Azure auth behind Kemp proxy

Product: PowerShell Universal
Version: 4.0.6

Hi,
We cannot get Azure authentication to work behind a Kemp proxy. Current setup is:

We have tried several different options, but always get errors like: "The redirect URI ‘http://outside.company.com/auth/signin-oidc’ specified in the request does not match the redirect URIs configured for the application."

Is there a way to change the server name that PSU sends in the Azure auth requests or some other way to get this to work?

cheers,
ski

It looks like the X-Forwarded-Protocol header isn’t being sent to PSU. The X-Forwarded-Host looks good since the external URL is in the redirect URI but the protocol is set to HTTP rather than HTTPS (which I’m assuming is configured).

I have never used Kemp before but I found some discussion around adding headers here: https://support.kemptechnologies.com/hc/en-us/community/posts/10860047207693-add-X-Forwarded-Host-to-RS-request

So I followed the directions in that Kemp post with no luck. For some reason it keeps saying the redirect in the URI is set to http (e.g. http://riapp.nsd.org/signin-oidc) instead of https. I am pretty sure this is from the packet that PSU is sending to Azure. I tried to rewrite it in the Kemp with no luck. Any ideas on how to force PSU to put https in the redirect to Azure?

We are also opening a case with Kemp on this.

cheers,

ski

This is certainly PSU sending the incorrect info for the redirect but it’s due to the fact that it doesn’t realize it’s behind the proxy.

You can validate which headers are sent into PSU by creating a basic GET endpoint and outputting the $Headers variable. Call the endpoint from your proxy and verify that all the X-Forwarded headers are present in the output. If you post them here, I can review and suggest what you might need to change.

Adam, finally got time to work on this. The headers page now shows the https protocol header.
[{
  "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
  "Connection": "keep-alive",
  "Host": "riapp.nsd.org",
  "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82",
  "Accept-Encoding": "gzip, deflate, br",
  "Accept-Language": "en-US,en;q=0.9",
  "Cache-Control": "max-age=0",
  "Upgrade-Insecure-Requests": "1",
  "Via": "HTTPS/1.1 10.1.22.27:443",
  "sec-ch-ua": "\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Microsoft Edge\";v=\"114\"",
  "sec-ch-ua-mobile": "?0",
  "sec-ch-ua-platform": "\"Linux\"",
  "DNT": "1",
  "Sec-Fetch-Site": "none",
  "Sec-Fetch-Mode": "navigate",
  "Sec-Fetch-User": "?1",
  "Sec-Fetch-Dest": "document",
  "X-Forwarded-For": "10.1.22.32",
  "X-Forwarded-For-Port": "39680",
  "X-Forwarded-Protocol": "https",
  "X-Original-For": "[::ffff:10.1.22.15]:9800",
  "X-Original-Host": "riapp.nsd.org"
}]

The problem is that PSU is still sending http in the request to MS for authentication:
AADSTS50011: The redirect URI ‘http://riapp.nsd.org/auth/signin-oidc’ specified in the request does not match the redirect URIs configured for the application ‘8a9237e2-9002-49e8-b749-ef3f54ca46a0’. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to "Error AADSTS50011 the redirect URI does not match the redirect URIs configured for the application - Active Directory | Microsoft Learn" to learn more about how to fix this.

When I am on the MS Enter password page, the URL is:
login.microsoftonline.com/cf138e27-2493-447d-b195-53dd5fd26163/oauth2/authorize?client_id=8a9237e2-9002-49e8-b749-ef3f54ca46a0&redirect_uri=http%3A%2F%2Friapp.nsd.org%2Fauth%2Fsignin-oidc&response_type=code

so you can see that something is putting http, not https in the response URL.

The setup is SSL to the Kemp, then non-SSL between the Kemp and the PSU server.
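As an added example (not code from the thread or from the PowerShell Universal project), this is a version of the diagnostic endpoint Adam suggested, extended to check for the exact header names ASP.NET Core's forwarded-headers middleware reads by default (X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-For) and to flag look-alike names such as the X-Forwarded-Protocol captured above, which that middleware does not consult. It assumes PSU's New-PSUEndpoint cmdlet and the $Headers variable from the thread; the /proxycheck URL is an arbitrary choice.

```powershell
# Added example: report which forwarded headers reached PSU from the proxy.
# Assumes the $Headers collection PSU exposes inside an endpoint.
New-PSUEndpoint -Url '/proxycheck' -Method 'GET' -Endpoint {
    # Header names the ASP.NET Core forwarded-headers middleware reads by default.
    $expected = 'X-Forwarded-Proto', 'X-Forwarded-Host', 'X-Forwarded-For'

    $report = [ordered]@{}
    foreach ($name in $expected) {
        # Match case-insensitively so a proxy that lower-cases names still counts.
        $key = @($Headers.Keys) | Where-Object { $_ -ieq $name } | Select-Object -First 1
        $report[$name] = if ($key) { $Headers[$key] } else { 'MISSING' }
    }

    # X-Forwarded-* names that look right but are ignored by the middleware
    # (for example X-Forwarded-Protocol, X-Forwarded-For-Port).
    $lookalikes = @($Headers.Keys) | Where-Object {
        $_ -like 'X-Forwarded-*' -and $_ -inotin $expected
    }
    $report['IgnoredForwardedHeaders'] = $lookalikes -join ', '

    # Scheme the app will use when it builds the OIDC redirect_uri.
    # Anything other than https yields the http:// redirect Entra ID rejects.
    $report['EffectiveScheme'] = if ($report['X-Forwarded-Proto'] -ieq 'https') {
        'https'
    } else {
        'http (redirect_uri will not match the HTTPS URI registered in Azure)'
    }

    # Record the immediate peer: forwarded headers should only be trusted when
    # they come from the proxy, since any direct client could set them itself.
    $report['RemotePeer'] = $Headers['X-Original-For']

    $report
}
```

Call the endpoint through the Kemp and then directly against the PSU port; the two reports should differ only in the forwarded headers the proxy adds.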

Can you update the redirect URI in Azure to HTTP, and have a listener on the Kemp that forwards requests on port 80 to 443?

That’s probably a lot simpler than trying to modify headers in the response from the PSU server.

Unfortunately MS requires:

Must start with “HTTPS” or “http://localhost”. Must be a valid URL

for the return URL to the powershell universal application.

If Kemp support isn’t any help in modifying the header, maybe try switching from SSL offload to SSL bridging (use SSL between Kemp and PSU in addition to SSL between client and Kemp).