Reverse proxy not working for ADFS using ARR and URL-Rewrite on IIS

1
votes

I am trying to implement reverse proxy using ARR and URL rewrite module on IIS. I have two servers called A and B. I have installed ADFS on server "A" and server "B" used only for reverse proxy. I have installed ARR and URL-Rewrite modules on server "B".

For example server "A" domain name "myadfs1.com" and server "B" domain name "myproxy.com". The federation server login page URL - https://myadfs1.com/adfs/ls/IdpInitiatedSignon.aspx

Problem statement -
When I am accessing direct ADFS URL i.e. https://myadfs1.com/adfs/ls/IdpInitiatedSignon.aspx, getting response and ADFS login page opening fine. There is no problem. But when I am trying to access ADFS login page via proxy i.e. https://myproxy.com/adfs/ls/IdpInitiatedSignon.aspx getting 503 errors i.e. the service is unavailable.

Below rules I am using for rewrite – 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
            <rules>
                <clear />
                <rule name="ReverseProxyInboundRule2" stopProcessing="true">
                    <match url="[a][d][f][s](.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTPS}" pattern="On" />
                    </conditions>
                    <action type="Rewrite" url="https://myadfs1.com/adfs{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>                
            </rules>
        </rewrite>
        <tracing>
            <traceFailedRequests>
                <add path="*">
                    <traceAreas>
                        <add provider="ASP" verbosity="Verbose" />
                        <add provider="ISAPI Extension" verbosity="Verbose" />
                        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket" verbosity="Verbose" />
                    </traceAreas>
                    <failureDefinitions timeTaken="00:00:00" statusCodes="400-600" />
                </add>
            </traceFailedRequests>
        </tracing>
    </system.webServer>
    <system.web>
        <identity impersonate="false" />
    </system.web>
</configuration>

Some observation –

If I am trying to access https://myproxy.com/adfs/ls/IdpInitiatedSignon.aspx URL then I am not getting any log on IIS on proxy server. But If I try same URL just replacing "adfs" to "adfs1" then IIS logging the request and getting 404 error.

So I am looking for help to configure reverse proxy for my ADFS access.

1
iisurl-rewritingadfsarr
Did you find a solution? I find many tutorials which are using "Web Application Proxy (WAP)" from Windows 2012 R2 instead of IIS ARR to fulfill this task. see msdn.microsoft.com/en-us/library/azure/dn528859.aspxdataCore

1 Answers

0
votes

I have just stumbled on this myself, it turned out that something wasn't removed on my IIS server when I installed ADFS on it in the past and later removed it.

The http.sys component in Windows has a feature called 'URL reservations', which allow multiple applications to work on the same hostname without interfering with eachother. This enables IIS, ADFS, Remote Desktop Gateway and so on to run on the same server.

I ran the following command on my server:

netsh http show urlacl

This listed me all URL reservations, and a couple of them were for ADFS - despite it no longer being installed on that particular machine! I then issued these commands:

netsh http delete urlacl http://+:80/adfs/
netsh http delete urlacl https://+:443/adfs/
netsh http delete urlacl https://+:49443/adfs/
netsh http delete urlacl https://+:443/FederationMetadata/2007-06/

Once having done this, everything started to work.