{"id":388,"date":"2017-12-16T15:29:24","date_gmt":"2017-12-16T15:29:24","guid":{"rendered":"http:\/\/www.ciraltos.com\/?p=388"},"modified":"2023-03-24T00:40:46","modified_gmt":"2023-03-24T05:40:46","slug":"azure-ad-application-proxy-iis","status":"publish","type":"post","link":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/","title":{"rendered":"Azure AD Application Proxy and IIS"},"content":{"rendered":"<p><img decoding=\"async\" loading=\"lazy\" class=\"alignleft wp-image-390 size-thumbnail\" src=\"\/wp-content\/uploads\/2017\/12\/RDS-150x150.png\" alt=\"\" width=\"150\" height=\"150\" srcset=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/RDS-150x150.png 150w, https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/RDS.png 256w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/>I had the pleasure of spending a significant amount of time elbows deep in a Remote Desktop Services deployment this week.\u00a0 As part of the effort, I published the RDS RDWeb IIS page with the Azure AD Application Proxy so MFA can be leveraged for remote desktop services.<\/p>\n<p><!--more--><\/p>\n<h2>The Problem<\/h2>\n<p>According to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/application-proxy-publish-remote-desktop\" target=\"_blank\" rel=\"noopener\">Microsoft Documentation<\/a>, this should have been a straightforward task (isn\u2019t that always the case!)\u00a0 However, my results were mixed at best.\u00a0 Using the Azure AD Application Proxy to access the site caused slow loading pages, broken image links and sometimes the page would give the error \u201cThis corporate app can\u2019t be accessed.\u00a0 If you continue to get this error, contact your IT department.\u201d<\/p>\n<p><a href=\"\/wp-content\/uploads\/2017\/12\/PageError.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-392 size-medium alignnone\" 
src=\"\/wp-content\/uploads\/2017\/12\/PageError-300x209.png\" alt=\"\" width=\"300\" height=\"209\" srcset=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/PageError-300x209.png 300w, https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/PageError-768x535.png 768w, https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/PageError.png 918w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The status code indicated a gateway timeout and to check the Application Proxy Connector Event Log for reported errors, so that\u2019s what I did.\u00a0 I noticed a lot of Event ID: 13006 Warnings in the AadApplicationProxy Connector event log with errors that client and backend URLs were not reachable.\u00a0 Opening links from the web server would sometimes work and other times not.\u00a0 However, I had no problem accessing any of these pages from a corporate workstation.<\/p>\n<p>The first step is to review my configuration to determine how traffic is flowing.\u00a0 Below are the servers involved in the RDP deployment.\u00a0 I\u2019m limiting my details to the RDWeb servers as this is really a web server and Application Proxy issue, not specific to RDS.<\/p>\n<p>GW.domain.com\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RDWeb Azure load balancer<br \/>\nGW01.domain.com\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RDWeb and RD Gateway, AAD Proxy Connector<br \/>\nGW02.domain.com\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RDWeb and RD Gateway, AAD Proxy Connector<\/p>\n<p><a href=\"\/wp-content\/uploads\/2017\/12\/RDS-Overview.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-393 size-medium alignnone\" src=\"\/wp-content\/uploads\/2017\/12\/RDS-Overview-232x300.png\" alt=\"\" width=\"232\" height=\"300\" srcset=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/RDS-Overview-232x300.png 232w, 
https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/RDS-Overview.png 289w\" sizes=\"(max-width: 232px) 100vw, 232px\" \/><\/a><\/p>\n<p>Here is the expected flow as the user signs into the application externally:<\/p>\n<p>Sign into Azure AD Application Proxy via O365<br \/>\nAAD App Proxy connects to the connector service inside the corporate network<br \/>\nThe connector service redirects to the load balanced resource<br \/>\nThe load balancer redirects to one of the two Gateway servers<br \/>\nThe AAD App Proxy redirects the user to the web page.<\/p>\n<p>However, this flow was skewed as the AAD Proxy connector is running on the RDWeb servers behind the load balancer, attempting to access the load balanced resource.\u00a0 The illustration below shows what was happening.<br \/>\n1) Inbound connection to the AAD Application Proxy Connection service<br \/>\n2) Connection service accesses the load balanced resource from a server that is itself behind the load balancer<br \/>\n3) Things get all jacked up<\/p>\n<p><a href=\"\/wp-content\/uploads\/2017\/12\/LB-Flow.