Kerberos UPN vs bare username with Web Application Proxy vs IE

I'm having an issue with Kerberos authentication behaving differently for external Web Application Proxy users than for internal Internet Explorer users. I originally asked about this on the Windows Server forums, but it was suggested that I might find more relevant expertise here on the IIS forums.

I have a third-party web application (non-claims-aware) that runs in IIS using Windows Authentication. The only authentication provider enabled in IIS is "Negotiate." The IIS box is Server 2012 R2.

Internal domain clients access the IIS box directly from Internet Explorer (automatic sign-in). External clients access it via Web Application Proxy with Kerberos delegation (after signing in to ADFS).

In both cases, users get authenticated properly. But the application ends up seeing a different username depending on which method the user came in on.

For internal users, the application sees the username as being just the bare username with no prefix or suffix (e.g. "someguy"). For external users, the application sees the username as being the full UPN (e.g. "someguy@example.com"). Unfortunately, this results in the application's internal logic treating each scenario as a separate user. The third-party developer does not want to change their application. They insist that they just take whatever username string IIS provides them.

How can I configure WAP and/or IE and/or IIS so that the application receives the username in the same format for both WAP users and internal IE users?
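As an added illustration (not code from the poster or from the application in question) of why the two paths look like different users, here is a parser for the three identity formats Windows Authentication in IIS can hand an application, the bare name and the UPN from the post plus the down-level DOMAIN\user form, normalized to one comparable principal. The default domain and the NetBIOS-to-DNS mapping are assumptions for the example, not values from the post.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Principal:
    """Canonical identity: DNS-style domain plus sAMAccountName, both lowercased."""
    domain: str
    user: str


def parse_windows_identity(
    name: str,
    default_domain: str,
    netbios_to_dns: Optional[Dict[str, str]] = None,
) -> Principal:
    """Normalize the identity string an IIS application receives.

    Handles the three shapes seen in practice:
      bare        'someguy'              (what the post sees from internal IE users)
      UPN         'someguy@example.com'  (what the post sees from WAP users)
      down-level  'EXAMPLE\\someguy'     (NetBIOS domain prefix)

    default_domain is the DNS domain assumed for bare names (assumption for
    this example). netbios_to_dns maps NetBIOS names to DNS domains so that
    'EXAMPLE\\someguy' and 'someguy@example.com' compare equal; the mapping
    here is constructed for the example, not taken from the post.
    """
    name = name.strip()
    if not name:
        raise ValueError("empty identity string")
    if "@" in name:
        # UPN: split on the last '@' so the user part may not itself contain one.
        user, _, domain = name.rpartition("@")
        if not user or not domain:
            raise ValueError(f"malformed UPN: {name!r}")
    elif "\\" in name:
        # Down-level logon name: NetBIOS domain, then user.
        netbios, _, user = name.partition("\\")
        if not netbios or not user:
            raise ValueError(f"malformed down-level name: {name!r}")
        domain = (netbios_to_dns or {}).get(netbios.lower(), netbios)
    else:
        # Bare sAMAccountName: the only way to compare it is to assume a domain.
        domain, user = default_domain, name
    # Windows account names are case-insensitive, so lowercase before comparing.
    return Principal(domain.lower(), user.lower())
```

Note that the bare form can only be matched to the UPN form by assuming a domain, which is exactly the information the internal IE path drops; if a user's UPN suffix differs from the DNS domain (an alternative UPN suffix), the assumed default will not match and the two would still be treated as separate users.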
