AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

Question: using OBO flow to call legacy web service protected by on premises AD #3423

Open leungkimming opened 2 years ago

leungkimming commented 2 years ago

I have successfully logged on to AAD (via ADFS) on a Blazor client using MSAL. I used the JWT as a bearer header and was able to call an on-premises .NET 6 API. Both the Blazor client and the API are registered in AAD. So far so good.

Now, the API needs to obtain data from a legacy web service written in .NET Framework and protected by IIS NTLM/Kerberos AD authentication (same domain as ADFS). It is a typical "2 hops" scenario. Is it possible to use the MSAL OBO flow, or otherwise, to obtain a Kerberos ticket on behalf of the user and call the web service? We are willing to adopt modern identity solutions, but most data are hosted in legacy IIS web services.

Thank you in advance.

bgavrilMS commented 2 years ago

We do have some support for legacy Kerberos. I am not an expert in this, as a sister team contributed the scenario, and we haven't had questions about it so far. So, bear with me.

I believe your scenario is like this:

[image: scenario diagram]

Let me break it down:

We have a console app that showcases this: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/master/tests/devapps/KerberosConsole/Program.cs#L38 ... it's not a proper sample yet.

Also note that we've only enabled this on the public client. Probably ok for you to try things out, but we may need to extend to confidential client.

leungkimming commented 2 years ago

Hi Bogdan Gavril, Thank you for your information and link, which are very helpful.

For your scenario in the picture, after obtaining the Kerberos Service Ticket, we can save it to a cache and later pick it up from the legacy App and present it to Azure File. Since Azure File is under AAD, it can easily validate the ticket issued by AAD and grant access to the legacy App.

For my scenario, following your steps, I may be able to obtain the Kerberos Service Ticket. However, I need to present it to an on-premises file server under our on-premises AD, not AAD. Is it still possible for the on-premises server to validate the Service Ticket issued by AAD and not the on-premises AD?

neallinAPJ commented 2 years ago

@bgavrilMS Hi Bogdan Gavril, why can't I find xms_as_rep in the IdToken? Do you have any idea?

[image]
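The two open points in this thread, the public-client Kerberos ticket request bgavrilMS describes (the KerberosConsole sample is not yet a proper sample) and neallinAPJ's question about a missing xms_as_rep claim, can be illustrated with one added example. This is not code from the MSAL.NET repository or from any participant in the thread. Assumptions, beyond what the thread states: the type and member names (PublicClientApplicationBuilder.WithKerberosTicketClaim, KerberosTicketContainer, KerberosSupplementalTicketManager.FromIdToken / SaveToWindowsTicketCache, and the KerberosSupplementalTicket properties) are taken from my recollection of the Microsoft.Identity.Client.Kerberos namespace and should be checked against the linked Program.cs; ClientId, TenantId, the SPN and the scope are placeholders; the HasClaim helper and LegacyServiceUrl are mine. The raw-claim check runs before MSAL's parser so that a tenant that simply never issues xms_as_rep is distinguished from a client-side parsing problem.

```csharp
// Added example, not code from the MSAL.NET repo or the thread participants.
// Assumption: API names below follow the Microsoft.Identity.Client.Kerberos namespace
// as recalled from the KerberosConsole sample; verify against that file.
using System;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Kerberos;

public static class KerberosTicketDemo
{
    // Placeholders (assumptions): replace with your own app registration values.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string TenantId = "contoso.onmicrosoft.com";
    // SPN of the legacy IIS service the ticket must be issued for (assumption).
    private const string ServicePrincipalName = "HTTP/legacy.corp.contoso.com";
    private const string LegacyServiceUrl = "https://legacy.corp.contoso.com/api/data";
    private static readonly string[] Scopes = { "User.Read" };

    public static async Task Main()
    {
        // Public client only: the thread notes confidential client is not enabled yet.
        // WithKerberosTicketClaim asks AAD to put the Kerberos ticket in the id token.
        IPublicClientApplication app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithDefaultRedirectUri()
            .WithKerberosTicketClaim(ServicePrincipalName, KerberosTicketContainer.IdToken)
            .Build();

        AuthenticationResult result = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();

        // Raw check first: if the claim is absent here, the tenant/app is not issuing
        // Kerberos tickets and nothing on the client side will produce one.
        if (!HasClaim(result.IdToken, "xms_as_rep"))
        {
            Console.WriteLine("xms_as_rep is not present in the id token.");
            return;
        }

        // Let MSAL turn the claim into a supplemental ticket object.
        KerberosSupplementalTicket ticket = KerberosSupplementalTicketManager.FromIdToken(result.IdToken);
        if (ticket == null || !string.IsNullOrEmpty(ticket.ErrorMessage))
        {
            Console.WriteLine($"Ticket not usable: {ticket?.ErrorMessage}");
            return;
        }

        // The realm identifies the issuing KDC. Whether an on-premises server honours a
        // ticket from this realm is exactly the open question in the thread; print it so
        // you can see what the server will be asked to trust.
        Console.WriteLine($"Realm:   {ticket.Realm}");
        Console.WriteLine($"SPN:     {ticket.ServicePrincipalName}");
        Console.WriteLine($"Client:  {ticket.ClientName}");
        Console.WriteLine($"KeyType: {ticket.KeyType}");

        if (!OperatingSystem.IsWindows())
        {
            Console.WriteLine("Ticket cache import is Windows-only in this example.");
            return;
        }

        // Import into the LSA ticket cache so SSPI/Negotiate uses it for this SPN.
        // Run `klist` afterwards to confirm the ticket is present.
        KerberosSupplementalTicketManager.SaveToWindowsTicketCache(ticket);

        // Second hop: Negotiate with the current logon session's credentials, which now
        // include the imported service ticket.
        using var handler = new HttpClientHandler { UseDefaultCredentials = true };
        using var http = new HttpClient(handler);
        HttpResponseMessage response = await http.GetAsync(LegacyServiceUrl);
        Console.WriteLine($"Legacy service returned {(int)response.StatusCode}");
    }

    // Decodes the JWT payload WITHOUT validating the signature. Acceptable for inspecting
    // a token just received from AAD over TLS; never use it for authorization decisions.
    public static bool HasClaim(string jwt, string claimName)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) return false;
        string payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        byte[] json = Convert.FromBase64String(payload);
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(json));
        return doc.RootElement.TryGetProperty(claimName, out _);
    }
}
```

Note that this only exercises the public-client path bgavrilMS mentions; an API calling the legacy service on the user's behalf (the OBO case in the original question) would need the confidential-client support he says may still have to be added.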