During development the team prefer to develop against a local database and local IIS Express web server.
We tried to configure an address of http://localhost:<port>/ in the Azure AD B2C application configuration as a return URI, but this isn't permitted (technically it should work, although I can see why it isn't permitted). So at the moment, when anyone signs in, it returns them to the test server URL.
We'd like to be returned to our local development server instance. Is there any way that people know of to achieve this?
You can use localhost, but make sure to use https:
https://localhost:<port>
See also this answer: DNS URLs in Azure AD B2C don't work
Just a self signed certificate is enough to make this work. We use this a lot (together with B2C) for our development machines.
Related
I am developing a small demo API for my organization. I use Azure AD for authentication for the API (and the OpenAPI docs). Everything works perfectly in my local development environment and I don't have the hassle of SSL since the oauth2-redirect is localhost. I am now ready to make my demo accesible inside my organization's network. However, Azure App Registration mandates that a oauth2-redirect link has to be https (or localhost which is why it works perfectly for me). I can understand why, but I am eager to demo my API and so, if at all possible, I would like to avoid the hassle of setting up a reverse-proxy, configuring TLS etc. So my question is - if I use https://10.x.x.x.nip.io/oauth2-redirect what are the security implications of this? I fear they are major unfortunately. I guess nip.io could sniff my authorization if they wanted to?
This is not strictly an answer, since it doesn't discuss the security implications of nip.io. However, if TLS is an issue for a demo it is automatically configured for an Azure App Service. For small demos it is therefore very convenient to deploy as an Azure App Service especially if you protect it behind a private link.
I'm trying to authenticate a SPA against an active directory.
My understand till now is:
- using ADFS as an STS for getting tokens
- using ADAL.js for simplifying communication with ADFS
In order to setup a prove of concept, I created a virtual machine on Azure based on windows server 2016. Then installed an AD and an ADFS.
ADFS works correctly when I am on the virtual machine, I can see its metadata url on https.
Now I would like to develop my SPA from my development machine, but I cannot reach the ADFS endpoint from outside Azure.
The question is: is it correct/allowed trying to authenticate from a computer outside that network?
I read many possibilities without finding a solution:
- using an express route for establishing a VPN
- using an ADFS proxy
- joining the AAD
Thank you.
Definitely - I do it all the time.
No - you don't need Express Route / Proxy.
In your VM configuration in Azure under "Overview", are you using the DNS name you see there.
Under "Networking", have you enabled http and https?
Right now we have AD set up so access to our App Service is authenticated. But we need the website to have local access to some special applications. Since we can't install applications on an App Services, I THINK that means we need to run the website on a VM.
If that's the case, I'd like to not lose the ability for Azure AD to authenticate access to our VM. I'm sure we can use Azure AD to authenticate us while we RDP to the server, but can it also be used for when we expose our Web Application over HTTPS from the server?
Since we can't install applications on an App Services, I THINK that
means we need to run the website on a VM
Even though a VM is the simplest one, you do have other options to at least consider. Here is Microsoft's documentation comparing the various options along with scenario based recommendations.
Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison
Quick Note:
Amongst the options discussed, avoid Cloud Services (classic) as far as possible, as they are legacy and on their way out. Also, if you still choose Virtual machine, do consider Virtual Machine Scale Sets for better scale and management options.
I'm sure we can use Azure AD to authenticate us while we RDP to the
server, but can it also be used for when we expose our Web Application
over HTTPS from the server?
Yes, it can be used even when you expose your web application over HTTPS from the server. Exposing over HTTPS would only involve opening up the port through NSG rules and SSL settings for your application in IIS. This will not impact you ability to RDP into the VM.
We have developed a WebAPI application that runs on IIS 6.2. That API uses Integrated authentication. So, the operations will be executed in the user context of the user that is calling the API.
Apart from that, because some of that operations execute remote actions to another server in the platform. We used constrained delegation (kerberos) to manage the Kerberos double hop and be validated in the remote server as the user calling the API.
We made the configuration changes in the IIS (regarding enabling Windows authentication) and we enabled "Trust this computer for delegation to any service (Kerberos only)" in the AD for the server running the IIS.
The current status is, if we access the API using localhost, everything is working as expected. However, if we access using the FQDN or even 127.0.0.1, it fails with unauthorized when the API call executing the remote operation behind the scenes returns.
Does anyone know what we can fix such configuration issue?
Thanks
Sounds like you did everything right...except didn't or haven't set the SPN properly in AD for the principal (computer/server object) referring to the web service running on the target server. For example, the server name is server1, and the AD and DNS domain name is acme.com. Then the SPN for the server in AD would need to be HTTP/server1.acme.com. Ref: Setting up Kerberos Authentication for a Website in IIS
Using this tutorial to connect to azure ad directory and wanted to know if it was necessary to use ssl?
Yes, all authentication endpoints should be HTTPS
In general, you should always secure any API or web site with TLS (in this case, using HTTPS). It is increasingly easy to obtain and use certificates.
For development scenarios, you may use an HTTP reply URL only if the host is localhost.