Single Sign On – IIS as SSO Reverse Proxy for vScope

This is a step-by-step guide to set up Microsoft Internet Information Server (IIS) as a reverse proxy in front of vScope to support SSO (Windows Authentication).

1. Install IIS via Server Manager -> Manage -> Add Roles and Features

  • Select Web Server (IIS) Role
  • Select sub role: Security -> Windows Authentication

2. Enable Windows Authentication on Site in IIS

  • Start IIS Manager (via Administrative Tools)
  • Select Site and click Authentication feature
  • Disable all authentication options except “Windows Authentication”, which must be enabled

3. Install ARR and URL Rewrite modules in IIS

  • Install Web Platform Installer (Download from Microsoft)
  • Search for Application Request Routing 3.0 -> Click Add
  • Restart IIS Manager

4. Enable Reverse Proxy on Default Web Site

  • Select “Default Web Site” -> URL Rewrite
  • Click “Add Rule”, select the “Reverse Proxy” template, and click OK in the warning dialog
    • Enter “localhost:8080” in Inbound Rules server name field.

5. Install ISAPI-Rewrite 3 Lite

  • Install IIS extensions: ISAPI Filters, ISAPI Extensions
    • Located under: Server Roles -> Web Server (IIS) -> Web Server -> Application Development
  • Download MSI from Helicontech
  • Run MSI installer and restart IIS

6. Configure ISAPI-Rewrite to forward authenticated user in header

  • Edit C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf and insert the line: RewriteHeader X-Logon-User: .* %{LOGON_USER}
  • Restart IIS

7. Configure vScope to use header for authentication

  • Make sure AD integration is active in vScope and that vscope-admins group mapping is configured.
  • Edit C:\vScopeData\configuration\config.ini and insert the line: api.rest.auth=header
  • Restart vScopeServer service

8. Verify that Reverse Proxy is working with user forward

  • Point a browser on an external machine to: http://[vscope-host]/rest/backend/debugRequest
    • It should return a list of headers, and that list should include X-Logon-User
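
Step 8 can also be scripted. The PowerShell below is an added example, not part of the original guide or of vScope; besides the header check it confirms that a client-supplied X-Logon-User is overwritten by the rule from step 6 and that the backend port is not reachable from the test machine. It assumes debugRequest echoes the request headers as text or JSON and that vScope listens on port 8080 as in step 4; the parameter name VScopeHost is hypothetical.

```powershell
# Added example: run from a domain-joined machine other than the vScope server.
param(
    [Parameter(Mandatory = $true)]
    [string]$VScopeHost   # hypothetical parameter: the [vscope-host] from step 8
)
$ErrorActionPreference = 'Stop'   # a failed request must not look like a pass

$uri    = "http://$VScopeHost/rest/backend/debugRequest"
$marker = 'constructed-' + [guid]::NewGuid().ToString('N')   # constructed test value

function Get-Body($Response) {
    # Content is a byte[] for some content types; normalise to a string.
    if ($Response.Content -is [byte[]]) {
        return [Text.Encoding]::UTF8.GetString($Response.Content)
    }
    return [string]$Response.Content
}

# 1. Request through IIS with the current Windows identity: the echoed headers
#    must contain X-Logon-User and the account name of the caller.
$plain = Get-Body (Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing)

# 2. Same request with a client-supplied X-Logon-User. The RewriteHeader rule
#    from step 6 must overwrite it, so the marker must not be echoed back.
$tagged = Get-Body (Invoke-WebRequest -Uri $uri -UseDefaultCredentials `
    -UseBasicParsing -Headers @{ 'X-Logon-User' = $marker })

# 3. vScope takes the header as the user's identity (step 7), so port 8080
#    (assumed from step 4) should be reachable only through the proxy.
$direct = Test-NetConnection -ComputerName $VScopeHost -Port 8080 `
    -WarningAction SilentlyContinue

$checks = [ordered]@{
    'X-Logon-User header present'        = $plain -match 'X-Logon-User'
    'Header carries caller account name' = $plain -match [regex]::Escape($env:USERNAME)
    'Client-supplied value overwritten'  = -not ($tagged -match [regex]::Escape($marker))
    'Port 8080 closed to this machine'   = -not $direct.TcpTestSucceeded
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-38} {1}' -f $name, $state
}
if ($checks.Values -contains $false) { exit 1 }
```

A FAIL on the last two checks means the X-Logon-User value reaching vScope is not guaranteed to come from IIS; restrict port 8080 to the local machine with the host firewall before relying on header authentication.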

Notes:

Helicon ISAPI-Rewrite 3 Lite is an ISAPI request filter. Since it runs after the authentication stage in the pipeline, it has access to the LOGON_USER variable and can rewrite the request so that a new HTTP header is added with LOGON_USER as its value. That’s why this module is required in addition to the IIS URL Rewrite module.
