I have an IIS instance configured with Windows Authentication and URL Rewrite, so it basically works as a reverse proxy. My backend server (running on Linux) expects a REMOTE_USER header. Is it possible to configure IIS to pass information about the authenticated user to the backend server?

If IIS is configured for Windows Auth, then ARR will challenge and only forward requests once the user is authenticated.

It is possible to forward custom headers with the request using an HTTP naming convention and the serverVariables element in the rewrite rules. For instance, in the following example the server variable LOCAL_ADDR is forwarded as a header named X-MY-HEADER.

<rule name="Reverse Proxy to MySite" stopProcessing="true">
    <match url="^MySite/(.*)" />
    <serverVariables>
        <set name="HTTP_X_MY_HEADER" value="{LOCAL_ADDR}" />
    </serverVariables>
    <action type="Rewrite" url="http://www.myothersite.com/{R:1}" />
</rule>

Unfortunately it's not possible to use this technique to forward a REMOTE_USER header. This is because when the Authorization header is present, the request is forwarded before the authentication module runs, and therefore auth server variables are not set (when mapped to headers they simply come through blank).

You can however set IIS to use Basic Windows Auth, and then extract the username from the Base64-encoded Authorization header on your Linux server.
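
The extraction step suggested in the answer above, as an added example that is not part of the original answer: a Python helper for the Linux backend that pulls the account name out of a forwarded Basic Authorization header and discards the password. The function name and the DOMAIN\user / user@domain splitting are assumptions of this example; it also assumes the backend accepts connections only from the IIS proxy, because IIS, not this code, has verified the password.

```python
import base64
import binascii
from typing import Optional, Tuple


def remote_user_from_basic(authorization: Optional[str]) -> Optional[Tuple[Optional[str], str]]:
    """Return (domain, username) from a Basic Authorization header, or None.

    The password is split off and never returned, so it cannot leak into
    REMOTE_USER or into logs that record the result.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # e.g. Negotiate/NTLM: no username is recoverable here
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: user-id and password are separated by the FIRST colon,
    # so a password containing colons is handled correctly.
    user_id, sep, _password = raw.partition(b":")
    if not sep or not user_id:
        return None
    try:
        user = user_id.decode("utf-8")
    except UnicodeDecodeError:
        user = user_id.decode("latin-1")
    # Reject control characters so the value is safe to put in a header or log.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user):
        return None
    # Windows account names arrive as DOMAIN\user, user@domain, or a bare user.
    if "\\" in user:
        domain, _, name = user.partition("\\")
    elif "@" in user:
        name, _, domain = user.rpartition("@")
    else:
        domain, name = None, user
    if not name:
        return None
    return (domain or None, name)
```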