I'm researching whether or not it makes sense for my company to use Azure for some outward facing applications. We need it to integrate with Active Directory so that it knows who they are without having to login to the site, kind of a single sign-on. Has anyone done anything like this or what tools I'd need to use to do it?
To elaborate a little, currently all of our intranet apps use Window Authentication with AD groups to determine who has what access and what level of access they have to the apps. So, once they log onto their machines, they don't have to login again to access any of our home grown apps. We're looking at using the Cloud but we want to keep the same login paradigm if at all possible. Ideas?
Thanks,
Jeremy
You can federate AD to Azure - you will need at least 1 server (on premise) running Windows Server 2008 R2 to get the ADFS bits (code name was Geneva). Then on the Azure side, you use the Azure App Fabric authentication. See MSDN.
An observation on Pat's answer:
*Then on the Azure side, you use the Azure App Fabric authentication. See MSDN
That is not necessarily correct. In the simplest form, which looks like what Jeremy needs, the web site on Windows Azure would simply trust the local ADFS server on-premises. To do this you would use WIF (Windows Identity Foundation).
This scenario is extensibly described in multiple documents. Check Here
A scenario in which you would use Windows Azure AppFabric (the latest CTP) is one in which the app would trust multiple identities simultaneously, and Appfabric would act as an "Identity Hub".
Related
We are using the ADFS activity report to migrate our applications to AAD. Everything shows as Ready and when we click on the Ready link, the text says "We've detected on-premises settings for this relying party that can be migrated to a new Azure AD enterprise application. We'll map the fields and create the new application, but users won't be redirected to it until you say so." By the last statement, it seems like the application is automatically created now. Is that the case? If so, how long does it take to create the application and does it keep the same name as in ADFS?
• The message that you encountered “We've detected on-premises settings for this relying party that can be migrated to a new Azure AD enterprise application. We'll map the fields and create the new application, but users won't be redirected to it until you say so.” Means that the application is a SaaS application available in Enterprise application gallery in Azure AD. This does not in anyway mean that the application has been created automatically, it just means that the application is ready to be migrated to Azure AD and is fully available as a SaaS application in Azure AD gallery and doesn’t need any further relying party configuration migration from the on-premises ADFS server.
• Since the message is displayed only for SaaS apps readily available in Azure AD gallery and are equally configured as a relying party trust in ADFS, its configuration information is readily migrated through the ADFS Connect health application to Azure AD and it can be configured in the cloud itself with admin account access needed for the SaaS application’s account for SSO and SAML authentication configuration required through Azure AD.
You can find the image below for your reference, it shows the ‘Dropbox’ application as ready for migration from ADFS to Azure AD: -
Through the above option enabled, you can easily configure your application’s SSO configuration in Azure AD. If all the configurations are up and running, it will happen instantaneously within a few minutes of time.
Kindly refer to this link for more information on migrating federated apps from ADFS to Azure AD: -
https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration
I think the report is still in preview and it is missing a create application button.
All the documentation only shows the reports & not the create process.
Also this migration tool, is a repackage of the powershell test commands:
https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration
So I assume you need to create the application manually based on the report.
We use LDAP and our local SQL Server databases to authenticate our users, using Apache Shiro as the app is developed with Apache ISIS. Users in the SQL Server database are REST consumers, while LDAP contains only business users. Lastly, I was instructed to move my LDAP users to MS AAD.
Is there an architecture that allows me to keep both users? Business users will access the app through the MS OpenConnect portal. At the same time, other applications can continue using DB authentication to consume REST APIs.
Yes, it's possible. Actually, the essential of your questions is "how to enable multiple authentication manner s in web app". Since AAD authentication is claimed based, very different from LDAP, so you will need to change your code for sure to upgrade from LDAP to AAD.
Regarding multiple authentication, I don't know the platform you're using. Here is an sample for ASP.NET CORE for your reference:ASP.NET Core: Supporting multiple Authorization
Is it possible to develop a basic client/server Forms app (suppose I could develop the server side as a service, but would rather not) that can prove that a user account within a 2012 R2 Active Directory domain can authenticate with an application residing on a server on a trusted 2003 domain, using NTLM? If so, what specifically within my application would I need to do to force such a behaviour?
The detail:
I am responsible for performing an upgrade of Active Directory from 2003 to 2012 R2 (raising of the Forest and Domain Functional Level). There is a legacy application which does not support Kerberos authentication and a lot of doubt that this mission critical application will still work after the domain upgrade. To complicate the matter, the user accounts are in the domain to be upgraded and the application backend is hosted on a trusted domain that will not be upgraded.
I am required to first of all test the process and outcome within a test lab (replica of the live environment). I am unable to replicate the application as it is to big and complicated to do so. One of the tests I need to satisfy is to verify that a user can be authenticated by a trusted domain using NTLM (not Kerberos).
It turns out that you can use the age old DOS "NET USE" command to verify NTLM authentication. "NET" only uses NTLM :)
Need help with connecting to SQL Server using Windows authentication by different users logging in to the clients using their domain account. We have thousands of users and is there a easy way to use a specific AD service account even though users login to these client machines using their windows account. I see some examples of that online if using IIS. But we need this to work with a client server app. Please help if there is a workaround. Thanks!
Typically you would either provision SQL Logins for the AD Groups containing the users, or (less secure) use a SQL Login with user/name and password embedded in the application configuration.
We currently have a WinForms application that accesses our SQL Server database through Entity Framework. The solution was built with database-first methods. Our database is hosted in Microsoft's Azure SQL services.
We need to secure the application connection to the database but the application will reside on employee laptops that need to work from anywhere. Currently the firewall is open to any IP because obviously the IP address for employees change depending on where they are located.
We need to introduce a web services layer but I don't want to run an entire website just to provide a web service to authenticate against. Creating an entire MVVC between the database and a web service, configuring packages, authentication, etc. just seems a bit much just to wrap the EF / DB communication with AD authentication.
How can we add a web service layer that is seamless for Entity Framework that will allow for Azure AD authentication? Is there an Azure service that works with EF to provide SQL Server access with better authentication? What options are out there that we don't know about?
Update: Adding a little to narrow down the question...
Is there a solution or Azure service that can provide a secure web service layer between EF (easily) and our SQL database? For example, does EF work with Azure Web Apps or Azure Mobile Apps without needing separate models for the web services layer?
Thanks in advance for any help.
You can use token-based authentication as explained here and here.
A file-based authentication is also available as explained here.