views: 111
answers: 0

Hi,

We have an application (A) that is acting as a proxy for another application (B) on another server. Both applications run behind IIS6 on Windows 2003 Server. Clients use IE7, and both domains are trusted, i.e. NTLM authentication takes place.

Application A uses IIS Integrated Windows Authentication and does not permit anonymous access. Therefore, IIS sets the X-Remote-User header.

The proxying code in Application A passes this header (and all other headers) through to Application B on the second server.

Predictably, IIS on the second server doesn't trust the X-Remote-User header or the Authorization header (which was established between the user's browser and the first server), and returns a 401.1 - Unauthorized response. Entering credentials here fails, though, because they are sent to the proxy (A) instead of directly to the server where the response originated (B).

Thus, we need to find a way to make IIS at B trust the authorisation performed by server A, and pass the X-Remote-User header through to Application B.

We have played with different combinations of allowing anonymous access in IIS at the second server, and enabling or disabling Integrated Windows Authentication there as well. However, the header is always stripped. That's probably for good reasons (it'd be a security hole otherwise), but there must be some way to say "requests from this source are trusted"?

Alternatively, perhaps we could copy the X-Remote-User header to another header and use that. That'd mean modifying Application B, though.

What is the correct way to achieve this type of pass-through authentication?
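Added illustration, not part of the question or of any answer: the reason server B drops a bare X-Remote-User header is that any client could set it, so a backend that honoured it would let a browser pick its own identity. The second idea in the question (copy the identity into another header that Application B reads) is only safe if B can tell that the header really came from A. One language-agnostic way to do that, sketched here in Python with a constructed shared secret, is for A to strip the browser's Authorization header and any client-supplied identity headers, then re-add the user IIS authenticated together with a timestamp and an HMAC keyed with a secret only A and B hold; B accepts the identity only when the MAC verifies and the timestamp is fresh. The header names, the secret and the request dictionaries are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed shared secret for illustration only; in practice it is provisioned
# out of band to both the proxy (A) and the backend (B), never sent over the wire.
SHARED_SECRET = secrets.token_bytes(32)

# Assumed header names; the question's X-Remote-User is what A reads from IIS,
# these are what A forwards to B.
IDENTITY_HEADER = "X-Proxied-User"
TS_HEADER = "X-Proxied-User-Ts"
SIG_HEADER = "X-Proxied-User-Sig"
MAX_AGE_SECONDS = 300


def _mac(user: str, ts: str, secret: bytes) -> str:
    """HMAC-SHA256 over timestamp and username, hex encoded."""
    msg = f"{ts}\n{user}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def proxy_forward_headers(client_headers: dict, authenticated_user: str,
                          secret: bytes = SHARED_SECRET,
                          now: Optional[float] = None) -> dict:
    """Build the header set the proxy (A) sends on to the backend (B).

    - The browser's Authorization header is dropped: it belongs to the
      browser<->A exchange and is of no use to B.
    - Any client-supplied X-Proxied-User* headers are dropped so a browser
      cannot forge an identity by setting them itself.
    - The identity IIS established on A is re-added with a timestamp and a
      MAC over both, keyed with the secret only A and B hold.
    """
    forwarded = {}
    for name, value in client_headers.items():
        lname = name.lower()
        if lname == "authorization" or lname.startswith(IDENTITY_HEADER.lower()):
            continue
        forwarded[name] = value
    ts = str(int(now if now is not None else time.time()))
    forwarded[IDENTITY_HEADER] = authenticated_user
    forwarded[TS_HEADER] = ts
    forwarded[SIG_HEADER] = _mac(authenticated_user, ts, secret)
    return forwarded


def backend_verify_identity(headers: dict, secret: bytes = SHARED_SECRET,
                            now: Optional[float] = None,
                            max_age: int = MAX_AGE_SECONDS) -> Optional[str]:
    """Return the asserted username if the signed identity checks out, else None.

    Rejects a missing header, a malformed or stale timestamp, a MAC made with a
    different secret, and a username changed after signing.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    user = lower.get(IDENTITY_HEADER.lower())
    ts = lower.get(TS_HEADER.lower())
    sig = lower.get(SIG_HEADER.lower())
    if user is None or ts is None or sig is None:
        return None
    if not ts.isdigit():
        return None
    current = now if now is not None else time.time()
    if abs(current - int(ts)) > max_age:
        return None
    expected = _mac(user, ts, secret)
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    return user


if __name__ == "__main__":
    # Constructed browser request: it carries an NTLM Authorization header for A
    # and also tries to smuggle its own identity header.
    client_request = {
        "Authorization": "NTLM <token established with A>",
        "X-Proxied-User": "DOMAIN\\attacker",
        "Accept": "text/html",
    }
    to_backend = proxy_forward_headers(client_request, "DOMAIN\\alice")
    print("B sees:", backend_verify_identity(to_backend))
    to_backend["X-Proxied-User"] = "DOMAIN\\bob"
    print("B sees after tampering:", backend_verify_identity(to_backend))
```

The MAC only proves the header was produced by a holder of the secret; it does not replace keeping B reachable solely from A (by firewall rule or IIS IP restriction), and the timestamp window bounds how long a captured header set could be replayed rather than eliminating replay entirely.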