Azure Application Proxy Single-SignOn with On Premises AD via KCD

Yosef Shellim 21 Reputation points

My question is about who and how the Azure Application Proxy Connector impersonates on the On Premises AD in order to connect to the On Premises Application.

I have tried to follow the documentation to set up the Azure Application Proxy here:

When I try to setup Single Sign On I get errors:

  • The user is not authorized to access the backend application.
  • Root cause: User is not defined or not authorized for the application in the On-Premises Active Directory.
  • Event Viewer: Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The user name or password is incorrect. (0x8007052e).

I'm using Integrated Windows Authentication and specifying the SPN of the On Premises Application for SSO with KCD (Kerberos Constrained Delegation).

What user does the Connector try to impersonate, and a bigger question, can it designate a single user to impersonate or does it need to have a corresponding user in the on-premises Active Directory for every Azure AD user that it tries to authenticate?

Microsoft Entra ID

1 answer

  1. Siva-kumar-selvaraj 15,566 Reputation points

    Hello @Yosef Shellim ,

    Thanks for reaching out.

    You must use your backend application's service account to configure KCD (Kerberos Constrained Delegation) on the app proxy connector agent; however, a comparable user identity must be present in on-premises Active Directory and synced to Azure AD for each user it attempts to authenticate.

    Application Proxy assumes that users have the same identity in the cloud and on-premises. For example, if you try to access a published app externally using a cloud-only account that is not present on-premises, Azure AD will authenticate the user and pass the user's UPN to the proxy connector agent to obtain a Kerberos ticket on behalf of the user, but the connector will receive an AD response stating that the identity does not exist in local AD. This is expected behavior, because your backend application will not authorize the request without the respective user's Kerberos ticket.

    To learn more, refer to "Working with different on-premises and cloud identities". I hope this was helpful.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

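The answer above describes three things that must line up for App Proxy KCD to work: the backend SPN is registered on the application's service account, the connector's own computer account is allowed to delegate to that SPN with protocol transition, and the UPN that Entra ID hands to the connector resolves to a real on-premises account. The PowerShell below is an added example, not code from the original thread or from Microsoft, that checks and repairs each of those from a domain-joined admin box with the ActiveDirectory RSAT module. The connector name, SPN and test UPN are hypothetical placeholders.

```powershell
# Added example, not part of the original Q&A thread. All names below are hypothetical:
#   $ConnectorName  computer account of the host running the App Proxy connector
#   $BackendSpn     the SPN entered in the Application Proxy single sign-on blade
#   $TestUpn        a user who should get SSO (the UPN Entra ID passes to the connector)
# Run as a domain admin with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

$ConnectorName = 'APPPROXY01'
$BackendSpn    = 'HTTP/intranet.corp.contoso.com'
$TestUpn       = 'alice@contoso.com'

# 1. The SPN must be registered on exactly one AD account (the one the backend
#    application runs as). A missing or duplicate SPN makes the KDC refuse the
#    delegation request, and the connector only logs a generic ticket-retrieval error.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$BackendSpn)" -Properties servicePrincipalName)
switch ($spnOwners.Count) {
    0       { Write-Warning "SPN $BackendSpn is not registered on any account; register it on the app's service account with setspn -S" }
    1       { "SPN $BackendSpn is owned by $($spnOwners[0].DistinguishedName)" }
    default { Write-Warning "SPN $BackendSpn is duplicated on $($spnOwners.Count) accounts; Kerberos will fail until only one remains" }
}

# 2. The connector's COMPUTER account (not any user) is the principal that impersonates
#    users. It needs constrained delegation to the backend SPN *with protocol transition*
#    ("Use any authentication protocol"): the user never authenticated to AD with Kerberos,
#    so the connector must call S4U2Self for the UPN and then S4U2Proxy to the backend SPN.
$connector = Get-ADComputer -Identity $ConnectorName -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation

if ($connector.'msDS-AllowedToDelegateTo' -notcontains $BackendSpn) {
    Set-ADComputer -Identity $ConnectorName -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
    "Added $BackendSpn to msDS-AllowedToDelegateTo on $ConnectorName"
}
if (-not $connector.TrustedToAuthForDelegation) {
    # Sets UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, i.e. "Use any authentication protocol".
    Set-ADAccountControl -Identity $connector -TrustedToAuthForDelegation $true
    "Enabled protocol transition on $ConnectorName"
}

# 3. There is no single "impersonation user": the connector requests a ticket in the
#    name of whatever UPN Entra ID sent, so that UPN must resolve to an on-premises
#    account. A cloud-only user fails here with "user is not authorized".
$user = Get-ADUser -Filter "UserPrincipalName -eq '$TestUpn'" -Properties UserPrincipalName
if ($user) {
    "$TestUpn maps to on-premises account $($user.SamAccountName)"
} else {
    Write-Warning "No on-premises account has UPN $TestUpn; SSO for this user cannot work until one exists or the delegated login identity is changed"
}

# 4. Sanity check: the account running this script should be able to obtain a plain
#    service ticket for the SPN, which proves SPN resolution and KDC reachability.
klist get $BackendSpn
```

Two practical caveats. The connector holds a cached ticket for its computer account, so after changing the delegation settings restart the Microsoft AAD Application Proxy Connector service (or reboot the host) before retesting, otherwise the old `0x8007052e` error keeps appearing. If the cloud UPN legitimately differs from the on-premises one, the Application Proxy SSO settings let you pick a different delegated login identity (for example the on-premises SAM account name or on-premises UPN) instead of the cloud UPN; that is what the "different on-premises and cloud identities" article the answer refers to covers.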