We have internet web applications for our company with which we want to authenticate employees.
We set up ADFS 2016 and this works internally on the intranet, and now we have set up Web Application Proxy (WAP) to authenticate the employees externally.
We have a DNS A record on the internet for the WAP server.
When the client tries to access a web app, they get the login page as expected. When the button is clicked for employees (this is the normal MVC template with Identity 2), the client gets redirected to the ADFS URL, which is not resolvable since there is no DNS record.
I read where we are supposed to use split DNS and I think that means we are supposed to create a public DNS record for the ADFS server. If we do that, what is the purpose of the WAP?
WAP is an ADFS proxy too. Externally you access ADFS at the WAP. Your ADFS external DNS should point to the WAP IP address.
I have an ASP.NET website for domain A users with Integrated Windows Authentication.
Now users from domain B need to access the website.
But Domain B users receive a pop-up window to input their authentication information when they access the website.
My question is:
How do I configure IIS or Windows Server to allow Domain B users to access the website without the pop-up window for authentication, just like the users from Domain A?
There are two requirements:
Domain A needs to trust Domain B, and
On the users' computers, the website needs to be added to the Trusted Sites in the Windows Internet Options. This tells Chrome and Edge that they can automatically send the credentials of the logged in user. Firefox can do it too, but has its own setting for it.
I have a problem regarding RODC forwarding.
There is a WPF application calling a WCF service configured with Net.Tcp binding and Windows Authentication (like here: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-a-windows-client) in an off-site scenario.
At that off-site location there is only an RODC installed, for security reasons. Now the problem is that when WCF asks for the Kerberos ticket on the client side (WPF), it asks the RODC and this controller redirects its requests to the RWDC (which is somewhere else, over a slow connection).
So the calls get very slow and sometimes also have timeouts because of AD communication.
So is there a way to tell WCF to use the RODC with cached credentials, so that the RODC could respond with the Kerberos ticket directly?
Thanks very much in advance for your input.
• When a user/service authenticates to an RODC, a check is performed to see if the password is cached. If the password is cached, the RODC will authenticate the user account locally. If the user’s password is not cached, then the RODC forwards the authentication request to a writable Windows Server Domain Controller which in turn authenticates the account and passes the authenticated request back to the RODC. Once the user account is authenticated, the RODC makes another request for the replication of the user’s password in a unidirectional replication providing the account has been configured to allow replication. Thus, please check your credentials are cached correctly in credential manager/vault in Control Panel.
• In your case, if you want WCF to prioritize authentication requests of cached credentials to send them to the RODC, you should configure the weight of the RODC higher than the other DCs for your site, as authentication is managed by Sites and Services in an AD environment. As you said, it is an off-site location where you have set up an RODC for security reasons, so configure the respective sites and their related subnets in the Primary Domain Controller correctly, so that authentication requests in that site are redirected to the DC in that subnet/site accordingly. This might help you resolve your authentication redirection problem.
You can also do the following for prioritizing the RODC for authentication in that site:
Move the RODC to a new site in Active Sites & Services, then assign the subnets to that new site. Remember to create site links to link the new site to the others.
Set LdapSrvPriority to zero for the RODC and increase it to a higher value for the writable DCs. (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority)
I've managed to set up two virtual machines on my local Windows 7 laptop. Both of them are Windows Server 2008 R2. One acts as the Active Directory Domain Controller and also as Active Directory Federation Services, and the other as the web app server. This second one is where I've set up my claims-aware ASP.NET MVC web application, and I also plan to set up ThinkTecture Identity Server later as my way to authenticate against custom usernames and passwords outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include:
Configure first server as Domain Controller and add domain account store (add user as testing -> this user belongs to Domain Users Group).
Configure first server also as active directory federation services.
Configure relying party trust identifier from federation metadata generated from FedUtil.exe on the second server.
Configure group claim mapping and assign Domain Users to this group.
Configure web apps server to be claims aware agent.
The one thing that has always troubled me is that every time I access my apps, it successfully prompts a login dialog box. Once I enter my AD account and password, it always gives me the following error message: "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work? Any suggestions and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see a list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?
My MVC 4 application (https://testapp.com) with WIF and Windows authentication is on Domain A, and my ADFS and users are on Domain B.
Requirement: Users in Domain B will browse my application https://testapp.com which is hosted in Domain A and my application should use their local windows user creds and redirect to the ADFS in Domain B.
I believe I don't require an AD cross-domain trust between A and B, and that is what ADFS and SAML authentication are meant for.
I don't see much material for reference on such scenarios either. Kindly help me understand how to configure such an MVC application in Domain A.
You need to establish a trust between your MVC4 application and your ADFS. In ADFS lingo this is called a "Relying Party". You will need to have an endpoint in your application that accepts an HTTP POST message and processes the payload generated by ADFS.
I had to recreate these a long time ago, but you can spare yourself the pain. There are more options available:
http://saml2.codeplex.com/ (open source)
http://www.componentspace.com/Products/SMLv20.aspx
Configuring ADFS can be tricky, but there are a lot of guides out there.
I have an application in domain A and would like it to use domain B credentials to access domain B content. These domains have no trust. Is it possible to challenge a user in domain A, and get them to input credentials for domain B? Then use these credentials to authenticate in domain B. Meaning we bypass domain A's Kerberos Distribution Center (KDC).
I have no problem getting this to work inside a single domain, meaning impersonating the challenged user and maintaining an impersonation level of delegation. However, MS documentation says that the application in domain A will use its KDC to issue a ticket (or fail to issue the ticket) and this will cause my service in domain B to drop to NTLM.
Is it possible to force my service in domain A to use domain B's KDC? I could be way off base here.
The architecture is Microsoft WCF services.
Thanks,
Kevin
The quick answer is NO, you cannot pass credentials across domains without the two domains having some level of trust.
However, I got around this by using ASP.NET forms authentication. When the user's credentials from domain A fail, I effectively get them to input the credentials from domain B and redirect them to an "Authentication" MVC controller that scrapes the user identity and then encrypts it in an ASP.NET forms authentication cookie. This is returned in the response header. All subsequent requests are made with this cookie and I check for the authenticated user in the session cookie. Not as elegant as delegation, but it works.
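The fallback this answer describes, written up as an added illustration rather than the answerer's own code: the credentials entered for domain B are validated directly against that domain's directory with System.DirectoryServices.AccountManagement (an assumption, since the answer does not say how it validated them), and on success only the identity, never the password, is encrypted into the forms authentication cookie. The domain B name is a placeholder.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added illustration of the forms-authentication fallback described in the answer;
// the domain B name is a placeholder and validation via PrincipalContext is an assumption.
public class AuthenticationController : Controller
{
    private const string DomainB = "domainb.example";   // placeholder

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        // Validate the entered credentials against domain B's directory, not the
        // caller's domain A logon session, so no trust between A and B is required.
        bool valid;
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainB))
        {
            valid = ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate);
        }
        if (!valid)
        {
            ModelState.AddModelError("", "Invalid domain B credentials.");
            return View();
        }

        // Encrypt only the identity into the forms ticket; the password is never stored.
        var ticket = new FormsAuthenticationTicket(
            1, DomainB + "\\" + userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Empty, FormsAuthentication.FormsCookiePath);
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
                                            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // not readable by script
            Secure = true      // only sent over HTTPS
        });

        // Redirect only to local URLs so the login endpoint is not an open redirect.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

With forms authentication enabled in web.config, FormsAuthenticationModule decrypts this cookie on every later request and populates User.Identity.Name, which is the per-request check the answer refers to.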