Publishing with Windows server and Azure AD Web Application Proxy

The Azure AD Application Proxy is similar to the on-premises Web Application Proxy role that has been available since Windows Server 2012 R2. With this service, you can enable external access to on-premises applications. Azure AD Application Proxy requires an Azure AD Basic or an Azure AD Premium subscription. The connection is made directly to Azure and passes through a proxy into the private network, using an application proxy agent (the connector) installed on the on-premises web application server.

Let's walk through a very common use case: including an on-premises Kerberos-authenticated application in our Azure AD Access Panel UI, https://myapps.microsoft.com. We use our existing application to configure the scenario:

  1. Log in to https://portal.azure.com and choose the Azure Active Directory blade.
  2. Under Application proxy, we first need to download and install the application proxy agent on our YD1APP01 server.

You don't need to install the agent directly on the application server. Any other server will do, and you can install additional agents to meet redundancy requirements. To support Kerberos constrained delegation, the agent must be installed on a server in the same domain/forest as the application, or in one with a suitable trust, and delegation to the application's SPN must be configured for every agent instance. The domain functional level needs to be Windows Server 2012 at a minimum. Also, the required ports must be reachable from the agent server.
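The prerequisites above can be checked before the agent is installed. The following pre-flight script is an added example for this walkthrough (it is not from the book or from Microsoft); it assumes an elevated PowerShell session on the intended connector server with the RSAT ActiveDirectory module installed, and the connector service name WAPCSvc is an assumption used only for the optional last check.

```powershell
# Connector host pre-flight check (added example for this walkthrough; not from the book
# or from Microsoft). Run in an elevated PowerShell on the intended connector server
# (YD1APP01 in the text) with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$report = [ordered]@{}

# 1. Domain functional level: Windows Server 2012 or higher is required for Kerberos
#    constrained delegation with protocol transition. ADDomainMode is an enum, so the
#    cast to [int] gives an ordered comparison (Windows2012Domain = 5).
$domain = Get-ADDomain
$report['DomainFunctionalLevel'] = $domain.DomainMode.ToString()
$report['DomainLevelOk'] = ([int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain)

# 2. The connector must be a member of the application's domain (or a trusted one) so it
#    can obtain Kerberos tickets on behalf of the users Azure AD has authenticated.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$report['DomainJoined']   = $cs.PartOfDomain
$report['ComputerDomain'] = $cs.Domain

# 3. Outbound connectivity: the connector opens outbound connections only, to Azure AD
#    over TCP 443 (and 80 for certificate revocation checks); no inbound port is needed.
#    login.microsoftonline.com and login.windows.net are two of the endpoints it uses;
#    the complete list is in Microsoft's Application Proxy prerequisites.
foreach ($endpoint in 'login.microsoftonline.com', 'login.windows.net') {
    foreach ($port in 443, 80) {
        $t = Test-NetConnection -ComputerName $endpoint -Port $port -WarningAction SilentlyContinue
        $report["Outbound_${endpoint}_$port"] = $t.TcpTestSucceeded
    }
}

# 4. The installer warns about outbound proxy usage: the connector honours the machine-wide
#    WinHTTP proxy, so record it here to explain any failed connectivity check above.
$report['WinHttpProxy'] = ((netsh winhttp show proxy) -join ' ').Trim()

# 5. Optional: is a connector already registered on this host? (service name assumed)
$svc = Get-Service -Name 'WAPCSvc' -ErrorAction SilentlyContinue
$report['ConnectorServiceState'] = if ($svc) { $svc.Status.ToString() } else { 'not installed' }

[pscustomobject]$report | Format-List

# Fail loudly on the hard prerequisites so the script can gate an automated rollout.
$hardFailures = @()
if (-not $report['DomainLevelOk']) { $hardFailures += 'domain functional level below Windows Server 2012' }
if (-not $report['DomainJoined'])  { $hardFailures += 'server is not domain-joined' }
if (-not $report['Outbound_login.microsoftonline.com_443']) { $hardFailures += 'no outbound TCP 443 to login.microsoftonline.com' }
if ($hardFailures) { Write-Warning ('Prerequisites not met: ' + ($hardFailures -join '; ')) }
```

Run it on every server that will host a connector; the WinHttpProxy line is the first thing to look at when the outbound checks fail on a host that sits behind a corporate proxy.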

  3. Download the agent onto the server and start the installation:

Configure the Azure AD Application Proxy
  4. Agree to the license terms and conditions and click Next.
  5. Next, you need to provide global administrator credentials to register the agent with Azure AD.
  6. Acknowledge the notification about outbound proxy usage:

Installation of the Application Proxy Connector
  7. The expected result is an agent in the Active state:

Active agents overview
  8. Now, we can start to configure our Kerberos-based on-premises application.
  9. First, we create a group that will be assigned to the application to grant access through the portal:

Assigning the needed test group
  10. Assign one test user to your group.
In this example, we use the option of not publishing the application with an official public FQDN. In that case, we don't need to open any inbound firewall ports, and the traffic to the app flows through the connector.
  11. Next, we will configure the app proxy settings:

Configuring the on-premises application properties
  12. As you can see, you can provide several additional settings to address your needs.
You can find more information about the different options at the following reference: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application.
  13. In the next step, we will configure the Single-Sign-On options for our application.
  14. Choose the Windows Integrated Authentication option:

Choosing the Windows Integrated Authentication option
If you need to use header-based authentication, the integration with PingAccess will be your friend. You can find more information about this integration at the following source: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-ping-access.
  15. Enter your Internal Application SPN to configure the Kerberos part.
  16. Keep in mind that only Kerberos Constrained Delegation will work:

Configure the SPN for the App
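The portal only stores the SPN; the Active Directory side of Kerberos constrained delegation has to be configured separately on the connector host's computer account. The following script is an added example for this walkthrough (not from the book). The service account svcwebapp, the SPN HTTP/kerbapp.inovitdemos.ch and the connector host YD1APP01 are assumed, hypothetical names; it needs the RSAT ActiveDirectory module and rights to modify the accounts involved.

```powershell
# SPN and Kerberos constrained delegation setup for the connector host (added example for
# this walkthrough, not from the book). Assumed, hypothetical names: service account
# 'svcwebapp' running the application pool, SPN 'HTTP/kerbapp.inovitdemos.ch' (the value
# entered as Internal Application SPN in the portal) and connector host 'YD1APP01'.
Import-Module ActiveDirectory

$spn            = 'HTTP/kerbapp.inovitdemos.ch'
$serviceAccount = 'svcwebapp'
$connectorHosts = @('YD1APP01')

# 1. An SPN must be unique in the forest. A duplicate makes the KDC issue tickets for the
#    wrong account, which surfaces as a hard-to-diagnose 401 behind the connector.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
switch ($owners.Count) {
    0 {
        # Register the SPN on the account the application pool runs under.
        Set-ADUser -Identity $serviceAccount -ServicePrincipalNames @{ Add = $spn }
    }
    1 {
        if ($owners[0].Name -ne $serviceAccount) {
            throw "SPN $spn is already registered on $($owners[0].DistinguishedName)"
        }
    }
    default {
        throw "Duplicate SPN $spn found on: $($owners.DistinguishedName -join ', ')"
    }
}

# 2. Constrained delegation: each connector host may delegate to exactly this SPN (never
#    unconstrained delegation), and needs protocol transition (TrustedToAuthForDelegation)
#    because the user authenticated at Azure AD and the connector holds no ticket from them.
foreach ($connector in $connectorHosts) {
    $c = Get-ADComputer -Identity $connector -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    if ($c.'msDS-AllowedToDelegateTo' -notcontains $spn) {
        Set-ADComputer -Identity $c -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
    }
    if (-not $c.TrustedToAuthForDelegation) {
        $c | Set-ADAccountControl -TrustedToAuthForDelegation $true
    }
}

# 3. Verify: TrustedToAuthForDelegation is True and the delegation list contains only the
#    SPNs this connector is meant to front (an unexpected entry is worth investigating).
$connectorHosts | ForEach-Object {
    Get-ADComputer -Identity $_ -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
        Select-Object Name, TrustedToAuthForDelegation,
            @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
}
```

After changing the delegation settings, purge the computer account's ticket cache on the connector host (`klist purge -li 0x3e7`) or restart the connector service so the new settings are picked up; otherwise the first test may still fail with a cached ticket.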
  17. After this configuration, we can test the application with the assigned user in your access group, and you should get a result similar to this:

Result of a successful Kerberos authentication on the example app
This publishing method also allows us to use a public FQDN. This option can be useful if your application sends notification mails containing links. To realize this use case, you need to change the external URL and provide a public SSL certificate. You can use your wildcard certificate or issue a separate SSL certificate with Let's Encrypt.
  18. You will find the settings under Basic Settings:

Defining the basic app settings

For the certificate, use the following section. Don't forget to create the CNAME record in your public DNS:

View the DNS configuration options

The next authentication method we can use for cloud or on-premises applications (the latter through the Azure AD Web Application Proxy) is the password-based option. We use it for applications with form-based authentication that use their own identity provider.

Your credentials will be securely stored on the user or group object.

In the next steps, we will add password-based application access:

  1. Add a new application and use the Non-gallery application option.
  2. Choose the Password-based option under the Single sign-on method:

Choosing a non-gallery application
  3. Provide a name for your application and navigate to the Single-Sign-On configuration:

Using the password-based authentication method
  4. Provide the Sign-On URL and detect the sign-in fields of your application.
  5. There are three options for this configuration:
    • Automatically
    • Manually
    • With custom configuration in the Advanced View:

Detecting the login fields of the application
  6. In this example, we used our public DNS provider's login page.
  7. If the Azure AD detection mechanism doesn't pick up the correct values, you can inspect the field labels with any browser's developer tools and provide the values yourself:

Analyzing the code to find the login fields/labels
  8. Next, you need to assign the user or group to the application:

Updating the credentials on the user/group
You have the option to hide the credentials from the user or group, and the option to have the credentials saved on first access.
  9. For now, provide the credentials with the Update Credentials button:

Update credentials dialog
  10. Now, you are ready to test the application with your test user.
Keep in mind that the user needs to have the Access Panel browser extension installed, or they will be asked to install it. You can also deploy this extension to all your computers using Group Policy or any other software deployment tool. Find out more at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/access-panel-extension-problem-installing
  1. To test the same capabilities with your on-premises infrastructure, we provide you with a small challenge. If you don't get it running, send an email to [email protected] and we will be happy to provide you with the answer.
  2. You need to deploy the test application with the following steps on the YD1APP01 server.
  3. Create a DNS entry for the app on your domain controller (YD1ADS01), forms.inovitdemos.ch:
Add-DnsServerResourceRecord -ZoneName "inovitdemos.ch" -A -Name "forms" -IPv4Address "10.0.0.6"
  4. Create the service account under which the application runs on your app server:
New-ADUser -Name "svcformsapp" -SamAccountName svcformsapp -UserPrincipalName [email protected] -path "OU=Users,OU=AAD,OU=Managed Service Objects,DC=inovitdemos,DC=ch" -AccountPassword (ConvertTo-SecureString "MIA@me1976ch" -AsPlainText -Force) -Description "Forms App Pool Account" -Enabled $True

  5. Connect to your SQL Server in SQL Server Management Studio on your YD1APP01:

SQL Connection with the SQL Management Studio
  6. Create a login for your service account under Security | Logins:

Configuring the login for the app service account
  7. Assign the dbcreator server role to the user:

Assigning the dbcreator role to the service account
  8. Next, we need to create the website on the server:
New-Item C:\inetpub\formsroot -type Directory
Import-Module Webadministration
cd IIS:
New-Item 'IIS:\Sites\forms Web Site' -bindings @{protocol="http";bindingInformation=":80:forms.inovitdemos.ch"} -physicalPath 'c:\inetpub\formsroot'
  9. As with the other on-premises demo applications, we will create an HTTPS binding and assign our SSL certificate:

Configuring the IIS Bindings for the application
  10. We also need to create a new app pool for the website and use the service account to run the app:

Creation of the Application Pool
  11. Next, we will assign the newly created application pool to our website under Advanced settings:

Assigning the newly created app pool
  12. The authentication for the page should be configured as shown in the following screenshot:

IIS Authentication configuration
  13. The next step is to copy the content of the formsapp folder from the code package to C:\inetpub\formsroot:

Application Code
  14. Before you can run the app, you need to configure the connection string in the web.config file so that it points to the SQL Server instance:
<add name="DefaultConnection" connectionString="Data Source=YD1APP01;Initial Catalog=FormsBasedAuthentication;Integrated Security=True" providerName="System.Data.SqlClient" />

  15. Now, you can test your application by registering a user and logging in successfully:

Successful test of the app
  16. Start with your publishing scenario and log in to this website—good luck!
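The SQL login, application pool, HTTPS binding and authentication settings from steps 5 to 12 are done through the GUI above. The following script is an added example for this walkthrough (not from the book or from the code package) that performs the same steps unattended. It assumes an elevated session on YD1APP01 with the WebAdministration and SqlServer modules installed, that the svcformsapp account from step 4 already exists, that the certificate for forms.inovitdemos.ch is in the LocalMachine\My store (its thumbprint is a placeholder), and that the IIS authentication screenshot shows anonymous access enabled and Windows authentication disabled, which is the usual setting for a forms-based application.

```powershell
# Scripted version of the SQL and IIS steps above (added example for this walkthrough,
# not from the book or the code package). Assumptions: run elevated on YD1APP01 with the
# WebAdministration and SqlServer PowerShell modules installed; the service account from
# step 4 exists; the SSL certificate for forms.inovitdemos.ch is in LocalMachine\My and
# the thumbprint below is a placeholder you must replace.
Import-Module WebAdministration
Import-Module SqlServer

$siteName       = 'forms Web Site'
$hostName       = 'forms.inovitdemos.ch'
$root           = 'C:\inetpub\formsroot'
$poolName       = 'FormsAppPool'
$svcAccount     = 'INOVITDEMOS\svcformsapp'
$certThumbprint = '<THUMBPRINT-OF-THE-forms.inovitdemos.ch-CERTIFICATE>'

# Ask for the pool identity's password at run time rather than keeping it in the script.
$cred  = Get-Credential -UserName $svcAccount -Message 'Password of the application pool account'
$plain = $cred.GetNetworkCredential().Password

# 1. SQL Server: Windows login for the service account with the dbcreator role only,
#    which is all the app needs to create its FormsBasedAuthentication database.
Invoke-Sqlcmd -ServerInstance 'YD1APP01' -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$svcAccount')
    CREATE LOGIN [$svcAccount] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator] ADD MEMBER [$svcAccount];
"@

# 2. Content directory and an application pool that runs as the service account
#    (identityType 3 = SpecificUser).
New-Item -Path $root -ItemType Directory -Force | Out-Null
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $svcAccount
    password     = $plain
}

# 3. Website with the HTTP binding from the text, plus an HTTPS binding using SNI
#    (SslFlags 1) bound to the certificate.
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $root -ApplicationPool $poolName `
        -HostHeader $hostName -Port 80 | Out-Null
}
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}
$cert = Get-Item "Cert:\LocalMachine\My\$certThumbprint"
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# 4. Authentication for a forms-based app (assumed to match the book's screenshot):
#    anonymous access on, because the app's own login form handles users; Windows
#    authentication off.
$authPath = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authPath/windowsAuthentication" -Name enabled -Value $false

# 5. Smoke test once the formsapp content and the web.config connection string are in place.
Start-Website -Name $siteName
(Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing).StatusCode
```

Copying the formsapp folder and editing the web.config connection string (steps 13 and 14) remain manual here; the smoke test at the end only succeeds once both are done.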

In the next example, we will use the Windows Server Web Application Proxy to publish a Basic authentication-based application to external users:

  1. First, you need to log in to your YD1ADS01 to configure the relying party for the Basic demo application.
  2. Navigate to Relying Party Trusts and Add Relying Party Trust.
  3. Choose the non-claims-aware option.
  4. Fill in the following Display Name: Basic Demo Web Site.
  5. Use https://basic.inovitdemos.ch (replace it with your domain) as the Relying Party Trust Identifier and click Add.
Don't forget to configure the FQDN in your public DNS.
  6. Click Next until the wizard is finished.
  7. Log in to your YD1URA01 server and open the Remote Access Management console.
  8. Click on Publish in the right-hand Tasks pane:

Publishing wizard on the web application proxy
  9. Specify the ADFS preauthentication method:

Using the ADFS preauthentication method
  10. Choose HTTP Basic as the type of preauthentication:

Using HTTP Basic
  11. Choose the Basic Demo Web Site relying party.
  12. Fill in the following publishing values:

Setting the application properties
  13. Click Next, Publish, and Close:

Final publishing settings
  14. Now, you can test your freshly published Basic authentication app.
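The same relying party and publishing rule can be created with the AD FS and Web Application Proxy cmdlets, which is useful for repeatable deployments. The following is an added example for this walkthrough (not from the book). It assumes Windows Server 2016 or later, where HTTP Basic preauthentication is available on the Web Application Proxy; the first part runs on the AD FS server (YD1ADS01), the second on the proxy server (YD1URA01); the backend URL mirrors the external one and the certificate thumbprint is a placeholder.

```powershell
# AD FS relying party and Web Application Proxy publishing for the Basic demo app
# (added example for this walkthrough; not from the book). Assumptions: Windows Server
# 2016 or later; section one runs on the AD FS server (YD1ADS01), section two on the
# Web Application Proxy server (YD1URA01); thumbprint and backend URL are placeholders.
$rpName      = 'Basic Demo Web Site'
$rpId        = 'https://basic.inovitdemos.ch'
$externalUrl = 'https://basic.inovitdemos.ch/'
$backendUrl  = 'https://basic.inovitdemos.ch/'   # listener on the internal web server
$thumbprint  = '<THUMBPRINT-OF-THE-basic.inovitdemos.ch-CERTIFICATE>'

# --- Section one, on the AD FS server: non-claims-aware relying party trust.
#     The authorization rule permits every authenticated user, like the wizard defaults
#     used in the text; replace it with a group-based rule to narrow who may pass.
if (-not (Get-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName -ErrorAction SilentlyContinue)) {
    Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName -Identifier $rpId `
        -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
}
Get-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName | Format-List Name, Identifier, Enabled

# --- Section two, on the Web Application Proxy server: publish the app with AD FS
#     preauthentication. 'ADFSforRichClients' is the cmdlet value that corresponds to
#     the 'HTTP Basic' choice in the publishing wizard.
if (-not (Get-WebApplicationProxyApplication -Name $rpName -ErrorAction SilentlyContinue)) {
    Add-WebApplicationProxyApplication -Name $rpName `
        -ExternalPreauthentication ADFSforRichClients `
        -ADFSRelyingPartyName $rpName `
        -ExternalUrl $externalUrl `
        -BackendServerUrl $backendUrl `
        -ExternalCertificateThumbprint $thumbprint
}

# Verify what was published; the same values appear under Published Web Applications
# in the Remote Access Management console.
Get-WebApplicationProxyApplication -Name $rpName |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, ADFSRelyingPartyName
```

The relying party name passed to -ADFSRelyingPartyName must match the display name created on AD FS exactly, which is why both sections share the $rpName variable.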

In the next section, we will include the first conditional access options.
