How to set up hybrid cloud to on-premises authentication using Azure AD App Proxy & Kerberos

My GitHub repo is a demo implementation of the hybrid cloud to on-premises setup for Azure AD App Proxy.



Deployment instructions

In general, follow the instructions for setting up Azure AD App Proxy.

You will also need to follow the instructions for sharing a B2B user into your tenant, then creating a shadow ID for them in your local AD domain. You will then need to configure Kerberos Constrained Delegation support as defined in this link for the web application.

If successful, when logging into the website URL from the Azure portal, you will be prompted to sign-in with your B2B Azure AD account, then will be signed in with Integrated Windows Authentication on the local AD domain. You will see that the ID that you are logged in with on the website is the local AD ID, not your Azure AD ID directly.


Here are some additional tips.

Local AD domain-joined web app server using Integrated Windows Authentication

  1. Create an Service Principal Name (SPN) for your web application. Since the web app is running as the default ApplicationPoolIdentity, this means your SPN should be set to the machine name.setspn -R HTTP/ vmb2ctenantussd Verify existence of SPN.setspn -Q HTTP/ Should result in something like the following.Checking domain DC=b2btenant,DC=com CN=vmb2ctenantussd,OU=Domain Controllers,DC=b2btenant,DC=com HTTP/
  2. Make sure the account that your App Proxy runs under is added to the Windows Authoriztion Access Group Properties group in your AD domain.
  3. Create the local AD shadow copy of the users you wish to be able to login using the AAD account. In this example, the user is a B2B user (guest) of the AAD tenant (notice the This is the UPN of the user that will be passed to the local AD domain to sign in.

Azure AD setup

  1. Create Enterprise Application
  2. Setup Single sign-on options
    1. Select Integrated Windows Authentication.
    2. Set the Internal Application SPN to the one configured on the onprem web server.
    3. Set the Delegated Login Identity to User principal name if that is what you set as the UPN of the AD shadow account. 
  3. Setup Application proxy options
    1. Set the Internal Url to the local path on the web server
    2. Set the Pre Authentication to Azure Active Directory to force AAD signin ![enterpriseApplicationApplicationProxyBlade.png]

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *