Access Control Service 2.0 available for Windows Server? - acs

I want to rely on Windows Identity Foundation for my web site and web services authentication. Is ACS available for Windows Server? Do I have to rely on Azure, or can I run it in my hosting environment?

The functional equivalent of ACS on-premises is ADFS (Active Directory Federation Services). Look at V2. It is a component of the OS.
I say "equivalent" because it is an STS, but there's no parity between ACS and ADFS. Some things are the same, but not everything.

Related

Single Sign On with Identity Provider vs Integrated Windows Authentication with IIS

I'm working on an on-premise web application (front end hosted on IIS) that currently uses traditional form-based authentication. Our client wants the application to support "single sign on", which basically means he wants the users to automatically log in to the application. AFAIK there are two ways I can take to achieve the desired effect:
1. Most articles that I found suggest using some kind of Identity Provider system (like Active Directory Federation Services), which my application can communicate with over SAML/OIDC in order to obtain the user's claims.
2. On the other hand, I could set up IIS to use Integrated Windows Authentication and get user claims directly from Active Directory through Kerberos/NTLM. This approach seems easier.
Given that my application will not be used outside of the intranet and is hosted in environments using Microsoft products (Active Directory, Windows Server, users on Windows machines), is there any reason I should consider the first approach?

How to deploy asp.net webapp in azure virtual machine

I am quite new to Azure and need a quick pointer on how to host an ASP.NET website in an Azure VM. Thanks for your help in advance.
A little background...
We were using a Windows Server 2012 R2 and were hosting the site in IIS 6. This was an intranet site. Now we are migrating to the public cloud so that it is accessible over the internet. For this we have acquired an Azure VM (Windows OS). We have installed Visual Studio 2013 and SQL Server 2012 here. I have installed the Azure core SDK too.
Here are my questions:
1. What do I use instead of IIS to host? (Because I am not able to find any related app in the Azure VM.)
2. Do I need to buy any more licenses for the same?
3. Should I host it in IIS only, and because it is in the public cloud, will it be accessible over the internet?
Appreciate your help!
Since you have chosen the Infrastructure as a Service (IaaS) route, you simply have to replicate the setup that you have on-premises.
If the IIS component is not there, you just have to enable it in Windows Features.
If you do not want to use IIS, you can explore self-hosted ASP.NET applications.
Since you have chosen the Windows Server VM image and created the VM, you do not need to pay anything additional for the Windows license.
By default only 2 endpoints (ports) will be open in a Windows VM: one for Remote Desktop and the other for PowerShell remoting.
Refer to this post for enabling endpoints for your hosted applications:
https://learn.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-classic-setup-endpoints
You basically have two options:
Use Azure PaaS - Here you would host your existing application as a Cloud Service using a web role and an Azure SQL Database. This might mean some changes to the existing application but would need less management from you. You can find the migration steps here.
Use Azure IaaS - This is pretty much what you are trying to do. Host your application on a VM and manage all the required software (IIS, SQL Server, etc.) on your own. Although this option might be easier in terms of migrating your application, it involves managing the infrastructure on your own. Here is a link on how to install IIS on an Azure VM.
You don't need any additional licenses since you are paying for the VM, which includes all required licenses. In case you decide to use SQL Server as IaaS, you can also use your existing SQL Server license when running SQL Server on an Azure VM.
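The "enable IIS in Windows Features" and "open an endpoint" steps from the two answers above, written out as an added example (not from either answer or from Microsoft's documentation). It is meant to be run in an elevated PowerShell session on the Windows Server VM itself; it assumes Windows Server 2012 R2 or later (ServerManager and NetSecurity modules), and it only handles the guest side: the Azure platform endpoint or NSG rule for port 443 still has to be opened separately, as the first answer describes.

```powershell
# Added example: install IIS on the VM and open only the HTTPS port on the guest
# firewall. Assumes an elevated session on Windows Server 2012 R2+.

# 1. Enable the IIS role with its management tools, plus ASP.NET 4.5 so the
#    application pool can run managed code (feature names are the standard
#    ServerManager names).
Install-WindowsFeature -Name Web-Server, Web-Asp-Net45 -IncludeManagementTools

# 2. Open only the port the public site needs. Port 80 stays closed, which keeps
#    the site HTTPS-only; the RDP and PowerShell remoting endpoints that exist by
#    default do not need a matching rule here and should not be reachable from
#    the internet at all.
New-NetFirewallRule -DisplayName 'Allow HTTPS to IIS (added example)' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

# 3. Verify: the web service is running and, once an HTTPS binding has been
#    added to the site, a listener exists on 443.
Get-Service -Name W3SVC | Select-Object Name, Status
Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Until an HTTPS binding with a certificate is attached to the site, the last command returns nothing; that is the check that tells you whether the site is actually listening on the port you opened, independent of what the Azure endpoint configuration says.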

Difference between Integrated Windows Authentication and Windows Digest Authentication in ASP.NET

I am working on ASP.NET web application that will be used on intranet and need to implement authentication using Active Directory domain accounts.
From what I understand there are 2 possible options:
1. Integrated Windows Authentication
2. Windows Digest Authentication
Can I use either of them? It is clear that Windows Digest Authentication supports authentication using Active Directory domain accounts. Integrated Windows Authentication definitely can use local Windows accounts but I am not sure about AD accounts.
I can now answer my own question because I completed my implementation for this: Integrated Windows Authentication can use AD account just the same way as local Windows account.
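Configuring the option the self-answer settled on (Integrated Windows Authentication against AD accounts) for a single IIS application, as an added example that is not part of the original post. It assumes IIS 7.5 or later with the WebAdministration module, an elevated session on the IIS host, and a hypothetical application path 'Default Web Site/IntranetApp'. The settings are written to applicationHost.config through a location tag because the windowsAuthentication section is locked against web.config overrides by default.

```powershell
# Added example: turn on Windows Authentication for one IIS application and
# verify the effective settings. Paths and the application name are hypothetical.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'        # applicationHost.config
$site    = 'Default Web Site/IntranetApp'   # hypothetical site/application path

# Windows Authentication: Negotiate first (Kerberos), NTLM as fallback. Domain
# accounts are validated by the DC, local accounts by the host's SAM.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# Anonymous off, so every request carries an authenticated domain identity
# instead of falling through to the app pool identity.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false

# Digest off: both modules validate against AD, so only one is needed. The
# section only exists if the Web-Digest-Auth feature is installed, hence the
# SilentlyContinue.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/digestAuthentication' `
    -Name enabled -Value $false -ErrorAction SilentlyContinue

# Verify the effective state of each authentication module for the application.
foreach ($module in 'windowsAuthentication', 'anonymousAuthentication', 'digestAuthentication') {
    $setting = Get-WebConfigurationProperty -PSPath $appHost -Location $site `
        -Filter "system.webServer/security/authentication/$module" -Name enabled `
        -ErrorAction SilentlyContinue
    if ($setting) { '{0,-24} enabled={1}' -f $module, $setting.Value }
}
```

On the ASP.NET side the application's web.config still needs `<authentication mode="Windows" />` so that `HttpContext.User` is populated from the IIS-authenticated identity; the IIS settings above decide who gets through, the ASP.NET setting decides whether the application sees them.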

ACS settings in Windows Azure cscfg

We have an ASP.NET MVC web application configured to use ACS and deployed on Windows Azure.
The application has all ACS settings, like the realm, in the web.config file.
Is it possible to have all ACS settings, or at least the realm setting, in the Windows Azure cloud service configuration file, so that it can be modified directly from the portal at any time and there is no need to re-deploy the application?
Any help on this will be appreciated.
Yes. Vittorio describes a solution in his blog post at http://www.cloudidentity.com/blog/2011/05/31/EDIT-AND-APPLY-NEW-WIF-S-CONFIG-SETTINGS-IN-YOUR-WINDOWS-AZURE-WEBROLE-WITHOUT-REDEPLOYING/.

How to pass on user's identity from web application hosted in one IIS to the web service hosted in another IIS?

I have a web application (developed in ASP.net 4.0) hosted in IIS 6.0 on Windows Server 2003 R2 machine. Integrated Windows Authentication is turned on for this web application.
I have hosted a web service (developed using WCF) in IIS 7.5 on a Windows Server 2008 R2 machine. Windows Authentication is enabled for this web application too.
I log on to my local machine using my windows domain account. When I browse the web application, it asks me my domain username and password. In web app, I get my identity correctly.
From my machine (using some other Winform app), if I call the same web application (of a web service), service code executes under my windows identity.
So Integrated Windows Authentication works fine independently for both the web apps hosted in separate IIS on different machines.
Problem comes when the web application is browsed from my local machine and web page calls the service internally. In this case, "service does not run under my windows identity" as expected. It either runs under identity of the application pool of either asp.net web app or the web service's web app.
I don't want my web service to take responsibility of authenticating the user. It would use simple basicHttpBinding. It will just read name of the user using CurrentPrincipal or HttpContext etc. Validating user's identity should be done by the IIS only.
Can someone help me to pass on my windows identity from one IIS to another?
You need to set up Kerberos delegation, as the identity won't be passed to another machine by default.
https://web.archive.org/web/20190419225807/https://blogs.technet.microsoft.com/askds/2008/11/25/fun-with-the-kerberos-delegation-web-site/
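The Active Directory side of the Kerberos delegation the answer refers to, as an added example that is not from the answer or the linked article. It assumes the ActiveDirectory module (RSAT) run by an account allowed to modify the objects, and hypothetical names: the front-end ASP.NET application pool runs as the domain account `svc-webapp` on the host `webapp.corp.example.com`, and the WCF service runs under the computer account of `wcfhost.corp.example.com`. It uses constrained delegation (the front end may forward the user's identity only to the one SPN it needs) and ends with a check for accounts left on unconstrained delegation.

```powershell
# Added example: SPNs, constrained delegation and a delegation audit for the
# two-hop scenario in the question. All host and account names are hypothetical.
Import-Module ActiveDirectory

$frontEndAccount = 'svc-webapp'                   # runs the ASP.NET app pool
$frontEndSpn     = 'HTTP/webapp.corp.example.com' # URL the browser uses
$serviceSpn      = 'HTTP/wcfhost.corp.example.com'# URL the web app calls
$serviceHost     = 'wcfhost$'                     # computer account of the WCF host

# 1. SPNs. The browser can only obtain a Kerberos ticket (NTLM cannot be
#    delegated) if the front end's URL maps to an SPN on the account that runs
#    it; the same holds for the back-end service. setspn -S refuses duplicates.
setspn -S $frontEndSpn $frontEndAccount
setspn -S $serviceSpn  $serviceHost

# 2. Constrained delegation: the front-end account may present the user's
#    identity to this one SPN and nothing else. An account that also carries
#    the TRUSTED_FOR_DELEGATION flag is unconstrained regardless of this list,
#    so that flag is deliberately left unset here.
Set-ADUser -Identity $frontEndAccount -Add @{ 'msDS-AllowedToDelegateTo' = $serviceSpn }

# 3. Verify what the front end is now allowed to delegate to.
Get-ADUser -Identity $frontEndAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, msDS-AllowedToDelegateTo

# 4. Audit: any user or computer with userAccountControl bit 0x80000
#    (TRUSTED_FOR_DELEGATION) can forward a caller's ticket to any service;
#    the list should normally contain only domain controllers.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties samAccountName |
    Select-Object samAccountName, ObjectClass, DistinguishedName
```

Two application-side settings are still needed for the second hop to carry the user rather than the app pool identity: the front-end web.config must impersonate the caller (`<identity impersonate="true" />`), and the WCF client's Windows credential has to permit delegation (`allowedImpersonationLevel="Delegation"` under `<clientCredentials><windows .../>`); with those in place the service sees the browser user's identity as the question asks, and IIS on the service host, not the service code, is what validated it.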
