I am not quite sure how to properly phrase this question so I will do my best to explain my issue.
I have a .Net website that works using Active Directory. It works great. No issues. However I have a need to stand-up a new copy of the website for an office that won't have access to Active Directory.
I am trying to come up with any possible solutions that will allow me to accomplish this without having to rewrite large portions of our user code base.
I might have to accept the fact this might take a lot of work but I figured I would try to explore any possible options before I jump into that.
Depending how the site is built, you might be able to set up an AD LDS instance on the web server that would mimic some of the services AD provides. OpenLDAP might do something similar.
You still probably need to change some things on the site, but this might let you get by with changing a lot less.
Does the user :
-Access an IIS hosted site via windows authentication (like on an Intranet) ?
-Access an IIS hosted site using Azure AD (user signs into azure ad or office 365 via browser)?
-Access an azure hosted site using Azure AD (user signs into azure ad or office 365 via browser)?
You might consider some refactoring your application to use Microsoft's Identity framework which will allow you to easily plug and play how your application authenticates.
For .NET framework
Take a look at using ASP.NET Identity
https://learn.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity
For .NET Core
Take a look at using Identity on ASP.NET Core
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-2.1&tabs=aspnetcore2x
By using these frameworks, you can keep your login code the same and change the way the user is authenticated.
Hope this helps! Cheers!
Related
We already have a single authentication process using Active Directory for our home made web sites (simple login and password). Our AD is also on Azure (everything is synchronized).
Now we want 2 factors authentification using this: (Microsoft Authenticator) https://www.microsoft.com/en-us/account/authenticator
I've been searching for an exemple for a while, but most of the tutorials I found are about MVC CORE; I'm not using core, just regular MVC .Net Framework. Furthermore, the only tutorials I found using .Net framework were for Google authenticator, not Microsoft's one.
The intended behavior would be the same as when I connect to office 365, first I enter my password in the web site, then I receive a notification on my cell phone (for exemple), by approving the connection, I can have access to web content.
I'm still trying to figure out if this is even allowed, is Microsoft Authenticator only meant to be used for Microsoft developers or can we random developers use this app for our 2FA needs? Or is there a way to trigger the office 365 authentication windows?
If yes, they don't seem eager to share any code or tutorial for MVC .net Framework. (I'm still searching)
EDIT for comments:
Microsoft auth .Net Core documentation:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa?view=aspnetcore-5.0
Google auth with .Net framework documentation:
https://medium.com/#henryhdelgado/2fa-with-google-authenticator-in-asp-mvc-4788c79c47
EDIT / Solution :
In case someone didn't borther reading the answer's comments, here's what I was actually looking for : https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp
In short: you don't need to do anything (provided that your application authenticates users using OIDC, which it will do if you're using Azure Active Directory or Office 365 with your application). Just flip the switch in your organization's O365 or AAD settings to require TOTP/2FA.
However, if your application is actually authenticating against on-prem AD (whether using Kerberos via the browser shell, or with "Forms authentication") and you can't make your web-application authenticate against AAD/O365 (not on-prem AD) and you don't have AD Federation working, then you're in for a world of pain because getting on-prem 2FA working is a massive undertaking that requires just as much work from your sysadmins as it does from you (and then your question would be closed for being "too broad", sorry!)
Authenticating against AAD/O365 can be done using any OIDC client library, though Microsoft does make a purpose-built library available on NuGet which works in .NET Framework applications in addition to .NET Core: https://www.nuget.org/packages/Microsoft.Identity.Client/ (formerly https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/ )
"Azure Active Directory" (AAD) is a misnomer btw, as it has very little to do with on-prem Active Directory. That said, if you're using Office 365 within your enterprise then you will already have AAD up-and-running - just be aware that it's still completely unrelated to Active Directory (as far as technology is concerned).
Using AAD/O365 for SSO basically means using OIDC (whereas on-prem AD is Kerberos, not OIDC) - so any OIDC library can be used with AAD/O365. The TOTP/2FA part is handled entirely by AAD/O365 so you don't actually need to do anything in your own application to handle TOTP/2FA.
Is there a way to mimic powershell's Get-AzureADUser to read AD properties on given users without having to register the C# console app I am trying to build with Azure?
I know you can run powershell in C# but I am wondering if there is a different route I can take to achieve the same thing WITHOUT registering the app?
Short Answer: No. You will need to register an application with Azure AD to be able to authenticate.
