I have ADFS 2012 R2 installed on a Domain Controller in Azure and I want to remove the role, in fact separate them out. Is it as straight forward as :
Installing another ADFS server in the same site to the ADFS farm
Removing the ADFS role from the Azure DC?
Thanks
J
The current one is your primary and the DNS (e.g. login.adfs.com) points to it.
The new one will be the secondary so when you remove the old one, you need to promote the new one to primary and switch the DNS over.
Related
Using Alfresco Community - 7.1.0, running on a Docker Swarm cluster with Portainer.
I have managed to set up an instance of Alfresco with SSO using Kerberos with an Active Directory server as KDC (with AD users synched through LDAP). All I did was follow the instructions in the Alfresco documentation, so I don't know enough about Kerberos to understand how and why it works.
Right now Alfresco is accessed through a single URL which has the same domain as the AD server (which is also the domain controller). For annoying reasons that I won't go into right now, I need to make this Alfresco accessible through 2 separate external URLs, both of which have
different domains from the AD server.
Do I need to have more than 1 Kerberos realm, or is there a 1 to 1 association between realms and KDCs?
Do I need to map from the internet domain names to the Kerberos realm?
For some reason I'm having a hard time getting my head around this Kerberos stuff...
Alfresco expects only one REALM.
You need to create for every expected url a separate SPN and put all of them into the one keytab for Alfresco.
At least Windows needs to be configured to trust the other domains for SSO/kerberos authentication by putting them into the intranet zone.
Today I have an ASP.NET application where each of dozens of tenants (i.e. customers) have their own URLs, e.g. 'A Company' would have https://acompany.awesomeservice.com. I'm using DNS to direct all tenants to the production web server.
I'd like to have multiple production web servers and assign each subdomain to a single server. e.g. so tenants A, B, C use Server 1 and tenants D, E, F use Server 2. But I don't want to use DNS for this as I'd like to be able to move a tenant to a different web server reasonably fast, for green-blue deployments etc. For example, when doing upgrades I might:
move all tenants to Server 1
upgrade Server 2
move some tenants back who want the new version first
move remaining tenants some days later when everything seems stable
It seems like using IIS URL Rewrite module is an appropriate way to do it. I'd have a separate IIS server or web site for the 'gateway' and have a separate rule per tenant, rewriting the URL to whichever server they have been allocated.
But is this the right way to do it? How does everyone else do it?
I'd create a tool for allocating tenants to different servers, which would use some IIS api to update the URL Rewrite rules (which API?).
As #Lex-Li said in a comment, yes you can do a reverse proxy with ARR & URL Rewrite module and that's what I went with.
A couple of other handy links:
Scott Forsyth's blog post
Steps to redirect based on subdomain, using Server Farms
To update the rules via API, use IIS Administration API or update the config files directly (yuck!?). There's other APIs available too depending on needs.
We have an Asp.net webapplication in production running all these years. Now, the company is creating a new Domain and want the users from the new domain to have access to the Asp.Net web application. The server in which our application is hosted is still in the old domain and it is not going to be changed. The Infra team has given us new AD server name where the new domain resides and asking us to make our application to allow users from the new domain. As far as i know, we don't specify the AD server to authenticate in Web.Config except setting Authentication mode to Windows.
What we need is, we need to allow users from the existing domain and users from the new domain to have access to the application. Please let me know how to do this..Thanks in advance!
Regards,
Bala
You need a Kerberos cross-realm trust. One way should suffice.
I deployed my MVC 4 application on Azure, installed own CA, create self-signed certificate and certificate for server (https working good). How can I activate require client certificates signed by my CA and working only with it?
The two viable options you have, you already described in your comments.
One is to use Azure VM and IIS (I don't like it) - there you know what to do.
The other one is to use a Web Role (Cloud Service) and do the things described in the link you refer to. I advise you to take the Web Role path.
Or third option, is to wait until (if ever) Windows Azure Web Sites to unlock the required property in application host config. Check this SO question and it's answer on what you need to do in your web.config in order to achieve your goal. The catch is that access section under system.webServer/security is locked at application host config level, and can only be unlocked when you have Azure Web Role.
Just fyi, here is a list of overridable sections in your web.config when you use Azure Web Sites.
I have an ASP.NET app. I plan to run several instances of this app on the same server.
Each instance has its own domain, like www.app1.com and www.app2.com.
Each app instance has its own Admin area, that should be SSL protected. You can't install multiple SSL certs on the same machine and port number, so using https://www.app1.com/admin and https://www.app2.com/admin is a no-go.
I would then like to do the following:
Use my appname domain: www.appname.com with an SSL cert, and add an Application to that website in IIS for each client domain I have:
https://www.appname.com/app1/admin & https://www.appname.com/app2/admin.
But that would isolate session state between www.app1.com and https://www.appname.com/app1/admin - even though, they use the same Application Pool in IIS 7.
Is there a way to work around this?
One way I've seen to share session state across different ASP.NET applications is to use one of the other options for storing session state information. Unfortunately I don't have access to IIS 7 at the moment, but assuming it is similar, here's how you configure it in IIS 6:
IIS Management Console
Bring up properties for the applicable virtual directory
ASP.NET tab -> Edit Configuration
State Management tab
The "Session state mode" defaults to InProc, but you can change it for your various application "instances" to use the same SQL Server database.
You can use multiple SSL certificates on the same machine, they just need dedicated IP addresses.
Just a heads up, you don't necessarily need multiple IPs on your server to install multiple domain SSL certificates on a Windows Server in IIS 7. You just need to add them from the command line.
I got a UCC Standard SSL Multiple Domain certificate from GoDaddy and then just added all the domain names I needed to it. You basically just install it to one of the domains that you want and then share it between the others via the command line. My guess is that this is not a best practice for all situations, but it does solve your problem without forcing you to share the secure parts of the app.
Check out this link for directions:
http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html
btw - the admin on each domain name will have to approve it. If the domain names on it ever change, it will invalidate the certificate in all your sites from IIS and all the admins will have to re-authorize the changes.