Configure a site to use Integrated Windows authentication

Updated: July 3, 2013

Applies To: Windows Server 2012 R2

After you have configured the lab environment and published a claims-based application through Web Application Proxy, you can also configure a website on the WebServ1 server that requires Integrated Windows authentication. Publishing this website as an additional application through Web Application Proxy demonstrates how Web Application Proxy uses Kerberos constrained delegation (KCD) to authenticate users to non-claims-based applications: AD FS pre-authenticates the user, and the Web Application Proxy server then obtains a Kerberos service ticket on the user's behalf to present to the back-end web server. This topic describes how to configure the website, prepare your lab environment, publish the website, and then test connecting to the website from a client device.

Important

You must join the Web Application Proxy server to the Active Directory® Domain Services domain before you can publish applications that use Integrated Windows authentication.

This topic contains the following sections:

  • Install Windows Authentication on WebServ1

  • Create a new website using IIS

  • Create a non-claims-aware relying party trust

  • Configure Kerberos constrained delegation

  • Test accessing the application internally

  • Publish the application

  • Test accessing the application

Install Windows Authentication on WebServ1

When you install the Web Server (IIS) role, the Windows Authentication component (IIS's name for Integrated Windows authentication) is not installed by default. This procedure installs it.

To install Windows Authentication on WebServ1

  1. On WebServ1, open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop.

  2. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.

  3. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

  4. On the Select server roles dialog, expand Web Server (IIS), expand Web Server, expand Security, select Windows Authentication, and then click Next.

  5. On the Select features dialog, click Next.

  6. On the Confirm installation selections dialog, click Install.

  7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

Create a new website using IIS

The WebServ1 server already hosts a website that uses claims-based authentication. This procedure adds a virtual directory under the Default Web Site that requires Integrated Windows authentication and does not allow anonymous access.

To create a new website

  1. Open an Explorer window and go to C:\inetpub\.

  2. Create a new folder called NonClaims.

  3. Open C:\inetpub\wwwroot\ and copy the contents to the new folder C:\inetpub\NonClaims\.

    Important

    Do not copy the web.config file. It contains the claims-based configuration of the existing site and would make the new site claims-aware as well.

  4. On the Start screen, click the Apps arrow. On the Apps screen, type inetmgr.exe, and then press ENTER.

  5. In the IIS console, in the Connections pane, expand WebServ1, expand Sites, right-click Default Web Site, and then click Add Virtual Directory.

  6. On the Add Virtual Directory dialog box, in the Alias box, type NonClaims.

  7. Next to the Physical Path box, type C:\inetpub\NonClaims, and then click OK.

  8. In the Connections pane, click the NonClaims virtual directory.

  9. In the middle pane, in the IIS section, double-click Authentication.

  10. In the Authentication pane, right-click Anonymous Authentication, and then click Disable. Right-click Windows Authentication, and then click Enable. Disabling Anonymous Authentication is what actually forces users to authenticate; with it left enabled, IIS serves anonymous requests even when Windows Authentication is enabled.
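The two procedures above (installing Windows Authentication and creating the NonClaims virtual directory) as one PowerShell script run elevated on WebServ1. This is an added example, not code from the original page; it assumes the lab's default paths and the Default Web Site, and it ends with a check that anonymous access is off and that the Negotiate provider is offered, which the back end must support for Kerberos constrained delegation to work.

```powershell
# Added example: run in an elevated PowerShell session on WebServ1.
# Assumes the lab defaults: Default Web Site, C:\inetpub\wwwroot, C:\inetpub\NonClaims.
Import-Module ServerManager
Import-Module WebAdministration

# Windows Authentication is not part of the default Web Server (IIS) role install.
Install-WindowsFeature -Name Web-Windows-Auth | Out-Null

# Content folder: copy the default site, excluding web.config (it carries the
# claims-based site's configuration). robocopy exit codes below 8 mean success.
$src = 'C:\inetpub\wwwroot'
$dst = 'C:\inetpub\NonClaims'
New-Item -Path $dst -ItemType Directory -Force | Out-Null
robocopy $src $dst /E /XF web.config | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Virtual directory NonClaims under the Default Web Site.
if (-not (Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'NonClaims')) {
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'NonClaims' -PhysicalPath $dst | Out-Null
}

# Authentication: these sections are locked at server level, so they are written
# as a <location> entry in applicationHost.config rather than into web.config.
$loc  = 'Default Web Site/NonClaims'
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true

# Verify the effective settings. Disabling anonymous is what forces authentication;
# Negotiate must be offered, or the Kerberos ticket presented by the WAP server is useless.
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/windowsAuthentication"   -Name enabled).Value
$providers = (Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter "$auth/windowsAuthentication/providers/add").value
if ($anon -or -not $win)                 { throw 'Authentication is not configured as intended' }
if ($providers -notcontains 'Negotiate') { throw 'Negotiate provider missing; Kerberos will not be offered' }
"Anonymous=$anon Windows=$win Providers=$($providers -join ',')"
```

The default provider list is Negotiate followed by NTLM; if someone has trimmed it to NTLM only, Integrated Windows authentication still works for interactive users but the delegated Kerberos ticket from Web Application Proxy will be rejected.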

Create a non-claims-aware relying party trust

To publish the application through Web Application Proxy, you must first create a non-claims-aware relying party trust on the AD FS server.

To create a non-claims-aware relying party trust

  1. On the AD FS server, in the AD FS Management console, in the left pane, click Trust Relationships.

  2. In the Actions pane, click Add Non-Claims-Aware Relying Party Trust.

  3. In the Add Non-Claims-Aware Relying Party Trust Wizard, on the Welcome page, click Start.

  4. On the Specify Display Name page, in Display name, enter a name for this trust; for example, Non-Claims Application, and then click Next.

  5. On the Configure Identifiers page, in Non-claims-aware relying party trust identifier, enter a URL to use as the identifier for this trust, click Add, and then click Next. The URL is only a label and does not need to be resolvable, but it must be unique among the relying party trusts in this AD FS farm.

  6. Click Next twice.

  7. On the Finish page, click Close.

    The Edit Claim Rules for <relying party> dialog box opens.

  8. On the Edit Claim Rules for <relying party>, click Add Rule.

  9. In the Add Issuance Authorization Claim Rule Wizard, on the Select Rule Template page, in the Claim rule template list, select Permit All Users, and then click Next.

  10. On the Configure Rule page, click Finish, and then on the Edit Claim Rules for <relying party> dialog box, click OK.
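The same relying party trust created with the AD FS PowerShell module, as an added example that is not part of the original page. It assumes the display name used above and an identifier URL of my choosing; the rule text is the one the Permit All Users template produces.

```powershell
# Added example: run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$name       = 'Non-Claims Application'
$identifier = 'https://webserv1.contoso.com/nonclaims/'   # assumed; any unique URL works

# The "Permit All Users" issuance authorization rule, as the wizard template emits it.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsNonClaimsAwareRelyingPartyTrust -Name $name -ErrorAction SilentlyContinue)) {
    Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $name -Identifier $identifier `
        -IssuanceAuthorizationRules $permitAll
}

# Verify: the trust exists, is enabled, and carries an authorization rule.
# AD FS denies by default, so a trust with no issuance authorization rule lets nobody in.
$rp = Get-AdfsNonClaimsAwareRelyingPartyTrust -Name $name
if (-not $rp.Enabled)                      { throw "$name is disabled" }
if (-not $rp.IssuanceAuthorizationRules)   { throw "$name has no issuance authorization rule" }
$rp | Select-Object Name, Identifier, Enabled, IssuanceAuthorizationRules
```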

Configure Kerberos constrained delegation

To allow users to access applications that use Integrated Windows authentication, the Web Application Proxy server must be able to obtain Kerberos service tickets to the published application on behalf of the users that AD FS has pre-authenticated. This requires two things on the Web Application Proxy computer account: HTTP service principal names (SPNs), which make the Delegation tab available, and permission to delegate with protocol transition to the http service on the web server, and to that service only.

Tip

This procedure assumes that the Web Application Proxy server is named EDGE1.

To configure Kerberos constrained delegation

  1. On the domain controller, open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop.

  2. Click Tools, and then click ADSI Edit.

  3. On the Action menu, click Connect To, and then on the Connection Settings dialog box, accept the default settings to connect to the default naming context, and then click OK.

  4. In the left pane, expand Default naming context, expand DC=contoso,DC=com, expand CN=Computers, right-click CN=EDGE1, and then click Properties.

  5. On the CN=EDGE1 Properties dialog box, on the Attribute Editor tab, in the Attributes list, select servicePrincipalName, and then click Edit.

  6. On the Multi-valued String Editor dialog box, in Value to add, enter HTTP/EDGE1.contoso.com and click Add. Then enter HTTP/EDGE1 and click Add.

    The Values list now contains two new entries; for example, HTTP/EDGE1.contoso.com and HTTP/EDGE1.

  7. On the Multi-valued String Editor dialog box, click OK.

  8. On the CN=EDGE1 Properties dialog box, click OK.

  9. In Server Manager, click Tools, and then click Active Directory Users and Computers.

  10. In the navigation pane, under contoso.com, click Computers. In the details pane, right-click the edge server, and then click Properties.

  11. On the EDGE1 Properties dialog box, on the Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol. Protocol transition is required because users authenticate to AD FS rather than with Kerberos to EDGE1. Do not select Trust this computer for delegation to any service (Kerberos only); that is unconstrained delegation and would let the edge server impersonate users to every service in the domain.

  12. Click Add, and on the Add Services dialog box, click Users or Computers.

  13. On the Select Users or Computers dialog box, in Enter the object names to select, enter the name of the web server; for example, WebServ1, and then click OK.

  14. On the Add Services dialog box, in the Available services list, select the http service type, and then click OK.

  15. On the EDGE1 Properties dialog box, click OK.
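The delegation configuration above as an Active Directory PowerShell script, added here as an example and not part of the original page. It assumes the lab names EDGE1, WebServ1 and contoso.com, checks for duplicate SPNs before registering them, and finishes by confirming that only constrained delegation to the intended http service was granted.

```powershell
# Added example: run on the domain controller (or any host with the ActiveDirectory module)
# as a user who can modify the EDGE1 computer account. Names are the lab's assumptions.
Import-Module ActiveDirectory

$wap     = 'EDGE1'
$web     = 'WebServ1'
$domain  = 'contoso.com'
$wapSpns = "HTTP/$wap.$domain", "HTTP/$wap"
$targets = "http/$web.$domain",  "http/$web"   # what the Delegation tab adds for the http service

# A duplicate SPN breaks Kerberos for both accounts, so check the forest first.
foreach ($spn in $wapSpns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owner -and $owner.Name -ne $wap) { throw "$spn is already registered on $($owner.DistinguishedName)" }
}

# 1. HTTP SPNs on the WAP computer account (the ADSI Edit steps above).
Set-ADComputer -Identity $wap -ServicePrincipalNames @{ Add = $wapSpns }

# 2. Constrained delegation: only the http service on WebServ1.
Set-ADComputer -Identity $wap -Add @{ 'msDS-AllowedToDelegateTo' = $targets }

# 3. "Use any authentication protocol" = protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION).
Set-ADAccountControl -Identity "$wap`$" -TrustedToAuthForDelegation $true

# Verify, and make sure unconstrained delegation ("any service") was NOT granted.
$acct = Get-ADComputer -Identity $wap -Properties servicePrincipalName, msDS-AllowedToDelegateTo,
            TrustedForDelegation, TrustedToAuthForDelegation
if ($acct.TrustedForDelegation)            { throw "$wap is trusted for unconstrained delegation" }
if (-not $acct.TrustedToAuthForDelegation) { throw 'Protocol transition is not enabled' }
$extra = $acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ -notin $targets }
if ($extra) { throw "Unexpected delegation targets: $($extra -join ', ')" }
$acct | Select-Object Name, servicePrincipalName, msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
```

The last check matters beyond this lab: the list in msDS-AllowedToDelegateTo is the full set of services the edge server can impersonate any domain user to, so review it whenever another application is published.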

Test accessing the application internally

To make sure that the application is working correctly, you should test accessing the application from the Web Application Proxy server before continuing.

To access the application internally

  1. On the Web Application Proxy server, make sure that IE Enhanced Security Configuration is turned off.

  2. Open an Internet Explorer window and go to the non-claims-based web application; for example, https://webserv1.contoso.com/nonclaims/.

  3. When you are prompted for credentials, enter the credentials of the test user that you created when you set up the environment.

    The default IIS website appears.
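The same internal check scripted, as an added example that is not part of the original page. Run it on the Web Application Proxy server as a domain user; it assumes the lab URL. Beyond the browser test, it confirms two things Web Application Proxy depends on: an anonymous request is refused with a Negotiate challenge, and the authenticated request really used Kerberos rather than falling back to NTLM.

```powershell
# Added example: run on the Web Application Proxy server while logged on as a domain user.
$url = 'https://webserv1.contoso.com/nonclaims/'   # lab URL, adjust as needed

# 1. An anonymous request must be refused (401) and must offer Negotiate.
try {
    Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null
    throw 'Request succeeded without credentials: anonymous authentication is still enabled'
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if (-not $resp) { throw $_ }
    if ([int]$resp.StatusCode -ne 401) { throw "Unexpected status $([int]$resp.StatusCode)" }
    $challenge = $resp.Headers['WWW-Authenticate']
    if ($challenge -notmatch 'Negotiate') { throw "Negotiate not offered, only: $challenge" }
}

# 2. Authenticated request using the logged-on user's Windows identity.
klist purge | Out-Null
$ok = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
if ($ok.StatusCode -ne 200) { throw "Unexpected status $($ok.StatusCode)" }

# 3. Confirm Kerberos was used: a service ticket for the back end's SPN is now cached.
#    An NTLM fallback (for example, a wrong or duplicate SPN) leaves no such ticket.
$tickets = klist
if (-not ($tickets -match 'HTTP/webserv1\.contoso\.com')) {
    throw 'No Kerberos ticket for HTTP/webserv1.contoso.com; the site fell back to NTLM'
}
"Anonymous refused with Negotiate; authenticated as $env:USERDOMAIN\$env:USERNAME using Kerberos"
```

An NTLM fallback here works for an interactive user, so the browser test alone would pass, but it means the SPN or delegation configuration is wrong and publishing through Web Application Proxy will fail.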

Publish the application

The final step is to publish the application through Web Application Proxy.

To publish the non-claims-based application

  1. On the Edge server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER.

  2. In the navigation pane, under Configuration, click Web Application Proxy.

  3. In the Tasks pane, click Publish.

  4. In the Publish New Application Wizard, on the Welcome page, click Next.

  5. On the Preauthentication page, make sure that Active Directory Federation Services (AD FS) is selected, and then click Next.

  6. On the Relying Party page, select the non-claims application relying party, and then click Next.

  7. On the Publishing Settings page, do the following, and then click Next:

    • In the Name box, enter a friendly name for the application to identify it in the list of published applications; for example, Non-Claims Application.

    • In the External URL box, enter the external URL for this application; for example, https://WebServ1.contoso.com/NonClaims/.

    • In the External certificate list, select a certificate whose subject covers the external address.

    • In the Backend server URL box, the value is entered automatically and is the same as the external URL.

    • In the Backend server SPN box, enter the service principal name for this application; for example, HTTP/WEBSERV1.contoso.com. This must be an SPN that is registered for the account the application pool runs under (for the built-in application pool identities, the WebServ1 computer account), and it must be one of the services that EDGE1 was allowed to delegate to in the previous procedure.

  8. On the Confirmation page, click Publish.

  9. On the Results page, click Close.
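The publishing step as a Web Application Proxy PowerShell script, added as an example and not part of the original page. It assumes the names and URLs used on this page, selects the external certificate by the DNS name it covers, and verifies afterwards that AD FS pre-authentication and the back-end SPN are set.

```powershell
# Added example: run in an elevated PowerShell session on the Web Application Proxy server (EDGE1).
Import-Module WebApplicationProxy

$externalUrl = 'https://WebServ1.contoso.com/NonClaims/'
$rpName      = 'Non-Claims Application'      # relying party trust created on the AD FS server
$backendSpn  = 'HTTP/WEBSERV1.contoso.com'   # must be a service EDGE1 may delegate to

# Certificate from the machine store whose subject or SAN covers the external host name.
$externalHost = ([Uri]$externalUrl).Host
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $externalHost } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate in LocalMachine\My covers $externalHost" }

Add-WebApplicationProxyApplication -Name $rpName `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $rpName `
    -ExternalUrl $externalUrl `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl $externalUrl `
    -BackendServerAuthenticationSPN $backendSpn

# Verify: pre-authentication must be AD FS (not pass-through) and the SPN must be set,
# otherwise no Kerberos constrained delegation takes place for this application.
$app = Get-WebApplicationProxyApplication -Name $rpName
if ($app.ExternalPreauthentication -ne 'ADFS')  { throw 'Pre-authentication is not AD FS' }
if (-not $app.BackendServerAuthenticationSPN)    { throw 'Back-end SPN is not set' }
$app | Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
                   ADFSRelyingPartyName, BackendServerAuthenticationSPN
```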

Test accessing the application

Now that the application is published through Web Application Proxy, you can test accessing the application from the simulated Internet.

To test accessing the application

  1. Connect the client computer to the simulated Internet network and assign a static IP address; for example 131.107.0.10.

  2. Open an Internet Explorer window and go to the non-claims-based web application; for example, https://webserv1.contoso.com/nonclaims/.

  3. On the sign in page, enter the credentials of the test user that you created when you set up the environment.

    The default IIS website appears.
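A scripted version of the external check, added as an example that is not part of the original page. Run it on the client on the simulated Internet; it assumes the lab URL and that DNS there resolves webserv1.contoso.com to the edge server. What it verifies, beyond the sign-in page appearing, is that an unauthenticated request is redirected to AD FS by Web Application Proxy and never reaches the back end.

```powershell
# Added example: run on the non-domain-joined client on the simulated Internet.
$url = 'https://webserv1.contoso.com/nonclaims/'   # lab URL, assumed

# Follow no redirects, so the first response from the edge can be inspected.
$req = [System.Net.HttpWebRequest]::Create($url)
$req.AllowAutoRedirect = $false
try   { $resp = $req.GetResponse() }
catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if (-not $resp) { throw $_ }
}
$status   = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()

# A 401 here would mean IIS answered directly: pre-authentication is not being enforced.
if ($status -eq 401) { throw 'Got a 401 Negotiate challenge: the request reached the back end unauthenticated' }
if ($status -ne 302 -or -not $location) { throw "Unexpected response: $status" }

# The redirect must go to the AD FS passive endpoint (/adfs/ls/ by default).
if (([Uri]$location).AbsolutePath -notmatch '^/adfs/ls') { throw "Redirected somewhere other than AD FS: $location" }
"Pre-authentication enforced: $status -> $location"
```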
