This repository has been archived by the owner on Dec 14, 2017. It is now read-only.

Windows authentication for admin #17

Open
pawepaw opened this issue Jan 20, 2016 · 14 comments

@pawepaw

pawepaw commented Jan 20, 2016

Hello,

Is it possible to authenticate a user in the IdentityServer.Admin portal using Windows authentication? I wanted to give it a try, but simply switching the value of windowsAuthenticate to true in the csproj doesn't work. I understand that it's based on OWIN authentication, so I've found two libraries which provide Windows authentication for OWIN:

  1. https://github.com/ghalebbadran/WinodwsAuthenticationOwinMiddleware
  2. https://github.com/pysco68/Pysco68.Owin.Authentication.Ntlm

I am able to get a sample application to authenticate using the above middlewares, but I'm unable to make it work with admin. I followed the example with ADFS and configured adminHostConfiguration, but it isn't working. Any clue?

@christophebourguignon

Hi,
I have exactly the same problem. Any idea?

@brockallen
Member

Are you using the HostAuthentication mechanism?

@pawepaw pawepaw closed this as completed Jan 21, 2016
@pawepaw pawepaw reopened this Jan 21, 2016
@pawepaw
Author

pawepaw commented Jan 21, 2016

Yes, I'll post the source code of my startup file in a few minutes.

@pawepaw
Author

pawepaw commented Jan 22, 2016

It looked like this:

    // IdentityAdmin service factory
    var factory = new IdentityAdminServiceFactory();
    factory.Configure();

    // Cookie middleware: unauthenticated requests are sent to the NTLM login endpoint
    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        AuthenticationType = "Cookies",
        LoginPath = new PathString("/api/account/ntlmlogin"),
        ReturnUrlParameter = "redirectUrl",
        Provider = new CookieAuthenticationProvider()
        {
            OnApplyRedirect = ctx =>
            {
                // Redirect only when the request is not an NTLM authentication callback
                if (!ctx.Request.IsNtlmAuthenticationCallback())
                {
                    ctx.Response.Redirect(ctx.RedirectUri);
                }
            }
        }
    });

    // NTLM middleware (missing semicolon added)
    app.UseNtlmAuthentication();

    // IdentityAdmin reads the admin user from the "Cookies" host authentication type
    var identityAdminOptions = new IdentityAdminOptions()
    {
        AdminSecurityConfiguration = new AdminHostSecurityConfiguration()
        {
            HostAuthenticationType = "Cookies",
            NameClaimType = "name",
            RoleClaimType = "role",
            AdminRoleName = "Admin",
        }
    };

    identityAdminOptions.Factory = factory;

    app.UseIdentityAdmin(identityAdminOptions);

    // configure web api
    var config2 = new HttpConfiguration();
    config2.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new { id = RouteParameter.Optional });
    app.UseWebApi(config2);

Also tried changing UseNtlmAuthentication with authenticationType Cookies and setting the default authenticationType to Cookies, but with no success.

@brockallen
Member

We're still not sure how we want to do the authentication/security for this. IdMgr did it by letting the host choose, but many people were confused by it. So this is still a work in progress.

@pawepaw
Author

pawepaw commented Jan 22, 2016

I've seen that underneath AdminHostSecurityConfiguration is an OAuth2 authorization server. It seems complicated and confusing. Maybe it'd be better if there were more documentation with samples.

@iBoonz iBoonz added the question label Feb 2, 2016
@madhavabhyankar

The way I handled this was by setting up my AD user in IdentityServer3. To get the AD creds I used https://github.com/IdentityServer/IdentityServer3.WsFederation. Once the AD user had the right role, I was able to work with Admin.

@pawepaw
Author

pawepaw commented Feb 26, 2016

Yep, but this is ADFS. It's shown in the official demo how to set up id mgr/admin with ADFS. I wanted to use pure AD/Windows auth.

@zhangxd6

@madhavabhyankar could you elaborate on your approach? It seems to me that admin is trying to use the authorization endpoint on the same host (base URL). I intend to host identity server and admin server separately.

@pawepaw
Author

pawepaw commented Feb 27, 2016

You don't need to host admin and server on the same host. You just need to have access to identity server database.

@zhangxd6

My intention is to use the hosted identity server to authenticate and authorize access to the database.


@pawepaw
Author

pawepaw commented Feb 27, 2016

Don't get what you want to do. You want to authorize access to database using identity server?

@zhangxd6

right.

