Entra App Proxy config help

Question

I've been POCing Entra App Proxy its been working fine. It was discovered that a few more apps need to be added but they use AppPoolIdentity instead of a domain service account in IIS.&nbsp; I set the spn to that of the server and delegated but that is failing. Is that the correct way to do it for apps using App pool identity?

kidd_ip · Answer

Considering this:
&nbsp;

SPN Configuration:

When using AppPoolIdentity, the SPN (Service Principal Name) should typically be set for the machine account of the server hosting the application. This is because AppPoolIdentity runs under the machine account (&lt;domain&gt;\&lt;machine_name&gt;$) by default.
Ensure that the SPN is correctly registered for the machine account:

setspn -S HTTP/&lt;application_URL&gt; &lt;machine_name&gt;

Delegation Settings:

For Kerberos authentication to work, you need to configure delegation for the machine account in Active Directory.
Use "Trust this computer for delegation to specified services only" and add the SPN for the backend service the application is accessing.

Application Proxy Connector:

Verify that the Application Proxy Connector is installed and running on a server that has network access to the backend application.
Ensure that the connector is configured to use Kerberos Constrained Delegation (KCD) if required.

Troubleshooting Steps:

Check the Event Viewer logs on the server for any Kerberos-related errors.
Use tools like klist to verify that the Kerberos tickets are being issued correctly.
Test the SPN configuration using setspn -Q HTTP/&lt;application_URL&gt; to ensure there are no duplicates.

Forum Discussion

Entra App Proxy config help

1 Reply

Resources