as the front end -->
  <location path="MyApplicationRest">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="?" />
          <add accessType="Allow" roles="myDomain\myBusiness role" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>

Front end
>>Default Web Site port 80, IIS Web App was created containing HTML, JS, Angular calling the Spring Boot back end (http://localhost:80/MyApplication)

Back end
>>Spring Boot application exposing port 8080, no auth (http://localhost:8080/MyApplicationRest/some/rest/path)

