
I have a .NET web application running on IIS behind the firewall.
The application is using Windows authentication (NTLM) to authenticate users.
I need to make this application accessible from the Internet so that:

  • When a user tries to access the application, a login form is shown, generated by [Reverse Proxy].
  • The user enters login and password and submits the form.
  • [Reverse Proxy] matches external credentials to Windows credentials; we are OK to store Windows domain logins and passwords in some DB.
  • [Reverse Proxy] provides access to web application using provided credentials.

To be clear, I do not want NTLM passthrough to the user, I need [Reverse Proxy] to speak to IIS on the user's behalf instead. The user may enter different credentials, may use another authentication type (Google, FB etc.) and [Reverse Proxy] will match the external account to the internal one. E.g. employees will configure the external accounts they want to use to access the intranet portal.

What are my options?
Can I use Nginx or Squid to implement such a scenario with the help of a custom module / plugin?

3 Answers


It almost sounds like SAML or OAuth would be a good option for you. Have you looked down that path at all? Typically it's used for delegating another site's credentials, but it should work for internal sites as well. You'd probably have to build a custom front end in your DMZ though.

Eric C. Singer

The fact that you want your reverse proxy to do this complicates it a bit. I do not know of any out-of-the-box proxy software that does this, but some of Juniper's VPN appliances offer a web interface that not only allows users to start a VPN connection, but can also be used as such a proxy indeed after the user has authenticated to the VPN appliance web interface.

Dennis Kaarsemaker

It's not a good idea to use a reverse proxy for this goal. Windows Authentication is meant to be used only in an intranet application. There are many reasons why you don't want this; some of them can be found here. The most important one is that you're opening a way from your DMZ to your internal network, which can be abused by hackers.

You should use a VPN to acquire the goal you're looking for. Here is a list of free VPN software. My personal favorite is OpenVPN.

Another possibility is to use Forms Authentication in the web application and use separate credentials for your users to log on to the web application.
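As an added illustration of that last suggestion (example config, not from the answer's author): the `web.config` change that moves the application from Windows authentication to Forms Authentication, so the Internet-facing app never needs domain credentials. The login path and timeout are placeholders; the IIS site must also have Anonymous authentication enabled and Windows Authentication disabled for this to take effect.

```xml
<!-- BEFORE: intranet-only setup, relies on NTLM from the user's domain session -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />   <!-- reject anonymous users -->
    </authorization>
  </system.web>
</configuration>

<!-- AFTER: application-level login with separate, non-domain credentials -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"  <!-- placeholder login page -->
             timeout="30"               <!-- minutes; placeholder -->
             requireSSL="true"          <!-- auth cookie only over HTTPS -->
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- unauthenticated users are redirected to loginUrl -->
    </authorization>
  </system.web>
</configuration>
```

Users are then validated by the application against its own credential store (for example ASP.NET Membership or Identity), not against the Windows domain.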