[MSDN Redirect] Azure Application proxy for web api

SnehaAgrawal-MSFT 12,546 Reputation points Microsoft Employee

Hi all,
I have a case where there is a Web API on premises that requires Windows integrated authentication. I also have an Azure web application and Azure Web API. The azure web application authenticates users using Azure AD credentials. I need the following:

  1. I need the front end application to pass the Azure AD credentials to the Azure Web API.
  2. The azure web API will need at some time to communicate with the on-premise web API and my question is if Azure Application proxy can work in this case to do a Kerberos constrained delegation to impersonate the corresponding user with windows integrated authentication.

would the above work?


Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,660 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Saurabh Sharma 17,366 Reputation points Microsoft Employee

    Yes, it is possible to call a on-premises webapi (using Integrated Windows Authentication) by an Azure AD Application Proxy. You may however need some additional configurations where your server running your application and the server running your Connector needs to be domain joined, the server running the connector needs to have read access to the TokenGroupsGlobalAndUniversal attribute for users. Please refer to the Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy for necessary prerequisites.
    You can also refer to Secure access to on-premises APIs with Azure AD Application Proxy documentation which provide details around accessing an on-premises API using Azure AD Application Proxy.

    0 comments No comments