
Redundant login prompt when using Azure AD App Proxy single sign-on


Hi, I'm using Azure AD Application Proxy to make our internal Passwordstate instance available from outside the LAN without a VPN connection, while also enforcing MFA and other conditional access rules. To implement single sign-on, I've set up the Azure application to use Kerberos Constrained Delegation, which sends an authentication token for the logged-in Azure AD user (synced from the on-prem AD user) through to the on-premises IIS app. This all seems to be working fine as far as IIS is concerned: I can navigate to the App Proxy URL (https://passwordstate.[ourdomain].com), and the IIS logs on our Passwordstate server show my requests with my UPN as the authenticated on-premise AD user.


However, Passwordstate doesn't seem to be recognizing the fact that IIS considers me to be authenticated. Instead of being logged in automatically (since I have Passthrough AD selected in Passwordstate's authentication options), I see Passwordstate's "manual AD" login page (/logins/loginadan.aspx).


Note that I have Anonymous auth disabled in IIS, so if I truly weren't authenticated, I wouldn't be able to see the loginadan.aspx page at all - IIS would request a Windows token from my browser first.


Any advice/suggestions would be much appreciated!

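An added diagnostic (not from the original post or from Passwordstate) that dumps the IIS authentication settings on the backend site that decide whether a Kerberos ticket delivered by the App Proxy connector is accepted and which identity the application then sees. It assumes the site is named `Passwordstate` (a placeholder to adjust) and is run on the IIS server with the WebAdministration module.

```powershell
# Added diagnostic, not part of the original post. Assumption: the IIS site
# hosting Passwordstate is called "Passwordstate" (placeholder, adjust it).
Import-Module WebAdministration

$site     = 'Passwordstate'
$psPath   = "IIS:\Sites\$site"
$authBase = '/system.webServer/security/authentication'
$winAuth  = "$authBase/windowsAuthentication"

# Authentication modules enabled on the site.
$anonEnabled = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
$winEnabled  = (Get-WebConfigurationProperty -PSPath $psPath -Filter $winAuth -Name enabled).Value

# Kerberos-relevant knobs on Windows Authentication.
$kernelMode  = (Get-WebConfigurationProperty -PSPath $psPath -Filter $winAuth -Name useKernelMode).Value
$poolCreds   = (Get-WebConfigurationProperty -PSPath $psPath -Filter $winAuth -Name useAppPoolCredentials).Value
$providers   = (Get-WebConfiguration -PSPath $psPath -Filter "$winAuth/providers/add").value

# Identity the worker process runs as (matters for which account owns the SPN).
$poolName = (Get-Item $psPath).applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$identity = $pool.processModel.identityType
if ($identity -eq 'SpecificUser') { $identity = "SpecificUser ($($pool.processModel.userName))" }

[pscustomobject]@{
    Site                  = $site
    AnonymousAuth         = $anonEnabled
    WindowsAuth           = $winEnabled
    Providers             = ($providers -join ', ')
    UseKernelMode         = $kernelMode
    UseAppPoolCredentials = $poolCreds
    AppPool               = $poolName
    AppPoolIdentity       = $identity
} | Format-List

# Findings a defender would act on before looking at the application itself.
if (-not $winEnabled)              { Write-Warning 'Windows Authentication is disabled; no Kerberos ticket can be accepted.' }
if ($anonEnabled)                  { Write-Warning 'Anonymous Authentication is enabled; requests may reach the app unauthenticated.' }
if ($providers -notcontains 'Negotiate') { Write-Warning 'Negotiate is not an enabled provider; Kerberos (and therefore KCD) cannot be used.' }
if ($kernelMode -and $pool.processModel.identityType -eq 'SpecificUser' -and -not $poolCreds) {
    Write-Warning 'Kernel-mode auth with a custom app pool account requires useAppPoolCredentials=true for the SPN on that account.'
}
```

Run it in an elevated PowerShell session on the Passwordstate IIS server; the warnings cover the IIS-side preconditions for KCD, not Passwordstate's own handling of the authenticated identity.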