Forwarding NTLM credentials from IIS with ARR and URL Rewrite

Thanks in advance for your help.
In my environment, I configured IIS to act as a reverse proxy and forward requests to certain paths to an application server on another host. In order to do this, I used the Application Request Routing (ARR) and URL Rewrite modules; I created my rule and everything's working fine.
IIS is responsible for authenticating clients using NTLM, so my question is: is it possible to pass the authentication credentials (at least the username) to my application server after authenticating the user?
I tried to do this by adding a custom header to my requests, writing a rule like this:
<rule name="ForwardToApplicationServer">
    <match url=".*" />
    <serverVariables>
        <set name="HTTP_AUTH_USER" value="{AUTH_USER}" />
    </serverVariables>
    <action type="Rewrite" url="http://myappserver/myapp/{R:0}" logRewrittenUrl="true" />
</rule>
But it doesn't work: when I read it in my application, my header is always empty. I also tried with and but none of these worked.
So, what am I doing wrong? Should I use another server variable? Am I missing something?
More in general: is it possible to do what I'd like to do?
Again, thanks in advance for your help, and please forgive me if I'm asking something obvious but I'm new to using IIS and I couldn't find anything that helped me.

http://weblogs.asp.net/owscott/an-intro-to-iis-url-rewrite-plus-redirecting-urls-to-www-web-pro-week-8-of-52
{REMOTE_USER}, {LOGON_USER} & {AUTH_USER} do not work with URL-REWRITE, ...
You can use www.isapirewrite.com which runs later in the stack and has a handle on the auth data.

Windows IIS ARR Reverse Proxy Encoding Issue

We have an environment with a Windows 2019 Server IIS 10, which is acting as Reverse Proxy (ARR) for my IIS Server farm (Application Request Routing 3.0 and URL Rewrite 2.1). We send the user's name in the HTTP headers. But my ARR somehow screws up the encoding (we are using German special characters, e.g. ö, ü, ß...), so when I check the response of the WebServer it shows me: H%C3%B6lmuth M%C3%A4%C3%9Fterm%C3%BCller instead of Hölmuth Mäßtermüller.
I have an old environment with Windows 2012R2 Server with the same configuration; in this environment the display of the name is correct. I have checked all kinds of settings between the old and new servers, but cannot find any difference.
Further, I have used Failed Request Logging and Network Monitor to see what the server receives and sends; find the results below.
Received Request on the IIS ARR (old and new):
X-AUTHENTICATE-FamilyName: M%C3%A4%C3%9Fterm%C3%Bcller
X-AUTHENTICATE-GivenName: H%C3%83%C2%B6lmuth
X-AUTHENTICATE-cn: H%C3%B6lmuth M%C3%A4%C3%9Fterm%C3%BCller
Request sent to the IIS (new):
X-AUTHENTICATE-FamilyName: M%C3%A4%C3%9Fterm%C3%BCller
X-AUTHENTICATE-GivenName: H%C3%83%C2%B6lmuth
X-AUTHENTICATE-cn: H%C3%B6lmuth M%C3%A4%C3%9Fterm%C3%BCller
Request sent to the IIS (old):
X-AUTHENTICATE-FamilyName: Mäßtermüller
X-AUTHENTICATE-GivenName: Hölmuth
X-AUTHENTICATE-cn: Hölmuth Mäßtermüller
Does anyone have an idea how I can change this behaviour? Help would be much appreciated.
Can you give me an example of how to use the {UNENCODED_URL} variable? Currently we are using the rewrite module to route requests to specific Server Farms, see my rules below:
<rewrite>
    <globalRules useOriginalURLEncoding="true">
        <rule name="ARR_BPBP-DEV_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
            <match url="*" />
            <action type="Rewrite" url="http://BPBP-DEV/{R:0}" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="bmi-bpbp-dev.vecos.at" />
            </conditions>
        </rule>
        <rule name="ARR_BPBP-TEST_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
            <match url="*" />
            <action type="Rewrite" url="http://BPBP-TEST/{R:0}" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="bmi-bpbp-test.vecos.at" />
            </conditions>
            <serverVariables>
            </serverVariables>
        </rule>
    </globalRules>
</rewrite>
How can I adapt the rules to use the {UNENCODED_URL} variable?
When an HTTP request arrives on Windows, the latest HTTP.sys encodes both URL and HTTP headers, and puts the original URL in UNENCODED_URL server variable so that it can be recovered afterwards.
However, the original headers (such as X-AUTHENTICATE-FamilyName: Mäßtermüller) do not seem to be preserved (no clear documentation on that), so there isn't any easy way to recover them.
If you want to modify the header from X-AUTHENTICATE-FamilyName: M%C3%A4%C3%9Fterm%C3%BCller back to X-AUTHENTICATE-FamilyName: Mäßtermüller, the only way I can think of is to write a custom IIS module to perform the decoding step.
Alternatively, you might modify your other code to accept such encoded header values (and decode them when needed in your code), as anyway that's how Windows/IIS behaves now and you cannot fight it.
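The second option in the answer above (accept the encoded values and decode them in the application), as an added example that is not code from the original thread. Python is an assumption, since the thread does not name the backend language, and the names `decode_identity_header`, `DecodedHeader` and `HeaderDecodeError` are hypothetical. The decoder is strict: it rejects invalid UTF-8 and decoded control characters, and it flags values that look double-encoded, such as the GivenName in the captures, instead of repairing them silently.

```python
import unicodedata
from typing import NamedTuple
from urllib.parse import unquote_to_bytes


class HeaderDecodeError(ValueError):
    """Raised when a forwarded identity header cannot be trusted as text."""


class DecodedHeader(NamedTuple):
    value: str
    double_encoded: bool  # True when the text looks like UTF-8 read as Latin-1


def _looks_double_encoded(text: str) -> bool:
    # Mojibake such as "HÃ¶lmuth" round-trips through Latin-1 into valid UTF-8.
    try:
        return text.encode("latin-1").decode("utf-8") != text
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False


def decode_identity_header(raw: str) -> DecodedHeader:
    # unquote_to_bytes accepts %XX in either hex case and passes raw
    # non-ASCII characters through as UTF-8, so the encoded form (new server)
    # and the unencoded form (old server) decode to the same text.
    data = unquote_to_bytes(raw)
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise HeaderDecodeError(f"not valid UTF-8: {raw!r}") from exc
    # Decoded CR/LF/NUL must never reach logs or outgoing headers.
    if any(unicodedata.category(ch) == "Cc" for ch in text):
        raise HeaderDecodeError(f"control character in header: {raw!r}")
    return DecodedHeader(text, _looks_double_encoded(text))


# Header values copied from the request captures in the question.
SAMPLE_HEADERS = {
    "X-AUTHENTICATE-FamilyName": "M%C3%A4%C3%9Fterm%C3%Bcller",
    "X-AUTHENTICATE-GivenName": "H%C3%83%C2%B6lmuth",
    "X-AUTHENTICATE-cn": "H%C3%B6lmuth M%C3%A4%C3%9Fterm%C3%BCller",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_HEADERS.items():
        print(name, decode_identity_header(raw))
```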
Try to set the useOriginalURLEncoding to false, and URL rewrite will no longer encode the urls when using the {UNENCODED_URL} variable in the rules.
To set the flag, go to IIS Manager, select Configuration Editor and go to the section system.webServer/rewrite/rules, where you will find the useOriginalURLEncoding flag.

IIS URL Rewrite with Incoming URL

I have a strange business case where I need any time a URL is called on my web server that it is re written with the incoming URL.
Example:
Incoming URL
/site/1
URL that it is going to
/innerlink/2
In the browsers URL
/innerline/2 would show /site/1
If you can answer this question or get me to some material that could help me in doing this it would be greatly appreciated. Thanks!
The name of this approach is "URL rewriting". In IIS you can achieve it with the URL Rewrite module.
In your case when you just need to rewrite /site/1 to /innerlink/2 you need to do the following:
Install URL rewrite module for IIS (it might be already installed)
In your web.config you need to add this rewrite rule:
<rule name="Laravel5" enabled="true" stopProcessing="true">
    <match url="^site/1$" />
    <action type="Rewrite" url="/innerlink/2" />
</rule>
And now if you open this link in your browser, {YOUR DOMAIN, IP OR HOSTNAME}/site/1, it will make a request to /innerlink/2 (but the browser will keep showing /site/1).
P.S. Also you can find some useful rewrite/redirect rules in this article: https://host4asp.net/top-iis-rewrite-rules/

IIS Throwing HTTP 500 for rewrite rules

When I put my web.config into any folder/main directory it seems to be throwing the HTTP error code: 500 -- unfortunately I don't have access to the logs so I can't see why, so surely it's down to my web.config - I've never used IIS before but I'm trying to re-route all requests to a file called 'api.php', here's my web.config file.
<rewrite>
    <rules>
        <rule name="rule 1Q">
            <match url="^/.*" />
            <action type="Rewrite" url="/api.php" />
        </rule>
    </rules>
</rewrite>
Apache equivalent:
RewriteEngine on
RewriteRule ^/.* /api.php
Any help is greatly appreciated.
This is not an exact answer because I am not sure of your server variables but here is something that might be useful to you. Here. This walks through the IIS setup for version 7 and it has some basic concepts. There is a rewrite module/tool that could help but I haven't used it. And another document here...Shows the GUI interface like the first link and is in 7.5.
Again, not specific solutions, but hopefully you have some server gurus there that can help you at least get the IIS settings right (or at least not sound dumb if you have to communicate something specific to them) if this is a first-time IIS ISAPI venture for you.

ARR/URL Rewriter within a .net Web API application

I have two applications. One of which is going to handle authentication across a range of products. Because of this, from each one I want to rewrite a URL from each individual website to our "authentication" project. It would look something like this.
http://www.mywebsite.com/api/profile/login -> http://www.myauthentication.com/api/profile/login.
So essentially pushing the request cross domain.
For this I have setup ARR and URL Rewriting in IIS. However I can't seem to get it to work, and I have a feeling URL Rewriting is not running on requests that would normally cause a 404. I think this because on a REDIRECT request (301 redirect), the config works perfectly. When I use a rewrite, I get a generic 404 page.
The rules configuration looks as per below :
<rules>
    <rule name="Route the requests for the Profile API." enabled="true" stopProcessing="true">
        <match url="^profiles/(.*)" />
        <action type="Rewrite" url="http://authentication.local/api/profiles/{R:1}" logRewrittenUrl="true" />
    </rule>
</rules>
It should be noted that I am using the WebAPI, not MVC, which I'm not sure if that is causing issues or not. Because the redirect works but not the rewrite, I'm sure I've got everything installed OK in IIS.
For ARR, I have simply ticked "Enable Proxy" but I am unsure if I need to do anything else.
I managed to solve this by adding an ignore route for ARR.
RouteTable.Routes.IgnoreRoute("api/profiles/{*pathInfo}");

IIS Url Rewriter rewrite fails but redirect works flawlessly

I have to set up a couple of apps on a new intranet server (Win 2008 R2 Standard SP1). I have been having some difficulty with a URL Rewriter rule. I had a similar rule working great on my local IIS (Win 7). The rule is designed to create a reverse proxy for a web service that enables jQuery AJAX requests from the client to avoid XSS.
The rule is as below and if I use this as is, and type an example URL into the browser:
http://srv01.domain.com/serviceproxy/workflow/Users/GetUsers?q=smith&max=10
I get a 404 response from the server. If I change the type to "Redirect" I get the response from the server expected (but obviously this will void my attempt to avoid XSS).
<rewrite>
    <rules>
        <rule name="Reverse Proxy - WCF Service" stopProcessing="true">
            <match url="serviceproxy/workflow/(.+)" />
            <action type="Rewrite" url="http://srv01.domain.com/WorkflowService/{R:1}" />
        </rule>
    </rules>
</rewrite>
Any ideas what might be missing from the server configuration? Is it a security setting somewhere that needs to be configured to allow the rewrite to occur?
I found my issue. I didn't have Application Request Routing installed on this server. Either I forgot installing it on my other server or it was already on there for another reason.
Found this article that helped me resolve it.
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
Had a similar issue on Windows 2008, IIS 7.5.
The problem was that the app pool was in integrated mode. That caused issues with the rewrite.
Redirect was always OK, but rewrite always failed.
Changed the app pool to classic mode and problem solved (at least for now).
A better solution might be http://forums.iis.net/t/1200671.aspx?ARR+URl+Rewrite+is+not+working+for+external+servers
right at the end, but I haven't tried it.
