Authentication Delegation With Isa to Tomcat and Others

Just posting this because it took me a while to figure out, and I think it can be helpful for others. Last week I was building a test environment for our new secured web application. This web application is secured with BASIC authentication, and the user database is a Microsoft Active Directory (this will probably work with other LDAP services too). We have a couple of servers, and to publish this web application securely to the outside we put an ISA in our DMZ to function as a reverse proxy. To make it more secure, the ISA also authenticates against the Active Directory. Of course we don't want to bother the end user with a double authentication, so it would be nice if the ISA could pass the credentials on to the web application.

This can easily be done with the Authentication Delegation tab in the publishing rule. Make sure this tab is set to BASIC authentication, assuming the web servers use BASIC authentication, of course.

A common problem is that the ISA passes through the credentials that are typed, but when the DOMAIN isn't typed, the ISA puts it in front of the account name. For example: I log in with username testuser and password test, and the ISA passes "domain.localtestuser:test" to the web application. You can read the ":" as the separator between username and password. There is a great chance that your web server will see "domain.localtestuser" as the username, and as you can guess, most of the time this won't work. We don't want to bother our users with the domain name, so we have to solve this issue.

Luckily for us, this is very simple. Go to the listener, open the Authentication tab and click "Configure Validation Servers...". In the new window select the LDAP server set and click Edit. In the next window, go to the middle where it asks for an FQDN. Make sure it is empty, because this field determines what is put in front of the username to authenticate.
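To make the failure visible on the web server side, here is an added example (my own, not code from the post or from ISA/Tomcat) that decodes what a backend actually receives in the Authorization header. The `delegate_like_isa` function is a hypothetical, simplified model of the prefixing behaviour described above: whatever sits in the validation server's FQDN field is glued in front of the account name before the BASIC credentials are re-sent. The credentials and the user store are constructed sample values.

```python
import base64

# Constructed sample credentials taken from the post's example; not real accounts.
TYPED_USER = "testuser"
TYPED_PASSWORD = "test"

# Toy user store standing in for the web application's realm (constructed).
USER_STORE = {"testuser": "test"}


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a BASIC client sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def delegate_like_isa(username: str, password: str, fqdn_field: str = "") -> str:
    """Hypothetical model of the delegation behaviour described in the post:
    the contents of the validation server's FQDN field are put in front of the
    account name before BASIC credentials are forwarded to the web application."""
    forwarded_user = f"{fqdn_field}{username}" if fqdn_field else username
    return build_basic_header(forwarded_user, password)


def parse_basic_header(header: str) -> tuple[str, str]:
    """Decode what the backend web server actually receives.
    Split on the FIRST colon only: a BASIC username may not contain ':',
    but a password may."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a BASIC Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed BASIC credentials: no ':' separator")
    return username, password


def backend_accepts(header: str, store: dict[str, str]) -> bool:
    """Simplified realm check: the forwarded username must exist in the store
    with a matching password."""
    username, password = parse_basic_header(header)
    return store.get(username) == password


def demo() -> dict[str, bool]:
    """Compare the broken configuration (FQDN field filled) with the fixed one (empty)."""
    broken = delegate_like_isa(TYPED_USER, TYPED_PASSWORD, fqdn_field="domain.local")
    fixed = delegate_like_isa(TYPED_USER, TYPED_PASSWORD, fqdn_field="")
    return {
        "fqdn_filled": backend_accepts(broken, USER_STORE),
        "fqdn_empty": backend_accepts(fixed, USER_STORE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows the forwarded user "domain.localtestuser" being rejected while plain "testuser" is accepted. The same `parse_basic_header` logic is handy when you are unsure what a reverse proxy forwards: decode the header at the backend (or in a capture) rather than guessing.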

We had this problem authenticating with our Tomcat servers, but it will probably also apply to other web servers. Good luck.

Rob Maas
Technical Challenger at ON2IT

If it is broken, fix it! If it ain’t broken, make it better!