davidgiga1993

Reputation: 2853

IIS conditionally skip built-in Windows auth

Issue

We are trying to retrofit a legacy application (TFS) with 2FA auth. It's a lot to explain in detail but the setup is the following:

                           Host A                      Host B
End user - https ->       IIS Proxy      - https ->    IIS App
       - 2FA/kerberos -> Impersonation - kerberos ->

On the IIS Proxy side we developed a .NET app which acts as a reverse proxy (classic pipeline), handles the auth and passes the impersonated Kerberos credentials on to the app. For this the IIS Proxy is configured to use Windows Auth (with 401 Challenge). Now the legacy app has two special cases where no authentication is requested:

  1. /_static/* path
  2. JWT token in Authorization header

In these two cases the IIS Proxy should not send a 401 challenge and should simply pass the request through anonymously.

Tries

I assumed it would be possible to write a custom HTTP module which sets SkipAuthorization = true under these conditions:

using System;
using System.Web;
// IHttpModule that flags the two exemptions so the authorization check is skipped
public class SkipAuthModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += Context_BeginRequest;
    }
    public void Dispose() { }
    private void Context_BeginRequest(object sender, EventArgs e)
    {
        var req = HttpContext.Current.Request;
        var authHeader = req.Headers.Get("Authorization");
        var path = req.Url.AbsolutePath;
        // Static/public content or a bearer-token (JWT) request: no challenge wanted
        if (path.Contains("/_static/") ||
            path.Contains("/_public/") ||
            (authHeader != null && authHeader.StartsWith("Bearer ")))
        {
            HttpContext.Current.SkipAuthorization = true;
        }
    }
}

But sadly it doesn't work: the IIS proxy still sends a 401 and the proxy app doesn't get called. I'm by far no IIS expert, but so far I haven't found a precise answer as to whether it is even possible to conditionally skip Windows authentication and continue anonymously.

So if anyone has some hints or a clear "you can't do that" I would appreciate it.

Refs

Various references I've looked at

  1. ARR on IIS to skip windows authentication
  2. https://social.msdn.microsoft.com/Forums/en-US/f42dd667-817d-40bf-8939-dfb619b95462/bypass-login-with-iis-integrated-windows-authentication?forum=aspconfiganddeploy
  3. https://serverfault.com/questions/392606/iis-windows-authentication-except-for-local-machine

Upvotes: 0

Views: 318
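Editor's added example, not the poster's configuration and not an answer from the thread. HttpContext.SkipAuthorization is documented as telling the managed UrlAuthorizationModule to skip its check; it does not disable the native IIS Windows authentication module, which is why a 401 challenge is still produced when anonymous authentication is off. The usual way to get a per-path exemption without that problem is to enable both anonymous and Windows authentication in IIS and move the "deny anonymous" decision into managed URL authorization, where a module-set SkipAuthorization does take effect. The web.config below assumes the proxy app is at the site root and that IIS has anonymousAuthentication and windowsAuthentication both enabled for it (an assumption; on the poster's setup anonymous is evidently disabled). The path name _static comes from the question; everything else is illustrative.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the question). Assumes: site root = proxy app,
     IIS anonymousAuthentication=true AND windowsAuthentication=true, so an
     unauthenticated request reaches the managed pipeline as anonymous
     instead of being challenged by the native module first. -->
<configuration>
  <system.web>
    <!-- Default rule: deny anonymous users ("?") everywhere. The managed
         UrlAuthorizationModule turns this into a 401, and the IIS Windows
         authentication module attaches the Negotiate/NTLM challenge to that
         401, so browser users still get the same transparent Kerberos flow. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exemption 1 from the question: static content needs no challenge.
       A <location> rule scoped to the exact subtree is preferable to a
       substring match in code, because it cannot be matched by "/_static/"
       appearing somewhere else in a longer path. -->
  <location path="_static">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Exemption 2 (JWT bearer token) cannot be expressed by path, so it stays
       in the module from the question: with this config in place, setting
       HttpContext.Current.SkipAuthorization = true at BeginRequest makes the
       UrlAuthorizationModule skip the deny rule for that one request, and the
       proxy handler then runs as anonymous and can validate the token itself. -->
</configuration>
```

Two practical caveats for anyone reproducing this. First, the alternative of toggling the IIS-level `<system.webServer><security><authentication>` settings inside a `<location>` only works if that section is unlocked in applicationHost.config (it is locked by default), which is a frequent reason such attempts silently fail. Second, once the bearer path is exempt from the deny rule, the proxy handler itself is the only thing standing between an unauthenticated request and the back end, so the JWT must be fully validated (signature, issuer, audience, expiry) before any impersonation or forwarding happens.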

Answers (0)