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-391 size-medium alignnone\" src=\"\/wp-content\/uploads\/2017\/12\/LB-Flow-265x300.png\" alt=\"\" width=\"265\" height=\"300\" srcset=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/LB-Flow-265x300.png 265w, https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2017\/12\/LB-Flow.png 289w\" sizes=\"(max-width: 265px) 100vw, 265px\" \/><\/a><\/p>\n<p>It appears that the load balancer was not able to keep accurate session data as the session was coming from behind the load balancer.\u00a0 In hindsight, it makes sense that this would cause an issue.\u00a0 It also explains why I saw issues accessing URLs from the web server, but not from a client workstation.<\/p>\n<h2>The Solution<\/h2>\n<p>So, how to fix it?\u00a0 The first (and recommended) option is to put the Azure AD Proxy connector 
service on a server external to the load balancer.\u00a0 This will provide correct session flow that keeps the load balanced traffic as it was intended.<\/p>\n<p>The second option (and the one I tested with) is to update the local hosts file on the RDWeb servers to point the LB DNS name (GW.domain.com) to the host\u2019s local IP address.\u00a0 This way, the Azure AD Proxy connector service will keep all traffic for the load balanced URL on the local machine.\u00a0 This will work fine until the local web server has a problem while the connector keeps running, since the connector will continue sending traffic to the local machine rather than to a healthy node.\u00a0 This solution overrides the intended purpose of the load balancer.\u00a0 Best to go with the first option in production.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I had the pleasure of spending a significant amount of time elbows deep in a Remote Desktop Services deployment this week.\u00a0 As part of the effort, I published the RDS RDWeb IIS page with the Azure AD Application Proxy so MFA can be leveraged for remote desktop services.<\/p>\n","protected":false},"author":1,"featured_media":4101,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":""},"categories":[2],"tags":[182,179,15,9,12,177,178,11,34,180,181,52,75,10],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Azure AD Application Proxy and IIS - ciraltos<\/title>\n<meta name=\"robots\" content=\"index, follow, 
max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Azure AD Application Proxy and IIS - ciraltos\" \/>\n<meta property=\"og:description\" content=\"I had the pleasure of spending a significant amount of time elbows deep in a Remote Desktop Services deployment this week.\u00a0 As part of the effort, I published the RDS RDWeb IIS page with the Azure AD Application Proxy so MFA can be leveraged for remote desktop services.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/\" \/>\n<meta property=\"og:site_name\" content=\"ciraltos\" \/>\n<meta property=\"article:published_time\" content=\"2017-12-16T15:29:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-03-24T05:40:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/RDS-150x150-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"150\" \/>\n\t<meta property=\"og:image:height\" content=\"150\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Travis Roberts\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ciraltos\" \/>\n<meta name=\"twitter:site\" content=\"@ciraltos\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Travis Roberts\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/\"},\"author\":{\"name\":\"Travis Roberts\",\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a\"},\"headline\":\"Azure AD Application Proxy and IIS\",\"datePublished\":\"2017-12-16T15:29:24+00:00\",\"dateModified\":\"2023-03-24T05:40:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/\"},\"wordCount\":590,\"commentCount\":3,\"publisher\":{\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a\"},\"keywords\":[\"2016\",\"aad application proxy\",\"Active Directory\",\"Azure\",\"cloud\",\"load balancer\",\"loadbalance\",\"Microsoft\",\"network\",\"published application\",\"RDS\",\"remote desktop\",\"server\",\"SSO\"],\"articleSection\":[\"Azure\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/\",\"url\":\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/\",\"name\":\"Azure AD Application Proxy and IIS - 
