I have a ASP.NET application that need to access to ANOTHER application, the ANOTHER application expecting Kerberos authentication, it based on the user credential to response to the request. My ASP.NET app is running on a AD service account that is setup to allow delegate to the ANOTHER application (with proper SPN).
So the process is, user requests to the ASP.NET app, the ASP.NET app will impersonate the request to the ANOTHER application by delegation (with kerberos).
When I run the app in local machine (My ASP.NET resides), the request was successful, however, if the request is coming from remote client machine, it failed, from the ANOTHER application's log, it shows the Identity is not presented.
Any clue?
Have a look at the following which appears to be very similar to your situation:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl/270306#270306
There are some resources that that should help you troubleshoot.
Related
I am looking for some guidance on how I can use an Azure B2C custom policy to federate to a legacy Authentication Server. Here is the current flow that I would like to implement in the custom policy.
This protocol looks like a hybrid Oauth1 and the "actors" involved are:
Browser based user
Application Server
Authentication Server + protected resources
The Application server is preconfigured with an application id and an application secret provided by the Authentication Server. The Authentication server is also configured with a callback URL (pointing to the Application server). - Similar setup to OAuth.
Flow:
Step 1: The user requests a resource from the Application server by performing a GET on the application server (e.g. GET /resource
Step 2: The application server calculates an attribute using the preconfigured client secret and redirects the browser to the Authentication Server.
Step 3: If the Authentication Server determines that the user needs to be authenticated and may prompt the user for a username/password. This is transparent to the application server.
Step 4: The Authentication Server verifies the application server-provided attributes sent in Step 2 and responds by redirecting the user to the preconfigured application server callback URL. This request will additionally include a number of attributes set by the authentication server.
Step 5: The browser redirects the user to the application server’s callback URL and the application server uses the attributes received in Step 4 to calculate a resource request token
Step 6: The application server uses this request token to request protected resources and responds to the user's original request.
I am looking for ways to implement the above. Do I build this using a custom policy with an Oauth1 Technical profile Or an OIDC technical profile or something else?
The only way to do this is to create some middle layer than talks OpenId Connect to AAD B2C and talks the proprietary protocol to your legacy system.
Azure AD B2C can then make an open id connect request to your web server and it can do whatever it needs. Just have it respond back to B2C in an open id connect way.
I have an Azure Application Gateway sending user (HTTPS) traffic to a single backend web server, which is hosting an ASP .Net Framework 4.8 web application in IIS 10; users sign-into the web application using Windows authentication. The Application Gateway is not using cookie-based affinity (as there is only one web server). ASP .Net is using a SQL Server session state database:
<sessionState mode="SQLServer" stateNetworkTimeout="30" timeout="30" allowCustomSqlDatabase="true" sqlConnectionString="Data source=***********************;Database=ASPState;Integrated Security=SSPI;Persist Security Info=True" />
When users sign into the web application, as it is using Windows authentication, they are automatically authenticated using their Windows credentials, so they do not have to enter their user id and password. However, they will sometimes be signed in as the wrong user (someone else who is already signed-in). This only happens when using Application Gateway, and does not happen if the users go direct to the web service URL (bypassing Application Gateway).
When this bug happens, the application logs suggest that ASP .Net is getting the session id for the wrong user, i.e., the session id of the other user who is already signed-in. In Global.asax.cs, Session_OnStart the following gets logged:
Session.SessionID = sessionId for the wrong user
HttpContext.Current.User.Identity.Name = Windows userid for the wrong user
Session.IsNewSession = True
HttpContext.Current.User.Identity.IsAuthenticated = True (this is to be expected because Windows authentication is being used, so the user is already authenticated by IIS)
My guess is that Application Gateway is not persisting the user's Windows identity correctly between requests.
We have a corporative KeyCloak server which sits on Azure Account “A”.
We are now developing an ASP.Net Core Application that is on Azure Account “B”. This application is behind an Azure WAG.
The users access the application from the internet through the WAG and hits the Azure WebApp:
"https://myexternaldomain.com" => "https://myinternalazuredomain.azuresites.net".
