Is there a way to allow access to on-premises web apps that are WIA, from accounts that are in AAD only?

  • Question

  • Okay, so the subject makes this quite difficult to understand, so let's break this into two parts.

    1. We currently have a number of web applications on-premises that run on IIS. Some of these are internally-developed applications, some are commercial products, but all of them currently leverage Windows Integrated Authentication (WIA). Currently, these are typically made available as links in our portal (on-premises SharePoint), and everything is externally authenticated via Forms-based authentication. We're in the process of replacing this legacy firewall, and now need a new authentication solution for these pages. I immediately landed on Azure AD Application Proxy; however, the requirement for WIA means I'm looking at complication (and a performance hit) in the form of Kerberos Constrained Delegation (KCD). Is there something else I should look at?
    2. We are also finishing up a migration project that sees us switch from SharePoint on-premises to SharePoint Online. As part of this, we have identified a large group of users in Active Directory that are only there to get access to our portal via the legacy authentication scheme. These users are otherwise unlicensed, not used for anything else, but require us to pay for a 3rd party solution to manage Self Service Password Reset. Yuck. So here is where we hatched the grand plan to recreate these as B2C accounts in our Azure AD tenant, without an associated AD account, and just provide them access to SPO and the free/built-in SSPR. That all sounds great, until you factor in these on-premises web applications which they'll also need access to. What now? I can't use AAD Application Proxy with KCD if there is no on-premises AD account from which to impersonate.

    Now, I could just continue adding these accounts to AD so that AAD-AP w/ KCD works... but we really don't want to do that. And if we did that, the new portal (SPO) will require that I also synchronise these accounts via AAD Connect... and we really don't want to do that either. We could change our internally-developed applications so they support SSO and pre-authenticate through AAD, and we're looking into that, but the commercial products we need will be a challenge (terrible, and usually expensive support). We're just not sure what to do to support hybrid use cases in this situation. As rubbish as the old firewall is, that FBA SSO page does magic that is going to be hard to replace. I had also considered using Azure MFA Server on-premises to see if I can leverage that to somehow authenticate the external users, but I'm struggling to figure out how that would work (or if it is even suitable for our situation).

    I guess, as long as we get point 1 covered, I can delay point 2... but it would be great if this could be solved in one hit. Any ideas?

    Tuesday, October 15, 2019 3:59 AM

All replies