2

I'm hoping someone maybe able to help by either helping identify what I'm missing, or confirming if indeed it's possible.

Background

We have a new Azure VM with Windows 2019 Datacenter on and IIS installed.

  • The machine is Azure AD Joined.
  • I can log into the VM via RDP with my Azure AD account.
  • We do not have a local AD.
  • We do not have AAD Domain Services.
  • The VM is accessible only via a VPN connection.
  • On IIS, the default website has been switched to Integrated Windows Authentication only.

The VM has a DNS 'A' record that points to it's IP address. e.g catchyname.ourdomain.com resolves to the VM. This is set up both in our Private Azure DNS for the internal Azure network and our external DNS provider.

Problem

When logged into the VM directly, I can access the default IIS Welcome page, by browsing to http://machinename/ or via http://localhost and it is served correctly.

If I try to navigate to the same page via http://127.0.0.1, via http://catchyname.ourdomain.com or via the machines IP address the user is challenged for a user name and password. Interestingly, the challenge box recognises my AD user (as I'm signed into the VM with) and requests the PIN that accompanies it but fails to accept any input and responds with a 401.2.5 error and the message:

You are not authorised to view this page due to invalid authentication headers.

When I check the logs, for successful requests I can see that the source IP Address in the IIS logs is shown as ::1

If I log into web another application on the box (SSRS2017) which relies on Integrated Windows Authentication using the correct URL i.e. http:/machinename/Reports/browse, it also lets me in and displays the user I'm logged in correctly as as AzureAD\MyUserName

If I add machinename to my C:\Windows\System32\drivers\etc\hosts file and try browse to it remotely via http:/machinename/ it also fails.

Question

Is it possible to enable AAD Authentication for sites in IIS that are resolved via a DNS alias that performs in the same manner as when I navigate by the machine name or via localhost? If it is, what steps do I need to take?

If I can resolve this, my next step is to see if we can enable these websites using this method of authentication for our Windows desktops that are also Azure AD joined, so normal users can browse to the sites on the VM and access them successfully.

Things I've Tried

I've googled muchly over the last 24 hours, and investigated articles that recommend registry changes to disable loopback check for local IIS websites, I've read articles on configuring federated auth for .NET apps but with the feeling I'm going too deep at this point.

I keep circling back to the fact that if I browse to http:\\localhost\ everything seems to work and I don't know why this would be different for http:\\dns-alias\

Can anybody help?

Thanks!

Paul
  • 23
  • 1
  • 4

1 Answers1

4

What you're doing will not work, here is why with some alternatives:

You have enabled Windows Integrated Authentication, that really depends on a domain environment to work correctly, which you do not have: https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication

IIS does not understand Azure AD accounts authentication, IIS will not talk to Azure AD at all for authentication because it simply lacks that feature, doesn't matter what your DNS record is or where it is pointing: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/

You possible options moving forward is to:

  1. Ask your development team to integrate Azure AD authentication within the app code (if you own the app and have access to the code, not my preferred method if you don't want to invest in changing code): https://docs.microsoft.com/en-us/aspnet/visual-studio/overview/2012/windows-azure-authentication
  2. Use Azure AD to publish your app online without the need to use VPN, using a simple proxy service from Microsoft called Azure AD Application Proxy, you install it on the IIS server, register the app online and do some configuration and that's it, your app can be accessed securely anywhere. Best part is that you can use things like Azure AD Authentication and even Azure AD Conditional Access Policies.

There's a lot to read here, have fun learning:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Noor Khaldi
  • 3,869
  • 3
  • 19
  • 28
  • Noor, Thanks for pointing out a) the problem but also b) very clear way forwards! I must admit I'm not a fan of option 1 as I was hoping to enable this for some apps where we have no control over the code base so option 2 looks to be an obvious winner. Unfortunately, I'm currently can't to test it as our AAD environment isn't a Premium subscription however from my initial reading it looked like exactly what we needed which is a shame. I'll mark this answer as accepted though and hope to secure a trial of premium AAD in the future. Thanks, Paul. – Paul Jun 08 '20 at 15:50
  • Sure thing, glad I was able to help – Noor Khaldi Jun 08 '20 at 21:13