What to do when Active Directory and IIS server are not in same domain? - asp.net-mvc-4

I developed an application in ASP.NET MVC. The application uses AD to authenticate users. It works fine in development, but when the application is hosted in IIS, it cannot validate AD users. Note that AD and IIS are not in the same domain.

Related

ASP.NET Core Windows Authentication pass through from UI website to API

IIS on Windows Server 2012 setup with 2 projects:
example.com: ASP.NET Core MVC project with VueJS as JavaScript framework.
api.example.com: ASP.NET Core Web API project which feeds the UI project.
The example.com is set up using Windows Authentication, the api.example.com is set up with both Anonymous and Windows Authentication.
Both projects have a separate Application Pool.
Everything is working fine except when I go to the example.com website, I get a prompt to input my AD credentials for example.com, after that I get another one for api.example.com.
So the user needs to enter his credentials twice. Is there a way to reduce this to one and send the credentials to both websites?
I am using Google Chrome as browser to use the website.
OK, reduced the login to zero. Disabled the Windows authentication on the example.com because all authentication is done on the API project, so no need to apply it here. Then added the api.example.com under Internet Explorer > Settings > Security > Intranet sites and now the client can work directly without applying credentials when working inside the domain.

Retrieve NextCloud files for Azure AD users

We're trying to develop an ASP.NET Core web API which lets users authenticate through Azure AD and would like to retrieve files from NextCloud on behalf of this Azure AD user. Our infrastructure is composed of an Ubuntu server running NextCloud 12, a Windows Server running the ASP.NET Core web API and an Azure Active Directory instance with Azure AD Domain Services.
Signing in through NextCloud using LDAP (provided by AAD Domain Services) works without any issues.
We've been trying out SSO with SAML in addition to LDAP but we keep seeing this error message when signing into NextCloud:
Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.
How exactly are we able to retrieve files from NextCloud by using the same Azure AD token we receive when authenticating with our ASP.NET web API?
SAML is not well suited for use with Web APIs; its protocol is heavily vested in the application being a Web App. Ideally you should use OpenID Connect with JWT tokens.

How to enforce Azure AD login through externally hosted site?

Been googling this for hours, and can't find a clear tutorial or anything.
I have an Azure account with active directories already enabled. I also have an InMotion hosting account that hosts numerous domains (each having their own respective cpanels).
How would I go about integrating Azure AD authentication on a domain that's being hosted by InMotion that only affects that domain and none of the others on that hosting account?
So in theory, you would visit the domain, get hit with the Windows login Auth. page, and if login is successful, you are directed to the home page and can view the content.
Is this doable through the .htaccess file? Or would I have to alter the actual Apache files? If so, how do I make it applicable to only one domain?
To integrate the web app with Azure AD, we need to write custom code to implement the logic to redirect the unauthenticated request to Azure AD and verify the token after users sign in. (Refer here for the code samples to integrate with Azure AD.)
And it is easier if you deploy the web app on Azure. In this scenario, we can use the authentication and authorization feature provided by Azure, with which we don't have to change code on the web application.
How would I go about integrating Azure AD authentication on a domain that's being hosted by InMotion that only affects that domain and none of the others on that hosting account?
Based on my understanding, we integrate Azure AD with the web app and configure the domain for the web site. Then we can visit the web app via the domain instead of the IP address. In this scenario, only the web app you integrate with Azure AD will be redirected to the login page if users are accessing a page which requires authentication when they aren't logged in.

Problems binding to AD LDS from an IIS application

I have a simple WCF Service Application that I want to connect to an active directory for basic authentication. I can install, configure and add users to my AD LDS instance using my personal credentials (I'm an administrator). However, IIS can't bind to the instance. If I restart IIS using my credentials, everything binds just fine and the authentication works as expected.
However, I don't want to run IIS with administrator privs. How do I configure AD LDS so that an app pool in IIS can bind but won't have the kind of elevated privs that can be a security nightmare?
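One way to keep the app pool itself unprivileged, both for the AD LDS case in this post and for the foreign-domain case in the top question, is to bind with a dedicated read-only service account passed explicitly to PrincipalContext rather than relying on the process identity. This is an added example, not code from either post; the host names, DNs, account names and appSettings keys are placeholders.

```csharp
// Added example: validate a user's password against a directory the IIS host
// does not belong to (an AD LDS instance, or an AD domain the server is not
// joined to) using a dedicated low-privilege service account for the bind.
// Requires a reference to System.DirectoryServices.AccountManagement and
// System.Configuration. All names below are placeholders.
using System.Configuration;
using System.DirectoryServices.AccountManagement;

public static class DirectoryLogin
{
    // AD LDS: simple bind over SSL with a read-only service account, then
    // check the user's credentials. The bind account only needs read access
    // to the partition; it is never a directory or local administrator.
    public static bool ValidateAdLdsUser(string userName, string password)
    {
        string server = "adlds-host.example.test:636";       // placeholder host:port
        string partition = "CN=Users,DC=example,DC=test";     // placeholder partition DN
        // Bind credentials come from protected configuration, not source control.
        string bindUser = ConfigurationManager.AppSettings["LdapBindUserDn"];
        string bindPassword = ConfigurationManager.AppSettings["LdapBindPassword"];
        // Simple bind sends the password in the clear, so SSL is mandatory here.
        var opts = ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer;

        using (var ctx = new PrincipalContext(ContextType.ApplicationDirectory,
            server, partition, opts, bindUser, bindPassword))
        {
            return ctx.ValidateCredentials(userName, password, opts);
        }
    }

    // Foreign AD domain: name the domain explicitly and bind with a service
    // account from that domain, so the app pool identity is never used.
    public static bool ValidateDomainUser(string userName, string password)
    {
        string domain = "corp.example.test";                  // placeholder domain
        string bindUser = ConfigurationManager.AppSettings["DomainBindUser"];
        string bindPassword = ConfigurationManager.AppSettings["DomainBindPassword"];

        using (var ctx = new PrincipalContext(ContextType.Domain, domain, null,
            ContextOptions.Negotiate, bindUser, bindPassword))
        {
            return ctx.ValidateCredentials(userName, password);
        }
    }
}
```

Grant the bind account only read rights on the partition (or domain) it queries, and store its password with protected configuration so it does not end up in web.config in plain text.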

Deploy Azure AD WebAPI to IIS, with Windows Authentication enabled, skips Azure AD Authentication

I have a WebAPI that I have successfully secured with Azure AD. When I run it locally (through Visual Studio), trying to access the WebAPI end point via a browser gives me
Authorization has been denied for this request.
Which is what I would expect. Accessing the WebAPI through a client with ADAL library works as it should. A forms login screen pops up, and authenticates me and passes back a token, which I can then use in my WebAPI requests.
Something I wouldn't expect happens if I deploy the WebAPI to an IIS server and have Windows Authentication enabled for the site. When I try to hit the IIS WebAPI endpoint through a browser, I get a Windows Authentication prompt. If I successfully authenticate with Windows Authentication, the WebAPI serves the response.
I guess I would expect that the WebAPI would return the same "Authorization has been denied for this request". Windows Authentication shouldn't authenticate me to the WebAPI if I've configured the WebAPI to use Azure AD authentication.
My question is, is this expected behaviour, and if so, why?
I can see from one perspective that the WebAPI can accept authentication from any method that I've configured. But part of me thinks that since the Azure AD authentication is configured in the WebAPI application, and not IIS, it should take precedence.
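The behaviour in this post can be pinned down on the application side: an ASP.NET Web API 2 / OWIN configuration that discards any principal the host already attached (the IIS Windows principal) and re-authenticates using only the Azure AD bearer middleware, so a request without a valid token is denied regardless of the site's IIS authentication settings. This is an added example rather than the poster's code; the tenant, audience and the Microsoft.Owin.Security.ActiveDirectory 3.x package versions are assumptions.

```csharp
// Added example: Web API 2 on OWIN where only the "Bearer" middleware may
// authenticate a request. Assumes Microsoft.AspNet.WebApi.Owin and
// Microsoft.Owin.Security.ActiveDirectory 3.x. Tenant and audience are placeholders.
using System.IdentityModel.Tokens;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Ignore the principal IIS Windows Authentication put on the request.
        config.SuppressDefaultHostAuthentication();
        // Authenticate again using only the OWIN middleware named "Bearer".
        config.Filters.Add(new HostAuthenticationFilter("Bearer"));
        // Every action requires an authenticated (bearer) principal unless it
        // opts out with [AllowAnonymous].
        config.Filters.Add(new AuthorizeAttribute());
        config.MapHttpAttributeRoutes();
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Azure AD bearer middleware must be registered before Web API runs.
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = "contoso.onmicrosoft.com",                     // placeholder
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens minted for a different API.
                    ValidAudience = "https://contoso.onmicrosoft.com/my-api" // placeholder
                }
            });

        var config = new HttpConfiguration();
        WebApiConfig.Register(config);
        app.UseWebApi(config);
    }
}
```

A quick check after deployment is to request a protected endpoint from a browser on a domain-joined machine: with this configuration the Windows prompt may still appear if IIS Windows Authentication is on, but the API must answer 401 until a bearer token is supplied.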