Longer Answer:
AFAIK all of the OAuth 2.0 grants for authentication supported by Azure AD will require some information about the client (i.e. registered application) that is being used to make the authentication call. This would be true whether you use ADAL Libraries or directly hit the relevant token/authorization endpoints.
You may already know but it's worth mentioning that the simplest and recommended way to do authentication/query user data with right privileges will be to register your application with Azure AD.
In fact default setup for Azure AD, is such that it promotes the use case of developers being able to register applications and consent to applications on their own behalf. Read here.. Who has permission to add applications to my Azure AD instance? and at the end it mentions that Microsoft itself uses the same configuration internally.
Full Disclosure: I know that some very knowledgeable people (Microsoft MVP's, Microsoft Azure AD team members) follow the azure-active-directory tag. So even though I think this is the right answer, your question is such that it would make sense to wait for more answers/comments to see if there is anything else possible.
Possible workaround if it suits your scenario:
In case you don't want to register your application just because you don't have permissions to a specific Azure Active Directory tenant, there may be a workaround possible.
You would still need to register your application but with a different Azure AD tenant or with Azure AD B2C, and then make your application as a multi-tenant. See this SO post for more details.
I am building a Xamarin app which will authenticate with Identity Server. I have this working with ASP.NET Identity Core. However, I'd like to be able to use AD as well. The documentation states this is possible but gives no examples. My biggest issue is that I'm using IdentityModel to manage my login calls, and I don't see any calls that seem to relate to AD.
I've discovered IExtensionGrantValidator, but I don't see any way, in that code, to work out the AD user logged in, in the client application. I could obviously make the user my payload, but at that stage it doesn't seem secure enough to me. I could make it work that way easily, but I'm hoping for a way that IdentityServer validates against the AD user, hopefully including that they are associated with a specific role.
I am hoping someone can point me to sample code for using AD (not Azure AD) with Identity Server.
Thanks
Here is the documentation about the Windows Authentication. Also in the AcountOptions.cs set public static bool WindowsAuthenticationEnabled = true;, and have in mind:
to enable windows authentication, the host (IIS or IIS Express) also must have windows auth enabled.
Then in the AccountController.cs you have a method "ExternalLogin" and there you have a check for Windows Authentication, where you can follow what happens, but the important work is the above.
There is a requirement to implement Single Sign On (SSO) in our website so that users accessing it from the intranet won't have to type in their credentials.
The problem here is that the website is going to be hosted on the internet, on a remote server.
Is there some way this can be done?
--EDIT--
I looked at following link:
http://en.wikipedia.org/wiki/Active_Directory_Federation_Services
And the example scenario that is mentioned in there is exactly what we require.
Here is the detailed explanation on the situation:
There is an Active Directory Domain Controller that is used to authenticate users in the intranet.
Once the user logs into the machine, and opens up the remote website, the website should somehow verify that the user is already logged into the intranet using AD credentials and automatically allow access to the website.
Also, the website is supposed to be getting a Security Token that can be used to authenticate the user.
Of course, for example, Microsoft's way of doing that for connecting Office365 to your Intranet is called Active Directory Federation Services.
It is (as most single sign on solutions) not entirely straight forward, and it assumes a domain on your intranet, but since Office365 uses it, it is and will most likely continue to be well supported in the future.
It's just a matter of integrating your web app with the authentication provider that you are using for SSO. The details are going to vary dramatically if your using OAuth vs. Shibboleth vs. ADFS vs. etc, so there really isn't enough information in your question to give a helpful answer.
As an organisation, we use Google Apps. We have the paid version (mapped to our domain) etc...
We are developing a web based application to manage orders, and other business functionality.
I want to be able to use federated login with our google apps accounts-
For example, if a user is logged in to their email (gMail) - they should automatically be logged in to our ASP.net application
If they're not logged in - the log in form should auth. against our google apps account.
How can this be done?
Is it possible to be able to "get" the user who is currently logged in using this method etc...?
Sure, use dotNetOpenAuth. It's recommended by OpenId library and it should be easy in use. As far as google provides OpenId interface there should be no problem with using it in your application.
Stackoverflow is successfully using it and I'm logged here always when I'm logged on my google account.
Just doing a quick search through Google's API documentation, it sounds like you need to use Google's implementation of OAuth protocol.
If you have not yet started developing, you could even considering developing for Appengine - using python or Java (though I would prefer Python myself).
Advantage is that it has a much closer integration with Google Apps services and it will be much easier to build further functionality that works with Google apps (docs/mail etc). Besides this, there arent too many hassles for hosting the app.