Azure Active Directory Forms Authentication - asp.net-mvc-4

WAAD login page just does not seem right, especially because of branding. Is it possible to use the WAAD default domain in web.config of a MVC app with forms authentication. For instance:
<connectionStrings>
<add name="WAAD" connectionString="LDAP://mydomain.onmicrosoft.com:389"/>
</connectionStrings>
I tried and get Configuration Error Unable to establish secure connection with the server.

Azure Active Directory can provide you with a claims-based experience but not a forms-based one. You can't yet customise the Azure login page and there's no capability to make an LDAP-based connection to WAAD.

Related

How to call RESTFul WCF service with Forms authentication

Assumptions:
Client is a Web application (ASP.NET) configured for STS Passive Issue
Server is a MVC Application with 2 services (1. Issues a token and other gets metadata)
Server on the other hand configured for Forms authentication and should redirect to Login page if unauthenticated access is made.
Workflow:
end user tries to load client.
It contact the STS by redirecting to the STS server.
The server is configured with Forms authentication with a redirect URL.
But Server does not redirect to login page. instead it allows to call the Issue end point.
I tried to restrict via authorization tag in web.config. Also, i tried location tag to set authorization explicitly. But it still allows the call.
i referred many blogs
How to: Enable the WCF Authentication Service
How to: Customize User Login When Using the WCF Authentication Service
But no luck.
This is easy to achieve with ADFS. Use the following steps if ADFS is your STS:
Navigate to the folder where ADFS web application is located (normally C:\inetpub\adfs\ls)
Make a copy of the current web.config for safety
Open web.config in notepad
Locate
In , change the order of authentication to assure that it lists Forms Authentication first
The order must look like this:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
Save the changes (you do not need to restart ADFS)
Navigate to your application and click on Login. Instead of sending the login request to ADFS, a page containing a login dialog will pop up. Please enter your credential and click ok. Then, you will get the same result as above.
Reference articles:
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part I
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part II

MVC web API identity impersonation

HI all I am developing a web API that will be using identity impersonation (using always the same functional identity valid in my domain) to check the status of configuration files of some servers. To do that, I add this to my web.config file
I also set my IIS server to neglate anonymous authentication and accept windows authentication for web service. However when I try to access the status of the files from a browser I noticed that the API is still using NT AUTHORITY\NETWORK SERVICE as the user and, of course, the access to the remote files is denied. Does anyone have an idea of what am I missing?
Thanks
My fault, forgot to set the Authentication mode to Windows in web.config

Web ReportViewer authentication

I need some help with authentication when using the web reportviewer to view SSRS reports.
In IIS I've set "Windows Authentication" only and unchecked "Anonymous Access" and the other checks in the Directory Security tab. The result in my website is that WindowsIdentity.GetCurrent() returns the ASPNET user and Request.LogonUserIdentity the domain account of the user that logged in. On the page that hosts the ReportViewer control, I programmatically impersonate the Request.LogonUserIdentity, then set all the report/server properties and refresh the ServerReport, however this returns the "The request failed with HTTP status 401: Unauthorized." error and I'm 100% sure the Request.LogonUserIdentity has access to the report. To proof the impersonation worked, WindowsIdentity.GetCurrent() returns the same user as Request.LogonUserIdentity after the impersonation and I'm using the same impersonation when I need to query the database, just with a specific user.
I've noticed that on the ReportViewer1, the ServerReport property has a property for ImpersonationUser, but I'm not able to set this and can't find where to either.
Can anyone shed some light please! I've been working on this for days now....
It's not clear why you need to do impersonation yourself. If you're using Windows Authentication and have disabled anonymous access, then simply let ASP.NET flow the end-user's credentials to Reporting Server. Try adding the <identity> element to your web.config file:
<identity impersonate="true" />
Another issue you might be encountering (if your Reporting Server is on a different machine to your web server) is the NTLM double-hop problem and you may need to configure Kerberos in order to support credential delegation over multiple machines.

Lock down a site using Forms Auth in IIS7 with Windows Auth

I've posted this on Server Fault, but as there is sort of a programming aspect to it, I'll post it here too.
I have an ASP.NET MVC 1.0 application that uses Forms Authentication. We are using Windows Server 2008. I need to lock down the site so that only certain users (in AD Groups) can access the site. Unfortunately, though, when I set the site to not allow anon users and use windows authentication, due to the integration of the site and IIS, it shows the user as signed in as their domain account, instead of allowing them to sign in through Forms Auth.
So, I need a mixed mode authentication. I need the site to be only accessible through windows auth, without anon users, but once you are in, it needs to use forms auth only. How would I go about doing this the right way?
EDIT:
Here's a clarification. The site must work like this.
You go to the URL and a windows auth login pops up. You sign in with a domain accout that has access. If you don't have access, it shows you the 401 error.
If you have access, you hit the site. However, the site doesn't use your windows auth username. It uses forms Auth. So, you have to sigh in to the site using the forms auth.
The problem is, when I set it up to do step 1, it uses your windows username in step 2. I don't want it to do that.
Trick here is to change the provider for your authentication to use Active Directory, rather than change the settings to Windows.
Or, use a version of the following provider:
<add
name="AdProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="YourAd"
applicationName="YourApp"
enablePasswordReset="false"
/>
With a version of the following connection string:
<add name="YourAd"
connectionString="LDAP://[your DC]/OU=[your OU],DC=[your domain],DC=[your extension]"
/>
Authorization-wise, you have some options. If it is based on domain groups, then you'll need to get azman wired up. If it is application controlled, you'll need to line up the AD users with the database-stored roles.
PS: I suck at LDAP connection strings, you can probably do alot more with it than I did.
Well, seems like I answered the wrong question. I'll leave this up for posterity's sake, but you should just try to disable Anonymous Authentication for the site.
I found my answer here:
IIS7 and Authentication problems
The short of it is, in IIS 7 you cannot have two-tiered authentication like you could with IIS 6.

IIS7 and Authentication problems

i've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).
Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup model box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password)/
Now, with IIS7, when i turn Anon Auth off, and turn on Basic or Windows Auth, i get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).
So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password. Those usernames and passwords are for use in the site instead.
does that make sense?
cheers!
<authentication mode="Forms">
<forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
</forms>
</authentication>
there is no authorization section.
also, when i add 'Digest Auth' to iis7 and enable that (and disable everythign else), i get the pop up window (kewl!) but i'm not sure what credentials i need to pass in. Where can i define those credentials manually (so they are seperate from the website's users) ??
IIS7 integrated mode does not support the two phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (windows), followed by asp.net performing its authentication (forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication methods.
You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.