IIS
57 Topics

How to Properly Configure IIS Reverse Proxy for ASP.NET Core Applications Secured with Entra ID
If you’ve ever worked on an ASP.NET Core application protected with Entra ID, you might have encountered an issue where the backend server URL appears as the redirect URI instead of the IIS Reverse Proxy URL. This is because ASP.NET Core applications use the backend server’s hostname to generate the redirect URI. While this behavior is the default, it can be problematic. You can work around it by manually setting the redirect URI to the ARR/IIS Reverse Proxy endpoint in your code as follows:

```csharp
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// OpenIdConnectOptions are registered per scheme, so configure the named instance.
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.Events.OnRedirectToIdentityProvider = context =>
    {
        // Hard-code the reverse proxy URL as the redirect URI.
        context.ProtocolMessage.RedirectUri = "https://arr.local.lab";
        return Task.CompletedTask;
    };
});
```

However, this isn’t the most elegant solution, especially in environments where configuration changes might often be required. Instead, using Forwarded Headers offers a cleaner, more scalable approach. In this post, I’ll walk you through how to resolve this issue using Forwarded Headers.

ASP.NET Core provides a ForwardedHeaders Middleware, which reads headers such as X-Forwarded-Host and X-Forwarded-Proto. These headers replace values in HttpContext such as HttpContext.Request.Host and HttpContext.Request.Scheme. By passing these headers appropriately from IIS Reverse Proxy, we can resolve the redirect URI issue.

But IIS reverse proxy and server farms don't send the X-Forwarded-Host and X-Forwarded-Proto headers by default. You’ll need to configure IIS to include these headers using the URL Rewrite feature. To do so, follow these steps:

Set Server Variables
Open the URL Rewrite module in the IIS Manager console and select View Server Variables.
Add the following server variables:
- HTTP_X_Forwarded_Host
- HTTP_X_Forwarded_Proto

Edit Inbound Rules
Once the server variables are added, select the relevant reverse proxy inbound rule and select Edit under Inbound Rules in the Actions pane. Add the server variables to the inbound rule:
- Map HTTP_X_Forwarded_Host to {HTTP_HOST}
- Map HTTP_X_Forwarded_Proto to https

Once IIS is configured to pass forwarded headers, the application needs to process them. Add the ForwardedHeaders Middleware to your ASP.NET Core application and configure ForwardedHeadersOptions as follows:

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI();

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.KnownProxies.Add(IPAddress.Parse("10.160.7.4")); // Reverse Proxy IP address
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
});

var app = builder.Build();

app.UseForwardedHeaders(); // ForwardedHeaders Middleware

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.MapStaticAssets();
app.MapRazorPages()
    .WithStaticAssets();
app.MapControllers();

app.Run();
```

Note: The order of the middleware is important. Ensure the ForwardedHeaders Middleware is called before any other middleware in the pipeline. Make sure to add the IP address of your ARR/IIS Reverse Proxy to the KnownProxies list.
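A stricter variant of the ForwardedHeadersOptions setup above, as an added example that is not part of the original post: the proxy address and public host name are read from configuration, and AllowedHosts limits which X-Forwarded-Host values the application accepts. The `ReverseProxy:*` keys and the `/debug/forwarded` path are hypothetical names; the IP address and host name are the ones used in the post.

```csharp
// Added example, not from the original post. The "ReverseProxy:*" keys and the
// /debug/forwarded path are hypothetical names chosen for illustration.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Constructed sample values so the example runs as-is; in a deployment these
// would live in appsettings.json or environment variables.
builder.Configuration.AddInMemoryCollection(new Dictionary<string, string?>
{
    ["ReverseProxy:KnownProxies:0"] = "10.160.7.4", // proxy IP from the post
    ["ReverseProxy:PublicHost"] = "arr.local.lab",  // proxy host name from the post
});

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    var section = builder.Configuration.GetSection("ReverseProxy");
    var proxies = section.GetSection("KnownProxies").Get<string[]>() ?? Array.Empty<string>();
    var publicHost = section["PublicHost"];

    // Fail fast on an incomplete trust configuration.
    if (proxies.Length == 0 || string.IsNullOrWhiteSpace(publicHost))
        throw new InvalidOperationException(
            "Set ReverseProxy:KnownProxies and ReverseProxy:PublicHost.");

    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;

    foreach (var ip in proxies)
        options.KnownProxies.Add(IPAddress.Parse(ip)); // FormatException on a bad entry

    // Restrict X-Forwarded-Host to the proxy's public name, so the host used to
    // build the sign-in redirect URI cannot be set to an arbitrary value.
    options.AllowedHosts.Add(publicHost);
    options.ForwardLimit = 1; // a single proxy hop in front of the app
});

var app = builder.Build();
app.UseForwardedHeaders(); // must run before authentication builds any URL

// Development-only check of what the app sees once the middleware has run.
if (app.Environment.IsDevelopment())
{
    app.MapGet("/debug/forwarded", (HttpContext ctx) => Results.Json(new
    {
        scheme = ctx.Request.Scheme,
        host = ctx.Request.Host.Value,
        remoteIp = ctx.Connection.RemoteIpAddress?.ToString(),
    }));
}

app.Run();
```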
Alternatively, you can use KnownNetworks to set an IP range.

With these configurations, the X-Forwarded-Host and X-Forwarded-Proto headers sent from IIS Reverse Proxy will replace the Host and Scheme in HttpContext. This ensures that the redirect URI correctly points to the IIS Reverse Proxy endpoint, resolving the issue seamlessly.

Further Reading: Refer to these resources for more information:
- Configure ASP.NET Core to work with proxy servers and load balancers | Microsoft Learn
- Setting HTTP request headers and IIS server variables | Microsoft Learn
- IIS Server Variables | Microsoft Learn

Hope this guide helps!
183 Views | 2 likes | 0 Comments

IIS port problem
Hi everybody! My company would like to use MantisBT and I got the task to set up Mantis, but I have some problems with it. I would like to run MantisBT on port 443 (https) but one application already uses this port. (This application isn't based on IIS.) The server which should run MantisBT has two network cards and is using Windows Server 2019. The first (x.x.x.1) is used by the necessary monitoring application, the other one (x.x.x.2) should be used by MantisBT. The problem is that if I bind the x.x.x.2 IP to port 443, then I get an error message:

The process cannot access the file because: it is being used by another process. (Exception from HRESULT: 0x80070020)

Any idea what I should do? Can you give me step-by-step advice? Thank you. Have a nice day! PN
18 Views | 0 likes | 0 Comments

Configuring CORS in IIS with the IIS CORS Module: A Step-by-Step Guide
Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers that controls which resources are accessible based on the origin of a request. It gives web servers the authority to define which domains are allowed to access their resources, so that only trusted sources interact with your server. In modern applications, where most web apps fetch data from multiple origins, CORS is very important for managing and securing these interactions.
7.8K Views | 5 likes | 1 Comment

IIS URL Rewrite Rule Not Working: Resolving 'HTTP Error 404.4 - Not Found' Issues.
Issue
Most of you have encountered situations where you have used IIS URL Rewrite to redirect traffic from one site to another. But in some cases, rewrite rules fail to work as expected and return 'HTTP Error 404.4 - Not Found'. The 404.4 status code means no handler is configured: the file name extension of the requested URL doesn't have a handler that is configured to process the request on the web server.

For example, you have two sites hosted in IIS: Site1 is bound to port 81 and Site2 is bound to port 82. The requirement is that all requests coming to Site1 (port 81) are rewritten to Site2 (port 82). The rule below is configured:

```xml
<system.webServer>
  <rewrite>
    <rules>
      <rule name="RewriteToPort82" stopProcessing="true">
        <match url="^.*$" />
        <action type="Rewrite" url="http://localhost:82/{R:0}" appendQueryString="true" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

Solution
First, check whether the correct module is installed in IIS. To do this, go to IIS Manager and open Modules. Within Modules, check that the correct URL Rewrite module is installed. You can get the latest IIS URL Rewrite module from this link: URL Rewrite : The Official Microsoft IIS Site

If the correct module is installed, next check the Failed Request Tracing logs for the request, and verify that the correct rule is invoked and that it updates the URL to the new one. In this case you can see that the "RewriteToPort82" rule is invoked and it changed the request URL to http://localhost:82/. Also verify that HttpStatus="404" and HttpSubStatus="4".

To remediate the issue, go to IIS Manager, open the Application Request Routing Cache module and open Server Proxy Settings from the right-hand Actions pane. Within the Server Proxy Settings you will find an option to enable the proxy. Check the Enable proxy checkbox and click Apply in the right-hand Actions pane. After this you need to restart IIS.
This should resolve the URL rewrite issue. To know more about URL rewrite in IIS you can follow this article - Using the URL Rewrite Module | Microsoft Learn
5.3K Views | 4 likes | 3 Comments

How to integrate with Angular ngCspNonce
Good Day,

I'm trying to set up CSP Nonce support with Angular, using IIS on Windows-based Azure App Service Plans. I can't switch to a different web server due to other requirements, so I'm stuck with IIS. What I need to configure is a replacement for 'nonce-random_nonce_value'. In Apache or Nginx, this is trivial, but on IIS how do I tell it to replace "nonce-random_nonce_value" with "nonce-<blah-long-hash>"?

Thanks
166 Views | 0 likes | 0 Comments

How to fix HTTP Error 500.37 - ASP.NET Core app failed to start within the startup time limit error
ASP.NET Core applications hosted in IIS are designed to provide robust performance. However, sometimes, issues arise that prevent apps from starting properly within the expected time. One common problem is the HTTP Error 500.37, which indicates that the application failed to start within the startup time limit. This article will walk you through what causes this error and how to resolve it.
4.7K Views | 3 likes | 3 Comments

No remote management of IIS on Server Core
Hi,

I have three VMs running on a Server 2022 Hyper-V host: Windows 11 for management, Server 2022 as a domain controller and Server 2022 Core for Exchange 2019. On the DC I installed the optional feature "IIS Management" and downloaded and installed "IIS Manager for Remote Administration 1.2". Access to IIS on the Exchange server works without problem. But if I do the same on the Windows 11 VM, I get an error message when trying to connect: An unexpected error occurred, connection was reset.

I have tried the following without success:
1. use host name or FQDN of the mail server
2. use IP address of the mail server
3. use ports 80 and 443 (e.g. mailhost:443)
4. complete shutdown of all firewall profiles on both the Windows 11 client and the mail server

The mail server's certificate is the original self-signed certificate that is created when Exchange/IIS is installed - I would expect to be asked about the trustworthiness of the certificate, but apparently the connection fails even before the SSL handshake. All four machines are domain members, name resolution and ping work fine. The Windows and IIS logs contain no clues. Several hours of web research have not yet yielded any results. Does anyone have an idea / a starting point?

Many thanks in advance and best regards
Stefano
229 Views | 0 likes | 1 Comment

How to fix Failed to Load API Definition error in SwaggerUI when hosting an ASP.NET Core API in IIS
When hosting an ASP.NET Core API, it’s not uncommon to encounter the "Failed to load API definition" error in SwaggerUI. This article will explore the reasons behind this error and provide steps to resolve it.
13K Views | 5 likes | 4 Comments

HTTP Error 500.30 - ASP.NET Core App Failed to Start: Root Cause and Solutions
When deploying an ASP.NET Core application, "HTTP Error 500.30 - ASP.NET Core app failed to start" is the most common error you will encounter. This error typically indicates an issue within the application startup process, often triggered by misconfigurations, dependencies or environment mismatches.
17K Views | 4 likes | 0 Comments