I'm developing an ASP.NET Web API which implements also an Identity provider using Identity Server. The requirement is to support Windows Authentication via Active Directory, and also Custom credentials.
All these requirements are achievable. An extra requirement is to support Win Auth from different untrusted domains.
Recap:
Three untrusted domain (A, B, C)
the ASP.net Core service runs (using HTTP.SYS and not behind IIS) on a server joined to domain A
a user from domain B wants to login using Windows Authentication (preferable SSO) using domainB\userB
I've googled and it doesn't seem possible.
It's an option to migrate to Kestrel 3.0, but Microsoft says here
In ASP.NET Core 3.0, Kestrel has the ability to use Negotiate, Kerberos, and NTLM on Windows, Linux, and macOS for Windows domain-joined hosts
so supports only domain joined hosts.
My understanding is that LDAP could support untrusted domains, is this true?
Thanks,
Related
I'm trying to develop many projects under one solution on asp.net and I want to be authenticated just on the first project (Demarrage) then having authenticated immedialtly in the others projects. I'm using Windows authentication.Project Overview Link
As far as I know, if you enable the IIS windows auth and use IE or Chrome to access the web application. The browser will auto store the windows credenticial and use it to login in. That means you just need to login in once and it could access other web application.
If you want to enable a SSO for both windows auth and other auth mode. I suggest you could consider using identity server. The Identity server is an OpenID Connect and OAuth 2.0 framework. It could Single sign-on (and out) over multiple application types and it support windows auth.
Details about how to use it with windows auth, you could refer to below article:
http://docs.identityserver.io/en/latest/topics/windows.html
I want to deploy an ASP.NET Core application in Linux with Windows authorization.
I understand approximately what I need to configure, for example, nginx as a reverse proxy server that will forward Kerberos to Kestrel. But I don’t understand if Kestrel can accept kerberos tokens or how it needs to be configured for this scheme to work?
For IIS we need add this:
services.AddAuthentication(IISDefaults.AuthenticationScheme)
No official support (90% sure)
Base on :
Configure Windows Authentication in ASP.NET Core | Microsoft Docs
HTTP.sys web server implementation in ASP.NET Core | Microsoft Docs
Notice :
Windows Authentication can be configured for ASP.NET Core apps hosted with IIS or HTTP.sys.
Windows Authentication relies on the operating system to authenticate users of ASP.NET Core apps.
IIS and HTTP.sys only runs on Windows
Possible Workaround
Use Identity Server
See iis - How to implement Windows Authentication with IdentityServer 4 - Stack Overflow
We have a webforms (.net 4.5) application which uses membership for user authentication which we host ourselves. Our clients have Active Directory and ADFS which they host in their own networks, they require our software to use single sign on authenticating against their ADFS server. I'm looking for steps on how to implement this so we can continue to use our normal membership login but use SSO where available.
There's a lot of info out there and I honestly don't know where to start. Cheers.
I wrote up something very similar to this:
OWIN : ASP.NET MVC application with multiple authentication options
Basically, use the OWIN Identity stacks to support whatever protocols you want.
Note that this application (RP in ADFS speak) still needs to be configured on the ADFS side.
I have an application built in .NET (C# and ASP.NET). We offer our own register/login login, but a client that just signed up with us requested support for ADFS since that's the authentication service they use across their company. This is brand new to me.
How can I add support for ADFS on my application? I'm guessing my client will provide the new users a link to click that I'll have to process for the SSO?
What would my client need to do on their end? (i.e. add groups and assign our future users to those groups?)
What .NET (or 3rd party) libraries can I use?
Thank you!
You could do this with OpenID Connect OWIN but ADFS 3.0 doesn't support this. So you need WS-Fed (WIF).
The easiest way to do this is with VS.
Create a new ASP.NET project and for "Change Authetication" select the on-premises option.
Use the On-Premises Organizational Authentication Option (ADFS) With ASP.NET in Visual Studio 2013.
Obviously ADFS needs to be configured. You need to find out what attributes the application requires in the form of claims.
Code sample which is similar for Azure AD - Integrating a web app with Azure AD using WS-Federation.
I am very very new to ADFS 2.0, i have been using Domain trust and i am doing some research on ADFS 2.0 to convert my current web app to ADFS 2.0, question i have is
Does the Web server needs to be on a perimeter network facing internet? or i can use web proxy or if federation proxy supports that built in for web server too.
Does my SSL cert needs to be on my IIS or i can host it on my load balancer?
Also do i need to have .net 3.0 and above to use adfs with asp.net?
For ADFS, you can install an ADFS proxy that is accessible to the Internet. This communicates with an instance of ADFS which can be behind a firewall.
ADFS requires a "Service communications" certificate which typically uses the SSL certificate of the IIS that hosts ADFS.
I detailed the WIF requirements in my other answer to you.
ADFS requires Microsoft .NET Framework 3.5 together with Service Pack 1.