Does IdentityServer 4 support Win auth with multiple Active Directories? - active-directory

I've been reading the docs for Identity Server 4 (here) and it supports Windows Authentication and Active Directory.
Does it support multiple Active Directories?
Does it need to be configured somehow or Windows take care of it?
Thanks

That article is talking about running your application behind IIS. It's actually IIS performing the Windows Authentication, then passing the credentials to your application.
The answer to your question is "it depends". The server has to be able to authenticate your credentials. It can be from a different domain, but only if the domain your server is joined to trusts the domain the user account is on.
So if your server is joined to DOMAIN1, which is in an AD forest that has three domains: DOMAIN1, DOMAIN2, and DOMAIN3, then anyone with accounts on DOMAIN1, DOMAIN2, or DOMAIN3 can authenticate to your application.
Or if your server is joined to DOMAIN1, and DOMAIN1 has an explicit trust with DOMAIN4 (in a different AD forest), then users from DOMAIN4 can log in.

Related

Domain account for LDAP authentication without change ability

I have set up a Mediawiki for our small local domain (abc.local) on a linux VM (just for internal use). Our local domain controller is a Win Server 2008 R2. I've setup the Mediawiki LDAP Authentication extensions so that i can restrict editing of our Wiki to only domain Users. I've configured the Mediawiki LDAP configuration to use the domain Administrator credentials for this authentication.
Is there a way to create another account that can do this user authentication but can't change anything? Sort of like a "read-only" Administrator account?
thanks,
russ
An account can't be "read-only" and also "Administrator". It's one or the other.
"Authentication" can only ever be done with the user's own credentials. There is no special kind of account that lets you authenticate other accounts. All it needs credentials for is to look up accounts on the domain. So you only need a read-only account, which is basically any account that can authenticate on your domain.
So just create an account specifically for Mediawiki and use that.

How does IIS request information from LDAP?

When a user logs in to a SSO (Single Sign on) application, IIS makes a request to LDAP (Lightweight Directory Access Protocol) to get some user information for authentication. I am trying to find where the communication between LDAP and IIS happens (I am assuming that IIS sends a request to LDAP in order to get some user information). I have looked in the IIS Manager in windows and could not find the communication between IIS and LDAP. Does anyone know where I would be able to find the communication between LDAP and IIS?
If you're talking about Windows Authentication, then no, IIS doesn't use LDAP. It will use either Kerberos (preferably) or NTLM.
The mechanism is different for each, but basically, the user is already logged in on the client computer and sends their already-existing ticket to the server. The server just verifies the ticket with the domain controller. This means that the server must be joined to the same domain (or a trusted domain) as the user logging in.
For seamless SSO (where the user does not need to type in their username/password), the user must be logged into the client computer with the credentials they want to use on the website. If not, they will be prompted for credentials and the actual logging in will happen from the server.
If you cannot use Windows Authentication because the server is not joined to the same (or trusted) domain as the user, then you would have to implement LDAP authentication yourself. You would use Forms Authentication, ask for the user's username and password, and validate the credentials like this for example.

Windows 10 Organization Configured PC unable to Access Local Shared Drive

I've inherited a mess from the IT "professional" I replaced and have been unable to successfully lobby for resources to setup a proper domain. I have Windows 10 PC's that are configured as "organizational" PC's not Personal, which allows our users to sign-in with their office365 accounts.
However when they do this they are logged in via AzureAD\ Domain, I'm certain this is the reason they cannot access the shared drives my organization has been using. I would very much like to keep using this AzureAD setup but if I cannot access local network resources it won't work for me.
I've searched around but maybe I haven't been asking the right question to find a solution to my problem, or it's possible one doesn't exist which would be unfortunate.
Has anyone ran into this issue?
Is there a way to access non-AzureAD domain resources from an AzureAD\User Account?
You will need a DC (a virtual machine (VM) in the cloud or a physical server).
That DC has Azure Active Directory (AAD) Connect installed and configured on it. That creates an account in AD that synchronizes accounts and passwords with AAD.
When a computer joined to AAD logs in it sends the login request to AAD. AAD then validates that authentication request against the information synchronized from AD.
If you have workstations and laptops joined to AAD and they try to access a share on a server that is in a different domain than what AAD synchronizes with you are going to need to provide credentials that exist in the server which hosts the resources, you are trying to access.
There are a few right ways to do this as,
If the clients are in a single location and will always be in the same location as the DC then join them to the domain regularly. For clients that will be used in other locations join those computers to AAD and install AAD Connect in the DC.
If you want to move all the servers out of your office spin up a VM for your DC in Azure and deploy a cloud firewall in front of your VM. Create a Site-to-Site Virtual Private Network (VPN) between the cloud firewall and your office firewall. Now join computers that will always be in the office to the domain like normal, join computers that are going to be used remotely to AAD, and install AAD Connect on the DC.
Refer: Windows 10 AAD Azure ad domain joined & SMB share, where similar discussion has been done

