
How to use App proxy onboarded On Prem api from Azure Functions

JoseNeethuDE-0644 45 Reputation points
Aug 1, 2023, 3:41 PM

We are trying to use an On-Behalf-Of user token to access an App Proxy-onboarded web application from an Azure Function.

From the browser, we are able to access the on-prem application and its API.

When we try to access the same API from the Azure Function, it returns 401.

The on-prem API is using IWA.

We could see that App Proxy sends a bearer token instead of Negotiate in the authentication header.

How do we configure App Proxy to send Kerberos tickets to access the on-prem API?

SSO is already configured on app proxy.


1 answer

Akshay-MSFT 17,891 Reputation points Microsoft Employee
    Aug 3, 2023, 10:27 AM

    @JoseNeethuDE-0644

    Thank you for posting your query on Microsoft Q&A. From the above description, I am assuming you are looking for Azure AD Application Proxy Kerberos delegation to SSO to an on-prem application.

    Please do help me by responding in the comments if my understanding is not correct.

    You may follow: Kerberos Constrained Delegation for single sign-on (SSO) to your apps with Application Proxy for configuration. Once done, the SSO flow would look like the one below:

    [Diagram: Application Proxy Kerberos Constrained Delegation SSO flow; the steps are listed below]

    1. The user enters the URL to access the on-premises application through Application Proxy.
    2. Application Proxy redirects the request to Azure AD authentication services to preauthenticate. At this point, Azure AD applies any applicable authentication and authorization policies, such as multifactor authentication. If the user is validated, Azure AD creates a token and sends it to the user.
    3. The user passes the token to Application Proxy.
    4. Application Proxy validates the token and retrieves the User Principal Name (UPN) from it, and then the Connector pulls the UPN, and the Service Principal Name (SPN) through a dually authenticated secure channel.
    5. The Connector performs Kerberos Constrained Delegation (KCD) negotiation with the on-premises AD, impersonating the user to get a Kerberos token to the application.
    6. Active Directory sends the Kerberos token for the application to the Connector.
    7. The Connector sends the original request to the application server, using the Kerberos token it received from AD.
    8. The application sends the response to the Connector, which is then returned to the Application Proxy service and finally to the user.

    Please do let me know if you have any queries.

    Thanks

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
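The exchange the question describes, written out as an added example (this is not code from the question, the answer, or Microsoft's documentation): a Python caller in the style of an Azure Function that exchanges the incoming user token for an On-Behalf-Of token addressed to the App Proxy application, calls the published on-prem API, and classifies a 401 by its `WWW-Authenticate` challenge so you can tell whether the request was rejected at Application Proxy pre-authentication (a `Bearer` challenge) or reached the IWA backend, which still asked for `Negotiate`/`NTLM` because the connector's KCD leg (steps 5 to 7 above) did not produce a Kerberos ticket. The tenant id, client id and secret, the App Proxy external URL and the scope name are placeholders; that App Proxy answers a failed pre-auth with a `Bearer` challenge while an IIS/IWA backend answers with `Negotiate`/`NTLM` is an assumption about those components, not something the page states.

```python
"""
Added example, not from the Q&A post or from Microsoft.

Flow: user token -> OBO exchange at the v2.0 token endpoint (jwt-bearer grant
with requested_token_use=on_behalf_of) -> GET against the App Proxy-published
API -> classify any 401 by the WWW-Authenticate challenge.

Assumptions (placeholders, not from the page): TENANT_ID, CLIENT_ID,
CLIENT_SECRET, APP_PROXY_SCOPE, APP_PROXY_URL. The mapping of challenge
scheme to failure point (Bearer = App Proxy pre-auth, Negotiate/NTLM = the
on-prem IWA backend) is an assumption about those components.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

TENANT_ID = "<tenant-id>"                                           # placeholder
CLIENT_ID = "<function-app-client-id>"                              # placeholder
CLIENT_SECRET = "<function-app-client-secret>"                      # placeholder
APP_PROXY_SCOPE = "api://<app-proxy-app-id>/user_impersonation"     # placeholder
APP_PROXY_URL = "https://<app>-<tenant>.msappproxy.net/api/values"  # placeholder

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_obo_form(client_id: str, client_secret: str,
                   user_assertion: str, scope: str) -> dict:
    """Form body for the On-Behalf-Of request: the caller's token is the
    assertion, and the scope names the App Proxy application so the new
    token's audience is the App Proxy app, which is what pre-auth checks."""
    return {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }


def acquire_obo_token(user_assertion: str) -> str:
    """Exchange the caller's token for one addressed to the App Proxy app.
    Network call; not exercised offline."""
    url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
    form = build_obo_form(CLIENT_ID, CLIENT_SECRET, user_assertion, APP_PROXY_SCOPE)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def parse_challenges(www_authenticate: Optional[str]) -> list:
    """Return the scheme names in a WWW-Authenticate header. RFC 7235 allows
    several challenges separated by commas; auth-params also contain commas,
    so anything with '=' in its first token is treated as a parameter and
    skipped (a simple heuristic, adequate for Bearer/Negotiate/NTLM)."""
    if not www_authenticate:
        return []
    schemes = []
    for part in www_authenticate.split(","):
        first = part.strip().split(" ", 1)[0].strip()
        if first and "=" not in first:
            schemes.append(first)
    return schemes


def classify_401(status: int, www_authenticate: Optional[str]) -> str:
    """Where did the request fail?
    'pre-auth'    : App Proxy rejected the bearer token (wrong audience,
                    expired, or no token at all).
    'backend-iwa' : the request reached the on-prem server and it still asked
                    for Kerberos/NTLM, so the connector did not complete KCD
                    (check the SPN and delegation settings on the connector).
    'ok'          : not a 401.
    'unknown'     : 401 without a recognised challenge."""
    if status != 401:
        return "ok"
    schemes = {s.lower() for s in parse_challenges(www_authenticate)}
    if schemes & {"negotiate", "ntlm"}:
        return "backend-iwa"
    if "bearer" in schemes:
        return "pre-auth"
    return "unknown"


def call_api(token: str) -> tuple:
    """GET the App Proxy-published API with the OBO token and return
    (status, classification, body). Network call; not exercised offline."""
    req = urllib.request.Request(APP_PROXY_URL,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, "ok", resp.read().decode()
    except urllib.error.HTTPError as err:
        challenge = err.headers.get("WWW-Authenticate")
        return err.code, classify_401(err.code, challenge), err.read().decode()


if __name__ == "__main__":
    # Constructed challenge headers, to show the classification offline.
    for hdr in ('Bearer realm="", error="invalid_token"', "Negotiate, NTLM", None):
        print(repr(hdr), "->", classify_401(401, hdr))
```

In practice `acquire_obo_token` runs with the `Authorization: Bearer` header the function received from its caller as the assertion; a `backend-iwa` result is the case the question reports (the backend saw a bearer token rather than a Kerberos ticket), and points at the connector's KCD configuration rather than at the token exchange.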

