I'm having an issue with Kerberos authentication behaving differently for external Web Application Proxy users than for internal Internet Explorer users.
I have a third-party web application (non-claims-aware) that runs in IIS using Windows Authentication. The only authentication provider enabled in IIS is "Negotiate." IIS box is Server 2012 R2.
Internal domain clients access the IIS box directly from Internet Explorer (automatic sign-in). External clients access it via Web Application Proxy with Kerberos delegation (after signing in to ADFS).
In both cases, users get authenticated properly. But the application ends up seeing a different username depending on which method the user came in on.
For internal users, the application sees the username as being just the bare username with no prefix or suffix (e.g. "someguy"). For external users, the application sees the username as being the full UPN (e.g. "someguy@example.com"). Unfortunately, this results in the application's internal logic treating each scenario as a separate user. The third-party developer does not want to change their application. They insist that they just take whatever username string IIS provides them.
How can I configure Web Application Proxy so that it provides the username to the application in the same format that internal IE clients do? (Alternatively: how can I configure IE clients to provide the username in the same format that Web Application Proxy does?)
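The mismatch described in the question (a bare sAMAccountName for the direct Negotiate path, a UPN for the Web Application Proxy / Kerberos constrained delegation path) is a general hazard for any application that keys user state on the raw string IIS hands it. The following is an added example, not the asker's code and not part of the third-party application: it canonicalises the three name formats Windows Authentication can surface (bare name, down-level `DOMAIN\user`, UPN `user@suffix`) into one key, and flags the cases where string handling alone cannot decide. The UPN-suffix-to-domain table and the default domain are constructed assumptions for the example; in a real directory the UPN suffix does not have to match any domain name, and the UPN prefix is a separate attribute from sAMAccountName, so a production mapping must come from configuration or a directory lookup rather than from guessing.

```python
"""Canonicalise the user-name strings IIS Windows Authentication can hand an
application, so that "someguy", "EXAMPLE\\someguy" and "someguy@example.com"
(the forms seen in the question) resolve to the same user key.

Added example, not the asker's or the vendor's code. The suffix table, the
default domain and the sample names are constructed for illustration.
"""

from dataclasses import dataclass

# Constructed for the example: UPN suffixes the organisation issues and the
# NetBIOS domain each belongs to. A UPN suffix is not required to equal a DNS
# or NetBIOS domain name, so this must be configured, not derived from text.
UPN_SUFFIX_TO_DOMAIN = {
    "example.com": "EXAMPLE",
    "corp.example.com": "CORP",
}

# Assumed domain for a bare name (what the question reports for internal IE
# users). A bare name carries no domain, so this assignment is a guess and the
# result is marked ambiguous.
DEFAULT_DOMAIN = "EXAMPLE"


@dataclass(frozen=True)
class WindowsIdentity:
    domain: str      # NetBIOS domain, upper-cased
    account: str     # account part as supplied (sAMAccountName or UPN prefix)
    form: str        # "bare", "downlevel" or "upn": which format was supplied
    ambiguous: bool  # True when the domain was assumed rather than supplied

    @property
    def key(self) -> str:
        """Case-insensitive key an application should use to identify a user.
        Caveat: if an account's UPN prefix differs from its sAMAccountName,
        the two forms still produce different keys; only a directory lookup
        can reconcile that case."""
        return f"{self.domain}\\{self.account}".lower()


def parse_identity(name: str) -> WindowsIdentity:
    """Parse one of the three Windows name formats into a WindowsIdentity."""
    name = name.strip()
    if not name:
        raise ValueError("empty user name")
    if "\\" in name:  # down-level DOMAIN\user
        domain, _, account = name.partition("\\")
        if not domain or not account or "\\" in account:
            raise ValueError(f"malformed down-level name: {name!r}")
        return WindowsIdentity(domain.upper(), account, "downlevel", False)
    if "@" in name:  # UPN user@suffix; the suffix itself never contains '@'
        account, _, suffix = name.rpartition("@")
        if not account or not suffix:
            raise ValueError(f"malformed UPN: {name!r}")
        domain = UPN_SUFFIX_TO_DOMAIN.get(suffix.lower())
        if domain is None:
            # Refuse rather than guess: an unknown suffix may be a different
            # forest, a federated partner, or simply a typo.
            raise ValueError(f"unknown UPN suffix {suffix!r}")
        return WindowsIdentity(domain, account, "upn", False)
    return WindowsIdentity(DEFAULT_DOMAIN, name, "bare", True)


def same_user(a: str, b: str) -> bool:
    """True when two name strings canonicalise to the same user key."""
    return parse_identity(a).key == parse_identity(b).key


def demo() -> dict:
    """Walk the two strings from the question through the parser."""
    internal = parse_identity("someguy")              # direct Negotiate path
    external = parse_identity("someguy@example.com")  # WAP / KCD path
    return {
        "internal_key": internal.key,
        "external_key": external.key,
        "same_user": internal.key == external.key,
        "internal_ambiguous": internal.ambiguous,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `ambiguous` flag is the part worth keeping in any real integration: a bare name can only be matched to the UPN form by assuming a domain, and in a multi-domain forest two different accounts can share the same bare name. Logging that flag alongside the authentication path (`AUTH_TYPE`, and whether the request arrived via the proxy) makes it possible to see exactly which population is producing which format before changing either side.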