Active Directory Federation Services (AD FS) role on a domain controller or a separate server. See Microsoft: AD FS Deployment
Web Application Proxy (WAP) role on a separate server from the AD FS server
SquaredUp DS using your preferred authentication mode (Windows Authentication or Forms). SquaredUp DS works best with WAP/AD FS when it is in Windows Authentication mode rather than the default Forms-based authentication mode. If Forms is used, the user will need to authenticate to AD FS and then authenticate to SquaredUp DS as well. If Windows Authentication mode is used, successful AD FS authentication will permit the WAP server to obtain a Kerberos service ticket for the user (via Kerberos constrained delegation) and sign them into SquaredUp DS without any further login prompts. If you wish to use Windows Authentication we recommend you configure it and test it for a period of time before configuring an application proxy. See User authentication methods for SquaredUp DS for SCOM
In the Remote Access Management Console on the Web Application Proxy server click Publish in the right-hand pane.
In the Publish New Application Wizard use the following settings:
Preauthentication: Active Directory Federation Services (AD FS)
Supported Clients page: Web and MSOFBA
Relying Party: Select the AD FS relying party that was created for SquaredUp DS in the AD FS Relying Party Trust Wizard previously. For example, SquaredUp DS.
Publishing Settings:
External URL: The URL that clients will open to access SquaredUp DS.
External certificate: Select the certificate for the External URL.
Backend server URL: The internal URL of the SquaredUp Server (or of the load balancer, if SquaredUp DS is in High Availability mode) to which WAP will proxy requests.
Backend server SPN: The HTTP SPN of the SquaredUp Server (or the load balancer if SquaredUp DS is in High Availability mode).
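The same publication can be scripted instead of walked through the wizard. The following PowerShell is an added example (not SquaredUp's own code or documentation) using the built-in WebApplicationProxy module; the host names, relying party name and certificate lookup are assumed placeholders to replace with your own values. Supported Clients "Web and MSOFBA" corresponds to the ADFSforBrowsersAndOffice pre-authentication value.

```powershell
# Added example (not from the SquaredUp documentation): publish SquaredUp DS through
# Web Application Proxy with AD FS pre-authentication and Kerberos constrained
# delegation to the backend, equivalent to the wizard settings listed above.
# Run in an elevated PowerShell session on the WAP server.
# All host names, the relying party name and the certificate are assumed placeholders.

$externalUrl      = 'https://squaredup.example.com/'          # assumed: URL clients open
$backendUrl       = 'https://squaredup.corp.example.local/'   # assumed: SquaredUp Server or load balancer
$backendSpn       = 'HTTP/squaredup.corp.example.local'       # assumed: HTTP SPN of the SquaredUp Server / LB
$relyingPartyName = 'SquaredUp DS'                            # name of the AD FS relying party trust created earlier

# Pick the certificate for the external host name from the machine store
# (the same certificate the wizard's "External certificate" field expects).
$externalHost = ([Uri]$externalUrl).Host
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$externalHost*" -or $_.DnsNameList.Unicode -contains $externalHost } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $externalHost in Cert:\LocalMachine\My" }

Add-WebApplicationProxyApplication `
    -Name 'SquaredUp DS' `
    -ExternalPreauthentication ADFSforBrowsersAndOffice `   # "Web and MSOFBA" in the wizard
    -ADFSRelyingPartyName $relyingPartyName `
    -ExternalUrl $externalUrl `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl $backendUrl `
    -BackendServerAuthenticationSPN $backendSpn              # enables KCD to the backend

# Read back what WAP recorded. An empty BackendServerAuthenticationSPN means WAP
# will not attempt Kerberos delegation and users get a second logon prompt (or 401).
Get-WebApplicationProxyApplication -Name 'SquaredUp DS' |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
                ADFSRelyingPartyName, BackendServerAuthenticationSPN
```

The relying party trust itself lives on the AD FS server, so confirm with Get-AdfsRelyingPartyTrust there (not on the WAP server) that the name you pass in -ADFSRelyingPartyName exists before publishing; WAP only validates it against the federation server it is registered with.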
If you are using Windows Authentication for SquaredUp DS you must also configure Kerberos constrained delegation for the Web Application Proxy server, so that it can obtain a Kerberos ticket for the user in the same way a browser on the internal network would.
In Active Directory Users and Computers, find the Computer account of the Web Application Proxy server and open its properties. On the Delegation tab select Trust this computer for delegation to specified services only and Use any authentication protocol (WAP never receives a Kerberos ticket from the user, who authenticated to AD FS, so protocol transition is required), then click Add.
If the SquaredUp DS application pool is running as the default NetworkService account, add the Computer account of the SquaredUp Server (or the load balancer computer account if SquaredUp DS is in High Availability mode) and choose http from the list of Service Types. If the SquaredUp DS application pool is running as a domain account, add that domain account instead and choose the http entry from the list of Service Types that corresponds to the SquaredUp Server (or load balancer if SquaredUp DS is in High Availability mode).
To ensure SquaredUp DS is aware that it may be accessed via Web Application Proxy and AD FS, create a JSON key called adfs-server-url in the authentication.json file. Add the external URL for SquaredUp DS that Web Application Proxy has been configured to listen on.
HTTP 500 errors may be displayed for SquaredUp DS tiles if Web Application Proxy is installed on a Windows 2019 Server. A review of the HTTP response will show the error code below:
HTTP/1.1 500 Internal Server Error
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
X-Error-HRESULT: 80072F00
In this case, HTTP2 for WinHTTP needs to be disabled on the server running Web Application Proxy.
This is disabled by adding a DWORD value called EnableDefaultHttp2 with a value of 0 to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
After adding this DWORD value, restart the Web Application Proxy server.
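The registry change above, as an added PowerShell example (not from the SquaredUp documentation) that is safe to re-run and checks the value type, since a REG_SZ "0" left behind by a manual edit would not take effect:

```powershell
# Added example (not from the SquaredUp documentation): disable HTTP/2 for WinHTTP on
# the Web Application Proxy server, which clears the X-Error-HRESULT 80072F00
# responses described above. Idempotent; run elevated on the WAP server.

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$name = 'EnableDefaultHttp2'

# The WinHttp key may not exist on a fresh server.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 0) {
    Write-Output "$name is already 0; no change made."
} else {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    $was = if ($null -eq $current) { 'not present' } else { $current }
    Write-Output "$name set to 0 (was: $was)."
}

# Confirm the value was stored as a DWORD, not as a string.
$kind = (Get-Item -Path $key).GetValueKind($name)
if ($kind -ne 'DWord') { throw "$name has registry type $kind; expected DWord" }

Write-Output 'Restart the Web Application Proxy server for the change to take effect (Restart-Computer).'
```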
The Event Log under Applications and Services Logs on the Web Application Proxy server has both an AD FS event log and a Web Application Proxy log (the latter is found under Microsoft -> Windows -> Web Application Proxy). In addition, the AD FS server will have an AD FS event log as well.
It is also worth checking the IIS log and SquaredUp Server log (Where to find log files) on the SquaredUp Server in case the problem is on the SquaredUp Server.
A Microsoft Entra ID P1 or P2 licence (formerly Azure AD Premium P1/P2), which provides access to Azure Application Proxy (AAP)
One or more on-premises servers to host the AAP Connector
SquaredUp DS using your preferred authentication mode (Windows Authentication or Forms). SquaredUp DS works best with Azure Application Proxy when it is in Windows Authentication mode rather than the default Forms-based authentication mode. If Forms is used, the user will need to authenticate with Azure Application Proxy and then authenticate to SquaredUp DS as well. If Windows Authentication mode is used, successful Azure Application Proxy authentication will permit the Connector server to obtain a Kerberos service ticket for the user (via Kerberos constrained delegation) and sign them into SquaredUp DS without any further login prompts. If you wish to use Windows Authentication we recommend you configure it and test it for a period of time before configuring an application proxy. See User authentication methods for SquaredUp DS for SCOM
The Azure App Proxy Connector is a lightweight piece of software that opens an outbound connection to Azure in order to facilitate the flow of pre-authenticated traffic to backend on-premises software, such as SquaredUp DS. No inbound firewall rule is needed on the Connector server. When SquaredUp DS is in Windows Authentication mode and Kerberos delegation has been configured for the Connector's computer account, the Connector also obtains a Kerberos ticket for the user, allowing them to be automatically signed in to SquaredUp DS with their Windows identity after successfully authenticating with their Azure identity.
Multiple Connector servers can be pooled to service the same application. To add Connector servers, open App Proxy in the Azure Portal and download the Connector software, and install it on the servers that will act as Connectors.
Once installed, the status of Connector servers can also be viewed from this page. Connector servers that have been offline for 10 days get automatically removed from Azure. For more information see Microsoft: Understand Azure AD Application Proxy connectors
After SquaredUp DS has been configured to use Windows Authentication, a domain-joined user should be able to simply open the internal SquaredUp DS URL and be logged on automatically, without being prompted for a username and password. (See User authentication methods for SquaredUp DS for SCOM)
To ensure that the Azure Application Proxy Connector server can make use of Windows Authentication in the same way, Kerberos constrained delegation needs to be configured for the Connector server as well:
In Active Directory Users and Computers, find the Computer account of the Azure Application Proxy Connector server and open its properties. On the Delegation tab select Trust this computer for delegation to specified services only and Use any authentication protocol (the Connector never receives a Kerberos ticket from the user, who authenticated to Microsoft Entra ID, so protocol transition is required), then click Add.
If the SquaredUp DS application pool is running as the default NetworkService account, add the Computer account of the SquaredUp Server (or the load balancer computer account if SquaredUp DS is in High Availability mode) and choose http from the list of Service Types. If the SquaredUp DS application pool is running as a domain account, add that domain account instead and choose the http entry from the list of Service Types that corresponds to the SquaredUp Server (or load balancer if SquaredUp DS is in High Availability mode).
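The delegation steps are identical for a Web Application Proxy server and for an Azure Application Proxy Connector server, so one added PowerShell example (not SquaredUp's or Microsoft's own code) covers both. It uses the ActiveDirectory module to do what the Delegation tab does: first checks that the HTTP SPN is registered on the account the application pool runs as (the KDC cannot issue a service ticket otherwise), then adds that SPN to msDS-AllowedToDelegateTo on the proxy's computer account and sets the TRUSTED_TO_AUTH_FOR_DELEGATION bit that "Use any authentication protocol" represents. Computer and account names are assumed placeholders.

```powershell
# Added example (not from the SquaredUp documentation): grant the proxy server's
# computer account Kerberos constrained delegation, with protocol transition, to the
# HTTP service of the SquaredUp Server. Works for a WAP server or an Azure
# Application Proxy Connector server. Run as a user who can modify both accounts.
Import-Module ActiveDirectory

$proxyComputer  = 'APPPROXY01'                    # assumed: WAP or AAP Connector computer name
$squaredUpHost  = 'squaredup.corp.example.local'  # assumed: SquaredUp Server FQDN (or load balancer name)
$appPoolAccount = $null                           # assumed: $null = NetworkService, or e.g. 'CORP\svc-squaredup'
$spn            = "HTTP/$squaredUpHost"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000       # userAccountControl bit for "Use any authentication protocol"

# 1. The SPN must live on the account the app pool runs as: the computer account
#    for NetworkService, the domain user for a custom app-pool identity.
if ($appPoolAccount) {
    $target = Get-ADUser -Identity ($appPoolAccount -replace '^.*\\') -Properties ServicePrincipalNames
} else {
    $target = Get-ADComputer -Identity ($squaredUpHost -split '\.')[0] -Properties ServicePrincipalNames
}
if ($target.ServicePrincipalNames -notcontains $spn) {
    throw "SPN $spn is not registered on $($target.SamAccountName); register it first (setspn -S $spn $($target.SamAccountName))"
}

# 2. "Trust this computer for delegation to specified services only": add the SPN
#    to msDS-AllowedToDelegateTo on the proxy's computer account.
$proxy = Get-ADComputer -Identity $proxyComputer -Properties 'msDS-AllowedToDelegateTo', userAccountControl
if ($proxy.'msDS-AllowedToDelegateTo' -notcontains $spn) {
    Set-ADComputer -Identity $proxy -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
}

# 3. "Use any authentication protocol": the proxy never sees a Kerberos ticket from
#    the user (AD FS / Entra ID authenticated them), so without protocol transition
#    the S4U2Proxy request fails and users get a logon prompt or a 401.
if (-not ($proxy.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    Set-ADAccountControl -Identity $proxy -TrustedToAuthForDelegation $true
}

# 4. Verify the result.
$proxy = Get-ADComputer -Identity $proxyComputer -Properties 'msDS-AllowedToDelegateTo', userAccountControl
[pscustomobject]@{
    Proxy               = $proxy.Name
    AllowedToDelegateTo = ($proxy.'msDS-AllowedToDelegateTo' -join ', ')
    ProtocolTransition  = [bool]($proxy.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
}
```

If SquaredUp DS sits behind a load balancer, $squaredUpHost is the load-balanced name and the SPN for that name must be registered on the account that actually decrypts the ticket (the app-pool identity shared by all nodes), not on each node's computer account.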
In the Azure Portal, open Microsoft Entra ID > Enterprise Applications and click New application
Click the Add an on-premises application option on this page.
Set the fields in the Add your own on-premises application page. The Internal Url field should be configured with the internal URL of the SquaredUp DS instance (or of the load balancer if SquaredUp DS is load balanced). It must have a trailing slash to be valid.
Ensure that the auto-populated External Url matches your requirements and set the Pre-Authentication option: Microsoft Entra ID prompts the user with the Microsoft sign-in page before any traffic reaches SquaredUp DS, whereas Passthrough performs no pre-authentication and sends the user's traffic straight to the backend server (so the Kerberos single sign-on described below is only possible with Microsoft Entra ID). Select the Connector group that contains the Connector server(s) that will service SquaredUp DS. The Additional Settings options can be left as default.
Click Add to add the new Enterprise Application for Azure Application Proxy.
In the Azure Portal, open Microsoft Entra ID > Enterprise Applications and search for the name of the Enterprise Application that was created for Azure App Proxy.
Click the application, then open the Users and groups blade. Add the permitted users and/or groups that will need access to SquaredUp DS via Azure Application Proxy; anyone not assigned here is refused at the Microsoft sign-in page before reaching SquaredUp DS.
Click the Single Sign-On blade and configure the application with the SPN for the SquaredUp Server (or load balancer if SquaredUp DS is load balanced) that was created as part of the Kerberos delegation steps earlier in this article. Depending on whether the users’ Azure identities match their on-premises Active Directory User Principal Names (UPN), select the appropriate Delegated Login Identity from the dropdown list. For more information see Microsoft: Working with different on-premises and cloud identities
Click the Application proxy blade, click the Test Application button and then click open application. This will proxy the browser request via the Connector servers to SquaredUp DS.
To ensure SquaredUp DS is aware that it may be accessed via Azure Application Proxy, create a JSON key called adfs-server-url in the authentication.json file. Add the external URL for SquaredUp DS that Azure Application Proxy has been configured to listen on.
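The adfs-server-url key is the same whether SquaredUp DS is published through WAP/AD FS or through Azure Application Proxy. The following PowerShell is an added example (not SquaredUp's own code) that adds or updates that key in authentication.json; the file path and the external URL are assumed placeholders, so check where your installation keeps authentication.json before running it.

```powershell
# Added example (not from the SquaredUp documentation): add or update the
# adfs-server-url key in authentication.json with the external URL that the
# application proxy (WAP or Azure Application Proxy) listens on.

$configPath  = 'C:\inetpub\SquaredUp\Configuration\authentication.json'  # assumed path
$externalUrl = 'https://squaredup.example.com/'                           # assumed: published External URL

# Sanity check added here: the proxy publishes over TLS, so the value should be https.
if (([Uri]$externalUrl).Scheme -ne 'https') { throw "External URL should be https: $externalUrl" }

# Keep a timestamped backup so a bad edit can be rolled back.
Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

$config = Get-Content -Path $configPath -Raw | ConvertFrom-Json

if ($config.PSObject.Properties.Name -contains 'adfs-server-url') {
    $config.'adfs-server-url' = $externalUrl                     # update existing key
} else {
    $config | Add-Member -NotePropertyName 'adfs-server-url' -NotePropertyValue $externalUrl
}

# ConvertTo-Json's default -Depth of 2 silently flattens deeper nested settings;
# use a generous depth so the rest of the file survives the round trip.
$config | ConvertTo-Json -Depth 20 | Set-Content -Path $configPath -Encoding UTF8

# Read back to confirm the file still parses and the key is present.
(Get-Content -Path $configPath -Raw | ConvertFrom-Json).'adfs-server-url'
```

The ConvertFrom-Json / ConvertTo-Json round trip rewrites the file's whitespace and key order; if you prefer to keep the original layout, make the same edit by hand and compare against the backup.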