How to configure SquaredUp DS to use an application proxy
You may wish to configure SquaredUp DS to use an application proxy, for example to allow you to configure multi-factor authentication (MFA).
This article describes how to configure SquaredUp DS to use either Web Application Proxy and AD FS or Azure Application Proxy:
You may also like to watch the webinar 'Providing external access to SquaredUp' (39 mins).
SquaredUp DS with Web Application Proxy and AD FS
Prerequisites
- Active Directory Federation Services (AD FS) role on a domain controller or a separate server. See Microsoft: AD FS Deployment
- Web Application Proxy (WAP) role on a separate server to the AD FS role instance
- SquaredUp DS using your preferred authentication mode (Windows Authentication or Forms). SquaredUp DS works best with WAP/AD FS when it is in Windows Authentication mode rather than the default Forms-based authentication mode. If Forms is used, the user will need to authenticate to AD FS and then authenticate to SquaredUp DS as well. If Windows Authentication mode is used, successful AD FS authentication will permit the WAP server to obtain a Kerberos token for the user and sign them into SquaredUp DS without any further login prompts. If you wish to use Windows Authentication we recommend you configure it and test it for a period of time before configuring an application proxy. See User authentication methods for SquaredUp DS for SCOM
Add a non-claims aware Relying Party Trust to AD FS
In the AD FS Management interface, click Add Relying Party Trust.
In the AD FS Relying Party Trust Wizard use the following settings:
- Non claims aware
- Display name: For example SquaredUp DS
- Configure identifiers: Your SquaredUp DS URL
- Choose Access Control Policy: Make a choice based on your requirements, for example Permit everyone and require MFA.
For more information see Microsoft: Creating a non-claims aware relying party trust
Your new Trust has been added and is ready to be selected as described in the next section.
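The same non-claims-aware trust can be created from PowerShell on the AD FS server, which is useful when you want the configuration scripted and repeatable. The script below is an added example and is not part of this article or of SquaredUp's own tooling; it assumes AD FS on Windows Server 2016 or later (where access control policies exist), and the display name and SquaredUp DS URL are placeholders to replace with your own values. The policy name is the built-in one mentioned above.

```powershell
# Added example (not from the article or SquaredUp): create the non-claims-aware
# relying party trust on the AD FS server with PowerShell instead of the wizard.
# Assumptions: run on the AD FS server with the ADFS module loaded; names and
# URL below are placeholders for your own environment.
$rpName     = 'SquaredUp DS'                         # Display name (placeholder)
$rpUrl      = 'https://squaredup.corp.example.com/'  # SquaredUp DS URL (placeholder)
$policyName = 'Permit everyone and require MFA'      # Built-in AD FS access control policy

# The identifier is what AD FS matches against the request WAP sends during
# preauthentication, so it must be an HTTPS URL that clients actually use.
if (([uri]$rpUrl).Scheme -ne 'https') { throw "Identifier '$rpUrl' must be an https URL." }

# Refuse to continue if the named access control policy does not exist on this farm.
if (-not (Get-AdfsAccessControlPolicy -Name $policyName -ErrorAction SilentlyContinue)) {
    throw "Access control policy '$policyName' not found; check Get-AdfsAccessControlPolicy."
}

# Guard against creating a second trust with the same display name.
if (Get-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName -ErrorAction SilentlyContinue) {
    throw "A relying party trust named '$rpName' already exists."
}

Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName `
                                        -Identifier $rpUrl `
                                        -AccessControlPolicyName $policyName

# Verify: the trust exists and carries the expected identifier and policy.
$rp = Get-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName
[pscustomobject]@{
    Name       = $rp.Name
    Identifier = ($rp.Identifier -join ', ')
    Policy     = $rp.AccessControlPolicyName
}
```

The final object is what you should compare against the wizard settings listed above; if the policy column is empty, the trust was created without an access control policy and AD FS will not enforce MFA for it.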
Publish SquaredUp DS as a web application in Web Application Proxy
Prerequisites:
- Web Application Proxy is installed on a separate server to AD FS
- The Web Application Proxy server must be domain-joined
- The Web Application Proxy server must be able to resolve the AD FS FQDN to the server hosting AD FS
- The Web Application Proxy server must trust the Certificate Authority that issued the AD FS server's service communications certificate
For more information see Microsoft: Publish an Integrated Windows authenticated-based Application for Web Browser Clients
- In the Remote Access Management Console on the Web Application Proxy server click Publish in the right-hand pane.
- In the Publish New Application Wizard use the following settings:
  - Preauthentication: Active Directory Federation Services (AD FS)
  - Supported Clients page: Web and MSOFBA
  - Relying Party: Select the AD FS relying party that was created for SquaredUp DS in the AD FS Relying Party Trust Wizard previously. For example, SquaredUp DS.
  - Publishing Settings:
    - External URL: The URL that clients will open to access SquaredUp DS.
    - External certificate: Select the certificate for the External URL.
    - Backend server URL: The internal URL of the SquaredUp Server or load balancer to which WAP will proxy requests.
    - Backend server SPN: The HTTP SPN of the SquaredUp Server (or the load balancer if SquaredUp DS is in High Availability mode).
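The wizard settings above map directly onto the Add-WebApplicationProxyApplication cmdlet, so the publish step can be scripted on the WAP server. The script below is an added example, not code from this article or from SquaredUp; every URL, name and SPN in it is a placeholder. One assumption to note: it uses the ADFS preauthentication value, which is the one known to exist on all WAP versions; the wizard's "Web and MSOFBA" supported-clients choice may correspond to a different value on your WAP version, so confirm with the Get-Help line in the comments.

```powershell
# Added example (not from the article or SquaredUp): publish SquaredUp DS through
# Web Application Proxy with PowerShell, mirroring the wizard settings above.
# Run on the WAP server. All URLs, names and the SPN are placeholders.
$appName     = 'SquaredUp DS'
$externalUrl = 'https://squaredup.example.com/'        # URL clients open (placeholder)
$backendUrl  = 'https://squaredup.corp.example.com/'   # Internal URL WAP proxies to (placeholder)
$backendSpn  = 'http/squaredup.corp.example.com'       # HTTP SPN of the SquaredUp Server / load balancer
$rpName      = 'SquaredUp DS'                          # Relying party created in AD FS earlier
# Assumed: 'ADFS' selects AD FS preauthentication. The value matching the wizard's
# "Web and MSOFBA" choice on your version is listed by:
#   Get-Help Add-WebApplicationProxyApplication -Parameter ExternalPreauthentication
$preauth     = 'ADFS'

# Pick the external certificate from the machine store by host name, and refuse to
# publish with a missing, expired or private-key-less certificate. A wildcard
# certificate (CN=*.example.com) will not match this filter; supply its thumbprint
# directly in that case.
$externalHost = ([uri]$externalUrl).Host
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$externalHost*" -and $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key for $externalHost in LocalMachine\My." }

# WAP-to-backend traffic crosses the internal network; warn if it is not TLS.
if (([uri]$backendUrl).Scheme -ne 'https') {
    Write-Warning "Backend URL $backendUrl is not https; WAP will forward user traffic in clear text."
}

# Do not silently re-publish over an existing application of the same name.
if (Get-WebApplicationProxyApplication -Name $appName -ErrorAction SilentlyContinue) {
    throw "An application named '$appName' is already published; use Set-WebApplicationProxyApplication to change it."
}

Add-WebApplicationProxyApplication `
    -Name $appName `
    -ExternalPreauthentication $preauth `
    -ExternalUrl $externalUrl `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl $backendUrl `
    -ADFSRelyingPartyName $rpName `
    -BackendServerAuthenticationSPN $backendSpn

# Verify the published application against the wizard settings.
Get-WebApplicationProxyApplication -Name $appName |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
                  BackendServerAuthenticationSPN, ADFSRelyingPartyName
```

The BackendServerAuthenticationSPN value must be the same SPN that you delegate to in the Kerberos Constrained Delegation step that follows; if the two differ, AD FS preauthentication succeeds but WAP cannot obtain a Kerberos ticket for the backend and users get a second login prompt or an access error.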
Configure Kerberos Constrained Delegation for Web Application Proxy
If you are using Windows Authentication for SquaredUp DS you should ensure that Web Application Proxy can make use of Windows Authentication in the same way.
- In Active Directory Users and Computers, find the Computer account of the Web Application Proxy server and open its properties. Select the Delegation tab and click Add.
- If the SquaredUp DS application pool is running as the default NetworkService account, add the Computer account of the SquaredUp Server (or the load balancer computer account if SquaredUp DS is in High Availability mode) and then choose http from the list of Service Types. If the SquaredUp DS application pool is running as a domain account, add this domain account and choose the http entry from the list of Service Types that corresponds to the SquaredUp Server (or the load balancer if SquaredUp DS is in High Availability mode).
- Select Trust this computer for delegation to specified services only and then select Use any authentication protocol so that protocol transitioning is allowed. For more information see this Word document from Microsoft: Understanding Kerberos Constrained Delegation for Azure Active Directory Application Proxy Deployments with Integrated Windows Authentication
- Click OK to save the changes.
Update authentication.json file
To ensure SquaredUp DS is aware that it may be accessed via Web Application Proxy and AD FS, create a JSON key called adfs-server-url in the authentication.json file. Add the external URL for SquaredUp DS that Web Application Proxy has been configured to listen on.
Troubleshooting Web Application Proxy
Client Access Requirements
Client access to AD FS is carried out via the Web Application Proxy server, so clients should resolve the AD FS FQDN to the WAP server. For more information see Microsoft Forum post: Web Application Proxy - Preauth using ADFS, access to ADFS has to be public?
Disable HTTP2 for WinHTTP if WAP is installed on Windows 2019
HTTP 500 errors may be displayed for SquaredUp DS tiles if Web Application Proxy is installed on a Windows 2019 Server. A review of the HTTP response will show the error code below:
HTTP/1.1 500 Internal Server Error
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
X-Error-HRESULT: 80072F00
In this case, HTTP2 for WinHTTP needs to be disabled on the server running Web Application Proxy.
This is disabled by adding a DWORD called EnableDefaultHttp2 with a value of 00000000 to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
After adding this DWORD value, restart the Web Application Proxy server.
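The registry change can be applied and verified with PowerShell on the WAP server. The script below is an added example rather than something from this article or from SquaredUp; the key path and value name are the ones given above, and the Windows Server 2019 build number check (build 17763) is an addition so the workaround is not applied blindly to other versions.

```powershell
# Added example (not from the article): apply the WinHTTP HTTP/2 workaround on the
# Web Application Proxy server and confirm the value was written.
# Key path and value name are from the article; the build check is an assumption
# that you only want this on Windows Server 2019 (build 17763).
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$valueName = 'EnableDefaultHttp2'

$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -ne 17763) {
    Write-Warning "This host is build $build, not Windows Server 2019 (17763); the article describes the issue for 2019."
}

# Record the existing value first so the change can be reverted if needed.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
"Current $valueName value: $(if ($null -eq $current) { '<not set>' } else { $current })"

# Create the key if it is missing, then write the DWORD 0 (overwriting any existing value).
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

# Read it back; a wrong value here means the change did not take and a restart is pointless.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne 0) { throw "$valueName was not set to 0 (read back $after)." }
"$valueName is now 0. Restart the Web Application Proxy server for the change to take effect."
```

Run it from an elevated PowerShell session; writing under HKLM requires administrator rights, and the restart the article calls for is still required afterwards because WinHTTP reads this value at service start.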
AD FS and WAP event logs for troubleshooting
The Event Log under Applications and Services Logs on the Web Application Proxy server has both an AD FS event log and a Web Application Proxy log (the latter is found under Microsoft -> Windows -> Web Application Proxy). In addition, the AD FS server will have an AD FS event log as well.
It is also worth checking the IIS log and SquaredUp Server log (Where to find log files) on the SquaredUp Server in case the problem is on the SquaredUp Server.
SquaredUp DS with Azure Application Proxy
Prerequisites
- An Azure Premium P1 Subscription which provides access to Azure Application Proxy (AAP)
- One or more on-premises servers to host the AAP Connector
- SquaredUp DS using your preferred authentication mode (Windows Authentication or Forms). SquaredUp DS works best with Azure Application Proxy when it is in Windows Authentication mode rather than the default Forms-based authentication mode. If Forms is used, the user will need to authenticate with Azure Application Proxy and then authenticate to SquaredUp DS as well. If Windows Authentication mode is used, successful Azure Application Proxy authentication will permit the proxy server to obtain a Kerberos token for the user and sign them into SquaredUp DS without any further login prompts. If you wish to use Windows Authentication we recommend you configure it and test it for a period of time before configuring an application proxy. See User authentication methods for SquaredUp DS for SCOM
About the connector
The Azure App Proxy Connector is a lightweight piece of software that opens an outbound connection to Azure in order to facilitate the flow of pre-authenticated traffic to backend on-premises software, such as SquaredUp DS. When SquaredUp DS is in Windows Authentication mode and Kerberos delegation has been configured for the Connector's computer account, it also obtains a Kerberos token for the user, allowing them to be automatically signed in to SquaredUp DS with their Windows identity after successfully authenticating with their Azure identity.
Multiple Connector servers can be pooled to service the same application. To add Connector servers, open App Proxy in the Azure Portal and download the Connector software, and install it on the servers that will act as Connectors.
Once installed, the status of Connector servers can also be viewed from this page. Connector servers that have been offline for 10 days get automatically removed from Azure. For more information see Microsoft: Understand Azure AD Application Proxy connectors
Configuring Kerberos delegation for Azure Application Proxy
After SquaredUp DS has been configured to use Windows Authentication, a domain-joined user should be able to simply open the internal SquaredUp DS URL and be logged on automatically, without being prompted for a username and password. (See User authentication methods for SquaredUp DS for SCOM)
To ensure that the Azure Application Proxy Connector server can make use of Windows Authentication in the same way, Kerberos delegation needs to be configured for the Connector server as well:
- In Active Directory Users and Computers, find the Computer account of the Azure Application Proxy Connector server and open its properties. Select the Delegation tab and click Add.
- If the SquaredUp DS application pool is running as the default NetworkService account, add the Computer account of the SquaredUp Server (or the load balancer computer account if SquaredUp DS is in High Availability mode) and then choose http from the list of Service Types. If the SquaredUp DS application pool is running as a domain account, add this domain account and choose the http entry from the list of Service Types that corresponds to the SquaredUp Server (or the load balancer if SquaredUp DS is in High Availability mode).
- Select Trust this computer for delegation to specified services only and then select Use any authentication protocol so that protocol transitioning is allowed. For more information see this Word document from Microsoft: Understanding Kerberos Constrained Delegation for Azure Active Directory Application Proxy Deployments with Integrated Windows Authentication
- Click OK to save the changes.
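The Delegation tab steps are identical for a Web Application Proxy server (see the Kerberos Constrained Delegation section for WAP earlier in this article) and for an Azure Application Proxy Connector server, so one script covers both. The script below is an added example and is not part of this article or of SquaredUp's own tooling; it uses the ActiveDirectory module, and the proxy computer name and backend host name are placeholders. It adds one check the GUI does not make obvious: that the http SPN for the backend is actually held by exactly one account before delegation to it is granted.

```powershell
# Added example (not from the article or SquaredUp): configure Kerberos constrained
# delegation with protocol transition for a proxy computer account (a WAP server or
# an Azure Application Proxy Connector server). Names below are placeholders.
Import-Module ActiveDirectory

$proxyComputer = 'WAP01'                       # WAP or AAP Connector computer account (placeholder)
$backendHost   = 'squaredup.corp.example.com'  # SquaredUp Server or load balancer FQDN (placeholder)
$backendSpn    = "http/$backendHost"

# Step 1: find which account holds the SPN for the backend. With the app pool as
# NetworkService this is the SquaredUp Server's computer account, whose HOST/ SPN
# covers http through the default SPN mappings (which is why the GUI offers "http"
# for it); with a domain account app pool it is that account's explicit http/ SPN.
# Zero holders means the SPN is missing; more than one means a duplicate SPN, and
# Kerberos authentication to the backend will fail either way.
$filter  = "(|(servicePrincipalName=http/$backendHost)(servicePrincipalName=HOST/$backendHost))"
$holders = @(Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName)
if ($holders.Count -ne 1) {
    throw "Expected exactly one account with an SPN for $backendHost, found $($holders.Count). Fix the SPN (setspn -S) on the app pool identity first."
}
"SPN for $backendHost is held by $($holders[0].DistinguishedName)"

# Step 2: 'Trust this computer for delegation to specified services only'.
# This appends the backend SPN to msDS-AllowedToDelegateTo; it is constrained to
# that SPN and never turns on unconstrained delegation (TrustedForDelegation).
$proxy = Get-ADComputer -Identity $proxyComputer -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
if ($proxy.TrustedForDelegation) {
    Write-Warning "$proxyComputer has unconstrained delegation enabled; constrained delegation is the intended setting."
}
if ($proxy.'msDS-AllowedToDelegateTo' -notcontains $backendSpn) {
    Set-ADComputer -Identity $proxyComputer -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }
}

# Step 3: 'Use any authentication protocol' (protocol transition). Required because
# the proxy authenticated the user via AD FS / Azure AD, not with a Kerberos ticket.
Set-ADAccountControl -Identity "$proxyComputer`$" -TrustedToAuthForDelegation $true

# Verify the resulting state on the proxy computer account.
Get-ADComputer -Identity $proxyComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, TrustedForDelegation,
                  @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

Expected end state in the final output is TrustedToAuthForDelegation True, TrustedForDelegation False, and AllowedToDelegateTo containing only the http SPN of the SquaredUp Server or load balancer. In High Availability mode run it once per Connector or WAP server, pointing all of them at the load balancer's SPN.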
Creating an application in Azure App Proxy
For more information see Microsoft Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory
- In the Azure Portal, open Azure Active Directory > Enterprise Applications and click New application
- Click the Add an on-premises application option on this page.
- Set the fields in the Add your own on-premises application page. The Internal Url field should be configured with the internal URL of the SquaredUp DS instance (or the load balancer if SquaredUp DS is load balanced). It must have a trailing slash in order to be valid.
- Ensure that the External Url that is auto-populated matches your requirements, set the Pre-Authentication option (Azure Active Directory will prompt the user with the Microsoft sign-in page whereas Pass Through will send the user’s traffic straight to the backend server). Select the Connector group that contains the Connector server(s) that will service SquaredUp DS. The Additional Settings options can be left as default.
- Click Add to add the new Enterprise Application for Azure Application Proxy.
Configuring the Azure App Proxy application
- In the Azure Portal, open Azure Active Directory > Enterprise Applications and search for the name of the Enterprise Application that was created for Azure App Proxy.
- Click the application, then open the Users and Groups blade. Add the permitted users and/or groups that will need access to SquaredUp DS via Azure Application Proxy.
- Click the Single Sign-On blade and configure the application with the SPN for the SquaredUp Server (or load balancer if SquaredUp DS is load balanced) that was created as part of the Kerberos delegation steps earlier in this article. Depending on whether the users’ Azure identities match their on-premises Active Directory User Principal Names (UPN), select the appropriate Delegated Login Identity from the dropdown list. For more information see Microsoft: Working with different on-premises and cloud identities
- Click the Application proxy blade, click the Test Application button and then click open application. This will proxy the browser request via the Connector servers to SquaredUp DS.
Update authentication.json file
To ensure SquaredUp DS is aware that it may be accessed via Azure Application Proxy, create a JSON key called adfs-server-url in the authentication.json file. Add the external URL for SquaredUp DS that Azure Application Proxy has been configured to listen on.
Troubleshooting Azure Application Proxy
If any errors are displayed, refer to this MS KB for more information:
Microsoft: Troubleshoot Application Proxy problems and error messages
It is also worth checking the IIS log and SquaredUp Server log on the SquaredUp Server in case the problem is on the SquaredUp Server.