DEV Community

loading...

Discussion on: Hosting a Node.js application on Windows with IIS as reverse proxy

Collapse
jesben profile image
jesben

Windows Authentication

Have tried with NodeSSPI is not working behind a reverse proxy.

URL rewrite is running before Windows authentication, so impossible to attach LOGON_USER in the header that way.

The solution here is:
ISAPI_Rewrite 3 LITE (Freeware)
helicontech.com/isapi_rewrite/down...

C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf

RewriteBase /
RewriteCond %{REQUEST_URI} ^/.*
RewriteHeader X-Remote-User: .* %{REMOTE_USER}

E.g. for Express middleware

app.use(function (req, res, next) {
    if (req.headers.hasOwnProperty('x-remote-user')) {
        req['user'] = req.headers['x-remote-user'];
    }
    next();
});

The IIS site has Windows authentication enabled and with these providers: Negotiate, NTLM.

It gave me unfortunately these challenges when users visit the site for the first time (Tested with Chrome, Edge. In IE the error was constant)

401 
400 (X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=7f1e3067-1a02-4405-b275-000f06952bc2&SERVER-STATUS=400)

This was driving me insane, then I turned off "Negotiate" as a provider, leaving only "NTLM" back and then the error was gone!