Accessing ADFS from outside corporate network - azure

I'm trying to authenticate a SPA against an Active Directory.
My understanding so far is:
- using ADFS as an STS for getting tokens
- using ADAL.js for simplifying communication with ADFS
In order to set up a proof of concept, I created a virtual machine on Azure based on Windows Server 2016, then installed AD and ADFS.
ADFS works correctly when I am on the virtual machine; I can see its metadata URL over HTTPS.
Now I would like to develop my SPA from my development machine, but I cannot reach the ADFS endpoint from outside Azure.
The question is: is it correct/allowed to try to authenticate from a computer outside that network?
I read about many possibilities without finding a solution:
- using ExpressRoute for establishing a VPN
- using an ADFS proxy
- joining the AAD
Thank you.

Definitely - I do it all the time.
No - you don't need ExpressRoute / a proxy.
In your VM configuration in Azure under "Overview", are you using the DNS name you see there?
Under "Networking", have you enabled HTTP and HTTPS?
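An added example (not the question's or the answer's own code) of the two steps the answer points at, done with the Az PowerShell module: open HTTPS inbound on the VM's network security group, restricted to the developer's own public IP rather than the whole Internet, then check from the developer machine which endpoints ADFS hands out. Resource group, NSG, public IP resource, federation service name and developer IP are placeholders. One caveat worth knowing: ADFS publishes its endpoints under the federation service name given at install time, so if that name is not the Azure DNS label, the developer machine needs a hosts entry (or DNS record) that resolves it to the VM's public IP, and the ADFS certificate has to be trusted there.

```powershell
# Added example, not part of the original thread. Requires the Az module and
# Connect-AzAccount. All names below are placeholders.
$rg      = 'rg-adfs-poc'          # assumption: resource group of the ADFS VM
$nsgName = 'adfs-vm-nsg'          # assumption: NSG attached to the VM's NIC or subnet
$pipName = 'adfs-vm-ip'           # assumption: the VM's public IP resource
$fsName  = 'fs.contoso.local'     # assumption: federation service name chosen at ADFS install
$devIp   = '203.0.113.10'         # assumption: developer workstation's public IP (TEST-NET-3)

# 1. Inbound HTTPS from the developer machine only. A source of '*' would expose
#    the federation service to the whole Internet; publishing ADFS that way is
#    the job of a Web Application Proxy in a real deployment.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-Dev' `
    -Description 'ADFS endpoints for SPA development' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
    -SourceAddressPrefix "$devIp/32" -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 2. The Azure DNS label (shown under "Overview") and the federation service
#    name must both lead to the VM's public address; ADFS advertises the latter.
$pip = Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg
"Azure DNS label : $($pip.DnsSettings.Fqdn) -> $($pip.IpAddress)"
"hosts entry     : $($pip.IpAddress) $fsName   (C:\Windows\System32\drivers\etc\hosts on the dev box)"

# 3. From the developer machine: is ADFS answering, and where will it send the
#    SPA? Windows PowerShell 5.1 rejects an untrusted self-signed certificate;
#    import the ADFS certificate into Trusted Root, or use PowerShell 7 with
#    -SkipCertificateCheck for this check only.
$meta = Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
"metadata HTTP status: $($meta.StatusCode), entityID: $(([xml]$meta.Content).EntityDescriptor.entityID)"

$oidc = Invoke-RestMethod -Uri "https://$fsName/adfs/.well-known/openid-configuration"
"issuer                 : $($oidc.issuer)"
"authorization_endpoint : $($oidc.authorization_endpoint)"
"token_endpoint         : $($oidc.token_endpoint)"
```

The authorization_endpoint host printed at the end is what ADAL.js will redirect the browser to; if it does not resolve from the developer machine, the SPA will fail at sign-in no matter what the NSG allows. Remove the Allow-HTTPS-From-Dev rule when the proof of concept is done.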

Related

Connect another server on azure App Service

I have a website on a Namecheap server and an application on Microsoft Azure deployed on Azure App Service. I would like to send POST requests from my Namecheap server to Azure, which contains the application. My question is: is this possible, and also, isn't there a security risk?
Thank you for your help.
Web applications are accessed through HTTP requests. The security risk you mentioned does not exist.
In a web app, the security of the application's data is what we need to care about.
After authentication, the data can be created, read, updated and deleted according to the caller's permissions, to ensure the security of the program.
It is recommended that you add an authentication function to your Azure Web App program, such as a JWT token.
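The answer's JWT suggestion, shown as an added example that is not the answerer's code: the calling (Namecheap) side mints a short-lived HS256 token with a shared secret and sends it as a bearer token; the App Service side verifies the signature in constant time, refuses any token whose alg header is not the one it issues, and checks expiry and audience before acting on the POST. Secret, audience and URL are placeholders, and the secret belongs in App Service application settings, not in source. It is in PowerShell to match the rest of the page; the checks are the same whatever the App Service is written in.

```powershell
# Added example, not from the original answer. Runs stand-alone: it mints a token,
# verifies it, then shows a tampered token being rejected.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

# Caller side: a token bound to an audience and valid for a few minutes only.
function New-HmacJwt([string]$Secret, [hashtable]$Claims, [int]$LifetimeSeconds = 300) {
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $Claims['iat'] = $now
    $Claims['exp'] = $now + $LifetimeSeconds
    $header  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"HS256","typ":"JWT"}'))
    $payload = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($Claims | ConvertTo-Json -Compress)))
    $hmac    = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($Secret))
    $sig     = ConvertTo-Base64Url ($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes("$header.$payload")))
    "$header.$payload.$sig"
}

# App Service side: verify before trusting a single claim.
function Test-HmacJwt([string]$Secret, [string]$Token, [string]$ExpectedAudience) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'malformed token' }
    $header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    # The verifier decides the algorithm, never the token ("alg":"none" attacks).
    if ($header.alg -ne 'HS256') { throw "unexpected alg '$($header.alg)'" }
    $hmac     = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($Secret))
    $expected = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes("$($parts[0]).$($parts[1])"))
    $actual   = ConvertFrom-Base64Url $parts[2]
    # Constant-time comparison: do not stop at the first differing byte.
    if ($expected.Length -ne $actual.Length) { throw 'bad signature' }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $actual[$i]) }
    if ($diff -ne 0) { throw 'bad signature' }
    $claims = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if (-not $claims.exp -or $claims.exp -le $now) { throw 'token expired' }
    if ($claims.aud -ne $ExpectedAudience) { throw 'wrong audience' }
    $claims
}

$secret = 'replace-with-a-long-random-value-from-app-settings'   # assumption: shared secret
$aud    = 'https://myapp.azurewebsites.net'                       # assumption: App Service hostname

# Namecheap side
$jwt = New-HmacJwt -Secret $secret -Claims @{ iss = 'namecheap-site'; aud = $aud; sub = 'contact-form' } -LifetimeSeconds 120
# Invoke-RestMethod -Method Post -Uri "$aud/api/messages" -Headers @{ Authorization = "Bearer $jwt" } `
#     -ContentType 'application/json' -Body (@{ text = 'hello' } | ConvertTo-Json)

# App Service side, before touching any data
$claims = Test-HmacJwt -Secret $secret -Token $jwt -ExpectedAudience $aud
"accepted request from $($claims.iss) ($($claims.sub)), exp $($claims.exp)"

# A modified token must fail
try { Test-HmacJwt -Secret $secret -Token ($jwt.Substring(0, $jwt.Length - 2) + 'xx') -ExpectedAudience $aud }
catch { "rejected tampered token: $_" }
```

A shared-secret token only proves the caller knows the secret; rotate it if the Namecheap host is ever compromised, and keep the lifetime short so a captured token is useless soon after.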

Use Azure AD to Authenticate Website running on VM

Right now we have AD set up so access to our App Service is authenticated. But we need the website to have local access to some special applications. Since we can't install applications on App Service, I THINK that means we need to run the website on a VM.
If that's the case, I'd like not to lose the ability for Azure AD to authenticate access to our VM. I'm sure we can use Azure AD to authenticate us while we RDP to the server, but can it also be used when we expose our web application over HTTPS from the server?
Since we can't install applications on an App Services, I THINK that means we need to run the website on a VM
Even though a VM is the simplest option, you do have other options to at least consider. Here is Microsoft's documentation comparing the various options along with scenario-based recommendations.
Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison
Quick Note:
Amongst the options discussed, avoid Cloud Services (classic) as far as possible, as they are legacy and on their way out. Also, if you still choose virtual machines, do consider Virtual Machine Scale Sets for better scale and management options.
I'm sure we can use Azure AD to authenticate us while we RDP to the server, but can it also be used for when we expose our Web Application over HTTPS from the server?
Yes, it can be used even when you expose your web application over HTTPS from the server. Exposing it over HTTPS only involves opening up the port through NSG rules and configuring SSL settings for your application in IIS. This will not impact your ability to RDP into the VM.
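The IIS and NSG part of that answer as an added example (not the answerer's code): an HTTPS binding with SNI on the VM's site, the plain-HTTP binding removed because Azure AD only returns sign-in responses to HTTPS reply URLs, and a read-only audit of the NSG so that 443 is what is open to users while RDP is not exposed to the Internet. Site name, host name, NSG and resource group are placeholders; the binding half runs on the VM (WebAdministration module), the audit half anywhere the Az module is signed in.

```powershell
# Added example, not from the original answer. Names are placeholders.
Import-Module WebAdministration
$site     = 'Default Web Site'   # assumption: IIS site hosting the web application
$hostName = 'app.contoso.com'    # assumption: public name users (and the Azure AD reply URL) use

# Certificate for the public name must already be in LocalMachine\My (imported or from an ACME client).
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" } | Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw "no certificate for $hostName in LocalMachine\My; import one first" }

# HTTPS binding with SNI (SslFlags 1), certificate attached to it
New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
$binding = Get-WebBinding -Name $site -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($thumbprint, 'my')

# No plain HTTP: the OpenID Connect reply URL registered in Azure AD has to be https://
Get-WebBinding -Name $site -Protocol http | Remove-WebBinding

# NSG audit (Az module): list what is allowed in, and flag RDP reachable from anywhere
$nsg = Get-AzNetworkSecurityGroup -Name 'web-vm-nsg' -ResourceGroupName 'rg-web'   # assumption
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize

$rdpOpen = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    $_.DestinationPortRange -contains '3389' -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
}
if ($rdpOpen) {
    Write-Warning "RDP (3389) is reachable from the Internet via rule(s): $($rdpOpen.Name -join ', ')"
}
```

Opening 443 is a normal Add-AzNetworkSecurityRuleConfig rule with destination port 443 and a wide source; 3389 should keep an admin-range source (or be replaced by Azure Bastion / just-in-time access), which is what the final check is for.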

Constrained delegation (Kerberos) only working using localhost

We have developed a Web API application that runs on IIS 6.2. That API uses Integrated authentication, so the operations are executed in the user context of the user that is calling the API.
Apart from that, because some of those operations execute remote actions on another server in the platform, we used constrained delegation (Kerberos) to manage the Kerberos double hop and be validated on the remote server as the user calling the API.
We made the configuration changes in IIS (enabling Windows authentication) and we enabled "Trust this computer for delegation to any service (Kerberos only)" in AD for the server running IIS.
The current status is: if we access the API using localhost, everything works as expected. However, if we access it using the FQDN or even 127.0.0.1, it fails with Unauthorized when the API call that executes the remote operation behind the scenes returns.
Does anyone know how we can fix this configuration issue?
Thanks
Sounds like you did everything right... except you didn't (or haven't yet) set the SPN properly in AD for the principal (computer/server object) that represents the web service running on the target server. For example, if the server name is server1 and the AD and DNS domain name is acme.com, then the SPN for the server in AD would need to be HTTP/server1.acme.com. Ref: Setting up Kerberos Authentication for a Website in IIS
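An added example (not the answerer's code) of checking and fixing what the answer describes, with the ActiveDirectory module and setspn. server1 and acme.com are the answer's names; the back-end server and the account the app pool runs as are placeholders. Two points a practitioner would add: the SPN has to sit on the account whose credentials IIS uses to decrypt the ticket, which is the computer account for the built-in pool identities but a custom domain service account otherwise (and in that case windowsAuthentication needs useAppPoolCredentials="true"); and the option named in the question, "Trust this computer for delegation to any service (Kerberos only)", is unconstrained delegation, whereas constrained delegation names the back-end services explicitly.

```powershell
# Added example, not from the original answer. Run as a domain admin with RSAT.
Import-Module ActiveDirectory
$webServer  = 'server1'            # IIS host from the answer
$webFqdn    = 'server1.acme.com'
$identity   = 'server1'            # assumption: app pool runs as ApplicationPoolIdentity/NetworkService,
                                   # so the computer account owns the SPN; use 'acme\svc_api' for a custom account
$backEnd    = 'server2.acme.com'   # assumption: the remote server the API calls on the user's behalf
$backEndSpn = "HTTP/$backEnd"      # assumption: back end is a web service; use cifs/, MSSQLSvc/ ... as appropriate

# 1. Who owns HTTP/server1.acme.com? Kerberos is only attempted when the client finds
#    an SPN for the name it connected to: HTTP/127.0.0.1 never exists, and an unregistered
#    FQDN makes Negotiate fall back to NTLM, which cannot be delegated to a second hop.
setspn -Q "HTTP/$webFqdn"
setspn -X                          # duplicate SPNs anywhere in the forest also break Kerberos

# 2. Register short and FQDN forms on the identity IIS actually uses (-S refuses duplicates).
setspn -S "HTTP/$webFqdn" $identity
setspn -S "HTTP/$webServer" $identity

# 3. Replace unconstrained delegation with constrained delegation to the named service only.
Set-ADComputer -Identity $webServer -TrustedForDelegation $false
Set-ADComputer -Identity $webServer -Add @{ 'msDS-AllowedToDelegateTo' = $backEndSpn }

# 4. Verify what AD now holds for the IIS server.
Get-ADComputer -Identity $webServer -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation,
        @{ n = 'SPNs';       e = { $_.servicePrincipalName -join ', ' } },
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 5. From a domain-joined client, call the API by FQDN and confirm a service ticket was issued:
#    Invoke-WebRequest -UseDefaultCredentials -Uri "https://$webFqdn/api/..." | Out-Null; klist | findstr /i "HTTP/$webFqdn"
```

If the app pool runs as a custom domain account, put that account in $identity and leave the computer account alone; registering the same HTTP SPN on both accounts is exactly the duplicate that setspn -X reports. After changing delegation settings, purge tickets on the client (klist purge) before retesting, or the old ticket will be reused.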

Windows authentication on remote server over LDAP

I have two servers. The first one is a server with an ASP app on it and the second one is an LDAP auth server. I need to log in on the app server over LDAP on the second server, and I need to use Windows auth (NTLM or Negotiate). As far as I know, based on my research, to log in on the server using an Active Directory domain from another server they must be in the same local network. This can be established by VPN, but the thing is that I can't use a VPN. Can it be established somehow? I'm currently trying to configure IIS not to identify my user on my current domain and to pass the credentials to the remote server over LDAP using .NET. Sorry if I have a wrong understanding about something; I'm still a newbie in Windows auth and AD. Correct me if I'm wrong about something.
I'm using ASP.NET Core RC2 and IIS Express 10 on my local machine, and my target framework is 4.5.2 due to using some old modules.
On the remote app server I'm using IIS 8.5.

ReturnUri to Localhost

During development the team prefers to develop against a local database and a local IIS Express web server.
We tried to configure an address of http://localhost:<port>/ in the Azure AD B2C application configuration as a return URI, but this isn't permitted (technically it should work, although I can see why it isn't permitted). So at the moment, when anyone signs in, it returns them to the test server URL.
We'd like to be returned to our local development server instance. Does anyone know of a way to achieve this?
You can use localhost, but make sure to use HTTPS:
https://localhost:<port>
See also this answer: DNS URLs in Azure AD B2C don't work
A self-signed certificate is enough to make this work. We use this a lot (together with B2C) on our development machines.
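The self-signed-certificate setup the answer refers to, as an added example that is not the answerer's code: create a certificate for localhost only, trust it on the developer machine, and bind it to the port IIS Express serves HTTPS on, so that https://localhost:<port>/... can be registered as the B2C reply URL. Port, reply path and the IIS Express application id are assumptions; run it in an elevated PowerShell on the developer machine.

```powershell
# Added example, not from the original answer. Run as Administrator.
$port  = 44300                                      # assumption: IIS Express SSL port (44300-44399 range)
$appId = '{214124cd-d05b-4309-9af9-9caa44b2b74a}'   # assumption: application id IIS Express uses for its bindings
$reply = "https://localhost:$port/signin-oidc"      # assumption: reply URL to register in the B2C application

# 1. Certificate for the name 'localhost' only. Do not widen DnsName: a self-signed
#    certificate trusted for other names is a phishing aid sitting in your root store.
$cert = New-SelfSignedCertificate -DnsName 'localhost' -CertStoreLocation 'Cert:\LocalMachine\My' `
            -FriendlyName 'IIS Express dev (B2C localhost)' -NotAfter (Get-Date).AddMonths(6)

# 2. Trust it on this machine so the browser follows the B2C redirect without a warning.
$tmp = Join-Path $env:TEMP 'localhost-dev.cer'
Export-Certificate -Cert $cert -FilePath $tmp | Out-Null
Import-Certificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $tmp

# 3. Bind it to the port (replacing whatever IIS Express had there).
netsh http delete sslcert "ipport=0.0.0.0:$port" 2>$null | Out-Null
netsh http add sslcert "ipport=0.0.0.0:$port" "certhash=$($cert.Thumbprint)" "appid=$appId"

# 4. Check the binding, then register the reply URL in the B2C application and in the app's settings.
netsh http show sslcert "ipport=0.0.0.0:$port"
"register this reply URL in Azure AD B2C: $reply"
```

When the project is over, remove the certificate from Cert:\LocalMachine\Root (find it by FriendlyName); trusted self-signed certificates should not outlive the work that needed them.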