ciraltos\",\"isPartOf\":{\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#website\"},\"datePublished\":\"2017-12-16T15:29:24+00:00\",\"dateModified\":\"2023-03-24T05:40:46+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/www.ciraltos.com\/staging2\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Azure AD Application Proxy and IIS\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#website\",\"url\":\"http:\/\/www.ciraltos.com\/staging2\/\",\"name\":\"ciraltos\",\"description\":\"cloud, technology and trends\",\"publisher\":{\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.ciraltos.com\/staging2\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a\",\"name\":\"Travis Roberts\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/Logo-1.png\",\"contentUrl\":\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/Logo-1.png\",\"width\":5657,\"height\":3563,\"caption\":\"Travis 
Roberts\"},\"logo\":{\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/image\/\"},\"sameAs\":[\"http:\/\/www.ciraltos.com\",\"https:\/\/twitter.com\/ciraltos\"],\"url\":\"https:\/\/www.ciraltos.com\/staging2\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Azure AD Application Proxy and IIS - ciraltos","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/","og_locale":"en_US","og_type":"article","og_title":"Azure AD Application Proxy and IIS - ciraltos","og_description":"I had the pleasure of spending a significant amount of time elbows deep in a Remote Desktop Services deployment this week.\u00a0 As part of the effort, I published the RDS RDWeb IIS page with the Azure AD Application Proxy so MFA can be leveraged for remote desktop services.","og_url":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/","og_site_name":"ciraltos","article_published_time":"2017-12-16T15:29:24+00:00","article_modified_time":"2023-03-24T05:40:46+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/RDS-150x150-1.png","type":"image\/png"}],"author":"Travis Roberts","twitter_card":"summary_large_image","twitter_creator":"@ciraltos","twitter_site":"@ciraltos","twitter_misc":{"Written by":"Travis Roberts","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/#article","isPartOf":{"@id":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/"},"author":{"name":"Travis Roberts","@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a"},"headline":"Azure AD Application Proxy and IIS","datePublished":"2017-12-16T15:29:24+00:00","dateModified":"2023-03-24T05:40:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/"},"wordCount":590,"commentCount":3,"publisher":{"@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a"},"keywords":["2016","aad application proxy","Active Directory","Azure","cloud","load balancer","loadbalance","Microsoft","network","published application","RDS","remote desktop","server","SSO"],"articleSection":["Azure"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/","url":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/","name":"Azure AD Application Proxy and IIS - 
ciraltos","isPartOf":{"@id":"http:\/\/www.ciraltos.com\/staging2\/#website"},"datePublished":"2017-12-16T15:29:24+00:00","dateModified":"2023-03-24T05:40:46+00:00","breadcrumb":{"@id":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.ciraltos.com\/staging2\/azure-ad-application-proxy-iis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/www.ciraltos.com\/staging2\/"},{"@type":"ListItem","position":2,"name":"Azure AD Application Proxy and IIS"}]},{"@type":"WebSite","@id":"http:\/\/www.ciraltos.com\/staging2\/#website","url":"http:\/\/www.ciraltos.com\/staging2\/","name":"ciraltos","description":"cloud, technology and trends","publisher":{"@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.ciraltos.com\/staging2\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a","name":"Travis Roberts","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/image\/","url":"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/Logo-1.png","contentUrl":"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/Logo-1.png","width":5657,"height":3563,"caption":"Travis 
Roberts"},"logo":{"@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/image\/"},"sameAs":["http:\/\/www.ciraltos.com","https:\/\/twitter.com\/ciraltos"],"url":"https:\/\/www.ciraltos.com\/staging2\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/388"}],"collection":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/comments?post=388"}],"version-history":[{"count":5,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/388\/revisions"}],"predecessor-version":[{"id":398,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/388\/revisions\/398"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/media\/4101"}],"wp:attachment":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/media?parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/categories?post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/tags?post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}