Azure Hybrid using Application Proxy for SSO

MACVAD_SA 1 Reputation point
2021-04-07T04:23:06.417+00:00

When trying to access the application, I get prompted for credentials and then get a page with the below on it:

Bad Gateway:
Incorrect Kerberos constrained delegation configuration on the Active Directory.

If I then run Test application, the report gives the below results, which fail on step 5, Application Authentication:

App report - Application Proxy

1. External Url Configuration
   The external URL is reachable via the internet and correctly configured.

2. Azure AD Authentication
   The current user is assigned to the application and can log in to Azure AD, or passthrough mode is used.

3. Connector Setup
   The connector is installed on your server and registered correctly with the Application Proxy service.

4. Application Server
   The connector can reach the backend application and receive a response.

5. Application Authentication
   The user cannot authenticate to the single sign-on mode configured for the application.
   Incorrect Kerberos constrained delegation configuration on the on-premises Active Directory.
   To fix this problem you can:
   Review your Single Sign-On settings in the portal and verify that the SPN is defined correctly in the portal as well as on the host machine.

1 answer

Siva-kumar-selvaraj 15,551 Reputation points
2021-04-07T08:05:46.993+00:00

Hello @MACVAD_SA,

Thanks for reaching out.

Here are the prerequisites for single sign-on with KCD:

For single sign-on to IWA (Integrated Windows Authentication) applications, make sure your environment is ready with the following settings and configurations:

• Your apps, like web apps, are set to use Integrated Windows Authentication. For more information, see Enable Support for Kerberos Authentication.
• All your apps have Service Principal Names.
• The server running the Connector and the server running the app are domain joined and part of the same domain or trusting domains. For more information on domain join, see Join a Computer to a Domain.
• The server running the Connector has access to read the TokenGroupsGlobalAndUniversal attribute for users. This default setting might have been impacted by security hardening the environment.

For more information, read:
Kerberos Constrained Delegation for single sign-on (SSO) to your apps with Application Proxy
Troubleshoot Kerberos constrained delegation configurations for Application Proxy

Hope this helps

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

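The prerequisites in the answer above can be checked from the connector host itself rather than by re-running the portal test. The script below is an added example and is not part of the answer or of Microsoft's tooling. The SPN `HTTP/intranet.contoso.com`, the service account `svc-intranet`, the test user `jdoe` and the connector host name are hypothetical placeholders; it needs the RSAT ActiveDirectory module, and the last check is only meaningful when run as the identity the connector service uses (by default the computer account, via Network Service).

```powershell
# Added example (not from the original answer): verify the KCD prerequisites for
# Application Proxy SSO from the connector host. All names below are hypothetical.
Import-Module ActiveDirectory

$Spn           = 'HTTP/intranet.contoso.com'   # SPN entered in the portal (hypothetical)
$AppAccount    = 'svc-intranet'                # account the app pool runs as (hypothetical)
$TestUser      = 'jdoe'                        # a user assigned to the app (hypothetical)
$ConnectorHost = $env:COMPUTERNAME             # run this on the connector server

# 1. Connector host must be domain joined (same domain as the app, or a trusting one).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "Connector host $ConnectorHost is joined to $($cs.Domain)"
} else {
    Write-Warning "Connector host $ConnectorHost is not domain joined"
}

# 2. The SPN from the portal must be registered exactly once, on the app's account.
#    Duplicate SPNs break Kerberos even when the portal setting looks correct.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
switch ($owners.Count) {
    0       { Write-Warning "SPN $Spn is not registered. Register it with: setspn -S $Spn $AppAccount" }
    1       { "SPN $Spn is registered on $($owners[0].Name); confirm this is the account running the app ($AppAccount)" }
    default { Write-Warning "SPN $Spn is duplicated on: $($owners.Name -join ', ')" }
}

# 3. The connector's computer account must be trusted for constrained delegation to
#    that SPN, using "any authentication protocol" (protocol transition): the user
#    authenticated to Azure AD, not to AD, so the connector has no Kerberos ticket to forward.
$conn      = Get-ADComputer $ConnectorHost -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
$delegates = @($conn.'msDS-AllowedToDelegateTo')
if (($delegates -contains $Spn) -and $conn.TrustedToAuthForDelegation) {
    "Connector account $($conn.SamAccountName) may delegate to $Spn with protocol transition"
} else {
    Write-Warning ("Connector account $($conn.SamAccountName) is not set for constrained delegation to $Spn " +
                   "(delegates to: '$($delegates -join ', ')'; any protocol: $($conn.TrustedToAuthForDelegation))")
}

# 4. The connector must be able to read tokenGroupsGlobalAndUniversal on users.
#    It is a constructed attribute, so it is fetched with RefreshCache on a
#    DirectoryEntry rather than with Get-ADUser -Properties.
try {
    $dn    = (Get-ADUser $TestUser -ErrorAction Stop).DistinguishedName
    $entry = [ADSI]"LDAP://$dn"
    $entry.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
    $groupSids = $entry.Properties['tokenGroupsGlobalAndUniversal']
    if ($groupSids.Count -gt 0) {
        "Read $($groupSids.Count) group SIDs from tokenGroupsGlobalAndUniversal for $TestUser"
    } else {
        Write-Warning "tokenGroupsGlobalAndUniversal for $TestUser is empty or not readable by the current identity"
    }
} catch {
    Write-Warning "Could not read tokenGroupsGlobalAndUniversal for ${TestUser}: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on the connector server; for check 4 to reflect what the connector actually sees, start that session as the connector service's identity (for example with `psexec -s` when the service runs as Network Service). If check 4 is the one that fails after the rest pass, the usual remedy in a hardened domain is to make the connector's computer account a member of the Windows Authorization Access Group, which is the built-in group granted read access to that attribute.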