What is the proper way to use IIS to forward the REMOTE_USER header to Tomcat?

I am trying to set up SSO with IIS 10 and Tomcat 9. I want to use Windows Authentication in IIS and pass the authenticated username to Tomcat. I had this working with Tomcat 8.5, however after upgrading to Tomcat 9 I can't get the ISAPI_redirect.dll method to work.

Extensive searches have led to suggestions that ISAPI is not the way to go anymore. I attempted to use ARR, but since it forwards the requests before authentication you will always get a blank REMOTE_USER and AUTH_USER. So ARR is not a viable option without a third-party way to pass the authentication headers.

Another suggestion I saw was to use HttpPlatformHandler. However, the downloads are currently broken on the Microsoft site and it appears that the module is being replaced by ASP.NET Core. However, I can't find any information on how to use ASP.NET Core to perform the proxy I want.

What is the current recommended way to proxy requests from IIS to Tomcat and pass the authenticated user?

Edit: The HttpPlatformHandler download is back up. However, that is still not an option as it has the same issue as ARR and runs before authentication. It seems ISAPI is the only option other than third party applications to pass authenticated header information.

The ISAPI DLL still seems to be the only way to do this if you are trying to use Windows Authentication in IIS and pass the authenticated username in the headers

I was able to get ISAPI to work. I think what fixed it was deleting web.config under C:\inetpub\wwwroot. I had removed the URL rewrites I made for my ARR attempt from the IIS interface but there was a lingering entry in that file.