Blocking Openam externalization - openam

We are blocked by our security team from going live with OpenAM because of the issue below. We have OpenAM deployed in Tomcat on server1 (Tomcat). We have the agent and HTMLs on Server2. The agent redirects all unauthenticated requests from server2 (Apache/httpd), where the HTML is deployed, to server1, where OpenAM is deployed.
The problem is we don't want to open server2 to the public, considering the security risk. Is it possible for a web agent deployed on server1 to connect to OpenAM deployed on server2, which is not an opened/externalized server? How do we have to externalize the OpenAM server, how do we hide all the console stuff and block all API calls?

It is possible to externalize the login interface of OpenAM, but you would need to write a custom login application for that. This custom app then could have direct access to the OpenAM server to perform the REST calls necessary to authenticate end-users.
Once you have the login UI in place on a public server, you can change the agent configuration to use that login UI for the Login and Logout URLs.

Related

I want some users to continue using HTTP while others should use HTTPS

I have recently switched my website from HTTP to HTTPS. Some external users do not have enough permissions to access via HTTPS and still need to access via HTTP.
I want to keep both HTTP and HTTPS, but HTTP only for a specific group of users.
How to make this change in IIS 8?
Any ideas, please suggest.
You can try the following steps:
Step 1: configure HTTPS.
Set IIS to work with HTTPS (http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/ )
Test HTTPS locally to make sure that it works.
In your firewall (to Internet), configure it so that it allows port 443 (https) to your IIS server.
This will allow ALL people to access your website using https, since we have not configured any restrictions.
Step 2: configure HTTP.
Install WindowsAuthenticationModule if it is not already installed
In IIS Manager, click the website.
Double click Authentication in the middle pane
Select Windows Authentication and enable it
Select Anonymous Authentication and disable it.
Since the users on your local network are authenticated to AD, and the website is in their local zone, they should authenticate automatically and should not see the login box. People outside your network are not authenticated, hence will need to log on to access the website.
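As an added example (not part of the answer above), this script applies Step 2 to one IIS site and reads the result back; the site name is a placeholder and the WebAdministration module that ships with IIS is assumed.

```powershell
# Added example, not from the answer above: apply Step 2 to one IIS site and report
# the resulting state. Site name is a placeholder; requires the WebAdministration
# module that ships with IIS 7.5 and later.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                       # placeholder: your site
$AppHost  = 'MACHINE/WEBROOT/APPHOST'                # applicationHost.config
$AuthBase = 'system.webServer/security/authentication'

# Authentication sections are locked against web.config by default, so write them
# into applicationHost.config under a <location> for this site instead.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false

# Read everything back. Windows Authentication over plain HTTP puts the NTLM
# exchange on the wire, so also confirm that the https binding from Step 1 exists.
$win  = Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
            -Filter "$AuthBase/windowsAuthentication" -Name enabled
$anon = Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
            -Filter "$AuthBase/anonymousAuthentication" -Name enabled
$https = Get-WebBinding -Name $SiteName -Protocol https

[pscustomobject]@{
    Site          = $SiteName
    WindowsAuth   = [bool]$win.Value
    AnonymousAuth = [bool]$anon.Value
    HttpsBinding  = [bool]$https
}
```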

WebDav Windows Authentication on non domain join web server

Is it possible to set up IIS WebDAV with Windows Authentication and SSL on a non-domain-joined web server?
The web server is hosted in Azure and accessible via HTTPS on 443. The clients are domain users and need to authenticate with their domain credentials in order to read/write on the web server over the internet.
My logic tells me this is not possible, as the web server doesn't have an authentication provider without being domain joined?
Many thanks for any answers...
I don't think you would be able to use Windows Authentication, but if you have LDAP access to your AD environment from the server, you could do Forms Authentication and authenticate the user via LDAP in the back end. It would require the users to type in their credentials though.
You can test access to any one of the LDAP ports in PowerShell with:
Test-NetConnection -ComputerName domain.com -Port 389
The LDAP ports are:
389: LDAP
636: LDAP over SSL
3268: Global Catalog - same as LDAP but reads the whole AD forest
3269: GC over SSL
Any one of those would do.
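Beyond the port check above, the answer's Forms Authentication approach depends on the web server being able to bind to AD over LDAP. This added example (not from the answer) verifies that from the non-domain-joined server, using LDAPS on 636 so the password never crosses the wire in clear; host name and account are placeholders.

```powershell
# Added example, not from the original answer: confirm that the web server can
# bind to the domain over LDAPS with domain credentials. Server and user are
# placeholders. Uses the System.DirectoryServices.Protocols assembly on Windows.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [string]$Server,
        [System.Management.Automation.PSCredential]$Credential,
        [int]$Port = 636
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    try {
        # TLS from the first byte: a simple bind on 389 would send the password in clear.
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Bind($Credential.GetNetworkCredential())   # throws on bad credentials or TLS failure
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "LDAPS bind to ${Server}:${Port} failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Run from the Azure web server; prompts for a domain account (placeholder names).
Test-LdapsBind -Server 'dc01.domain.com' -Credential (Get-Credential 'DOMAIN\user')
```

A failed bind with the right port open usually points at the DC's certificate not being trusted by the non-domain-joined server, which is the first thing to check before wiring up Forms Authentication.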

How to secure custom parts of Identity Server

I want to extend IdentityServer 3 with an 'admin' part where users can manage things like users, clients, etc. This part should be secured by the same ID server implementation (same app in IIS). Do I have to build a separate app or can I extend the same ID server solution? How do I configure the OWIN startup then? When I have
app.Map("/Identity"....)
how do I add:
app.UseOpenIdConnectAuthentication
This results in an 'external' login provider, but that is not what I want. I also tried to add:
app.Map("/admin", config => config.UseOpenIdConnectAuthentication())
But that does not work either, so:
How to have ID server and a client combined in one Solution?
Please help.
Have a look at IdentityManager, provided by the developers of IdentityServer. This will get you up & running very quickly.
Security Model
The security model can be configured to only allow users running on the same machine or can be configured to use any Katana based authentication middleware to authenticate users.
Hosting Options
IdentityManager is hosted as OWIN middleware. It can be configured with the UseIdentityManager extension method for Katana.
This is how you "Get started"

Web authentication using desktop ldap

Problem: I want users from my corporate client to authenticate with my web server using their local LDAP credentials. Users have a local desktop client that can authenticate with the local LDAP server. My server and the LDAP server do not talk to each other.
I know it is possible to authenticate on a web server using LDAP if the web server relays the LDAP request to an LDAP server. (User/desktop client connects to web server, sends credentials, and web server interacts with LDAP server for authentication.)
But is there a way for a desktop client to authenticate with a local LDAP server and then connect to a web server sending a token that would grant access to the web server? (user auths with ldap, sends ldap response to webserver)
I am not talking Oauth, which requires both servers to talk. In this case, the LDAP server is isolated from outside contact.
The big problem here is that you should never trust the client, even if you have written it yourself. Something like public/private key authentication would (probably) not work either, since the problem is not the encryption, but making sure the message came as "OK" from the LDAP server. A rogue client could fake the OK and sign it anyway.
If I understand your problem correctly, you're looking for a way to make your desktop client talk to your web application using the user's domain credentials.
This should be easy to do using something like ADFS. If you run ADFS inside your client's Active Directory domain, your desktop client can get a token from it using Kerberos. It can then use this token to authenticate with your web application.
You will need to configure your web application to trust tokens issued by the ADFS instance in your client's domain.
ADFS may work, but it is unnecessary. You should look into using SPNEGO, as it does not require an ADFS infrastructure.
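The trust model the answers above converge on (the web application accepts only what a trusted issuer has signed, never a client's own "LDAP said OK") is shown here as an added example, not code from the thread. HMAC-SHA256 with a key shared between issuer and web application stands in for ADFS's X.509 token-signing key; the claims format and key are constructed for the demo.

```powershell
# Added example, not from the thread: an "issuer" the web app trusts (ADFS in the
# answer) signs the claims after doing its own LDAP/Kerberos check; the web app
# accepts a token only if it verifies under the issuer's key. A client that asserts
# success itself cannot produce a valid signature. HMAC with a shared key is a
# stand-in for the issuer's signing certificate (assumption made for brevity).
$IssuerKey = [Text.Encoding]::UTF8.GetBytes('constructed-demo-key-do-not-reuse')

function Get-Signature([string]$Payload, [byte[]]$Key) {
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try { [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Payload))) }
    finally { $hmac.Dispose() }
}

function New-IssuerToken([string]$User, [string]$Audience, [byte[]]$Key) {
    # Only the issuer holds $Key. Audience and expiry bind the token to one web app
    # and one time window, so it cannot be replayed elsewhere or indefinitely.
    $exp     = [DateTimeOffset]::UtcNow.AddMinutes(10).ToUnixTimeSeconds()
    $payload = "$User|$Audience|$exp"
    "$payload|$(Get-Signature $payload $Key)"
}

function Test-IssuerToken([string]$Token, [string]$ExpectedAudience, [byte[]]$Key) {
    $parts = $Token -split '\|'
    if ($parts.Count -ne 4) { return $false }
    $payload  = $parts[0..2] -join '|'
    $expected = [Text.Encoding]::UTF8.GetBytes((Get-Signature $payload $Key))
    $given    = [Text.Encoding]::UTF8.GetBytes($parts[3])
    # Constant-time comparison so a wrong signature leaks nothing through timing.
    if ($expected.Length -ne $given.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $given[$i]) }
    if ($diff -ne 0) { return $false }
    if ($parts[1] -ne $ExpectedAudience) { return $false }
    if ([long]$parts[2] -lt [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()) { return $false }
    return $true
}

# Legitimate flow: the issuer signs, the web app verifies.
$good = New-IssuerToken 'alice' 'https://webapp.example' $IssuerKey
Test-IssuerToken $good 'https://webapp.example' $IssuerKey

# Rogue client: same claims, but signed with a key the issuer never shared.
$rogueKey = [Text.Encoding]::UTF8.GetBytes('guess')
$forged   = "alice|https://webapp.example|9999999999|$(Get-Signature 'alice|https://webapp.example|9999999999' $rogueKey)"
Test-IssuerToken $forged 'https://webapp.example' $IssuerKey
```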

IIS delegation to access network resources with Kerberos

I have an ASP.NET application that needs to access ANOTHER application; the ANOTHER application expects Kerberos authentication and responds to requests based on the user's credentials. My ASP.NET app is running under an AD service account that is set up to allow delegation to the ANOTHER application (with the proper SPN).
So the process is: the user makes a request to the ASP.NET app, and the ASP.NET app impersonates the user for the request to the ANOTHER application by delegation (with Kerberos).
When I run the app on the local machine (where my ASP.NET app resides), the request is successful; however, if the request comes from a remote client machine, it fails, and the ANOTHER application's log shows that the identity is not presented.
Any clue?
Have a look at the following which appears to be very similar to your situation:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl/270306#270306
There are some resources there that should help you troubleshoot.
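As an added troubleshooting example (not from the answer above), the following read-only checks cover the pieces the question names: the SPNs, and the delegation settings on the service account. Account and SPN names are placeholders, and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not from the answer above: read-only checks on the delegation
# setup the question describes. Account and SPN names are placeholders; needs the
# ActiveDirectory RSAT module on a domain-joined admin workstation.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-aspnet'                       # placeholder: app pool identity
$FrontEndSpn    = 'HTTP/portal.corp.example'         # placeholder: host name in the users' URL
$BackEndSpn     = 'HTTP/another-app.corp.example'    # placeholder: the ANOTHER application

$props = @('servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation')
$acct  = Get-ADUser -Identity $ServiceAccount -Properties $props

# 1. The front end needs an SPN matching the host name clients type. Without it the
#    browser negotiates NTLM instead of Kerberos, and an NTLM logon cannot be
#    delegated, which fits "identity not presented" at the back end.
$hasFrontSpn = @($acct.servicePrincipalName) -contains $FrontEndSpn

# 2. Constrained delegation must list the back-end SPN (or unconstrained must be on).
$allowed = @($acct.'msDS-AllowedToDelegateTo')
$delegOk = $acct.TrustedForDelegation -or ($allowed -contains $BackEndSpn)

# 3. Each SPN must be registered on exactly one account in the forest; a duplicate
#    makes the KDC issue tickets for the wrong account (setspn -X reports the same).
function Get-SpnOwnerCount([string]$Spn) {
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)").Count
}

[pscustomobject]@{
    Account              = $ServiceAccount
    FrontEndSpnOnAccount = $hasFrontSpn
    FrontEndSpnOwners    = Get-SpnOwnerCount $FrontEndSpn   # expect 1
    BackEndSpnOwners     = Get-SpnOwnerCount $BackEndSpn    # expect 1
    DelegationToBackEnd  = $delegOk
    ProtocolTransition   = [bool]$acct.TrustedToAuthForDelegation
}
```

If the front-end SPN is missing or duplicated, fix that before touching the delegation settings; the remote-client failure described in the question is consistent with clients falling back to NTLM at the front end.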
