This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 86%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hello,
in Azure there is a VM on which an IIS server with Windows Authenticatiob (NTLM) authentication is installed.
This server has membership in an on-prem domain, which is also a VM in Azure.
Azure has an Application Proxy configured to publish to this local IIS server. Application Proxy has SSO enabled and the Header-Based method. Configured via Microsoft Entra ID and header "user.userprincipalname".
Essentially, of course, SSO does not work, the user enters Entra ID credentials, and then on-prem credentials.
Between Azure Entra ID and on-prem ADDS synchronization is not configured and is not planned, the maximum that can be enabled is pass-through authentication, without synchronizing users.
My own question: I would like to make the application accessible from the outside and use Entra ID authentication, which offers MFA (this is the key reason). But so that you can authenticate once, without having to enter an on-prem login and password.
I understand that:
But perhaps there are other options, to do SSO like this?
For example user Azure Active Directory and trust with on-prem ADDS. I don`t know :(
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Thank you for posting this in Microsoft Q&A.
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.
Issue:
Trying to enable SSO for an IIS web server in Azure over Application Proxy and want to use Azure Active Directory (AAD) authentication with MFA, but without having to enter on-premises login credentials. We have already configured Application Proxy with SSO enabled, but it is not working as expected. We are looking for other options to enable SSO.
Solution:
Did configuration for Kerberos Constrained Delegation.
https://learn.microsoft.com/en-us/entra/identity/app-proxy/how-to-configure-sso-with-kcd
If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.
I hope this helps! Thank you again for your time and patience throughout this issue.
Thanks,
Navya.
I did configuration for Kerberos Constrained Delegation.
https://learn.microsoft.com/en-us/entra/identity/app-proxy/how-to-configure-sso-with-kcd
and this works.