As expected the users is redirected to Keycloak corporate server ("https://sso.corporate.com"). Once the user is logged in, he is being redirected to the callback address "https://myexternaldomain.com/oauth/callback".
At this moment we get a exception “Correlation Failed”, “Unknown Location”.
Architecture and Exception below:
Architecture and Exception
We believe that the problem is related to the address the users is using ("https://myexternaldomain.com") being different from the actual address the server is on ("https://myinternalazuredomain.azuresites.net"). And this makes even more sense when we take into account that it was working fine before the addition of the WAG.
Can you guys give us some insight?
Thanks
Best Regards
Take Care
There were a couple things that needed to be done to get KeyCloak + AppService to work in this scenario.
We had to add the same Certs to Wag and AppService, so KeyCloak would understand it as the same request.
Also the network team misconfigured the WAG, and some of the headers were not being forwarded, and KeyCloak would not accept the given Auth Token as valid for the current request.
I created an Azure Mobile App Service which is currently accessible 'Anonymously'
Anonymous access is enabled on the App Service app. Users will not be prompted for login.
To make it secure I can enable App Service Authentication which will ask users to log in
But this is not what I want - The data in this app is only accessed by Application without the need of each and every user to login to my app before using it.
So you might say, in this case, Anonymous access is fine but I want to restrict it with something at least like an API Key so I will have access to the API which my app can use to access the data to prevent random requests as anyone can just go and use Postman and start getting data without any authentication.
So in short, I don't want individual user authentication, but at least an API Key to ensure only requests made from my app are authenticated and nothing else.
I am using the following in my mobile app to create a connection and also doing Offline sync etc
MobileServiceClient client = new MobileServiceClient(applicationURL);
Any idea how do I do that?
FYI. My server side backend is in C#
Since you are using Azure Mobile Apps, for your requirement, you could leverage Custom Authentication for building your CustomAuthController to login and generate the JWT token for a specific user without user interaction. The core code snippet for logging would look like as follow:
MobileServiceClient client = new MobileServiceClient("https://{your-mobileapp-name}.azurewebsites.net/");
client.LoginAsync("custom", JObject.FromObject(new{Username="***",Password="***"}));
Note: As the above tutorial mentions as follows:
You must turn on Authentication / Authorization in your App Service. Set the Action to take when request is not authenticated to Allow Request (no action) and do not configure any of the supported authentication providers.
And you must explicitly add [Authorize] attribute for your controllers / actions which need to be authorized access. Details you could follow Authentication in the Backend.
I am building an online application using AngularJS on the front-end, hosted in an MVC 5/Web API application (basically a single-page application). However I have a hard constraint: the application's data will be held in a private network. I have to build a second Web API application inside the private network that exposes the web application's functionality. Further, the user authentication needs to happen inside the private network API (so the private network API will act as the authentication provider), as this is where the user tables exist.
The app in the DMZ is basically going to act as a proxy to the web API in the private network. So every request received in an ApiController in the UI API will be calling the private network API, ideally passing the token on received in the initial request.
From an authentication perspective, this is what I need:
User navigates to the site, can see only certain pages (I want to use MVC filters in the view controllers to control access).
They will log in once with a username and password.
After login the user can navigate to application pages and as a result the pages will call into the DMZ API for data.
This DMZ's API controllers will be calling into the private network API.
Both APIs whould be able to identify and apply authorization on their controller methods, based on the user's credentials.
If I didn't have a need for the second tier of API I would just use the MVC Single User Authentication implementation, which provides support for both cookie (UI) and token (API) authentication.
Any help providing insight into how I can do a similar thing with the above scenario would be much appreciated. (I guess my requirement is a bit like Windows impersonation for the UI web app).
See below for a high level view of the static architecture:
You may want to look at Azure service bus relays, which are designed to bridged the corporate firewall and call on-premise APIs.
Your WebAPI service would authenticate against the service bus to be allowed to call your service through it. You can pass user credentials using a bearer token in the request.
I'm not sure, but you may need to change your backend service implementation to use WCF though. You can find an explanation of the use of relays in Microsoft Dynamics in this link.