How to configure Cayosoft Administrator for remote access through Microsoft Entra Application Proxy
Summary: Microsoft Entra application proxy publishes on-premises web applications to remote users without exposing the application server to inbound connections; the connector on your network opens only outbound connections to the service. After a single sign-on to Microsoft Entra, users can access both cloud and on-premises applications through an external URL or an internal application portal.
This article explains how to configure Cayosoft Administrator for remote access through Application Proxy in Microsoft Entra. Also, it is possible to enforce two-factor authentication when signing into the Web Portal through the Microsoft Entra Application Proxy.
Checking required prerequisites
You must have a Microsoft Entra ID P1 or P2 (Premium) license in your tenant.
You need to use an application administrator account for configuration.
User identities must be synchronized from an on-premises directory or created directly in your Microsoft Entra tenant.
Using Application Proxy requires a Windows server running Windows Server 2012 R2 or later.
Check the following requirements in the Add an on-premises application for remote access through application proxy in Microsoft Entra ID article:
Check the recommendations for the connector server.
Check the TLS requirements.
Open the required ports for outbound traffic from the connector server.
Allow the connector server access to the required URLs.
Installing and registering the connector
To use Application Proxy, install a private network connector on each Windows server you're using with the Application Proxy service. During installation, sign in with an application administrator account; this registers the connector with your tenant.
Verify the installation through Microsoft Entra ID.
Verify the installation through your Windows server.
Learn more in: Install and verify the Microsoft Entra private network connector.
Adding Cayosoft Administrator application to Microsoft Entra
Sign in as an administrator in the Microsoft Entra admin center.
Navigate to Identity > Applications > Enterprise applications.
Click New application.
In the On-premises applications section, select Add an on-premises application.
In the Add your own on-premises application section, provide the following information about your application:
Name: specify the Application Proxy name. For example, CayoAdmin.
Internal URL: specify the Cayosoft Administrator endpoint URL with the server name and a trailing "/". For example, https://cayoadminserver.domain.com/CayosoftWebAdmin/
External URL: generated automatically. Copy it; you will need to paste it into the Web Portal Settings.
Pre Authentication: use the default value Microsoft Entra ID.
NOTE: Users or groups must first be assigned to this application before being able to access it.
Leave default values for other application proxy optional parameters.
Click Save.
Assigning users or groups to the CayoAdmin proxy application
Before adding a user or group to the CayoAdmin proxy application, verify that they already have permission to access the application from inside the corporate network.
Select Enterprise applications, and then select the created CayoAdmin proxy application.
Select Getting started > Assign users and groups.
Click Add user/group.
Under Add assignment, select Users and groups. The Users and groups pane appears.
You can choose the users and groups you want to add.
Choose Select, and then select Assign.
Configuring CayoAdmin Application Proxy when Automatic Single Sign-on (SSO) for Microsoft Entra is used
In the Cayosoft Administrator Console, navigate to Home > Configuration > Web Portal > Web Portal Settings.
In the Server URL, paste the External URL from the CayoAdmin application proxy.
Ensure that the User sign-in authentication method is set to Automatic Sign-in (SSO) for Azure Active Directory / Office 365 accounts.
Set Enable integration with Azure AD Application Proxy to Yes.
Save changes.
Test sign-in
In the Web browser, specify the External URL from the CayoAdmin application proxy.
Sign in to Microsoft Entra using the user's credentials assigned to the CayoAdmin proxy application.
Ensure that the Web Portal home page appears.
Configuring CayoAdmin Application Proxy when Automatic Single Sign-on (SSO) for Active Directory is used
Configuring Active Directory
If the connector and application server are in the same domain, perform the steps in Configuring delegation on Cayosoft Administrator server below. They configure Kerberos constrained delegation so that the Application Proxy connector can impersonate users in Active Directory against the application SPN you define in the Single sign-on settings.
If the connector and application server are in different domains, perform the steps described in the following article: Add an on-premises application for remote access through application proxy in Microsoft Entra ID.
Configuring single sign-on
Sign in as an administrator in the Microsoft Entra admin center.
Select the created CayoAdmin application and click Single sign-on.
Select Integrated Windows Authentication as a Single sign-on method.
In Internal Application SPN, specify http/cayoadminserver.domain.com
Delegated Login Identity is the identity the connector service presents to the Key Distribution Center (KDC) when it requests a Kerberos ticket on the user's behalf. It must match the userPrincipalName or sAMAccountName attribute of the user in the on-premises Active Directory.
If the Microsoft Entra userPrincipalName matches the on-premises Active Directory userPrincipalName, use User principal name as the Delegated Login Identity.
Save changes.
Configuring delegation on Cayosoft Administrator server
In Active Directory Users and Computers, locate the computer account of the server that runs the private network connector (the Cayosoft Administrator server when the connector is installed there; if the connector runs on a separate server, configure that server's computer account instead), right-click it and select Properties.
In the Delegation tab, select Trust this computer for delegation to specified services only, and then select Use any authentication protocol. The second option is required: Microsoft Entra pre-authenticates the user, so the connector never receives a Kerberos ticket from the user's browser and must use protocol transition to request one on the user's behalf.
Click Add, select the Cayosoft Administrator server computer object, and choose the http service type so that the entry matches the Internal Application SPN (http/cayoadminserver.domain.com). Click Apply to save changes.
For additional information, refer to the following Microsoft article: How to configure Kerberos Constrained Delegation | Microsoft.
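The same delegation settings can be applied and verified from PowerShell. The following is an added example, not part of the Cayosoft article or product, written against the ActiveDirectory RSAT module; the computer name CAYOADMINSERVER and the SPN http/cayoadminserver.domain.com are assumptions taken from the article's examples and must be replaced with your own. It first checks that the SPN is registered on exactly one account (a duplicate or missing SPN is the most common reason Kerberos SSO through the connector fails), then enables constrained delegation with protocol transition and verifies the result.

```powershell
# Added example (not from the Cayosoft article): configure Kerberos constrained
# delegation (KCD) with protocol transition for the Microsoft Entra private network
# connector and verify it. Run on a domain-joined host with RSAT, as an account that
# may edit the computer objects. Names are assumptions; replace them.
Import-Module ActiveDirectory

$ConnectorComputer = 'CAYOADMINSERVER'                   # computer account that runs the connector
$TargetSpn         = 'http/cayoadminserver.domain.com'  # Internal Application SPN from the SSO settings

# 1. The SPN must exist on exactly one account, otherwise the KDC refuses the ticket request.
#    If the web app runs under a domain service account rather than the machine account,
#    the SPN belongs on that service account (setspn -S http/<fqdn> <account>).
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" -Properties servicePrincipalName)
if ($spnOwners.Count -ne 1) {
    throw "Expected exactly one account holding $TargetSpn, found $($spnOwners.Count)."
}
Write-Host "SPN $TargetSpn is registered on $($spnOwners[0].Name)"

# 2. Constrained delegation to the target SPN only. Unconstrained delegation stays off:
#    it would let the connector host impersonate users against any service.
Set-ADComputer -Identity $ConnectorComputer -TrustedForDelegation $false
$current = Get-ADComputer -Identity $ConnectorComputer -Properties msDS-AllowedToDelegateTo
if ($current.'msDS-AllowedToDelegateTo' -notcontains $TargetSpn) {
    Set-ADComputer -Identity $ConnectorComputer -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
}

# 3. "Use any authentication protocol" (protocol transition). Mandatory here: Entra ID
#    pre-authenticates the user, so the connector has no user ticket to forward.
Set-ADAccountControl -Identity $ConnectorComputer -TrustedToAuthForDelegation $true

# 4. Verify what the Delegation tab will show.
$acct = Get-ADComputer -Identity $ConnectorComputer `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($acct.TrustedForDelegation) {
    throw "$ConnectorComputer is trusted for unconstrained delegation; this must be off."
}
if (-not $acct.TrustedToAuthForDelegation) {
    throw "Protocol transition is not enabled on $ConnectorComputer."
}
if ($acct.'msDS-AllowedToDelegateTo' -notcontains $TargetSpn) {
    throw "$TargetSpn is missing from msDS-AllowedToDelegateTo on $ConnectorComputer."
}
Write-Host "KCD with protocol transition to $TargetSpn is configured on $ConnectorComputer"
```

Kerberos tickets for the connector host are cached, so after changing delegation settings restart the Microsoft Entra private network connector service (or reboot the server) before testing sign-in.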
Configuring Cayosoft Administrator
In the Cayosoft Administrator Console, navigate to Home > Configuration > Web Portal > Web Portal Settings.
In the Server URL, paste the External URL from the CayoAdmin application proxy.
Ensure that the User sign-in authentication method is set to Automatic Sign-in (SSO) + Sign-in form for Active Directory accounts.
Set Enable integration with Azure AD Application Proxy to Yes.
Save changes.
Test sign-in
In the Web browser, specify the External URL from the CayoAdmin application proxy.
Sign in to Microsoft Entra using the user's credentials assigned to the CayoAdmin proxy application.
Ensure that the Web Portal home page appears.
Enforcing Two-Factor Authentication when signing into the Web Portal through the Microsoft Entra Application Proxy
To enforce two-factor authentication when users sign in to the Web Portal, perform the following steps:
Configure Cayosoft Administrator for the Application Proxy as described in one of the two sections above: with Automatic Single Sign-on (SSO) for Microsoft Entra, or with Automatic Single Sign-on (SSO) for Active Directory.
In Microsoft Entra, create a Conditional Access policy that targets the CayoAdmin proxy application and requires multi-factor authentication for the users and groups in the policy scope:
Sign in to Microsoft Entra admin center.
Navigate to Protection > Conditional Access.
In the Policies section, click New Policy.
Specify policy name.
Under Users, select the users and groups who must complete two-factor authentication when signing in to the Web Portal.
Under Target resources (formerly Cloud apps or actions), select the CayoAdmin proxy application.
Under Conditions > Locations, select Any location.
In the Access Controls, click Grant Access and check Require multi-factor authentication.
Set Enable policy to On.
Click Save.
After that, when users in the Conditional Access policy scope sign in to the Web Portal through the External URL of the CayoAdmin application proxy, they are prompted for a second factor during authentication.
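The same policy can be created with Microsoft Graph PowerShell, which is useful when the policy has to be reproducible across tenants. The following is an added example, not from the Cayosoft article; the application display name CayoAdmin, the group name CayoAdmin Portal Users and the policy name are assumptions. It creates the policy in report-only mode first, so sign-in logs can confirm that exactly the intended users are caught (and that no break-glass account is in scope) before enforcement is switched on.

```powershell
# Added example (not from the Cayosoft article): the "require MFA for the CayoAdmin
# Application Proxy app" Conditional Access policy via Microsoft Graph PowerShell.
# Display names below are assumptions; replace them with your own.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

$AppDisplayName = 'CayoAdmin'                                  # Application Proxy app created earlier
$GroupName      = 'CayoAdmin Portal Users'                     # assumed group assigned to the app
$PolicyName     = 'CA - Require MFA for CayoAdmin Application Proxy'

# Conditional Access targets applications by their application (client) ID, which is the
# AppId of the service principal, not the object ID.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) { throw "Expected one service principal named $AppDisplayName, found $($sp.Count)" }
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) { throw "Expected one group named $GroupName, found $($group.Count)" }

$policy = @{
    displayName   = $PolicyName
    # Report-only first; change to 'enabled' after reviewing the sign-in logs.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeGroups = @($group[0].Id) }
        applications = @{ includeApplications = @($sp[0].AppId) }
        locations    = @{ includeLocations = @('All') }          # "Any location"
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                               # Require multi-factor authentication
    }
}

# Idempotent: update the policy if one with this name already exists, otherwise create it.
$existing = @(Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'")
if ($existing.Count -eq 1) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing[0].Id -BodyParameter $policy
    $policyId = $existing[0].Id
} elseif ($existing.Count -eq 0) {
    $policyId = (New-MgIdentityConditionalAccessPolicy -BodyParameter $policy).Id
} else {
    throw "More than one policy named $PolicyName exists; resolve manually."
}

$result = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId
Write-Host "Policy '$($result.DisplayName)' ($($result.Id)) is in state $($result.State)"
```

Once the report-only results look right, rerun the script with state set to 'enabled'. Keep your emergency-access accounts excluded from the policy (excludeUsers under users) so that an MFA outage cannot lock administrators out of the portal.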
Adjusting token lifetime for Application Proxy connection with policies
Sometimes the Web Portal shows the error Failed to communicate with the Cayosoft Administrator Service when performing a search or another request. It appears when the access token has expired and the Web Portal's background (cross-origin) request is redirected to login.microsoftonline.com to re-authenticate; a cross-origin request cannot follow that redirect, so the CORS call fails. CORS is a W3C standard that lets a server relax the same-origin policy and allow some cross-origin requests while rejecting others.
A workaround for this scenario is to extend the lifetime of your Application Proxy app access token, to prevent it from expiring during a user’s session.
For more about CORS issues with Application Proxy, see the Microsoft article Resolve cross-origin resource sharing issues in Microsoft Entra application proxy. To resolve this error, apply option 5: Extend the lifetime of the access token.
The easiest way to extend the token lifetime is provided in this Microsoft KB: Create a policy and assign it to an app.
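The whole workaround can also be run as one idempotent script. The following is an added example, not from the Cayosoft article or from Microsoft; the application display name CayoAdmin and the policy name CayoAdmin-AccessToken-8h are assumptions. It looks the application up by display name so the object ID never has to be copied by hand, reuses an existing policy of the same name instead of creating duplicates, refuses to silently overwrite a different policy already linked to the app, and verifies the assignment at the end. The individual commands it wraps are walked through step by step below.

```powershell
# Added example (not from the Cayosoft article): extend the access token lifetime of the
# Application Proxy app as one idempotent, verified script. Names are assumptions.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'Policy.ReadWrite.ApplicationConfiguration', 'Policy.Read.All', 'Application.ReadWrite.All'

$AppDisplayName = 'CayoAdmin'                 # Application Proxy app created earlier
$PolicyName     = 'CayoAdmin-AccessToken-8h'  # assumed policy name
# AccessTokenLifetime accepts 10 minutes ("00:10:00") up to 1 day ("1.00:00:00").
# A longer token is also usable longer if it leaks: cover one working session and no more.
$Lifetime       = '8:00:00'

$app = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'")
if ($app.Count -ne 1) { throw "Expected one application named $AppDisplayName, found $($app.Count)" }
$app = $app[0]

# Reuse an existing policy with this name; create it only if missing.
$policy = Get-MgPolicyTokenLifetimePolicy -All | Where-Object { $_.DisplayName -eq $PolicyName }
if (-not $policy) {
    $definition = @{ TokenLifetimePolicy = @{ Version = 1; AccessTokenLifetime = $Lifetime } } |
        ConvertTo-Json -Compress
    $policy = New-MgPolicyTokenLifetimePolicy -BodyParameter @{
        Definition            = @($definition)
        DisplayName           = $PolicyName
        IsOrganizationDefault = $false   # scoped to this app only, not the whole tenant
    }
}

# An application can carry only one token lifetime policy. Link ours if nothing is linked,
# skip if it is already linked, and stop rather than overwrite a different policy.
$assigned = Get-MgApplicationTokenLifetimePolicy -ApplicationId $app.Id
if ($assigned -and $assigned.Id -ne $policy.Id) {
    throw "Application already has token lifetime policy '$($assigned.DisplayName)'; remove it first."
}
if (-not $assigned) {
    New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $app.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)"
    }
}

$check = Get-MgApplicationTokenLifetimePolicy -ApplicationId $app.Id
if ($check.Id -ne $policy.Id) { throw "Policy assignment could not be verified." }
Write-Host "Application $($app.DisplayName) ($($app.Id)) uses policy '$($check.DisplayName)': $($check.Definition)"
```

The policy applies to tokens issued after it is assigned; users who already hold a token keep the old lifetime until they sign in again.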
Here are the step-by-step instructions on how to do this with PowerShell:
Install the PowerShell module:
Install-Module Microsoft.Graph -AllowClobber
Connect to your tenant and consent to the scopes needed to create and assign the policy:
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration","Policy.Read.All","Application.ReadWrite.All"
Create a new token lifetime policy. This example creates a policy with an 8-hour access token lifetime ("8:00:00", in hh:mm:ss; Microsoft accepts values from 10 minutes to 1 day). Adjust it to the value you need in your tenant, keeping in mind that a longer lifetime also extends the period during which a leaked access token remains usable:
$params = @{
    Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"8:00:00"}}')
    DisplayName = "WebPolicyScenario"
    IsOrganizationDefault = $false
}
$tokenLifetimePolicyId = (New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id
Assign the policy to your Application Proxy application. Replace "11111111-1111-1111-1111-111111111111" with the Object ID of the application (not its Application (client) ID). To get it, sign in to entra.microsoft.com, go to Applications > App registrations, select All applications, find your Application Proxy app and copy the Object ID value from its Overview page.
$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId"
}
$applicationObjectId = "11111111-1111-1111-1111-111111111111"
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params
My Profile & Password
To use the My Profile & Password functionality, which lets users reset their passwords and unlock their accounts, together with Application Proxy, set the user sign-in authentication method to Sign-in for Active Directory accounts:
In the Cayosoft Administrator Console, navigate to Configuration > Web Portal > Web Portal Settings.
In the User Sign-in Settings section, set the User sign-in authentication method to Sign-in for Active Directory accounts.
Save changes.
After signing in to the Web Portal, users who need to unlock their account or reset their password may see this form:
In this case, users should click Cancel; the Web Portal login form with the SelfService links is then displayed:
Using these links, a user can reset the password or unlock the account, provided the user enrolled in SelfService beforehand.