Enabling MIM Portal with Azure AD App Proxy

Enabling MIM Portal to work with Azure AD App Proxy is not new.  There are certainly numerous articles out on the Internet that talk about the topic.  At the same time, MIM Portal on App Proxy is not as easy to configure as other web-based applications are. My reason for documenting this was to solve a problem at my customer’s site.  We had a need to make the MIM Portal available to remote workers when the pandemic started.  I hope you will find this useful for your environment.  Feel free to comment with questions and I will do my best to answer them. 

Assumptions 

  • MIM Portal works without error in your customer’s internal environment.
  • Customer has the proper Azure AD license.
  • App Proxy Connector servers are already configured.

MIM Portal Configuration

Perform these steps on your secondary MIM Portal server.  When your connection between App Proxy and MIM Portal is consistent, then switch over to the Primary system.

Requirements

Here are the steps that I had to take to get MIM Portal successfully working with Azure AD App Proxy. 

  • MIM Portal should have a DNS A record for the MIM Portal URL.
  • Use a domain-based SharePoint App Pool service account.  For example, MIMSP or similar.
  • Use a domain-based MIM Service service account.  For example, MIMServ.
  • Kerberos needs to be required, with no NTLM fallback allowed.
  • An SPN should be configured for your MIM Portal.  (For example, HTTP/mimportal.contoso.com, registered on the SharePoint App Pool service account mentioned previously.)
    • For the SharePoint App Pool service account, set delegation to Kerberos only and select the MIM Service service account.  Use the SPN previously registered.
  • For the MIM Service service account, set an SPN of FIMService/mimportal.contoso.com using the domain-based MIM Service service account.
    • For the MIM Service service account, set delegation to Kerberos only and select the MIM Service service account.  Use the SPN previously registered, for example FIMService/mimportal.contoso.com.

Configuration Steps

  • Modify the Web.config file located at C:\inetpub\wwwroot\wss\VirtualDirectories\XX\web.config   NOTE:  XX is normally 80
  • Validate the information in the config file located at C:\Program Files\Microsoft ForeFront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config
    • Make sure the addresses in your environment match the contents of your config file:
    • <resourceManagementClient resourceManagementServiceBaseAddress="mimportal.contoso.com" />
    • <resourceManagementService externalHostName="mimportal.contoso.com" />
  • Modify the config file located at C:\Windows\System32\inetsrv\config\applicationHost.config
    • Search the file for <location path="MIM Portal">
      • Remove the line <add value="NTLM" />
  • Perform an IISReset
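The two config checks and the NTLM removal above can be scripted and verified rather than edited by hand. The PowerShell below is an added example, not code from the original post: it assumes the file paths and host name used in the post (mimportal.contoso.com, an IIS site named "MIM Portal") and uses the WebAdministration module, which is the supported way to edit applicationHost.config without touching the XML directly.

```powershell
Import-Module WebAdministration

# Assumed values (taken from the post's own paths and examples); adjust for your environment
$PortalFqdn    = 'mimportal.contoso.com'
$SiteName      = 'MIM Portal'
$ServiceConfig = 'C:\Program Files\Microsoft ForeFront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'
$AuthFilter    = 'system.webServer/security/authentication/windowsAuthentication'

# Check that the MIM Service config points at the same host name the SPNs were registered for.
# If these differ, the SharePoint app pool requests a ticket for a service name that is not
# registered, and delegation to FIMService fails.
function Test-MimServiceAddresses {
    [xml]$cfg = Get-Content -Path $ServiceConfig -Raw
    $client  = $cfg.SelectSingleNode('//resourceManagementClient')
    $service = $cfg.SelectSingleNode('//resourceManagementService')
    $ok = $true
    if ($client.resourceManagementServiceBaseAddress -ne $PortalFqdn) {
        Write-Warning "resourceManagementServiceBaseAddress is '$($client.resourceManagementServiceBaseAddress)', expected '$PortalFqdn'"
        $ok = $false
    }
    if ($service.externalHostName -ne $PortalFqdn) {
        Write-Warning "externalHostName is '$($service.externalHostName)', expected '$PortalFqdn'"
        $ok = $false
    }
    return $ok
}

# Return the Windows authentication providers currently offered by the MIM Portal site
# (the <providers><add value="..."/> entries under <location path="MIM Portal">).
function Get-MimPortalAuthProviders {
    $providers = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter "$AuthFilter/providers/add"
    return @($providers | ForEach-Object { $_.value })
}

# Remove NTLM so the site only offers Negotiate (Kerberos). NTLM sessions cannot be delegated,
# so with NTLM still offered the portal may "work" internally while the App Proxy path fails.
function Set-MimPortalKerberosOnly {
    $before = Get-MimPortalAuthProviders
    if ($before -contains 'NTLM') {
        Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
            -Filter "$AuthFilter/providers" -Name '.' -AtElement @{ value = 'NTLM' }
    }
    $after = Get-MimPortalAuthProviders
    if ($after -notcontains 'Negotiate') {
        throw "Negotiate provider is missing for '$SiteName'; the site would have no Kerberos provider"
    }
    Write-Host "Providers before: $($before -join ', ') ; after: $($after -join ', ')"
    return $after
}

if (-not (Test-MimServiceAddresses)) { throw "Fix $ServiceConfig before continuing" }
Set-MimPortalKerberosOnly
iisreset
```

Run it in an elevated PowerShell on the MIM Portal server. The Negotiate check is deliberate: removing the wrong provider line leaves the site with no usable authentication method, and the script refuses to continue in that state rather than running iisreset.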

Active Directory Server Delegation Configuration

For each Azure AD App Proxy Connector server, configure the delegation settings similar to the image below.
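The SPN and delegation requirements listed under Requirements, plus the connector delegation above, can be applied and checked with the ActiveDirectory module instead of the AD Users and Computers dialogs. The following is an added example, not from the original post. The account and server names (CONTOSO, MIMSP, MIMServ, APPPROXY01) are assumptions following the post's examples. It also assumes that the connector computer accounts need protocol transition ("Use any authentication protocol"), since the connector holds no Kerberos ticket from an Azure AD pre-authenticated user; the service accounts themselves stay on "Use Kerberos only" as the post requires.

```powershell
Import-Module ActiveDirectory

# Assumed names; adjust to your environment
$Domain         = 'CONTOSO'
$PortalFqdn     = 'mimportal.contoso.com'
$SpAppPoolAcct  = 'MIMSP'           # SharePoint App Pool service account
$MimServiceAcct = 'MIMServ'         # MIM Service service account
$ConnectorHosts = @('APPPROXY01')   # hypothetical App Proxy connector server names

$HttpSpn       = "HTTP/$PortalFqdn"
$FimServiceSpn = "FIMService/$PortalFqdn"

# 1. Register the SPNs. 'setspn -S' checks the forest for a duplicate before adding; a duplicate
#    SPN breaks Kerberos for that service, and an NTLM fallback (if still allowed) would hide it.
setspn -S $HttpSpn       "$Domain\$SpAppPoolAcct"
setspn -S $FimServiceSpn "$Domain\$MimServiceAcct"

# Add an SPN to an account's msDS-AllowedToDelegateTo list only if it is not already there,
# so the script can be re-run safely (-Add fails on a value that already exists).
function Add-DelegationTarget {
    param([Microsoft.ActiveDirectory.Management.ADObject]$Account, [string]$Spn)
    if (@($Account.'msDS-AllowedToDelegateTo') -notcontains $Spn) {
        Set-ADObject -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
    }
}

# 2. Service accounts: constrained delegation, "Use Kerberos only". That means a target SPN list
#    with NEITHER the unconstrained flag NOR the protocol-transition flag set.
foreach ($acct in $SpAppPoolAcct, $MimServiceAcct) {
    $u = Get-ADUser -Identity $acct -Properties 'msDS-AllowedToDelegateTo'
    Add-DelegationTarget -Account $u -Spn $FimServiceSpn
    Set-ADAccountControl -Identity $acct -TrustedForDelegation $false -TrustedToAuthForDelegation $false
}

# 3. Connector computer accounts delegate to the portal's HTTP SPN (assumption: with protocol
#    transition, since the connector must obtain a ticket on the user's behalf).
foreach ($h in $ConnectorHosts) {
    $c = Get-ADComputer -Identity $h -Properties 'msDS-AllowedToDelegateTo'
    Add-DelegationTarget -Account $c -Spn $HttpSpn
    Set-ADAccountControl -Identity ($h + '$') -TrustedForDelegation $false -TrustedToAuthForDelegation $true
}

# 4. Verify: list each account's SPNs, check the forest for duplicates, and dump the delegation
#    state so it can be reviewed against the Requirements list.
setspn -L "$Domain\$SpAppPoolAcct"
setspn -L "$Domain\$MimServiceAcct"
setspn -X    # must report no duplicates for the two SPNs above

$SpAppPoolAcct, $MimServiceAcct |
    Get-ADUser -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The final listing is the check worth keeping: for both service accounts, TrustedForDelegation and TrustedToAuthForDelegation should be False and DelegateTo should contain only the FIMService SPN. Anything broader than that (unconstrained delegation, or protocol transition on the service accounts) gives those accounts more delegation rights than the portal needs.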

Azure AD Application Proxy Application Configuration

If you have not already done so, create your MIM Portal application inside of Azure AD.  Search for Enterprise Applications. Click New Application.  Next click On-premises Application. 

Basic Settings

You will be presented with the screen below. Type in the Name and Internal URL fields for the MIM Portal. For now just type the URL in the following format: https://mimportal.contoso.com. This will be explained later. You will notice that the editable field between Internal URL and External URL auto-populates. This can be changed; do so if you do not want to use this value. The External URL will automatically adjust based on this field.

For the Pre-Authentication field, set it to Azure Active Directory.

The Connector Group drop-down should be the group of connectors of your own choosing. If you have no connector groups and your connectors are online, you will just need to leave this setting at Default.

Additional Settings

Set the Backend Application Timeout drop-down to Long.

The Yes/No switches should be set just like the image below.

To save, click the Add button, located in the upper left region of the image below. This will create the application.

Users and Groups

After you have built your application, you will need to do a few other things. First, you will need to grant access to this application for others to use. Unfortunately, you cannot just use Domain Users since it does not exist in Azure AD. You should use a security group that does contain all the users you want to have access. NOTE: Do not use nested groups; membership through nested groups is not honored for this assignment. You can add multiple groups, so it does not have to be a single group with all users in it.

When the built application appears, on the left-hand side, click Users and groups. Click Add user to start the process of adding users and groups.

Single sign-on

The next step will be to configure the Single sign-on method. When you first click Single sign-on, you will be presented with a series of options. Select Windows Integrated Authentication. Configure the next screen like the image below. For the Internal Application SPN field, type a value in the format HTTP/MIMPORTAL-SPN.

NOTE: You can use the setspn command with the appropriate switch (for example, setspn -L <account>) to find your current SPN entries in your on-prem environment.

For the Delegated Login Identity drop-down, select On-premises user principal name.

Click Save to complete the process.

SharePoint 2016 Configuration

After configuring the above steps, I found it necessary to make a configuration change in SharePoint. Once you do these steps you will no longer have to type /IdentityManagement/default.aspx as part of your MIM Portal address.

NOTE: Before I did these next steps my App Proxy repeatedly kept trying to redirect my External URL to the Internal URL.  I never found out why this was happening.  After performing these steps below the redirection problem stopped occurring. 

  • Open SharePoint Management Shell as an Administrator.
  • Type out the following:
    • $w = Get-SPWeb http://mimportal.contoso.com
      • NOTE: the SPWeb address could be http or https depending on how your SharePoint environment is configured.
    • $root = $w.RootFolder
    • Echo $root
    • $root.WelcomePage = "IdentityManagement/default.aspx"
    • $root.Update()
    • iisreset
  • Additionally, visit the following address while logged onto the server with the account that installed SharePoint:
    • Visit http://mimportal.contoso.com/_layouts/user.aspx
    • Click Grant Permissions
      • If you are still on SharePoint 2010 or 2013 you may have Browse capability; if so, search for “Authenticated Users”.  Grant them Read permissions.
      • If you are on SharePoint 2016 or higher, type “NT Authority\Authenticated Users”.  Hopefully, the People Picker will be able to resolve what was typed.  Grant them “Read” permissions.
