Active Directory Membership Provider across multiple domains - wcf

I have a WCF authentication service that uses active directory membership provider and provides AD login function and we have this working for one domain A. There is another domain B which is behind the firewall and there is a one way trust relationship between domain A and B. Users from domain B can log onto the domain controller of domain A but not vice versa. The WCF service is on Domain A. I tried to authenticate users from domain B using the service and I received the unknown username or bad password error.
I am wondering if anyone know if the active directory membership provider works across multiple domain with one way trust relationship? I have tried changing the LDAP connection string to point to domain A's domain controller but specify the DC parameter to Domain B and set the connectionUser to DomainB\Username but I received the same error. If I have everything pointing to DomainA I receives the same error too. The domain controllers for A and B can see each other. Does anyone know a solution?
(We can't point the LDAP string to domain B as its behind firewalls)
Thanks in advance

Related

Active Directory: Allow users of different domain to login

We currently have all of our servers in domain A.
But many users from a different department also need to log in on our systems, however, their devices are registered in domain B.
What kind of trust should I set up to allow the users of domain B to log in on our server in domain A.
I assume a one way trust is sufficient to be able to add domain B users to our domain A user groups in the Active Directory? But what direction should it be?
Does that mean that I will be adding the users like domainB\user1 to domainA\group1. Or do I have to redefine domainB\user1 in domain A as domainA\user1 (with the same username and password) and then add domainA\user1 to domainA\group1?
Yes, a one-way trust will likely do. A one-way trust essentially means "Domain A trusts that Domain B users are who they say they are".
So if Domain A trusts Domain B, then you will be able to add Domain B users to Domain A groups.
The opposite will not be true, unless you make a two-way trust.

IIS windows authentication to other domain without trust

I am trying to host a classic asp page in IIS. I have set Integrated windows authentication as an authentication mechanism to access the page.
It works fine.
I have three domains. A, B, C. A and B both are in trust relationship. C is a separate domain. I have installed IIS in the domain C. I have enabled WIA for the page I have hosted. Windows Authentication will/must check for the user level authentication only in the domain C.
Is there anyway to configure windows authentication in the IIS in domain C, authenticate users against domain A and B without adding it to trust? I checked this question which is not very helpful.
I think your best bet is to create an Active Directory server that is accessible by all your domains and then authenticate against it. This design will give you a lot of advantages.
For more details on how to set it up, you can read this article from Microsoft: How Domain and Forest Trusts Work.

WCF security cross domain

I have a WCF service hosted in domain A. It requires Windows authentication and Anonymous Access has been disabled at the IIS level. Everything works as expected until another domain B was introduced. Domain A has absolutely no knowledge of the other domain. So my question is: is there a way to use client configuration hosted in the domain B to pass some credentials to the service that will be authenticated against domain A?
No, unless you create a trust relationship between Domain A and Domain B you will not be able to use Windows authentication.

User in Domain or Outside Domain

I have the following requirement. I have many users log into my system either from within my domain (intranet and on the VPN) or from outside the domain from public internet. I would like to know from where users log in and route them separately. (bind them to specific endpoints on a WCF service)
I tried using the "Environment" variable. But there is one special case that I would like to address. People who have a laptop that is registered in the domain always show as "Being in Domain" even when logging in from an outside network. How do I go about solving this?
Any help would be appreciated.
I'm not sure if you can reliably do this. I think the best course of action would be to have an internal server and an external server (or at least two separate applications, one accessible from the local intranet and one accessible from the internet. When accessing the application internally the companies internal DNS would route to the internal version of the application. And externally would route to the external version of the application.
There are similar questions here,
How to detect if machine is joined to domain (in C#)?
and here
Detecting a users domain in asp.net

Azure app using custom domain with SSL certificate

Could someone explain the steps that one must do to show an Azure application (example.cloudapp.net) in a custom domain (service.example.com), when we want to use a secured connection? So the users browse to https://service.example.com, see it as a certified, trusted domain, and can safely access the application.
Right now, I think that
1) we need a domain (and subdomain) with a static IP from a service provider
2) we need a certificate from a CA for our domain
But I'm not quite sure how the connection between our domain and cloudapp.net should be made. I have found many examples and blog posts, but they tell either how to install a certificate to Azure application or how to show the application in custom domain (without the certificate).
This sounds like a basic requirement, so I'd expect a rather simple solution to exist.
Thanks!
Look at this blog entry
Custom Domain Names in Windows Azure
Basically you need to buy domain name and add some CNAME record in DNS table. The part remaining would be to buy appropriate SSL certificate for your site.
Here is a stop-gap for custom domains: http://www.bradygaster.com/running-ssl-with-windows-azure-web-sites
I do not believe that Azure currently supports using a certificate with a custom domain (see request for feature). In the meantime, you can use CORS.