Web Application Proxy: Some applications are configured to perform backend authentication using Integrated Windows authentication but the server is not joined to a domain


Applies To: Windows Server 2012 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Web Application Proxy Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012 R2

Product/Feature

Web Application Proxy

Severity

Error

Category

Configuration

Issue

Web Application Proxy can perform backend authentication using Integrated Windows authentication only when it is running on a server that is joined to a domain.

Impact

Users will not be able to access this application from the current server.

Resolution

Join this server to a domain.

When publishing applications that use Integrated Windows authentication, the Web Application Proxy server uses Kerberos constrained delegation to authenticate users to the published application.

To use Integrated Windows authentication, the Web Application Proxy server must be joined to an AD DS domain. The following list describes the domain and forest considerations for a deployment that uses Integrated Windows authentication with Kerberos constrained delegation:

  • Deployments where users, resources, and Web Application Proxy servers are all in the same forest are supported.

  • Deployments with multiple forests where there is a user forest, a resource forest, and a Web Application Proxy forest:

    • Supported deployments

      • Users and Web Application Proxy servers are in the same forest, but resources are in a different forest.

      • Resources and Web Application Proxy servers are in the same forest, but users are in a different forest.

    • Unsupported deployments

      • Users, resources, and Web Application Proxy servers are all in different forests.

      • Users and resources are in the same forest, but Web Application Proxy servers are in a different forest.

In multi-forest deployments:

  1. The user forest must trust the Web Application Proxy forest, and the Web Application Proxy forest must trust the resource forest.

  2. All of the Active Directory domains in a multi-forest deployment must have at least one Windows Server® 2012 or higher domain controller. For more information, see Kerberos Constrained Delegation across Domains.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To join the Web Application Proxy server to a domain

  1. In Server Manager, click Local Server. In the details pane, click the link next to Computer name.

  2. On the System Properties dialog box, click the Computer Name tab. On the Computer Name tab, click Change.

  3. In Computer Name, type the name of the computer if you are also changing the computer name when joining the server to the domain. Under Member of, click Domain, and then type the name of the domain to which you want to join the server; for example, corp.contoso.com, and then click OK.

  4. When you are prompted for a user name and password, enter the user name and password of a user with rights to join computers to the domain, and then click OK.

  5. When you see a dialog box welcoming you to the domain, click OK.

  6. When you are prompted that you must restart the computer, click OK.

  7. On the System Properties dialog box, click Close.

  8. When you are prompted to restart the computer, click Restart Now.
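The same check and domain join from PowerShell, as an added example that is not part of the original article: it tests the condition the BPA rule reports (server not domain-joined), joins the server with Add-Computer instead of the Server Manager dialogs, and, once joined, lists the published applications that rely on Integrated Windows authentication together with the delegation entries on the proxy's computer account. The domain name is an assumption, and the WebApplicationProxy and ActiveDirectory (RSAT) modules are assumed to be installed.

```powershell
# Added example, not from the original article. Domain name is an assumption.
$DomainName = 'corp.contoso.com'

# The condition the BPA rule tests: is this Web Application Proxy server domain-joined?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is in workgroup '$($cs.Domain)'; backend Integrated Windows authentication (Kerberos constrained delegation) cannot work here."
    # Same as the Computer Name dialog: prompts for an account allowed to join computers
    # to the domain, then restarts the server (the restart is required, as in step 6).
    Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart
    return
}
Write-Output "$($cs.Name) is joined to $($cs.Domain)."

# Once joined: published applications that use Integrated Windows authentication are the
# ones configured with a backend SPN (BackendServerAuthenticationSPN on the application).
$iwaApps = Get-WebApplicationProxyApplication |
    Where-Object { $_.BackendServerAuthenticationSPN } |
    Select-Object Name, ExternalUrl, BackendServerUrl, BackendServerAuthenticationSPN
$iwaApps | Format-Table -AutoSize

# Kerberos constrained delegation is granted on the proxy's computer account: each backend
# SPN listed above must appear in msDS-AllowedToDelegateTo for users to be authenticated.
$proxy = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-AllowedToDelegateTo'
$allowed = @($proxy.'msDS-AllowedToDelegateTo')
foreach ($app in $iwaApps) {
    if ($allowed -contains $app.BackendServerAuthenticationSPN) {
        Write-Output "OK      $($app.Name): delegation to $($app.BackendServerAuthenticationSPN) is allowed."
    } else {
        Write-Warning "MISSING $($app.Name): $($app.BackendServerAuthenticationSPN) is not in msDS-AllowedToDelegateTo on $($proxy.Name)."
    }
}
```

Run it in an elevated PowerShell session on the Web Application Proxy server; the delegation check needs a domain account permitted to read the computer object.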