A quick solution when Windows authentication is required on the backend web server in an ARR scenario


 

Background:

ARR (Application Request Routing) is similar to NLB, except that it load-balances at the application (HTTP) level rather than the network level. It is a very popular out-of-band (OOB) IIS module. A question we frequently receive from customers is how to identify the incoming caller on the intranet when requests go through ARR; in other words, how to make Windows authentication work in an ARR scenario.

 

In this forum post, http://forums.iis.net/t/1162690.aspx, a user eventually got it working after considerable effort.

 

To simplify and summarize that process, here are the steps.

Solution:

1. The application pool identity on the ARR server and on the backend web server must be the same domain account. If the web server is IIS 7 or above, we also need to set useAppPoolCredentials="true" in the backend's Windows authentication settings, so that kernel-mode authentication decrypts Kerberos tickets with that account's key rather than the machine account's. Suppose we configure the application pool identity as domain\user1.

2. We need to register the proper SPNs for the ARR server and the content server, both on that application pool account. For example:

a) For the ARR server,

setspn -a http/<arrserver.domain.com> domain\user1

b) For the content server,

setspn -a http/<contentserver.domain.com> domain\user1

(On Windows Server 2008 and later, setspn -s does the same but first checks that the SPN is not already registered elsewhere in the forest; a duplicate SPN breaks Kerberos for both hosts.)

3. Enable anonymous authentication on the ARR server (and leave Windows authentication disabled there). You may wonder why we register an SPN for the ARR server if it only does anonymous authentication. The reason is that the client requests its Kerberos ticket for the name it actually connects to, arrserver.domain.com, so the ticket the backend eventually receives is encrypted for HTTP/arrserver.domain.com. Because that SPN is registered to domain\user1, the same account the backend application pool runs as, the backend can decrypt it. ARR itself never authenticates the caller; it forwards the client's Authorization header and the backend's 401 challenge unchanged.

4. Then enable Windows authentication (and disable anonymous authentication) on the content server.
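The four steps above as one script. This is an added example, not code from the original post or from the forum thread. The site, application pool, account and host names (Default Web Site, DefaultAppPool, DOMAIN\user1, arrserver.domain.com, contentserver.domain.com) are placeholders, and the script assumes the WebAdministration module (IIS 7 or later) and setspn.exe are available. Run it elevated on each server with -Role ARR or -Role Content; the SPN registration (-RegisterSpn) is needed only once, from any domain-joined machine whose user may write the account's servicePrincipalName attribute.

```powershell
# Added example: pass-through Windows authentication through ARR.
# Placeholder names (assumptions): DOMAIN\user1, Default Web Site, DefaultAppPool,
# arrserver.domain.com, contentserver.domain.com.
param(
    [Parameter(Mandatory)][ValidateSet('ARR', 'Content')][string]$Role,
    [switch]$RegisterSpn,                      # run once, not on every server
    [string]$Site        = 'Default Web Site',
    [string]$AppPool     = 'DefaultAppPool',
    [string]$User        = 'DOMAIN\user1',
    [string]$ArrHost     = 'arrserver.domain.com',
    [string]$ContentHost = 'contentserver.domain.com'
)
Import-Module WebAdministration

$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$anon    = 'system.webServer/security/authentication/anonymousAuthentication'
$target  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site }

# Step 1: the SAME domain account runs the application pool on both servers.
# The client's ticket is issued for the ARR host name, so the backend can only
# decrypt it if it runs as the account that SPN is registered to.
$cred = Get-Credential -UserName $User -Message "Password for $User"
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 3                           # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Step 2: one HTTP SPN per host name, both on the service account.
# setspn -S checks the forest first and aborts with "Duplicate SPN found" if the
# name is already registered elsewhere; review its output.
if ($RegisterSpn) {
    foreach ($h in @($ArrHost, $ContentHost)) {
        setspn -S "http/$h" $User
    }
}

switch ($Role) {
    # Step 3: ARR only proxies. Anonymous on, Windows auth off, so the client's
    # Authorization header and the backend's 401 challenge pass straight through.
    'ARR' {
        Set-WebConfigurationProperty @target -Filter $anon    -Name enabled -Value $true
        Set-WebConfigurationProperty @target -Filter $winAuth -Name enabled -Value $false
    }
    # Step 4: the backend does the real authentication. useAppPoolCredentials=true
    # makes kernel-mode auth decrypt tickets with user1's key, not the machine's.
    'Content' {
        Set-WebConfigurationProperty @target -Filter $winAuth -Name enabled               -Value $true
        Set-WebConfigurationProperty @target -Filter $winAuth -Name useAppPoolCredentials -Value $true
        Set-WebConfigurationProperty @target -Filter $anon    -Name enabled               -Value $false
    }
}

# Show the effective authentication settings for this site.
Get-WebConfiguration @target -Filter $winAuth | Select-Object enabled, useAppPoolCredentials
Get-WebConfiguration @target -Filter $anon    | Select-Object enabled
```

The password is requested interactively rather than passed on the command line so it does not end up in shell history; on the content server the order of the last two settings does not matter, but leaving anonymous enabled alongside Windows authentication would let every request through as anonymous and the caller would never be identified.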

 

Note

1. Some people may think that we need to enable (Kerberos) delegation for the application pool identity domain\user1. Actually it is NOT necessary: ARR never authenticates the client itself and never requests a ticket on the client's behalf, so there is no second hop to delegate. The client's own ticket is simply passed through to the backend.

2. If we check the IIS log on the backend web server, we will find 401.2 -> 401.1 -> 200, rather than the 401.2 -> 200 sequence seen in a normal (non-proxied) Kerberos scenario.

3. The steps above are a quick solution but, based on my testing, not the only one. Configuring the Windows authentication provider on the backend web server as NTLM only, together with anonymous authentication on the ARR server, also works for this scenario. With this "NTLM as provider" solution there is no need to configure SPNs at all. Keep in mind that NTLM provides no mutual authentication and is the weaker of the two protocols, so prefer the Kerberos setup where it is possible.
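A verification script for notes 2 and 3, as an added example that is not the post's own code. The IIS log lines in it are constructed to show the proxied pattern; the addresses, names and times are hypothetical, and the SPN and provider commands assume the same placeholder account and site as the steps above. One thing to notice when reading a real backend log: the c-ip field is the ARR server's address, not the original client's, because ARR opens the backend connection.

```powershell
# Added example: check the backend IIS log for the proxied Kerberos pattern
# (401.2 -> 401.1 -> 200), check the SPNs, and optionally switch the backend to
# NTLM only. The sample log lines are constructed; all values are hypothetical.
Import-Module WebAdministration

$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-01-01 10:00:00 10.0.0.20 GET /default.aspx - 80 - 10.0.0.10 Mozilla/5.0 401 2 5 1
2012-01-01 10:00:00 10.0.0.20 GET /default.aspx - 80 - 10.0.0.10 Mozilla/5.0 401 1 0 0
2012-01-01 10:00:01 10.0.0.20 GET /default.aspx - 80 DOMAIN\alice 10.0.0.10 Mozilla/5.0 200 0 0 15
'@ -split "`r?`n"

function ConvertFrom-W3CLog {
    # Turn W3C extended log lines into objects keyed by the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if (-not $fields -or -not $line.Trim() -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-AuthSequence {
    # Group requests per (client address, URL) and render the status.substatus
    # chain: 401.2 = challenge sent, 401.1 = logon failed, 200 = authenticated.
    # Behind ARR, c-ip is the ARR server, so the URL is what separates callers.
    param([string[]]$Lines)
    ConvertFrom-W3CLog $Lines | Group-Object 'c-ip', 'cs-uri-stem' | ForEach-Object {
        $last = $_.Group | Where-Object { $_.'cs-username' -ne '-' } | Select-Object -Last 1
        [pscustomobject]@{
            Key      = $_.Name
            Sequence = ($_.Group | ForEach-Object { "$($_.'sc-status').$($_.'sc-substatus')" }) -join ' -> '
            User     = if ($last) { $last.'cs-username' } else { '-' }
        }
    }
}

# For a real file: Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log | Get-AuthSequence
Get-AuthSequence $sampleLog | Format-Table -AutoSize

# SPN sanity check for the Kerberos variant: every HTTP/ name must exist exactly
# once forest-wide, on the account both application pools run as.
setspn -L 'DOMAIN\user1'      # what is registered on the service account
setspn -X                     # report duplicate SPNs across the forest

function Set-BackendNtlmOnly {
    # Note 3 variant: remove Negotiate so only NTLM is offered; no SPNs needed.
    # Call this explicitly on the backend; it is not run by default.
    param([string]$Site = 'Default Web Site')
    $providers = 'system.webServer/security/authentication/windowsAuthentication/providers'
    $target = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site }
    Remove-WebConfigurationProperty @target -Filter $providers -Name '.' -AtElement @{ value = 'Negotiate' }
    Get-WebConfigurationProperty @target -Filter $providers -Name Collection | Select-Object value
}
```

Run against a real log, the function should show 401.2 -> 401.1 -> 200 for each first request through ARR, which is the pattern note 2 describes. A sequence that stops at 401.1 with no 200 usually means the backend could not decrypt the ticket: check that the SPN for the ARR host name is on the application pool account and that useAppPoolCredentials is set.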

 

References:

IIS logging for Windows Integrated authentication: http://support.microsoft.com/kb/969060/en-us

Description of Microsoft Internet Information Services (IIS) 5.0 and 6.0 status codes: http://support.microsoft.com/kb/318380/en-us

 

Regards,

Winston He from APGC DSI Team

Comments (1)

  1. Nacho says:

    Hi Winston He.

    I know this is an old post but I would like to ask you something. Within this article you state "the application pool identity of ARR server and backend web server should be the same". What about if ARR and backend servers run on different application pool identities? Let's say DOMAIN\arrUser and DOMAIN\backendUser. Could ARR and URL Rewrite manage to use authentication delegation when moving from ARR to BACKEND?
    I am trying to do this and I think ARR does not create a new request on behalf of the frontend user when communicating with the backend server.

    Thank you.

    Best regards,
    Nacho
