Connect with PrincipalContext to another domain - vb.net

Our customer's server is located in the "a.local" domain.
There is a domain trust to "b.local".
From my application we allow the user to choose a domain first, and then fill in their credentials.
In the configuration of our application there is a config for both domains, where a service account is set to authenticate with.
When a user wants to log in with a "b.local" user, we are now seeing that the PrincipalContext just connects to the domain controller of "a.local".
As a test, we even filled in the domain controller in the constructor.
Dim oDomainContext As New PrincipalContext(ContextType.Domain, "DC.b.local", "svc_acc", "pwd")
After that we printed out the oDomainContext.ConnectedServer.
And we got that it was connected to "DC.a.local".
Is it allowed to connect to a domain controller outside the domain the service is in?
If not, is there a workaround for this?
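The question does not say why the bind ended up on "DC.a.local", but whichever constructor is used, the safe pattern is to verify where the context actually connected before trusting it with a user's password. The following is an added example, not code from the question: it binds with the full PrincipalContext constructor (domain, container DN, context options, service credentials), forces the bind by reading ConnectedServer, and refuses to continue if the server reached is not in the requested domain. The domain, server, account and password values are placeholders.

```vbnet
' Added example (not from the question): bind a PrincipalContext to an explicit
' domain and fail closed if the connected server belongs to a different domain.
' All names and passwords below are placeholders.
Imports System
Imports System.DirectoryServices.AccountManagement

Module DomainBindCheck

    ' Returns a context bound to domainName, or throws if the bind silently
    ' landed on a domain controller outside that domain.
    Public Function BindToDomain(domainName As String, serviceUser As String, servicePassword As String) As PrincipalContext
        ' Container DN derived from the DNS name, e.g. b.local -> DC=b,DC=local
        Dim containerDn As String = "DC=" & domainName.Replace(".", ",DC=")

        ' Full constructor: domain, container, options, service credentials.
        ' Negotiate + Signing + Sealing gives an authenticated, integrity-protected,
        ' encrypted LDAP session rather than a simple bind.
        Dim ctx As New PrincipalContext(
            ContextType.Domain,
            domainName,
            containerDn,
            ContextOptions.Negotiate Or ContextOptions.Signing Or ContextOptions.Sealing,
            serviceUser,
            servicePassword)

        ' Reading ConnectedServer forces the bind now, so the check happens
        ' here and not on the first query.
        Dim server As String = ctx.ConnectedServer
        If server Is Nothing OrElse Not server.EndsWith("." & domainName, StringComparison.OrdinalIgnoreCase) Then
            ctx.Dispose()
            Throw New InvalidOperationException(
                "Expected a domain controller in " & domainName & " but was connected to '" & server & "'")
        End If
        Return ctx
    End Function

    ' Validates end-user credentials against the domain the user selected.
    Public Function AuthenticateUser(domainName As String, serviceUser As String, servicePassword As String,
                                     userName As String, password As String) As Boolean
        Using ctx As PrincipalContext = BindToDomain(domainName, serviceUser, servicePassword)
            ' Negotiate rather than SimpleBind so the user's password is not sent in clear text.
            Return ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate)
        End Using
    End Function

    Sub Main()
        ' Placeholder values; in the application these come from the per-domain configuration.
        ' A UPN (svc_acc@b.local) for the service account is unambiguous across the trust.
        Dim ok As Boolean = AuthenticateUser("b.local", "svc_acc@b.local", "pwd", "someuser", "somepwd")
        Console.WriteLine("Authenticated against b.local: " & ok.ToString())
    End Sub
End Module
```

The EndsWith check is deliberately strict: a context that connected to a controller in the wrong domain will still happily answer ValidateCredentials, just against the wrong directory, so the application would accept or reject the wrong set of users without any error. Surfacing that as an exception at bind time is the check the printout of ConnectedServer in the question was doing by hand.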

Related

How to make LDAP authentication work with a ForeignSecurityPrincipal account (2 AD forests, 2-way trust)? Is it possible?

I'm using AD LDAP authentication on my application (redmine, pfsense, ESXi, etc...)
I recently successfully made a two-way trust relationship between my domain PARIS.france and a foreign domain BERLIN.germany. The domain trust relationship looks OK, DNS too, I can browse each domain without issues.
The next step is to allow users from that domain to authenticate on my application. So I did create a domain local group "application-access" in my AD PARIS.france, containing users PARIS\Pierre and BERLIN\Otto.
But when I try to log in on a web application, only Pierre works. Otto can't authenticate.
When I look further, I see in my group that Pierre has a SamAccountName, but Otto is a special kind of object ("this object is just a placeholder for a user or group from a trusted external domain") and doesn't have such an attribute. I guess that's why it does not work? I can see the account in the ForeignSecurityPrincipals container.
Is what I want to achieve possible? Does it require a special LDAP query to configure in the application?

ADFS, Web Application Proxy, application authentication, split DNS

We have internet web applications for our company with which we want to authenticate employees.
We set up ADFS 2016 and this works internally on the intranet, and now we have set up Web Application Proxy (WAP) to authenticate the employees externally.
We have a DNS A record on the internet for the WAP server.
When the client tries to access a web app, they get the login page as expected. When the button is clicked for employees (this is the normal MVC template with Identity 2), the client gets redirected to the ADFS URL, which is not resolvable since there is no DNS record.
I read where we are supposed to use split DNS and I think that means we are supposed to create a public DNS record for the ADFS server. If we do that, what is the purpose of the WAP?
WAP is an ADFS proxy too. Externally you access ADFS at the WAP. Your ADFS external DNS should point to the WAP IP address.

How to Implement Single Sign On in MVC4

How to implement Single Sign-On (SSO) in cross-domain MVC4 web applications?
Same domain SSO could be easily achieved by setting the domain property of the forms authentication cookie to the root domain and configuring the same machine keys for both applications.
Cross domain SSO is more challenging. There are different techniques to implement it. For example StackExchange uses HTML5 Local Storage. Their mechanism is described in this blog post.
Here are some of the basic steps:
Set up a master domain for users to log on, for example logon.com.
When a non-authenticated user attempts to access a protected resource on one of the 2 applications, he is redirected to the logon domain for authentication.
The user authenticates and the logon domain generates a session identifier containing the username of the logged-in user. This session id is encrypted using a symmetric algorithm with a shared secret between the 3 domains. The logon domain also sets a forms authentication cookie to indicate that the user is already authenticated there.
The logon domain redirects back to the protected resource passing along the session identifier.
The application holding the protected resource decrypts the session id to extract the username and set a forms authentication cookie on its domain.
The user requests a protected resource on the second domain.
Since he is not yet authenticated he is redirected to the logon domain.
The user is already authenticated on the logon domain, and a session identifier using the same technique is generated and passed back.
The second domain decrypts the session identifier to extract the username and emit a forms authentication cookie for the second domain.
As an alternative to encrypting the username into the session identifier, the logon domain could simply store this information into a shared (between the 3 domains) data store and the session identifier will simply be an identifier of this record so that the other domains could retrieve the username from this shared data store.
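The session identifier described in the answer above carries a username across domains inside a redirect, so it needs more than confidentiality: the receiving application must be able to detect tampering, a token minted for a different application, and a token replayed long after it was issued. The following is an added example, not the answer's code or any project's code, showing one way to build such an identifier with AES-GCM under a secret shared by the three domains. The key derivation, the domain names and the two-minute lifetime are constructed for the example; the audience is bound as associated data so a token issued for one application fails verification at the other. It assumes .NET 8 or later for the two-argument AesGcm constructor.

```vbnet
' Added example (not from the answer): an authenticated, expiring, audience-bound
' session identifier for the redirect-based SSO flow. Shared secret and domain
' names are constructed placeholders.
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module SsoSessionId
    Private Const NonceSize As Integer = 12
    Private Const TagSize As Integer = 16

    ' Shared secret: in practice loaded from configuration and identical on all
    ' three domains. Derived from a fixed string here only so the example runs.
    Private ReadOnly SharedKey As Byte() =
        SHA256.HashData(Encoding.UTF8.GetBytes("example-shared-secret-rotate-me"))

    ' Issues a token for userName that only 'audience' will accept, valid for 'lifetime'.
    Public Function Issue(userName As String, audience As String, lifetime As TimeSpan) As String
        Dim expiry As Long = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds()
        Dim plaintext As Byte() = Encoding.UTF8.GetBytes(userName & "|" & expiry.ToString())
        Dim nonce As Byte() = RandomNumberGenerator.GetBytes(NonceSize)   ' never reuse a nonce with a key
        Dim ciphertext(plaintext.Length - 1) As Byte
        Dim tag(TagSize - 1) As Byte
        Using aes As New AesGcm(SharedKey, TagSize)   ' .NET 8+; earlier: New AesGcm(SharedKey)
            ' The audience is authenticated but not encrypted: changing it breaks the tag.
            aes.Encrypt(nonce, plaintext, ciphertext, tag, Encoding.UTF8.GetBytes(audience))
        End Using
        ' Token layout: nonce || ciphertext || tag
        Dim token(NonceSize + ciphertext.Length + TagSize - 1) As Byte
        Array.Copy(nonce, 0, token, 0, NonceSize)
        Array.Copy(ciphertext, 0, token, NonceSize, ciphertext.Length)
        Array.Copy(tag, 0, token, NonceSize + ciphertext.Length, TagSize)
        Return Convert.ToBase64String(token)
    End Function

    ' Returns the username if the token is intact, issued for 'audience' and not
    ' expired; otherwise Nothing. No detail about the failure is leaked to the caller.
    Public Function Verify(token As String, audience As String) As String
        Dim bytes As Byte()
        Try
            bytes = Convert.FromBase64String(token)
        Catch ex As FormatException
            Return Nothing
        End Try
        If bytes.Length < NonceSize + TagSize Then Return Nothing

        Dim nonce(NonceSize - 1) As Byte
        Dim tag(TagSize - 1) As Byte
        Dim ciphertext(bytes.Length - NonceSize - TagSize - 1) As Byte
        Array.Copy(bytes, 0, nonce, 0, NonceSize)
        Array.Copy(bytes, NonceSize, ciphertext, 0, ciphertext.Length)
        Array.Copy(bytes, NonceSize + ciphertext.Length, tag, 0, TagSize)

        Dim plaintext(ciphertext.Length - 1) As Byte
        Try
            Using aes As New AesGcm(SharedKey, TagSize)
                aes.Decrypt(nonce, ciphertext, tag, plaintext, Encoding.UTF8.GetBytes(audience))
            End Using
        Catch ex As CryptographicException
            Return Nothing   ' tampered, wrong key, or presented to the wrong application
        End Try

        Dim parts As String() = Encoding.UTF8.GetString(plaintext).Split("|"c)
        Dim expiry As Long
        If parts.Length <> 2 OrElse Not Long.TryParse(parts(1), expiry) Then Return Nothing
        If DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expiry Then Return Nothing   ' expired
        Return parts(0)
    End Function

    Sub Main()
        Dim t As String = Issue("alice", "app1.example", TimeSpan.FromMinutes(2))
        Console.WriteLine("app1 accepts: " & (Verify(t, "app1.example") = "alice").ToString())   ' True
        Console.WriteLine("app2 rejects: " & (Verify(t, "app2.example") Is Nothing).ToString())  ' True
    End Sub
End Module
```

Because the identifier travels in a redirect URL, it will end up in browser history and web server logs, which is why the lifetime is minutes rather than hours and why the receiving application should exchange it for its own forms authentication cookie immediately. Making it single-use as well requires server-side state; the shared data store mentioned in the answer's alternative design is the natural place to record which identifiers have already been consumed.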
Finally, I am able to implement it. Following are the steps I have done:
Login in App1
Get Option to Login with App2
Click on “Login with App2”
Redirects to the Login screen of App2
On click of the Login button of App2, it redirects to the SSOInMVCWcfService. Here, method Login calls the method Authenticate of the service of App1, i.e. SSOAuthService. If authenticated, then it generates a token for this username and also retrieves the userid from the service of App1.
Once the token is generated and the user id retrieved for this authenticated user, these values are entered in a table, say 'SessionDetails', in the database.
Then send the userid and token for the current user to App2.
Now App2 sends the returnurl, i.e. the authenticated page URL of App1, along with the userid and token to the login page of App1 by adding these values as cookies in the Response object.
Now on the App1 login page, these cookies are retrieved and, on the basis of the userid, the current username is retrieved from the "SessionDetails" table.

Kerberos delegation across 2 untrusted domains using WCF

I have an application in domain A and would like it to use domain B credentials to access domain B content. These domains have no trust. Is it possible to challenge a user in domain A, and get them to input credentials for domain B? Then use these credentials to authenticate in domain B. Meaning we bypass domain A's Kerberos Distribution Center (KDC).
I have no problem getting this to work inside a single domain, meaning impersonating the challenged user and maintaining an impersonation level of delegation. However, MS documentation says that the application in domain A will use its KDC to issue a ticket (or fail to issue the ticket) and this will cause my service in domain B to drop to NTLM.
Is it possible to force my service in domain A to use domain B's KDC? I could be way off base here.
The architecture is Microsoft WCF services.
Thanks,
Kevin
The quick answer is NO you cannot pass credentials across domains without the 2 domains having some level of trust.
However, I got around this by using ASP.NET forms authentication. When the user's credentials from domain A fail, I effectively get them to input the credentials from domain B and redirect them to an "Authentication" MVC controller that scrapes the user identity and then encrypts it in an ASP.NET forms authentication cookie. This is returned in the response header. All subsequent requests are made with this cookie and I check for the authenticated user in the session cookie. Not as elegant as delegation but it works.

Sharepoint 2010 Client Object Model - windows authentication - credentials of logged on user

In a SharePoint application page I have to get list items from a list on a remote server in the same Active Directory domain.
I use the Client Object Model to get at the list. If I do not supply Network credentials (with userid, password and domain) I get a 401 access denied.
Is there a way to pass the credentials of the user that is logged in to SharePoint (not in the Windows client; they can be different) to the ClientContext to allow it to get at the remote list?
Check if your SharePoint 2010 web application is configured with claims-based authentication. It needs to be configured with classic authentication so that you will not have to pass the username and password explicitly.