Recipe · IIS · AD
Put /apps behind IIS Windows Authentication
iVistaar is an internal deployment control plane for Windows Server/IIS that gives Flask, Dash, and Streamlit apps an org URL without Git or cloud services. Native AD gating for /apps is on the roadmap — until then, this is the documented afternoon path using IIS as an authenticating reverse proxy.
What you get
Users hitting https://your-server/apps/<slug>/ must pass Windows Authentication (domain join / AD) before IIS forwards to iVistaar’s localhost gateway. The admin UI can stay on the gateway port or behind the same site with separate rules.
Prerequisites
- iVistaar installed in service mode (
install-admin-service.cmd) listening on localhost, e.g. public gateway127.0.0.1:8080or only on loopback if you bind that way - IIS with Windows Authentication and URL Rewrite (+ ARR reverse proxy) installed
- Server domain-joined (or workgroup NTLM for a lab test)
1. Keep iVistaar on localhost
Prefer the gateway listening on the machine but only published through IIS. Practical pattern:
- iVistaar gateway:
http://127.0.0.1:8080/(admin +/apps) - IIS site:
https://apps.contoso.local/(or the server’s public HTTPS binding)
If the gateway currently binds 0.0.0.0:8080, firewall it to intranet-only until IIS is in front — or stop advertising that port and use IIS as the only ingress.
2. Create an IIS site (or app) for org URLs
- IIS Manager → Sites → Add Website (or add an application under an existing intranet site)
- Physical path: an empty folder is fine (e.g.
C:\inetpub\ivistaar-edge) — traffic will be rewritten, not served from disk - Binding: HTTPS with your org cert (required for clean Windows Auth in browsers)
3. Enable Windows Authentication
- Select the site → Authentication
- Anonymous Authentication → Disabled
- Windows Authentication → Enabled
- (Optional) Providers: Negotiate first, then NTLM
Authorize who may enter with Authorization Rules (Allow roles / AD groups such as DOMAIN\App-Readers). Deny unauthenticated.
4. Reverse-proxy /apps to the gateway
With ARR + URL Rewrite, add a rule that forwards authenticated requests:
<!-- web.config in the IIS site root (illustrative) -->
<rule name="iVistaar Apps" stopProcessing="true">
<match url="^apps(/.*)?" />
<action type="Rewrite" url="http://127.0.0.1:8080/{R:0}" />
<serverVariables>
<set name="HTTP_X_FORWARDED_PROTO" value="https" />
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
</serverVariables>
</rule>
Allow server variable overrides for those headers in IIS (URL Rewrite → View Server Variables). Enable ARR proxy: IIS root → Application Request Routing Cache → Server Proxy Settings → Enable proxy.
WebSockets: Streamlit/Gradio need WS upgrades. Enable WebSocket protocol in IIS and ensure ARR passes upgrades (ARR 3+). If WS fails, see Streamlit not interactive.
5. Smoke-test
- From a domain workstation, open
https://your-site/apps/<slug>/ - Expect a Windows Auth challenge (or SSO if already logged on)
- Wrong group → 401/403 from IIS before the Python app runs
- Admin UI: either leave on
:8080for admins only, or add a separate rewrite + stricter AD group
Service account note
Recommended: run under a dedicated service account. Pass -ServiceUser only — the installer prompts for the password (keeps it out of shell history):
.\scripts\install-admin-service.cmd -Port 8080 -ServiceUser "DOMAIN\ivistaar-svc"
Grant that account read/execute on the install folder, modify on data\, logs\, and your apps root. See the security section on the homepage.
Built-in AD gating
Per-app AD group mapping inside iVistaar is the next hardening build. This recipe is the supported bridge so “place it behind your reverse proxy” is a checklist, not homework.