I'm using Visual Studio 2013, .NET 4.5. and trying to find out if it's possible to authenticate against Azure Active Directory with a web app using windows authentication instead of organizational authentication? I don't need a separate sign on page or registration, so rather than send them to an azure login page I would like to just bring up the browser prompt to athenticate.
It appears that the organizational authentication option relies on the reply url from the azure login page. Windows authentication works against a windows active directory but wondering if anyone has ever successfully used it against AAD?
As long as your AAD tenant is federated with your onpremises AD and your user is accessing from within the corporate network, where Windows auth works, you can absolutely do that. You can skip the interstitial page by simply specifying in advance the domain of your tenant. See http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/
No, Windows authentication depends on Kerberos (or NTLM), which needs an Active Directory domain to authenticate the user in. Azure Active Directory does not handle Kerberos tokens.
You can have your users authenticate against ADFS using the Kerberos protocol and federate the security token in ACS.
Related
I am facing a hopefully simple problem:
I need to create a wrapper app that contains a WebViewer control and should display a page in Azure portal.
I am developing the app in VS 2017 on a virtual machine which belongs to the domain 'DEV'. I would like to achieve that if a user from 'PROD' domain starts the app on their computer in the 'PROD' domain, they will be authenticated to AAD/Office 365 via SSO and can view the page in Azure (not a site in azurewebsites.net, but a site that needs you to be authenticated - i.e. portal.azure.com!).
I was not yet able to test the app on 'PROD' domain, but according to the answer below it would work, wouldn't it?
https://stackoverflow.com/a/9593258
If not can I go through the steps in the white paper mentioned and SSO the user manually (chapter 5.3, I assume)?
EDIT
Took me while, but here it is - I got SSO working, sort of...
In the end it seems that using a WebViewer control allows SSO but it still requires you to at least once enter your user name (user#tenant.com, for example) but you don't need a password. This might not be an optimal solution, nevertheless it is OK.
Thank you Wayne Yang for your support.
For your sceanrio, the user can SSO in PROD domain if the device has AAD joined.
But this should SSO to the joined AAD tenant. I also assume that you want to SSO to Azure portal with the ADFS. So, it also needs integrate ADFS with the AAD.
Why?
First, if your application try to sign in Azure portal via pop-up a broswer, and it needs SSO. AAD join can achieve this. If a device joined AAD, it will obtain a refresh token to your device. For windows 10 , IE and Edge can use the refresh token to SSO AAD endpoint.
Second, If you want to use ADFS, you must integrate ADFS with Azure AD. In this way, AAD authentication endpoint will redirect to your ADFS to approach SSO with your local domain.
Reference:
How to configure hybrid Azure Active Directory joined devices
Federate multiple instances of Azure AD with single instance of AD FS
Azure AD Connect and federation
Hope this helps!
My application is an Angular 2+ SPA, which uses Azure Active Directory and the back end API is implemented in Node JS. Currently, when an user tries to login, an Azure pop-up appears, User enter login/password which will get authenticated in AD, AD returns a bearer token which I use to authenticate Node JS API.
My requirement is, to use Integrated Windows Authentication (IWA). The Front End should use Windows authentication to get the bearer token from AD instead of asking user to enter login/password. How Can I do that? Whatever articles I see about this, all talk about IIS and .Net based application. Should I always use .NET based API to use Windows Authentication? Any hints would be greatly appreciated.
Just a note, the API is an enterprise application hosted in the cloud. All the users are internal company employees and are registered with AD.
Given you already have Azure AD sync setup, the following may be useful. AAD Connect allows you to seamlessly login with SSO:
https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
Azure services doesn't support Windows Authentication, unless you setup a VM with IIS. I assume by your requirements "...Get the bearer token instead of asking user to enter login/password" mean single signon. That is, when a user is logged into the domain on their PC, they don't have to login again to your application.
There are a few ways to approach this depending on your AD configuration, but usually you have to configure ADFS for your organisation AD to allow your cloud app to authenticate you. If you are already logged in, it will simply redirect you and your app will receive the bearer token.
https://azure.microsoft.com/en-au/resources/videos/configuring-ad-fs-for-user-sign-in-with-azure-ad-connect/
Another option is to connect your organisation AD with Azure AD, using Azure AD sync. The following link helps with this. You would then configure your app to authenticate against Azure AD (as it currently does).
