
Step 5: Plan to Publish Applications using Pass-through Preauthentication

Updated: August 26, 2013

Applies To: Windows Server 2012 R2

This topic describes the preauthentication flow when using pass-through preauthentication and the planning tasks for publishing applications through Web Application Proxy using pass-through preauthentication.

The general pass-through preauthentication flow is as follows:

  1. The client device attempts to access a published web application on a particular resource URL.

    The resource URL is a public address on which Web Application Proxy listens for incoming HTTPS requests.

  2. Web Application Proxy forwards the HTTPS request directly to the backend server using either HTTP or HTTPS.

  3. If required by the backend server, the user authenticates directly to the backend server.

  4. After successfully authenticating, the client now has access to the published web application.


Web Application Proxy does not support wildcard domain publishing. That is, you cannot configure an external URL using a wildcard; for example, https://*

5.1. Plan Applications for Pass-Through Preauthentication

No additional planning is required for applications that use pass-through preauthentication.


Applications that use pass-through preauthentication cannot use the additional features that AD FS provides, such as Workplace Join, multifactor authentication (MFA), and multifactor access control.
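An inventory check for this planning step, as an added example that is not part of the original topic: it lists applications published with pass-through preauthentication and flags those whose backend leg (step 2 of the flow) uses HTTP. The function name `Test-PassThroughPublication` is hypothetical, the sample applications and URLs are constructed, and the property names are assumed to match the output of `Get-WebApplicationProxyApplication`.

```powershell
# Added example (not Microsoft's code): review pass-through publications.
function Test-PassThroughPublication {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Application
    )
    process {
        # Applications preauthenticated by AD FS are out of scope for this check.
        if ("$($Application.ExternalPreauthentication)" -ne 'PassThrough') { return }

        # Every pass-through application carries this limitation.
        $findings = @('No AD FS preauthentication: Workplace Join, MFA and multifactor access control do not apply')

        # The proxy may forward to the backend over HTTP or HTTPS; flag HTTP.
        if ("$($Application.BackendServerUrl)" -like 'http://*') {
            $findings += 'Backend leg uses HTTP between the proxy and the backend server'
        }

        [pscustomobject]@{
            Name        = $Application.Name
            ExternalUrl = "$($Application.ExternalUrl)"
            BackendUrl  = "$($Application.BackendServerUrl)"
            Findings    = $findings
        }
    }
}

# Constructed sample input (hypothetical names and URLs), shaped like the
# objects assumed to come from Get-WebApplicationProxyApplication.
$sample = @(
    [pscustomobject]@{ Name = 'Intranet'; ExternalPreauthentication = 'PassThrough'
        ExternalUrl = 'https://intranet.contoso.example/'
        BackendServerUrl = 'http://intranet01.corp.contoso.example/' }
    [pscustomobject]@{ Name = 'Wiki'; ExternalPreauthentication = 'PassThrough'
        ExternalUrl = 'https://wiki.contoso.example/'
        BackendServerUrl = 'https://wiki01.corp.contoso.example/' }
    [pscustomobject]@{ Name = 'Expenses'; ExternalPreauthentication = 'ADFS'
        ExternalUrl = 'https://expenses.contoso.example/'
        BackendServerUrl = 'https://exp01.corp.contoso.example/' }
)

# Reports 'Intranet' (two findings) and 'Wiki' (one finding); 'Expenses' is skipped.
$sample | Test-PassThroughPublication | Format-List

# On a Web Application Proxy server, audit the live configuration instead:
# Get-WebApplicationProxyApplication | Test-PassThroughPublication | Format-List
```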
