SSO for IIS web server in Azure over Application Proxy

Mountain Pond 1,371 Reputation points


in Azure there is a VM on which an IIS server with Windows Authenticatiob (NTLM) authentication is installed.

This server has membership in an on-prem domain, which is also a VM in Azure.

Azure has an Application Proxy configured to publish to this local IIS server. Application Proxy has SSO enabled and the Header-Based method. Configured via Microsoft Entra ID and header "user.userprincipalname".

Essentially, of course, SSO does not work, the user enters Entra ID credentials, and then on-prem credentials.

Between Azure Entra ID and on-prem ADDS synchronization is not configured and is not planned, the maximum that can be enabled is pass-through authentication, without synchronizing users.

My own question: I would like to make the application accessible from the outside and use Entra ID authentication, which offers MFA (this is the key reason). But so that you can authenticate once, without having to enter an on-prem login and password.

I understand that:

  1. Different Indentity providers, of course there is no synchronization yet, these are all different users in different databases (EntraID and on-prem).
  2. IIS is not designed to work with EntraID and it does not have a provider to work with EntraID.
  3. The best way is to transfer the application to Azure Application Service and enable Entra ID authentication there, install AD Connect with the SSO option so that on-prem users can gain access (if required).

But perhaps there are other options, to do SSO like this?

For example user Azure Active Directory and trust with on-prem ADDS. I don`t know :(

Thank you.

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,213 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,077 questions
0 comments No comments
{count} votes

Accepted answer
  1. Navya 5,325 Reputation points Microsoft Vendor

    Hi @Mountain Pond

    Thank you for posting this in Microsoft Q&A.

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.


    Trying to enable SSO for an IIS web server in Azure over Application Proxy and want to use Azure Active Directory (AAD) authentication with MFA, but without having to enter on-premises login credentials. We have already configured Application Proxy with SSO enabled, but it is not working as expected. We are looking for other options to enable SSO.


    Did configuration for Kerberos Constrained Delegation.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps! Thank you again for your time and patience throughout this issue.



    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Mountain Pond 1,371 Reputation points

    I did configuration for Kerberos Constrained Delegation.

    and this works.

    0 comments No comments