I am having a hard time with IIS/ARR reverse proxying to the WildFly application server. On Linux we use web servers to offload HTTPS, authentication and security functions from the application server, so the initial idea was to do the same with IIS.
- The application uses WebSockets, which means the Jakarta ISAPI redirector is of no help and we are using ARR instead.
- ARR is not capable of forwarding authenticated user information, so we had to stop using Kerberos on IIS; it is now supported in WildFly with the waffle module.
- We are aware of HeliconTech products like ISAPI Rewrite but would like to use no additional paid software.
It seems that IIS blocks or breaks the negotiation between client and application server. The test servlet I placed in the application server works fine when accessed directly, but pops up an authentication window when accessed through IIS/ARR.
<rule name="ReverseProxyInboundRuleAT" enabled="true" stopProcessing="true">
    <match url="^(auth-test)(/.*|$)" />
    <action type="Rewrite" url="http://127.0.0.1:8080/{R:0}" logRewrittenUrl="true" />
    <serverVariables>
        <set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" />
        <set name="HTTP_X-Forwarded-Proto" value="https" />
        <set name="HTTP_X-Forwarded-Port" value="443" />
        <set name="HTTP_X-Forwarded-HOST" value="site.example.com" />
    </serverVariables>
</rule>
Authentication fails with a waffle error:
error logging in user: com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid
It happens on Windows Server 2016/2019 and IIS 10. Is it possible to place a Kerberos-protected SSO application behind IIS?
UPD: I have checked that Apache HTTP Server does not ruin the negotiation protocol when proxying requests to WildFly, but IIS does. Compared to the Apache proxy server, IIS "eats" two packets in the middle of the Negotiate conversation, namely the initial proposal and the reply to it.
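To make the failure mode in the update concrete, here is a toy model of a multi-leg HTTP Negotiate handshake run through two kinds of reverse proxy. This is an added illustration, not code from the question, IIS/ARR, WildFly or waffle. It assumes a backend that keeps per-connection handshake state (it issues a challenge on leg 2 and expects the answer on leg 3 of the same connection), a browser-like client that restarts the handshake whenever it receives a bare `WWW-Authenticate: Negotiate`, and two constructed proxy behaviours: one that forwards every response unchanged and one that replaces the backend's 401 with its own bare challenge, dropping the token in the middle of the conversation. Token strings, connection names and the "token invalid" error body are placeholders standing in for opaque SPNEGO blobs and the waffle exception.

```python
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    www_authenticate: str = ""  # value of the WWW-Authenticate header, if any
    body: str = ""


class Backend:
    """Application server that performs Negotiate itself (the WildFly + waffle role).

    Handshake state is bound to the (proxy's pooled) connection: after accepting
    the client's initial token it expects the answer to its challenge next.
    Tokens are constructed placeholders: INIT:<user>, CHAL:<user>, RESP:CHAL:<user>.
    """

    def __init__(self):
        self.pending = {}  # connection id -> challenge awaiting an answer

    def handle(self, conn, authorization):
        if not authorization:
            return Response(401, "Negotiate")  # leg 1: ask the client to start
        scheme, _, token = authorization.partition(" ")
        if scheme != "Negotiate":
            return Response(401, "Negotiate")
        challenge = self.pending.get(conn)
        if challenge is None:
            # leg 2: the client's initial token; reply with a challenge on this connection
            if not token.startswith("INIT:"):
                return Response(500, body="token invalid")
            challenge = "CHAL:" + token[len("INIT:"):]
            self.pending[conn] = challenge
            return Response(401, "Negotiate " + challenge)
        # leg 3: only the answer to the outstanding challenge is acceptable here;
        # anything else is the analogue of "The token supplied to the function is invalid"
        self.pending.pop(conn)
        if token != "RESP:" + challenge:
            return Response(500, body="token invalid")
        return Response(200, body="authenticated " + challenge[len("CHAL:"):])


def client(send, user="alice", max_rounds=4):
    """Browser-like client. send(authorization_header_or_None) -> Response."""
    authorization = None
    response = None
    for _ in range(max_rounds):
        response = send(authorization)
        if response.status != 401:
            return response
        scheme, _, token = response.www_authenticate.partition(" ")
        if scheme != "Negotiate":
            return response
        if token:
            authorization = "Negotiate RESP:" + token  # answer the server's challenge
        else:
            authorization = "Negotiate INIT:" + user   # (re)start the handshake
    return response


def transparent_proxy(backend):
    """Forwards requests and responses unchanged over one pooled backend connection."""
    conn = "pooled-backend-connection"

    def send(authorization):
        return backend.handle(conn, authorization)

    return send


def challenge_stripping_proxy(backend):
    """Constructed model of a proxy that answers every 401 with its own bare
    challenge, so the backend's token in the middle of the conversation never
    reaches the client and the client restarts the handshake instead."""
    conn = "pooled-backend-connection"

    def send(authorization):
        response = backend.handle(conn, authorization)
        if response.status == 401:
            return Response(401, "Negotiate")  # backend challenge token dropped
        return response

    return send


def attempt(make_proxy):
    """Run one login attempt through the given proxy against a fresh backend."""
    return client(make_proxy(Backend()))


if __name__ == "__main__":
    print("transparent :", attempt(transparent_proxy))
    print("stripping   :", attempt(challenge_stripping_proxy))
```

The transparent path completes in three legs and returns 200. Behind the stripping proxy the client never sees the backend's challenge, sends a second initial token on the connection where the backend is waiting for the answer to the first, and the backend rejects it with the placeholder "token invalid" error. A quick way to tell the two cases apart on a real deployment is to compare the `WWW-Authenticate` values the browser receives on each 401 with those the backend actually sent: if the second 401 carries no token, the proxy is not passing the handshake through.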