DEV Community

loading...

Discussion on: Hosting a Node.js application on Windows with IIS as reverse proxy

Collapse
abhishekhingu profile image
abhishekhingu

how we can do window authentication for angular app that served from express application running behind proxy

Collapse
petereysermans profile image
Peter Eysermans Author

It's hard for me to point you in the right direction. Can you give some more information what exactly goes wrong? Do you have an error message?

Collapse
abhishekhingu profile image
abhishekhingu

I have created an angular 2 application. Now, these are the requirements for windows authentication.

1) If any user within the organization access this application, he should not get the login prompt and should be able to login directly into the application.

2) If any specific user within the organization tries to access the application, then he should get the specific role(Like admin, Manager) and able to login directly.

3) If any user outside the organization tries to access the application, he should get the login prompt.

Backend will also play the significant role. I have created rest API using node js and express. So will this passport package help in my case? I have implemented the passport.js on my node js rest API, but now how to validate that thing on the angular side.

I hope this text helps you to understand my query.

Thread Thread
petereysermans profile image
Peter Eysermans Author

I don't have experience with Windows Authentication in combination with passport.js. There are a lot of frameworks and parts you're mentioning so it is difficult to solve this in a simple reply. There is an NPM package which mentions passing the user from IIS to node but that uses iisnode: npmjs.com/package/passport-windows.... So I guess you need to find a way for IIS to pass that the user to node running via pm2. Let me know if you find a solution.

Collapse
jesben profile image
jesben

Windows Authentication

Have tried with NodeSSPI is not working behind a reverse proxy.

URL rewrite is running before Windows authentication, so impossible to attach LOGON_USER in the header that way.

The solution here is:
ISAPI_Rewrite 3 LITE (Freeware)
helicontech.com/isapi_rewrite/down...

C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf

RewriteBase /
RewriteCond %{REQUEST_URI} ^/.*
RewriteHeader X-Remote-User: .* %{REMOTE_USER}

E.g. for Express middleware

app.use(function (req, res, next) {
    if (req.headers.hasOwnProperty('x-remote-user')) {
        req['user'] = req.headers['x-remote-user'];
    }
    next();
});

The IIS site has Windows authentication enabled and with these providers: Negotiate, NTLM.

It gave me unfortunately these challenges when users visit the site for the first time (Tested with Chrome, Edge. In IE the error was constant)

401 
400 (X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=7f1e3067-1a02-4405-b275-000f06952bc2&SERVER-STATUS=400)

This was driving me insane, then I turned off "Negotiate" as a provider, leaving only "NTLM" back and then the error was gone!