Azure and IIS Windows Auth - windows

I would appreciate any help that can be offered. I would like to achieve the following in Azure and having tried various tutorials using lots of different configurations I am still unable to achieve what seems quite simple.
I would like to set the default IIS homepage on an Azure VM to use Windows Authentication. I would like to Add a user or group from my local on-premise Active Directory, which is linked to an Azure Active Directory using 'Azure AD Connect'. Finally I would like to login to a client machine on my local on-premise Active Directory, and be able to browse to the Azure VM IIS default homepage without having to enter a username and password, as I am already authenticated having logged into the local Active Directory.
I am happy to try various setups and scenarios, so if you can help please shout up.
Thanks
Andy

Related

is it possible to implement kerberos authentication in azure web app?

We have an application which is hosted on the on-premises Windows server (IIS) server
now I created a windows server on azure and building a web app for it.where the application needs to authenticate the user by windows server (DC) using kerbrose protocol but I couldn't find any documentation regarding this from Microsoft's side
Is the above query possible to be implemented in the azure web app?
No, it's not possible. Windows Authentication is something for on-premise deployments. For Azure Web Sites Azure Active Directory is clearly the best option. Sync from AD to Azure Active Directory is also quite easy to setup.
If you still want to absolutely use Windows Auth and host your website on Azure, you can create Windows VM and host your website there. You then need to join the VM to your AD. To this, both VMs must be in the same network. So if your VM is on-premise you will need to create an site-to-site VPN.
For more information, follow this SO which also discussed about this.
If your intention is to join the VM hosting the website to a domain then as others have mentioned, this isn't possible.
However, doing Kerberos authentication itself within an Azure website isn't particularly difficult, but it does require manual implementation. Windows natively handles all of this for you on domain joined machines and and IIS exposes that functionality. Since you can't domain join you have to manually do all that heavy lifting and request and validate the tickets yourself.
This involves creating a service account in Active Directory and keeping the account password in sync. Once you have that you need to indicate to the browser that it needs to negotiate auth, which is done with the WWW-Authenticate: negotiate header on a 401 response. The client, if configured to send tickets, will send a ticket in the Authorization: Negotiate YII... request header on a subsequent response. At this point you need to shove that negotiate header and that original service account password into something that can validate Kerberos tickets. Windows SSPI will do this for you, but it's a pain. I built a library that'll do this for you: Kerberos.NET. YMMV with what works best for you.
All of that said, it may be more beneficial to switch over to a more modern authentication mechanism like OAuth/OpenIDConnect/SAML.
There are several ways depending on if you have to allow access to users who are associated with a on-premise Active Directory or not.
You should have a look at this service: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/
It will offer an Active Directory within Azure where you can domain join your VM to and then using Kerberos as authentication protocol (should work the same way like on prem).
The other option would be to create a new Active Directory within your Virtual Network (via 1 or 2 small Windows Server VMs where you create the AD).
The good thing if you are using Active Directory Domain Services would be that you could extend it to your on-prem Active Directory by synchronizing or federating your on-prem AD.
There are more informations regarding these scenarios here:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
For a Azure App Service - Web App you would connect it to your Azure Active Directory (AAD) and use the hybrid identity model to allow users who originate from an on-prem AD access to it:
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Hope this helps a bit, it is a rather complicated topic you are digging into.

Deploying MVC 3 website on Windows Server 2003 with Windows Authentication

I have deployed an MVC 3 website on IIS of my Windows Server 2003 edition. I have set the authentication to Basic, Integrated, and Windows in order to enable site to use Windows authentication, and automatically log in into website if the user has launched the site from the same domain. If user access the site from another domain, it should prompt the Windows credentials and should allow user to log in.
However the problem is that, user is presented with Windows login prompt every time (irrespective to same or different domain), and also when user provides valid credentials it doesn't allow user to access the site.
What could be the problem here? Or, can anyone provide me proper guide to configure IIS to use Windows Authentication while deployed on Windows Server 2003?
What is the version of IIS you are using ? Could you try to force NTLM authentication and see whether it will change anything ? Followin technet article will tell you how to change to NTML http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx?mfr=true. Please backup the server/iis configs before attempting any modifications to the metabase

Basic authentication on IIS 7.5

I'm trying to run a simple ASP.NET application with basic authentication on an IIS server. Interestingly, the authentication works fine on almost all servers except my production server. When I deploy the application on that machine, it keeps prompting me over and over for the credentials. Unfortunately, it is a lab machine that I don't have access to and I'm not able to view the logs either.
It's an IIS 7.5 server running on a Windows 2008 VM server I guess, and the content folder (where the default app is pointing to) is on shared with us (we have write access to that folder and that's how we are deploying our applications).
Outside authentication settings on the server, what other things could be causing the issue? Please advise.
Most probably this is a access permission to resources used by the web application.
The reason you see this repeatedly login prompt is that the account doesn't have the needed permissions.
First you have to determine if you are using impersonation or not.
If you do impersonate, the authenticated accounts need the necessary permissions.
If you don't impersonate, the application pool account needs the necessary permissions.
So what's the needed permissions?
Well, that could be a lot of things, and we don't know the details of your application.
Do you connect to a database?
Then you have to make sure that current account context has the right permissions to connect to the DB.
Do you read images/files from disk?
Then you have to make sure that current account context has the right permissions to access those resources.
If it is file resources that you are accessing, I would recommend you to use Fiddler and determine which path(s) you'll need to address. It will tell you by those 404 errors.
EDIT: Make sure that your app pool account has the needed permissions for this DLL you mention. Where does it fetch this list from? Is it static in the DLL? Where's this DLL located?
Please also check the event logs on the server for any related errors at the time you try to logon.

Automatically logging into a website from the desktop

If we have a link on a users desktop to a website, is there any way to automatically log them into that website using their windows username and password?
I think you can do it using the Active Directory. Maybe this article can help you.
This: Retrieve UserName by Searching in Active Directory
The windows login system and the website have totally different mechanisms. You're windows password is stored locally on your machine however the website password is stored remotely on a server. hence it does not make sense to login on a website with your local password automatically.
You can do this only for local Intranets hosted on the current domain. If this is what your're after you need to set the authentication mode in the config file.
.NET Authentication

How to access VS 2010 TFS over the internet from remote office

We have a team member in a different country, and are trying to figure out the most viable option to provide them with access to our Team Foundation Server for Visual Studio 2010.
You can check this http://msdn.microsoft.com/en-us/library/bb668967.aspx
If they are part of your corporate LAN/WAN, they should be able to get access just like a local user. If they are external, you have a couple choices:
VPN: You could give them VPN access into your network, then they could access like a local user.
Expose: You could expose TFS to the outside world by allowing the appropriate ports through your firewall.
You can also take a look at the TFS Proxy, but honestly I haven't done anything with that yet.
Open up port 8080 and route that port to the appropriate server. You can also setup to use HTTPS.
When the remote user is not on the same domain, he gets prompted for the credentials. The remote user can use the Windows Credential Cache (Stored Usernames and passwords for Windows XP).
Best solution is to enable TFS through a VPN for WAN users. Through port mapping you can enable TFS application tier access, but the Sharepoint (Documents) and Reports may not work properly. So, the best method is to enable VPS with SSL, and let internet users connect to your TFS just like internal users
Best of luck!

Resources