Browser logon prompt when using IIS reverse proxy and Windows Auth

Must-share information (formatted with Markdown):

  • SQ 8.7.1, LDAP Auth to local AD, no extra plug-ins/extensions
  • Using an IIS reverse proxy for SSL, but want to enable Windows Auth at IIS endpoint

First, the reverse proxy and LDAP authentication works great. We have been using that for several versions without issue.

I am hoping to add Windows Auth to the IIS endpoint to keep non-authorized users (they are not in an LDAP group defined in SQ) from logging in and seeing no projects … We don’t want them to be able to hit the URL at all. This would be a simple setting, but the SQ logon page returns a 401 for /api/navigation/global when the user does not have an established session. With Windows Auth enabled in IIS, the 401 triggers a browser challenge, so authorized users have to press ESC 3 times while the browser attempts to hit that SQ endpoint.

Once the user logs into SQ they are fine until the session expires, at which point they get the 401 and have to ESC past the browser challenge.

Has anyone tried this configuration and, if so, determined a workaround to avoid the 401? Have the proxy pass a special header?