Recipe · IIS · AD

Put /apps behind IIS Windows Authentication

iVistaar is an internal deployment control plane for Windows Server/IIS that gives Flask, Dash, and Streamlit apps an org URL without Git or cloud services. Native AD gating for /apps is on the roadmap — until then, this is the documented afternoon path using IIS as an authenticating reverse proxy.

What you get

Users hitting https://your-server/apps/<slug>/ must pass Windows Authentication (domain join / AD) before IIS forwards to iVistaar’s localhost gateway. The admin UI can stay on the gateway port or behind the same site with separate rules.

Prerequisites

1. Keep iVistaar on localhost

Prefer the gateway listening on the machine but only published through IIS. Practical pattern:

If the gateway currently binds 0.0.0.0:8080, firewall it to intranet-only until IIS is in front — or stop advertising that port and use IIS as the only ingress.

2. Create an IIS site (or app) for org URLs

  1. IIS Manager → SitesAdd Website (or add an application under an existing intranet site)
  2. Physical path: an empty folder is fine (e.g. C:\inetpub\ivistaar-edge) — traffic will be rewritten, not served from disk
  3. Binding: HTTPS with your org cert (required for clean Windows Auth in browsers)

3. Enable Windows Authentication

  1. Select the site → Authentication
  2. Anonymous Authentication → Disabled
  3. Windows Authentication → Enabled
  4. (Optional) Providers: Negotiate first, then NTLM

Authorize who may enter with Authorization Rules (Allow roles / AD groups such as DOMAIN\App-Readers). Deny unauthenticated.

4. Reverse-proxy /apps to the gateway

With ARR + URL Rewrite, add a rule that forwards authenticated requests:

<!-- web.config in the IIS site root (illustrative) -->
<rule name="iVistaar Apps" stopProcessing="true">
  <match url="^apps(/.*)?" />
  <action type="Rewrite" url="http://127.0.0.1:8080/{R:0}" />
  <serverVariables>
    <set name="HTTP_X_FORWARDED_PROTO" value="https" />
    <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
  </serverVariables>
</rule>

Allow server variable overrides for those headers in IIS (URL Rewrite → View Server Variables). Enable ARR proxy: IIS root → Application Request Routing Cache → Server Proxy Settings → Enable proxy.

WebSockets: Streamlit/Gradio need WS upgrades. Enable WebSocket protocol in IIS and ensure ARR passes upgrades (ARR 3+). If WS fails, see Streamlit not interactive.

5. Smoke-test

  1. From a domain workstation, open https://your-site/apps/<slug>/
  2. Expect a Windows Auth challenge (or SSO if already logged on)
  3. Wrong group → 401/403 from IIS before the Python app runs
  4. Admin UI: either leave on :8080 for admins only, or add a separate rewrite + stricter AD group

Service account note

Recommended: run under a dedicated service account. Pass -ServiceUser only — the installer prompts for the password (keeps it out of shell history):

.\scripts\install-admin-service.cmd -Port 8080 -ServiceUser "DOMAIN\ivistaar-svc"

Grant that account read/execute on the install folder, modify on data\, logs\, and your apps root. See the security section on the homepage.

Built-in AD gating

Per-app AD group mapping inside iVistaar is the next hardening build. This recipe is the supported bridge so “place it behind your reverse proxy” is a checklist, not homework.