EDIT 08-27-2020
The way that this is fixed may be better solved as seen here


After setting up NextCloud, I set up the LDAP app and put a reverse proxy rule in IIS to forward to it.


Everything worked fine for the web browser. But when I tried to connect the iPhone app, I kept getting a 401 error.


I ended up launching Fiddler, to try to debug it. This first image is the request from the app with it not working, notice the 401 errors? I clicked on the headers view because that is where the error is shown.

[Image: 401 errors in Fiddler]


And here's a (still non-fixed) working web browser instance. Notice anything different between them?

[Image: Working non-fixed in Fiddler]


And what actually tipped me off to the issue:

[Image: 401 error in Fiddler]


Now what tipped me off to the problem: I couldn’t get the 401 error in my web browser, even by navigating (not logged in to NextCloud either) to that URL, /nextcloud/status.php.

Now, if NextCloud was giving me the 401 I would understand, because the proxy is going to be relaying the information to and from that machine. But why was IIS returning a 401 error? And only when using the iPhone app and not a web browser?





The answer in this case had to do with the IIS authentication methods that were enabled. The first picture shows that the browser is receiving a 401 error and is sending an NTLM authentication header, which is NOT what NextCloud is expecting and which IIS is intercepting.

No NTLM authentication is being used; the second picture shows that the web browser is sending the authentication parameters in a WebForm. So we need to change IIS authentication to allow for that.


Head over to the IIS manager that is hosting the reverse proxy for NextCloud.

Open IIS and go to authentication methods

[Image: Enabled authentication]

From here we can see that Basic Authentication and Windows Authentication are enabled, and set to send a 401 (!!) challenge.

Now, IIS won’t let you enable Forms authentication (302) together with the 401-challenge methods. I am not using either Basic or Windows in any of my projects, so I disabled those, enabling Forms Authentication in their place.
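The same check and change scripted with the WebAdministration PowerShell module, as an added example that is not part of the original post. The site name `Default Web Site` is an assumption; substitute the site that hosts the reverse proxy rule. Without `-Apply` the script only reports the current state.

```powershell
# Added example, not from the original post.
# Assumption: the reverse proxy rule lives on the site named below.
param(
    [string]$SiteName = 'Default Web Site',   # assumed site name
    [switch]$Apply                            # report only unless -Apply is given
)

Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$root    = 'system.webServer/security/authentication'

# Basic and Windows authentication both answer unauthenticated requests
# with a 401 challenge, which is the response seen in Fiddler.
$challengeModules = 'basicAuthentication', 'windowsAuthentication'

# 1. Report which IIS authentication modules are enabled for the site.
foreach ($module in $challengeModules + 'anonymousAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                    -Filter "$root/$module" -Name enabled).Value
    '{0,-26} enabled = {1}' -f $module, $enabled
}

# 2. Report the ASP.NET authentication mode (Forms is what the post switches to).
$sitePath = "IIS:\Sites\$SiteName"
$mode = (Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/authentication').mode
'{0,-26} mode    = {1}' -f 'system.web/authentication', $mode

if (-not $Apply) {
    'Report only. Re-run with -Apply to disable the 401-challenge modules and enable Forms.'
    return
}

# 3. Disable the modules that issue the 401 challenge in front of NextCloud.
foreach ($module in $challengeModules) {
    Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter "$root/$module" -Name enabled -Value $false
    "Disabled $module on '$SiteName'"
}

# 4. Enable Forms authentication in their place, as described above.
Set-WebConfigurationProperty -PSPath $sitePath `
    -Filter 'system.web/authentication' -Name mode -Value 'Forms'
"Set system.web/authentication mode to Forms on '$SiteName'"
```

Run it from an elevated PowerShell session on the IIS server. If other applications on the same site rely on Basic or Windows authentication, scope the change to a separate application instead.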



Depending on your environment, you may need to look into creating a new Application that will host the authentication and reverse proxy.

EDIT 08-27-2020
Take a look here to see how to do that.