
Issue

We are trying to retrofit a legacy application (TFS) with 2FA auth. It's a lot to explain in detail but the setup is the following:

                           Host A                      Host B
End user - https ->       IIS Proxy      - https ->    IIS App
       - 2FA/kerberos -> Impersonation - kerberos ->

On the IIS Proxy side we developed a .NET app which acts as a reverse proxy (classic pipeline), handles the auth and passes the impersonated Kerberos credentials to the app. For this the IIS Proxy is configured to use Windows Auth (with 401 Challenge). Now the legacy app has two special cases where no authentication is requested:

  1. /_static/* path
  2. JWT token in Authorization header

In these two cases the IIS Proxy should not send a 401 challenge and should simply pass the request through anonymously.

Tries

I assumed it would be possible to write a custom HTTP module which sets SkipAuthorization = true under these conditions:

using System;
using System.Web;

// The module as registered for the proxy site; the question shows only the BeginRequest handler.
public class SkipAuthModule : IHttpModule
{
    public void Init(HttpApplication app) { app.BeginRequest += Context_BeginRequest; }
    public void Dispose() { }

    private void Context_BeginRequest(object sender, EventArgs e)
    {
        var req = HttpContext.Current.Request;
        var authHeader = req.Headers.Get("Authorization");
        var path = req.Url.AbsolutePath;
        // Prefix match: the rule is "/_static/*", so "/x/_static/" elsewhere in the path must not match.
        if (path.StartsWith("/_static/", StringComparison.OrdinalIgnoreCase) ||
            path.StartsWith("/_public/", StringComparison.OrdinalIgnoreCase) ||
            (authHeader != null && authHeader.StartsWith("Bearer ")))
        {
            HttpContext.Current.SkipAuthorization = true;  // only affects ASP.NET authorization, not the IIS challenge
        }
    }
}

But sadly it doesn't work: the IIS proxy still sends a 401 and the proxy app doesn't get called. I'm by no means an IIS expert, but so far I haven't found a precise answer as to whether it is even possible to conditionally skip Windows authentication and continue anonymously.

So if anyone has some hints or a clear "you can't do that" I would appreciate it.

Refs

Various references I've looked at

  1. ARR on IIS to skip windows authentication
  2. https://social.msdn.microsoft.com/Forums/en-US/f42dd667-817d-40bf-8939-dfb619b95462/bypass-login-with-iis-integrated-windows-authentication?forum=aspconfiganddeploy
  3. https://serverfault.com/questions/392606/iis-windows-authentication-except-for-local-machine
davidgiga1993
  • See managing Roles : https://learn.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/roles/creating-and-managing-roles-cs?force_isolation=true – jdweng Nov 24 '21 at 17:19
  • To my understanding the role manager only applies after the IIS authentication module, since to have a role you need to know who the user is – davidgiga1993 Nov 24 '21 at 17:30
  • You can have GUEST roles. By default a connection is a GUEST. – jdweng Nov 24 '21 at 17:38
  • Use a reversed approach. 1. Set up anonymous authentication on IIS for your reverse proxy, so that your module can check if Bearer token is available first. 2. If Bearer token not available, return 401 response with "WWW-Authenticate: Negotiate" header, just like IIS does by default, https://techcommunity.microsoft.com/t5/iis-support-blog/windows-authentication-http-request-flow-in-iis/ba-p/324645 – Lex Li Nov 24 '21 at 18:20
  • @Lex Li That's actually a good idea. Sometimes the obvious is right in front of you.. Thanks! You can post it as an answer if you like – davidgiga1993 Nov 25 '21 at 07:42
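The reversed approach sketched by Lex Li in the comments, written out as an added example. This is not code from the question or from the poster's proxy; the class name, the PostAuthenticateRequest hook and the IIS configuration in the header comment are assumptions made here to make the idea concrete.

```csharp
using System;
using System.Web;

// Assumed IIS configuration for the proxy site (not stated in the question):
//   <system.webServer><security><authentication>
//     <anonymousAuthentication enabled="true" />
//     <windowsAuthentication enabled="true" />
//   </authentication></security></system.webServer>
// With anonymous enabled, IIS stops challenging every request on its own.
// Windows auth is left enabled as well, on the assumption that IIS then
// validates the Negotiate token the client presents after this module's
// challenge; with only anonymous enabled nothing would validate that token.
// The windowsAuthentication section is commonly locked in applicationHost.config
// and has to be unlocked before a site-level web.config may set it.
public class ConditionalNegotiateModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Runs after IIS has processed any Authorization: Negotiate header.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    // Pass-through rule 1 from the question: the /_static/* prefix.
    // Prefix match, not Contains, so "/anything/_static/" deeper in the URL does not qualify.
    internal static bool IsStaticPath(string absolutePath) =>
        absolutePath.StartsWith("/_static/", StringComparison.OrdinalIgnoreCase);

    // Pass-through rule 2 from the question: a JWT in the Authorization header.
    // The proxy does not validate the JWT (the legacy app does), so any request
    // carrying "Bearer ..." bypasses the Kerberos gate here; the backend must verify it.
    internal static bool HasBearerToken(string authorizationHeader) =>
        authorizationHeader != null &&
        authorizationHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase);

    private void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        var req = ctx.Request;

        if (IsStaticPath(req.Url.AbsolutePath) || HasBearerToken(req.Headers["Authorization"]))
            return; // forward anonymously to the reverse-proxy handler

        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            return; // IIS already validated a Negotiate (Kerberos) token; continue to 2FA/impersonation

        // Nobody else will challenge now, so issue the challenge IIS would have
        // sent with "401 Challenge" turned on.
        ctx.Response.Clear();
        ctx.Response.StatusCode = 401;
        ctx.Response.AppendHeader("WWW-Authenticate", "Negotiate");
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

For the classic pipeline the question mentions, the module is registered under system.web/httpModules in web.config (under system.webServer/modules for the integrated pipeline). The one check worth keeping in mind with this design: the Bearer pass-through is decided on the header's presence alone, so the proxy must never treat such a request as authenticated, and the legacy app behind it must actually validate the JWT.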

0 Answers