Connecting to SQL Server using Windows authentication by multiple users through Client-Server App

Need help with connecting to SQL Server using Windows authentication by different users logging in to the clients using their domain account. We have thousands of users and is there a easy way to use a specific AD service account even though users login to these client machines using their windows account. I see some examples of that online if using IIS. But we need this to work with a client server app. Please help if there is a workaround. Thanks!
Typically you would either provision SQL Logins for the AD Groups containing the users, or (less secure) use a SQL Login with user/name and password embedded in the application configuration.

SQL Server login for SharePoint site login errors SSO

I'm having a very confusing error between SharePoint and SQL Server 2k5.
My SQL Server acting as backend to my MOSS farm has several logins in it which correspond to the web front end servers in my farm, with the pattern: {my-domain}{my-machine}$
Now, those accounts do not exist in AD anywhere, despite the login name syntax, and were generated somehow (assume by MOSS, but can't confirm). One (and only one) of the servers is throwing login failures every 2 minutes; that server was the first in the farm and holds most of the services, just not search and indexing.
I did a number of traces in SQL Profiler, and all I can tell is that the failure is a type 16 error on 'master'; so the login exists but doesn't have rights to 'master'.
Having found that, I went back in and gave it progressively greater rights on Master, including db_owner, and eventually making it a sysadmin. Still no joy, same error.
Diggin further w/ tracing, I found that the actual failure was due to the SSO db not existing; probably b/c it wasn't configured in MOSS. When I tried configuring the error, I got a "Sorry, you're not authorized to do that" error in Central Admin, even though I was logged in as the farm admin, who's also a forest-level admin w/ rights to everything I can think of.
Turning off SSO as a windows service worked, but I'm concerned about my inability to configure it in MOSS, so I dont' want to leave that as a solution.
I'm out of ideas, anyone else have thoughts or experience on this?
Thanks
The {my-domain}{my-machine}$ account is an alias for the NETWORK SERVICE built-in local machine account. NETWORK SERVICE is a low privilege predefined account that was introduced in Windows 2003. It has network credentials and can therefore connect to remote databases (as long as they're within the same domain).
It sounds like you've created your SharePoint web applications with the default application pool identity. This will create the logins named {my-domain}{my-machine}$ in SQL Server. So yes, SharePoint created the SQL logins, but they're based on the built-in NETWORK SERVICE machine accounts on the servers in your farm.
I'd check that the account you're using to configure SSO has the rights to create the SSO database. Have a look at the table in Plan for single sign-on. It lists all the privileges required for all the different types of SSO accounts. For the configuration account, the document lists:
SSO configuration account:
Must be a user domain account. Cannot be a group account.
The user account must be a server farm administrator.
Must be a member of the Administrators group on the
encryption-key server computer.
Must be a member of the following SQL Server security roles on the
computer running SQL Server:
Dbcreator
Securityadmin
Must be either the same as the SSO administrator account, or be a member
of the group account that is the SSO
administrator account.
If that doesn't help, follow Alex Angas' advice and post this question to serverfault.com.
Try and follow this to configure SSO:
http://technet.microsoft.com/en-us/library/cc262932.aspx
We had this same problem - the source of your "Not authorized to do that" message when you configure SSO is that you need to be logged into Sharepoint Central Admin as the SSO user (in our case, it was DOMAIN\SSO_Proxy). This allowed us to make the changes we needed.
Good luck!

Resources