There is a third-party system; its authentication is through IIS Windows Authentication (integrated AD).
Now I want to realize single sign-on with SharePoint. I know SharePoint 2010 has an SSS service
and I can configure it. My question: even though I can get the account and password, how can I give them to the third-party system, then sign on to the system's specified web pages?
We have an application which is hosted on an on-premises Windows Server (IIS).
Now I created a Windows server on Azure and am building a web app for it, where the application needs to authenticate the user against the Windows server (DC) using the Kerberos protocol, but I couldn't find any documentation regarding this from Microsoft's side.
Is the above query possible to be implemented in the Azure web app?
No, it's not possible. Windows Authentication is something for on-premises deployments. For Azure Web Sites, Azure Active Directory is clearly the best option. Sync from AD to Azure Active Directory is also quite easy to set up.
If you still absolutely want to use Windows Auth and host your website on Azure, you can create a Windows VM and host your website there. You then need to join the VM to your AD. To do this, both VMs must be in the same network. So if your VM is on-premises you will need to create a site-to-site VPN.
For more information, see this SO question, which also discusses this.
If your intention is to join the VM hosting the website to a domain then as others have mentioned, this isn't possible.
However, doing Kerberos authentication itself within an Azure website isn't particularly difficult, but it does require manual implementation. Windows natively handles all of this for you on domain-joined machines, and IIS exposes that functionality. Since you can't domain-join, you have to manually do all that heavy lifting and request and validate the tickets yourself.
This involves creating a service account in Active Directory and keeping the account password in sync. Once you have that, you need to indicate to the browser that it needs to negotiate auth, which is done with the `WWW-Authenticate: Negotiate` header on a 401 response. The client, if configured to send tickets, will send a ticket in the `Authorization: Negotiate YII...` request header on a subsequent response. At this point you need to shove that Negotiate header and that original service account password into something that can validate Kerberos tickets. Windows SSPI will do this for you, but it's a pain. I built a library that'll do this for you: Kerberos.NET. YMMV with what works best for you.
All of that said, it may be more beneficial to switch over to a more modern authentication mechanism like OAuth/OpenID Connect/SAML.
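The challenge/response exchange the answer above describes, as an added example that is not the answer author's code and not Kerberos.NET: a server handler issues the 401 with `WWW-Authenticate: Negotiate`, decodes the `Authorization: Negotiate ...` token on the next request, and looks at what the token actually is before handing it to a validator. That last step is the one a defender wants: the `Negotiate` scheme can carry a raw NTLM message as well as a SPNEGO/Kerberos `InitialContextToken`, so a server that only intends to accept Kerberos should check the mechanism OID before trusting any validator result. The `YII...` prefix in the answer is just the base64 of the DER header `60 82 ..` that a long GSS-API token starts with, which the constructed sample below reproduces. `demo_validator` is a hypothetical stand-in for the real ticket validation (SSPI or Kerberos.NET, keyed by the service account password); all sample tokens are constructed here and contain no real ticket material.

```python
import base64
import binascii
from typing import Callable, Dict, Optional, Tuple

# GSS-API mechanism OIDs, DER-encoded (without the 0x06 tag and length byte).
SPNEGO_OID = bytes.fromhex("2b060105050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                 # prefix of every raw NTLM message


def _der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n: int) -> bytes:
    """Encode n as a DER length (short or long form); used only to build samples."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def classify_negotiate_token(token: bytes) -> str:
    """Say what the client actually put behind the Negotiate scheme."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if not token or token[0] != 0x60:          # [APPLICATION 0] InitialContextToken
        return "unknown"
    try:
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:                 # OBJECT IDENTIFIER tag
            return "unknown"
        oid_len, pos = _der_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (ValueError, IndexError):
        return "unknown"
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "kerberos"
    return "gss-other"


def make_gss_token(oid: bytes, inner: bytes) -> bytes:
    """Wrap inner in an RFC 2743 InitialContextToken header (sample construction only)."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + _der_encode_length(len(body)) + body


def handle_request(headers: Dict[str, str],
                   validate: Callable[[bytes], Optional[str]]) -> Tuple[int, Dict[str, str], str]:
    """One round of the Negotiate exchange: returns (status, response headers, body)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    challenge = (401, {"WWW-Authenticate": "Negotiate"}, "")
    auth = hdrs.get("authorization")
    if not auth:
        return challenge                       # step 1: tell the browser to negotiate
    scheme, _, b64 = auth.partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return challenge
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return (400, {}, "malformed Negotiate token")
    kind = classify_negotiate_token(token)
    if kind not in ("spnego", "kerberos"):
        # NTLM fallback or junk: do not pass it to the Kerberos validator, re-challenge.
        return (401, {"WWW-Authenticate": "Negotiate"}, f"{kind} token not accepted")
    principal = validate(token)                # real work: decrypt/verify the AP-REQ
    if principal is None:
        return (401, {"WWW-Authenticate": "Negotiate"}, "ticket rejected")
    return (200, {}, f"authenticated as {principal}")


# Constructed samples (not real tickets): zero bytes stand in for the NegTokenInit body.
SAMPLE_SPNEGO_TOKEN = make_gss_token(SPNEGO_OID, b"\x00" * 300)
SAMPLE_SPNEGO_B64 = base64.b64encode(SAMPLE_SPNEGO_TOKEN).decode()
SAMPLE_NTLM_TOKEN = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28  # NTLM Type 1 shape
SAMPLE_NTLM_B64 = base64.b64encode(SAMPLE_NTLM_TOKEN).decode()


def demo_validator(token: bytes) -> Optional[str]:
    """Hypothetical stand-in for SSPI/Kerberos.NET: only recognises the constructed sample."""
    return "alice@EXAMPLE.COM" if token == SAMPLE_SPNEGO_TOKEN else None


if __name__ == "__main__":
    for h in ({}, {"Authorization": "Negotiate " + SAMPLE_NTLM_B64},
              {"Authorization": "Negotiate " + SAMPLE_SPNEGO_B64}):
        print(handle_request(h, demo_validator))
```

In a real deployment `validate` is where the service account's key and the SPN come in; the handler above only shows the HTTP side and the mechanism check that decides whether a token is worth validating at all.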
There are several ways, depending on whether you have to allow access to users who are associated with an on-premises Active Directory or not.
You should have a look at this service: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/
It will offer an Active Directory within Azure that you can domain-join your VM to, and then use Kerberos as the authentication protocol (it should work the same way as on-prem).
The other option would be to create a new Active Directory within your virtual network (via one or two small Windows Server VMs on which you create the AD).
The good thing if you are using Active Directory Domain Services is that you could extend it to your on-prem Active Directory by synchronizing or federating your on-prem AD.
There is more information regarding these scenarios here:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
For an Azure App Service web app, you would connect it to your Azure Active Directory (AAD) and use the hybrid identity model to allow users who originate from an on-prem AD to access it:
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Hope this helps a bit; it is a rather complicated topic you are digging into.
I have deployed an MVC 3 website on IIS on my Windows Server 2003 edition. I have set the authentication to Basic, Integrated, and Windows in order to enable the site to use Windows authentication, and automatically log the user in to the website if the user has launched the site from the same domain. If the user accesses the site from another domain, it should prompt for Windows credentials and should allow the user to log in.
However, the problem is that the user is presented with the Windows login prompt every time (irrespective of same or different domain), and also when the user provides valid credentials it doesn't allow the user to access the site.
What could be the problem here? Or, can anyone provide me with a proper guide to configure IIS to use Windows Authentication when deployed on Windows Server 2003?
What is the version of IIS you are using? Could you try to force NTLM authentication and see whether it changes anything? The following TechNet article will tell you how to change to NTLM: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx?mfr=true. Please back up the server/IIS configs before attempting any modifications to the metabase.
I have a REST web service running on a Windows 2003 Server. I want to prompt my users from a mobile app to enter their Windows domain credentials. I want to send those credentials to the web service and cache them for a few days. It appears I can cache the credentials using the low-level Credentials Management functions, but everything I've seen so far implies they're made to be called from an interactive session. What's the best way to cache these credentials in a web service?
MORE INFO: The reason why I need to cache the credentials in the web service is that I need them to access some back-end resources (i.e. SQL Server, etc.).
You don't typically cache things in a web service.
How are you prompting them to enter their credentials to begin with? That app / piece should cache the information.
It appears that Windows Identity Foundation provides a better mechanism to accomplish what I want. I'll be looking into that.
Is there any way to use Windows authentication in ASP.NET without needing a Windows account? I need a virtual directory to be password-protected using the browser authentication prompt.
If you're using Windows Authentication, you need a Windows account to authenticate against.
If you're up for the challenge, you can set your application up to use ADAM (Active Directory Application Mode). It'll give you a way to have accounts that are application-specific rather than domain-wide.
I am just starting out with Team Foundation Server 2008, and one of the hangups I've experienced is the following:
I create a new Team Project, as well as a Project Portal (which I believe is just a SharePoint site). When I go to view the project portal in the browser, it prompts me for a username and password. I want it to use digest authentication (meaning it just uses my current domain credentials). I have this working on the Team Foundation site itself, but I cannot seem to get it working at all on the Project Portal sites that TFS creates for me.
Any thoughts? I've already attempted to set digest authentication on the Default Website as well as the SharePoint Central Administration (v3) site, neither of which fixed my problem.
EDIT: I am running this on Windows Server 2003.
Check whether the pool account running the TFS sites is in your domain.
Your host may also not be in the 'Safe sites' / 'Intranet Zone' config in Internet Explorer; you can make it a trusted site and mark in the advanced options to send the username and password.