I have connected an Azure VM with Azure AD Domain Services. I am trying to set up sso for IIS web app which authenticates users using Integrated Windows.
I have followed the guide to setup the Application Proxy and I am stuck at Delegating KCD. https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/
Has anyone tried to authenticate users with Integrated Windows Authentication via Azure AD SSO?
This is not possible as in Azure AD Domain Services you don't have access to the domain controller so you can't configure KCD for the connector.
Disclaimer - I worked in the App Proxy team :-)
Related
I have an internal web application (ASP.NET) that I want to expose to the internet, preferably thru Azure Application Proxy. The requirements are to use an existing external keycloak server for user authentication, the keycloak server is hosted separately from our Azure. I have read that Azure Application Proxy requires Azure AD ( not sure about this), but it is not clear if Azure AD can be connected/use an external Keycloak server.
My question is can Azure Application Proxy be made to work with an external KeyCloak service to authenticate and authorize users, or is there some other way to expose the internal web application to the internet with Azure and an external Keycloak server.
Using Azure is not a fix requirement, but it is preferred.
Using the external Keycloak server is required.
Thanks in advance for any help with this.
We are using on-prem and Azure cloud separately and planning to make connection between on-prem AD and Azure AD by using Azure AD connect or Pass-though authentication (preview).
My question is, If we use Azure AD connect or pass-though ,will there be any need to use Azure application proxy in any case?
Under what scenario/application integration, both application proxy and Azure AD connect/pass-through will be required?
If we use Azure AD connect or pass-though ,will there be any need to
use Azure application proxy in any case?
By default, there is no need to deploy a proxy for Azure AD connect. It depends on your local network, if your On-prem server(AAD connect installed) can connect to the internet direct, we should not deploy the proxy.
Under what scenario/application integration, both application proxy
and Azure AD connect/pass-through will be required?
This table describes the ports and protocols that are required for communication between the Azure AD Connect server and on-premises AD:
More information about hybrid identity required ports and protocols, please refer to this official article.
If your on-prem network can't open those ports, we need to deploy a proxy for it.
I am trying to make Windows Authentication (with Kerberos/NTLM) work in a Web App hosted in IIS using Azure AD Federated users but seems it does not work. Below are the whole infrastructure details:
I have an Azure AD (e.g. skj.onmicrosoft.com) with Azure AD Domain Services Configured
I have an on premises Windows AD (e.g. skjtest.com) which is federated with the Azure AD. The on-prem users are available in AAD, SSO works but the password hash is not synced with AAD.
A VM is created in Azure and joined to the AAD Domain skj.onmicrosoft.com
I created a Web App which uses Windows Authentication and hosted in IIS present in the above Azure VM
When I try to login using an AAD user (e.g. aaduser1#skj.onmicrosoft.com) to the web app, it works all fine using both Kerberos and NTLM
However when I try to login using a federated identity (e.g. feduser1#skjtest.com), it fails showing a 401 Unauthorized Status code.
Here my question is, is this at all possible to make the Windows Auth (with Kerberos or NTLM) work with the Federated identities? If yes, please let me know the ways I can achieve this.
What could be the ways to integrate a web application ( on-prem) to another web application (Azure) using azure AD authentication( happening in the background), with out the user being prompted for credentials.
It depends on how your on-premise application authenticated. Based on the description, you want to implement the single sign-on for the on-premise application with the application which protected by Azure AD.
In this scenario, you can deploy ADFS on-premise and make the on-premise web application authenticate by the ADFS. Then we need to enable the trust from the ADFS to Azure AD. After build the federated trust, when the users try to access the web application which protect by Azure AD will redirect to the ADFS, and if the users already authenticate the on-premise application they will not required to enter their credential again. Here is a figure to demonstrate this progress and you can refer more detail about it from this link.
And now, we can use Azure AD connect to integrate your on-premises directories with Azure Active Directory easily. You can refer the video on this link about different settings for this tool.
How to deploy an MVC application with LDAP authentication and AZURE SSO?
Azure AD domain services ( preview) enables applications that use LDAP ( on enterprise on premises ) to be hosted on azure. If authenticating to LDAP as well as azure AD is requirement( not sure if this is the exact use case) this is something you can look at
https://azure.microsoft.com/en-in/documentation/articles/active-directory-ds-overview/