How does APIM work with Azure traffic manager? - azure-traffic-manager

In APIM we need to have a key that a client knows about:
ocp-apim-subscription-key
What happens when traffic manager round robins to another server? Does the client need to know about the second subscription key?

Similar to Azure Traffic Manager and OAuth 2.0, since Azure Traffic Manager operates at the DNS level, it is not a part of the client-server communication. Any authentication and key handoffs are transparent to Traffic Manager.
Please refer to https://azure.microsoft.com/en-us/documentation/articles/traffic-manager-how-traffic-manager-works/#how-clients-connect-using-traffic-manager for more details.

Related

How to configure OKTA + AWS Client VPN Endpoint + OpenVPN Client

I found this article that describes configuring to use the AWS VPN Client.
https://aws.amazon.com/blogs/networking-and-content-delivery/authenticate-aws-client-vpn-users-with-saml/
Our team is currently configured using the OpenVPN Client and we would like to keep using it -- (OpenVPN Client is so much better)
The issue seems to be where we add the Application to OKTA. Our OKTA guy tells me there is no option to add OpenVPN as a client and that there is no "OIN template" to allow this.
Is there a solution to this problem?
I have functioning AWS Client VPN that authenticates with Okta.
I contacted AWS support and was told that SAML/Okta authentication only works with the AWS provided client.

Is it possible to implement Kerberos authentication in an Azure web app?

We have an application which is hosted on an on-premises Windows Server (IIS).
Now I have created a Windows Server on Azure and am building a web app for it, where the application needs to authenticate the user against the Windows Server (DC) using the Kerberos protocol, but I couldn't find any documentation regarding this from Microsoft's side.
Is the above possible to implement in an Azure web app?
No, it's not possible. Windows Authentication is something for on-premise deployments. For Azure Web Sites, Azure Active Directory is clearly the best option. Sync from AD to Azure Active Directory is also quite easy to set up.
If you still absolutely want to use Windows Auth and host your website on Azure, you can create a Windows VM and host your website there. You then need to join the VM to your AD. To do this, both VMs must be in the same network. So if your VM is on-premise you will need to create a site-to-site VPN.
For more information, see this SO question, which also discusses this.
If your intention is to join the VM hosting the website to a domain then as others have mentioned, this isn't possible.
However, doing Kerberos authentication itself within an Azure website isn't particularly difficult, but it does require manual implementation. Windows natively handles all of this for you on domain-joined machines and IIS exposes that functionality. Since you can't domain join you have to manually do all that heavy lifting and request and validate the tickets yourself.
This involves creating a service account in Active Directory and keeping the account password in sync. Once you have that you need to indicate to the browser that it needs to negotiate auth, which is done with the WWW-Authenticate: negotiate header on a 401 response. The client, if configured to send tickets, will send a ticket in the Authorization: Negotiate YII... request header on a subsequent response. At this point you need to shove that negotiate header and that original service account password into something that can validate Kerberos tickets. Windows SSPI will do this for you, but it's a pain. I built a library that'll do this for you: Kerberos.NET. YMMV with what works best for you.
All of that said, it may be more beneficial to switch over to a more modern authentication mechanism like OAuth/OpenIDConnect/SAML.
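The two HTTP legs described above (the 401 with WWW-Authenticate: Negotiate, then the Authorization: Negotiate YII... header) as an added example, not code from the answer or from Kerberos.NET. It only unwraps the GSS-API framing (RFC 2743 section 3.1) and extracts the mechanism OID; the inner Kerberos ticket still has to be validated by SSPI or Kerberos.NET. The sample header is constructed with dummy inner bytes.

```python
import base64

# Well-known SPNEGO mechanism OID 1.3.6.1.5.5.2, DER-encoded (tag, length, value).
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")

def challenge():
    """First leg: no ticket seen yet, so ask the browser to negotiate."""
    return 401, {"WWW-Authenticate": "Negotiate"}

def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _decode_oid(raw):
    """Decode the value bytes of a DER OBJECT IDENTIFIER to dotted form."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def parse_negotiate(authorization):
    """Second leg: unwrap 'Authorization: Negotiate <b64>' and return
    (mechanism OID, inner token), or None when the framing is wrong."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme != "Negotiate" or not b64:
        return None
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # InitialContextToken: [APPLICATION 0] tag 0x60, DER length, mech OID, inner token.
    if len(tok) < 4 or tok[0] != 0x60:
        return None
    i = 1
    if tok[i] & 0x80:                      # long-form length
        n = tok[i] & 0x7F
        length, i = int.from_bytes(tok[i + 1:i + 1 + n], "big"), i + 1 + n
    else:
        length, i = tok[i], i + 1
    if len(tok) - i != length or tok[i] != 0x06:
        return None
    oid_len = tok[i + 1]                   # mechanism OIDs are well under 128 bytes
    return _decode_oid(tok[i + 2:i + 2 + oid_len]), tok[i + 2 + oid_len:]

def build_sample_header(inner=b"\x00" * 300):
    """Constructed header: real framing around dummy bytes, not a real ticket.
    A body over 255 bytes takes the 0x82 length form, which is why real
    headers start with 'Negotiate YII'."""
    body = SPNEGO_OID_DER + inner
    return "Negotiate " + base64.b64encode(b"\x60" + _der_len(len(body)) + body).decode()
```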
There are several ways depending on whether you have to allow access to users who are associated with an on-premise Active Directory or not.
You should have a look at this service: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/
It will offer an Active Directory within Azure to which you can domain-join your VM and then use Kerberos as the authentication protocol (it should work the same way as on-prem).
The other option would be to create a new Active Directory within your Virtual Network (via 1 or 2 small Windows Server VMs where you create the AD).
The good thing if you are using Active Directory Domain Services would be that you could extend it to your on-prem Active Directory by synchronizing or federating your on-prem AD.
There is more information regarding these scenarios here:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
For an Azure App Service - Web App you would connect it to your Azure Active Directory (AAD) and use the hybrid identity model to allow users who originate from an on-prem AD access to it:
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Hope this helps a bit, it is a rather complicated topic you are digging into.

How to setup Azure web service for Dynamics 365

Good morning everyone,
My apologies if this post is too similar to this post:
Dynamics 365 and Azure integration
but I am struggling to understand exactly what is needed in order to set up a web service on an Azure server that is consumable by a Dynamics 365 plugin. Based on my research it appears that it goes as follows, but I would like to see if anyone knows of a better guide.
1.) Construct the web service as normal on the Azure Windows Server.
2.) Register a proper DNS Domain name (friendly-name) and route it to the Azure server.
3.) Secure that Azure server/URL with a certificate.
4.) Call the web service from my C# Dynamics 365 plugin.
Is that everything or might I be missing something critical? Thank you!
4 might be an issue, given you want to use certificate based security, not sure that will work, you might need to use another mechanism, e.g. basic user name and password. Otherwise looks okay.
From "Plug-in isolation, trusts, and statistics", under "Web access":
Sandboxed plug-ins and custom workflow activities can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular web resources like social sites, news feeds, web services, and more. The following web access restrictions apply to this sandbox capability.
Only the HTTP and HTTPS protocols are allowed.
Access to localhost (loopback) is not permitted.
IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.
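The sandbox restrictions quoted above, turned into a pre-flight check a plug-in author can run against the endpoint URL before deploying. This is an added example, not code from the answer or from Dynamics 365; it applies only the rules listed in the quote (scheme, localhost/loopback, IP literals).

```python
import ipaddress
from urllib.parse import urlsplit

def check_sandbox_url(url):
    """Return (ok, reason) for a URL a sandboxed plug-in intends to call,
    applying the documented web access restrictions."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not HTTP/HTTPS"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    # "Access to localhost (loopback) is not permitted": catch the name form first.
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not permitted"
    # "IP addresses cannot be used": urlsplit strips the [] from IPv6 literals,
    # so both 203.0.113.5 and [::1] parse here.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                         # a DNS name, which is what the sandbox wants
    if addr is not None:
        if addr.is_loopback:
            return False, "loopback address is not permitted"
        return False, "IP literals are not permitted; use a DNS name"
    return True, "ok"
```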

Is it possible to use HTTPS/SSL in Wakanda Cloud?

My application will capture private customer data, requiring secure access for my clients.
Is it possible to use HTTPS/SSL in Wakanda Cloud?
HTTPS/SSL is not a current feature of Wakanda Cloud. However, HTTPS/SSL is a feature of Wakanda Server when you host it yourself.
The Wakanda Cloud Roadmap is on Trello, which lists SSL/HTTPS Support as a proposed feature.
You can vote on proposed features at Trello.
You can also submit additional feature requests at Trello.
HTTPS is available in the Wakanda Cloud. I have a medium instance using HTTPS right now.

White list a program on Azure Database

I am working on a program that uses Azure for its database. It works pretty well, except that I have to authorize every IP address that I access it from. So, if I go to a friend's house I have to authorize that IP, and if I go to a coffee shop I have to authorize that IP...
I am hoping that there is a way to authorize the connection from the program, whatever IP it is coming from. Or, worst case scenario, turn off that security measure.
DON'T.
The idea behind Firewalling your DB is to protect your data from anything that could have the SQL Server credentials should they somehow leak. It's for your own safety.
Instead, try to write a quick Web Service with ASP.Net WS/Jax RS/Rails/... to expose the DB data in a sane, secure and thoughtful manner. It's not hard and there are tons of tutorials and books on the matter out there.
Although NOT recommended, if you want to turn off this security measure you can allow connections to your SQL database from all IP addresses by setting the IP address range to 0.0.0.0 - 255.255.255.255 in the Azure Portal.
Another alternative would be to dynamically manage allowed IP addresses by using Azure Service Management API. You can manage Firewall rules using this API. You can read more about it here: http://msdn.microsoft.com/en-us/library/azure/dn505717.aspx
So what you could do is have a small service running in Azure. When your application starts, it sends the current IP address to your service and your service sets the IP address in the firewall rules. When the application terminates, it sends another request to your service and then your service removes that IP address from the firewall rule.
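The two ideas in this answer side by side: the open-to-the-world range as the weak setting, and the narrow per-client rule that the register-on-start, remove-on-exit service would manage instead. This is an added example, not code from the answer or from the Azure API; the rule list is constructed and the helpers operate on it locally rather than calling Azure.

```python
import ipaddress

# Constructed server-level firewall rules in portal form (name, start IP, end IP);
# not taken from any real subscription.
SAMPLE_RULES = [
    ("home", "203.0.113.10", "203.0.113.10"),
    ("office", "198.51.100.0", "198.51.100.255"),
    ("everything", "0.0.0.0", "255.255.255.255"),   # the "turn it off" setting
]

def rule_size(start, end):
    """Number of IPv4 addresses a start-end rule admits."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1

def audit_rules(rules, max_hosts=256):
    """Flag rules that defeat the purpose of the firewall: the whole IPv4
    space, or any range wider than max_hosts addresses."""
    findings = []
    for name, start, end in rules:
        size = rule_size(start, end)
        if start == "0.0.0.0" and end == "255.255.255.255":
            findings.append((name, "critical", "open to the entire internet; the firewall is effectively off"))
        elif size > max_hosts:
            findings.append((name, "warning", f"range admits {size} addresses"))
    return findings

def add_client_rule(rules, name, client_ip):
    """What the helper service does on application start: a single-host rule
    for the caller's current address (replacing any stale rule of that name)."""
    ipaddress.IPv4Address(client_ip)            # reject garbage before it reaches the API
    return [r for r in rules if r[0] != name] + [(name, client_ip, client_ip)]

def remove_client_rule(rules, name):
    """What the helper service does on application exit."""
    return [r for r in rules if r[0] != name]
```

The real service would issue the same add/remove against the firewall-rule API instead of a local list; the audit is what you would run afterwards to confirm nothing wider than a single host was left behind.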
As @Machinarius so eloquently said, DON'T. .NET already has a way of exposing data through OData services. You get SOAP or JSON, LINQ queries, caching, security even down to the entity or operation level.
Exposing an EF model as an OData service is very easy. You can create an ASP.NET Web API OData endpoint using the "Web API 2 OData Controller with actions, using Entity Framework" template as described in the "Creating an OData Endpoint" tutorial.
To call the service from a client, you add a service reference to it and then use the proxy to execute LINQ queries. It could be something as simple as:
Uri uri = new Uri("http://localhost:1234/odata/");
var container = new ProductService.Container(uri);
var myProducts = container.Products.Where(....);
Check "Calling an OData Service From a .NET Client" for a detailed tutorial.
As an alternative, if you need to access your application from random places, why not have a VM configured in Azure with your application installed? Whenever you need your app, fire up that VM, RDP there and work via RDP. You would not need to update the connection, and it is much more secure than having to allow random IPs to access your database.
I realise this is not an answer to your question, but other stackoverflowers already provided a significant input on your problem. And I do agree with them all. Do not disable the firewall. It is for your own good!
