@Greg Arnold
Thank you for your post! To better understand your situation, I'll summarize what I gathered below to make sure I didn't miss any key details.
Resources:
- On-prem apps are leveraging Windows Integrated Auth.
- Apps sit behind an AWS Load Balancer
- Always on VPN
- AAD Joined Windows 10 devices
- On-prem Domain Joined devices
- Azure AD Join SSO
Summary:
- When connected directly to your Corp Network, you can authenticate normally, and navigate to your on-prem app's websites with no credential/log-in prompt being displayed.
- Once your devices connect to your Always On VPN, you'll see a credential/log-in prompt when trying to navigate to your on-prem app's websites.
Issue:
- Once your devices are connected to the VPN, and you navigate to one of your on-prem app's websites, only your Azure AD Joined devices will receive a credential/log-in prompt, while your on-prem domain joined devices aren't receiving this prompt.
- Apps that are not behind the Load Balancer won't display a log-in prompt when accessed by Azure AD Joined devices or on-prem domain joined devices.
Troubleshooting:
Azure AD joined devices:
I found some limitations when it comes to Integrated Windows Authentication and SSO with Azure AD joined devices to access on-prem apps, which I'll share below.
- Apps and resources that depend on Active Directory machine authentication don't work because Azure AD joined devices don't have a computer object in AD, and applications running on your Azure AD joined device may authenticate users. For more info.
- Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect. For more info.
- IWA doesn't bypass multi-factor authentication (MFA), if MFA is configured. For more info.
However, as you mentioned in your post, if the app isn't behind the Load Balancer everything is working as expected.
Always On VPN:
As you mentioned, a possible root cause could be related to whenever the client/user is on the VPN and is trying to resolve somewebapp.domain.local to --> AWSelb-GUID.elb.eu-central-1.amazonaws.com, which gets routed over the internet, then prompts the user for credentials and doesn't use Windows Integrated Auth.
Since the issue doesn't start until you connect to the VPN, I'll reach out to our Networking team and add the azure-vpn-gateway tag to this thread, so our Networking community and MVPs can take a look into this. Additionally, since you're using an AWS Load Balancer I'd recommend reaching out to the AWS Community - AWS re:Post, so their experts can look into this as well.
If you have any other questions or would like to work closer with our support team on this, please let me know.
Thank you for your time and patience throughout this issue.
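The following diagnostic is an added example, not part of the answer above or any Microsoft/AWS tooling. Run from an affected Windows 10 client while on the VPN, it shows the three things the root-cause theory hinges on: whether the intranet name is an alias for an external ELB name, whether Kerberos can obtain a service ticket for that name, and what the endpoint actually challenges with. The hostname `somewebapp.domain.local` is the placeholder from the thread.

```powershell
# Added diagnostic (not from the original answer). Assumes Windows 10 with the
# DnsClient module (Resolve-DnsName) and the built-in klist.exe.
param([string]$HostName = 'somewebapp.domain.local')   # placeholder from the thread

# 1. Resolution chain: does the intranet name alias to an external (AWS ELB) name?
$records = Resolve-DnsName -Name $HostName -ErrorAction Stop
$cnames  = @($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -ExpandProperty NameHost)
$ips     = @($records | Where-Object { $_.Type -eq 'A' }     | Select-Object -ExpandProperty IPAddress)
Write-Host "Name:  $HostName"
if ($cnames.Count -gt 0) { Write-Host "CNAME: $($cnames -join ', ')" }
Write-Host "A:     $($ips -join ', ')"
if ($cnames -match '\.amazonaws\.com$') {
    # Matches the AWSelb-GUID.elb.<region>.amazonaws.com pattern from the thread.
    Write-Warning "Name aliases to an AWS ELB hostname; traffic to it may leave the corp/VPN path."
}

# 2. Kerberos: can the client get a service ticket for HTTP/<name>? If this fails,
#    Negotiate falls back to NTLM or the browser shows a credential prompt.
$klist = & klist.exe get "HTTP/$HostName" 2>&1
if ($LASTEXITCODE -eq 0 -and ($klist -join "`n") -match 'HTTP/') {
    Write-Host "Kerberos: service ticket for HTTP/$HostName obtained."
} else {
    Write-Warning "Kerberos: no service ticket for HTTP/$HostName (check SPN registration / DC reachability)."
    $klist | ForEach-Object { Write-Host "  $_" }
}

# 3. HTTP challenge: an unauthenticated request shows which schemes the endpoint offers.
#    'Negotiate'/'NTLM' means Integrated Windows Auth is on the table; 'Basic' or a
#    redirect to a forms page means the load-balanced path is not offering IWA at all.
try {
    $r = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    Write-Host "HTTP $($r.StatusCode): no authentication challenge returned."
} catch {
    $resp = $_.Exception.Response
    if ($null -eq $resp) { throw }
    Write-Host "HTTP $([int]$resp.StatusCode)"
    Write-Host "WWW-Authenticate: $($resp.Headers['WWW-Authenticate'])"
    if ($resp.Headers['Location']) { Write-Host "Location: $($resp.Headers['Location'])" }
}
```

Compare the output while on the corporate network with the output on the VPN; a CNAME to an ELB name that only appears on the VPN, or a missing Kerberos ticket, points at the DNS/routing path rather than the application itself.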