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
AD configuration is not a simple configuration,
Last few weeks I'm trying to solve one BIG problem with Azure Active Directory and Oauth authorization.
Now we have Azure AD tenant and API application in that tenant. We use it for Oauth and Office 365 API. Everything is ok, except one thing - our users cant change their passwords by themselves, they have to write administrators (>10K users). We want to enable ADFS and give them ability to change password.
We tried few times to enable ADFS and change auth type from Managed to Federated, but after that users cant log in our app.
If they click "log in" in our application it opens URL like:
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=...&resource=https://outlook.office365.com/
When they try to sign in there they get error:
"User account ... from external identity provider ... is not supported for application ..."
AND!
If they sign in first in ADFS and after that sign in application - everything is ok.
So, what should we do to rnable ADFS and use API applications?
Sorry for bad description and bad english.
I am developing a web application with Windows Azure Active Directory (WAAD) authentication support. In WAAD I added a user which already has a Microsoft Account.
I use SAML 2.0 protocol for authentication request.
In my app upon accessing a protected resource, I redirect the user to:
https://login.windows.net/<id>/saml2/SAMLRequest=...&RelayState=...
This is URL I copied from the WAAD management console:
The decoded SAML token looks like:
<samlp:AuthnRequest ForceAuthn="false"
ID="b6f579bb-c7fc-49b1-a8f1-bbe2ad99da5d"
IsPassive="false"
IssueInstant="2014-07-25T06:38:11.303Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:Issuer>....onMicrosoft.com</samlp:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"/>
<saml2p:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
This is working great, I am redirected to
https://login.microsoftonline.com/...
https://login.live.com/...
However, upon autheticating with a Microsoft Account user (which is also imported into WAAD), I get this error message:
ACS20031: Sign-in with LiveId is not supported for this application.
What am I missing?
On the WAAD web admin console I did not see such a setting. I tried both Single Tenant / Multitenant options
Is there a possibility to login with a simple WAAD user (not LiveId) with foobar#<tenantid>.onmicrosoft.com ?
To my knowledge no.
Up to today, the only way to get users signed-in with Live ID to your Application are the following:
Use Azure Active Directory Access Control Service (or better known as ACS)
Use the LiveID Web Authentication SDK
Use the Azure Active Directory with a remark. The remark is:
** You can only use LiveID to sign-in with Azure Active directory, if you first provisioned that user in your directory tenant. Provisioning happens when you create a new user in your Azure Active Directory Tenant and in the process of adding, add it as a LiveID e-mail. Then you will have this user in your AAD but marked as "Sourced From" -> "Microsoft Account":
The type of federation you are trying to enforce currently only works for Microsoft Internal applications, and not for customers. The only federation service that currently works for Customers is the Access Control Service.
Here you can read a bit about the future of ACS and the plans to merge these federation capabilities into next versions of AAD. But we still haven't got to that future.
I have a website (azure), that has a login page for the user to insert it's username and password.
Currently, the login is using LDAP to autenticate the user.
Now the client wants to use/activate the single sign on functionality, but using their Windows Server Active Directory (they don't want to use the Azure Active Directory).
Is this possible to do? Whats the best approach?
These are the two options I know:
You can use Microsoft Active Directory Federation Services (aka ADFS). This is a component that should be installed in your customer infrastructure and talks with the AD, your website will talk WS-Federation with ADFS. Authenticating a user means basically redirecting the user to a ADFS, if the user is in the LAN and is already authenticated to AD, ADFS will login automatically, but if is outside it will prompt user credentials.
Another approach will be to use a third party authentication broker. Auth0 is an authentication broker that you can add from the azure store, you will need to create an AD "Connection", which will require to install an small MSI on your customer infrastructure. For this case it works more or less like ADFS but your application talks OAuth with Auth0 rather than Ws-Federation so in lot of cases it is easier to implement.
Disclaimer: I work for Auth0.