
IIS Rewrite Module Windows Authentication

I have two ASP.NET web applications. One is the main MVC web app, and the second is a web app acting as a reverse proxy that contains only one file, web.config. The reverse proxy doesn't have any authentication mode enabled, but the main app has Windows authentication. When accessing the app through the reverse proxy, a popup asking for Windows credentials appears in the browser. Is it possible to somehow pass one domain user through all reverse proxy requests? When the reverse proxy redirects a request, it adds custom headers. Is it possible to pass a user from the IIS pool, or somehow hard-coded, so that all reverse proxy requests can pass through Windows auth to the main app and the user can then authenticate through the normal login page? The goal is to access the main app through the reverse proxy without entering Windows credentials. Disabling Windows auth on the main app is not possible. Thanks for answers.

Reverse proxy web.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
    <rewrite>
        <rules>
            <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                <match url="(.*)"/>
                <action type="Rewrite" url="https://main-app.com/{R:1}"/>
                <serverVariables>
                    <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}"/>
                    <set name="HTTP_ACCEPT_ENCODING" value=""/>
                    <set name="HTTP_CUSTOM_ZEW_HEADER" value="True"/>
                </serverVariables>
            </rule>
        </rules>
        <outboundRules>
            <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                <match filterByTags="A, Form, Img" pattern="^http(s)?://main-app.com/(.*)"/>
                <action type="Rewrite" value="http{R:1}://main-app.com/{R:2}"/>
            </rule>
            <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)"/>
                <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}"/>
            </rule>
            <preConditions>
                <preCondition name="ResponseIsHtml1">
                    <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html"/>
                </preCondition>
                <preCondition name="NeedsRestoringAcceptEncoding">
                    <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+"/>
                </preCondition>
            </preConditions>
        </outboundRules>
    </rewrite>
</system.webServer>
</configuration>

It is not possible to forward the REMOTE_USER header because when the Authorization header is present, the request is forwarded before the authentication module runs, and therefore auth server variables are not set (when mapped to headers they simply come through blank).

You could use a custom HTTP module which sends the authenticated user in a custom header.

Another way is to set an SPN:

https://docs.microsoft.com/en-us/archive/blogs/benjaminperkins/configure-application-request-routing-with-windows-authentication-kerberos

https://docs.microsoft.com/en-us/archive/blogs/asiatech/a-quick-solution-when-windows-authentication-is-required-on-backend-web-server-for-arr-scenario
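A sketch of the custom HTTP module suggested above, as an added example that is not code from the original thread. It assumes the IIS integrated pipeline, Windows authentication enabled on the proxy site, and the class placed in the proxy's App_Code folder; the header name `X-Forwarded-User` and the class name are hypothetical.

```csharp
// Added example, not code from the original thread.
// Assumptions: IIS integrated pipeline; Windows authentication enabled on the
// proxy site; the header name "X-Forwarded-User" is hypothetical.
// Register in the proxy's web.config under <system.webServer><modules> as
//   <add name="ForwardedUserModule" type="ForwardedUserModule" />
// with no managedHandler preCondition, so it also runs for proxied requests.
using System;
using System.Web;

public class ForwardedUserModule : IHttpModule
{
    private const string HeaderName = "X-Forwarded-User"; // hypothetical name

    public void Init(HttpApplication app)
    {
        // Drop any client-supplied copy of the header before anything reads it,
        // so a caller cannot assert an identity of its own choosing.
        app.BeginRequest += (s, e) =>
            ((HttpApplication)s).Context.Request.Headers.Remove(HeaderName);

        // The identity is only known after the authentication modules have run.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        var user = ctx.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            return; // anonymous request: forward no identity header at all
        }

        string name = user.Identity.Name; // DOMAIN\user for Windows auth
        foreach (char c in name)
        {
            // Refuse control characters so the value cannot split the header.
            if (char.IsControl(c)) return;
        }

        // Integrated mode allows request headers to be modified in place.
        ctx.Request.Headers.Set(HeaderName, name);
    }

    public void Dispose() { }
}
```

The backend should honour this header only on connections that come from the proxy, since any client able to reach the backend directly could set the header itself.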
