I have 2 apps in AAD:
Main app → for production use (developers read only)
Dev app → for development (developers have full access)
As I understand in Partner Center we can only set up one app per offer.
But how can I access the same offer from the dev AAD app?
Related
I'm working on on-premise web application (front end hosted on IIS) that currently uses traditional form-based authentication. Our client wants the application to support "single sign on", which basically means he wants the users to automatically log in to the application. AFAIK there are two ways I can take to achieve the desired effect:
Most articles that I found suggest using some kind of Identity Provider system (like Active Directory Federated Services), which my application can communicate with over SAML/OIDC in order to obtain user's claims.
On the other hand, I could set up IIS to use Integrated Windows Authentication and get user claims directly from Active Directory through Kerberos/NTLM. This approach seems easier.
Given that my application will not be used outside of intranet, it is hosted in environments using Microsoft products (Active Directory, Windows Server, users using Windows machines), is there any reason I should consider the first approach?
I have an Azure website (built using VS2015 Community) which uses "social" login for authentication.
I have successfully deployed a working PoC to azure which happily authenticates the user using the Google+ or Microsoft Account authentication services - i.e. the Azure app service is configured correctly to support social login from these two providers.
The problem is that I don't know how to replicate this for development on localhost; when clicking on one of these links (e.g. the MS one) the browser navigates to http://localhost:60380/.auth/login/microsoftaccount and I unsurprisingly get HTTP Error 404.0 - Not Found.
Question: is there a way I can configure my solution/local environment to authenticate using social authentication whilst running on localhost? Service providers such as Google seem to have no issue letting you specify localhost addresses.
My website has some very basic authorization checks that I want to perform, and I obviously want to do this on my dev environment first.
For your reference - HTML / Login links:
Microsoft Account
Google Account
Google API Manager Config - Authorized JavaScript origins
https://[my site].azurewebsites.net
http://localhost:60380
According to your description, I assumed that you are using Authentication/ Authorization of Azure App Service which provides you with an easy way to protect your application without changing any code on your app back-end.
As I known, when your app hosting on Azure then you could take advantage of the "Easy Auth" feature. But while developing locally, I assumed that you need to write your code to support "social" login for authentication. For more details, you could follow this tutorial.
Additionally, you could follow this Architecture of Azure App Service Authentication / Authorization and this tutorial for a better understanding of Easy Auth.
The integrated identity support is a feature of App Service that cannot easily be moved to localhost development. If you need to test locally on your dev machine, you'll need to simulate the identity component yourself.
If you are building a mobile app, there is some support for local debugging which might be helpful: https://github.com/Azure/azure-mobile-apps-net-server/wiki/Local-development-and-debugging-the-Mobile-App-.NET-server-backend
Otherwise, I suggest you create a second web app to use for integrated development/testing. It's not as convenient, but Azure App Service does support remote debugging, etc, through Visual Studio.
I've been battling through the same process. Feels to me like this is a gap - I'd love to see the .auth pipeline included as part of the dev environment.
Currently, I use this the method defined here - https://weblogs.asp.net/pglavich/easy-auth-app-service-authentication-using-multiple-providers, and whilst clumsy, it works for me.
I would like to use Windows authentication to access an ASP.NET application, hosted in a Windows Container (in Windows Server 2016 TP4). For this, I presume I need to add the container to the Active Directory domain. Is it all possible to add a Windows Container (or Hyper-V Container) to a domain? There is no clear documentation from Microsoft on this, and I myself tried adding the container to the domain using PowerShell, but with no luck.
If domain joining a Container is not supported, is there any alternative way to enable Windows Authentication in a web application hosted in a Windows or Hyper-V Container?
Any input will be highly appreciated.
Microsoft recently provided a solution for containers accessing resources using domain credentials: group managed service accounts.
Although Windows Containers cannot be domain-joined, they can also
take advantage of Active Directory domain identities similar to when a
device is realm-joined. With Windows Server 2012 R2 domain
controllers, we introduced a new domain account called a group Managed
Service Account (gMSA) which was designed to be shared by services.
Additionally, here's a guide that walks through the specific steps in detail, covering the following:
Deploying containers with an emulated domain identity is simple, and
based around existing workflows using Windows Server and Active
Directory.
Deploying this feature requires:
An existing Active Directory domain, running at Windows Server 2012 or
later functional level
Windows Server 2016 with the Container role and
Docker installed. This will be referred to as a Container host. These
hosts need to be joined to the domain.
This guide will cover the
following steps to deploy a container in detail:
Create a group Managed Service Account in the Active Directory for
each application/service
Give each container host access to use the
group Managed Service Account
Add configuration files on each
container host that store details about the group Managed Service
Accounts. These will be referred to as Credential Specs
Start
containers with a parameter telling which credential spec to use
Extract of the Windows Containers - Work in progress
"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
We have an Active Directory domain sitting on a networked Azure VM and have a separate Azure WebApp/Website that is running Orchard CMS on the same virtual network.
Do webapps support windows authentication for connecting to Active Directory? If so, how do I go about setting it up in IIS?
No, it's not possible. In order to have Windows Authentication is something for on-premise deployments. For Azure Web Sites Azure Active Directory is clearly the best option. Sync from AD to Azure Active Directory is also quite easy to setup.
If you still want to absolutely use Windows Auth and host your website on Azure, you can create Windows VM and host your website there. You then need to join the VM to your AD. To this, both VMs must be in the same network. So if your VM is on-premise you will need to create an site-to-site VPN
Yes, you can connect your web app to Azure Active Directory.
The simplest option is Azure Easy Authentication
http://azure.microsoft.com/en-us/documentation/videos/azure-websites-easy-authentication-and-authorization-with-chris-gillum/.
That's a one click way to authenticate your site.
You could setup Active Directory Federation Services for Windows AD, and use SAML or OpenID Connect. It would prompt the user for their windows credentials
We have a web application that consists of three main parts:
Web server running ASP.NET 4.5 Web site;
Database server hosting SQL Server 2012;
Another server hosting some Legacy App used by back office;
Relations between parts are as follows:
Web application runs with App Pool Identity set to local user called Foo and consumes database using Entity Framework;
Legacy app consumes database and periodically exports data changes in file system as XML files, folder is shared to local user Foo (local user has the same password as on Web Server) using Windows File Share feature;
Web application monitors file share for new data and imports all the changes if any;
Now we would like to migrate this application to Azure. Unfortunately we have to use VM for SQL Server because our legacy app database uses File Stream feature which is not available on Azure SQL. Also, we need another VM for legacy app.
Currently I have ended up with the following:
Created a new Virtual Network on Azure;
Created a new Azure Website and connected it to VNET using Point-To-Site VPN connection;
Created 2 VM's for SQL Server and legacy app and connected both to VNET, marked network as private network, disabled firewall;
Everything works fine except one thing - Website is unable to access file share located on Legacy App VM. I have tried to enable sharing to Everyone but to no avail.
So, my question: is it possible to access a file share from an Azure website? If not, what alternatives do I have?
I know that we could spin up another VM for Website and then I would have no issues but I would like to use Azure Website to optimize costs and make use of all Azure goodies.
At the time of writing Azure file service SMB shares are only accessible from VMs, Web- and Worker roles. You can use the storage REST.API or client library to access your files from Azure Websites or on-premise. You can get it from nuget.
Install-Package WindowsAzure.Storage
I went through the same exercise of moving a web application that used files to Azure.
Example of what I did.