Windows authentication for admin

[pawepaw]

Hello,

Is it possible to authenticate user in identityServer.admin portal using windows authentication? I wanted to give it a try but simply switching value of windowsAuthenticate to true in csproj doesn't work. I understand that it's based on owin authentication so I've found two libraries which provides windows authentication for owin:

1. https://github.com/ghalebbadran/WinodwsAuthenticationOwinMiddleware
2. https://github.com/pysco68/Pysco68.Owin.Authentication.Ntlm

I am able to authenticate sample application to use above middlewares but i'm unable to make it working with admin. I followed example with ADFS and configured adminHostConfiguration but it isn't working. Any clue?

[christophebourguignon]

Hi, I have exactly the same problem. Any idea ?

[brockallen]

Are you using the HostAuthentication mechanism?

[pawepaw]

Yes I'll post source code of my startup file in few minutes.

[pawepaw]

It looked like this:

       var factory = new IdentityAdminServiceFactory();
        factory.Configure();

        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = "Cookies",
            LoginPath = new PathString("/api/account/ntlmlogin"),
            ReturnUrlParameter = "redirectUrl",
            Provider = new CookieAuthenticationProvider()
            {
                OnApplyRedirect = ctx =>
                {
                    if (!ctx.Request.IsNtlmAuthenticationCallback())
                    {
                        ctx.Response.Redirect(ctx.RedirectUri);
                    }
                }
            }
        });

        app.UseNtlmAuthentication()

        var identityAdminOptions = new IdentityAdminOptions()
        {
            AdminSecurityConfiguration = new AdminHostSecurityConfiguration()
            {
                HostAuthenticationType = "Cookies",
                NameClaimType = "name",
                RoleClaimType = "role",
                AdminRoleName = "Admin",
            }
        };

        identityAdminOptions.Factory = factory;

        app.UseIdentityAdmin(identityAdminOptions);

        // configure web api
        var config2 = new HttpConfiguration();
        config2.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new { id = RouteParameter.Optional });
        app.UseWebApi(config2);

Also tried to change UseNtlmAuthentication with authenticationType Cookies and setting default authenticationType to Cookies but with no success.

[brockallen]

We're still not sure how we want to do the authentication/security for this. IdMgr did it by letting the host choose, but many people were confused by it. So this is still a work in progress.

[pawepaw]

I've seen that underneath AdminHostSecurityConfiguration is Oauth2 authorization server. It seems complicated and confusing. Maybe it'd be better if there will be more documentation with samples.

[madhavabhyankar]

The way I handled this was by setting up my AD user in IdentityServer3. To get the AD creds I used https://github.com/IdentityServer/IdentityServer3.WsFederation. Once the AD user had the right role, I was able to work with Admin

[pawepaw]

Yap but this is ADFS. It's shown in official demo how to setup id mgr/admin with adfs. I wanted to use pure AD/windows auth.

[zhangxd6]

@madhavabhyankar could you elaborate about the your approach? It seems to me that admin is trying to use the authorization endpoint on the same host(base url). I intend to host identity server and admin server separately.

[pawepaw]

You don't need to host admin and server on the same host. You just need to have access to identity server database.

[zhangxd6]

my intention is to use hosted identity sever to authenticate and authorize the access to the database

On Feb 27, 2016, at 6:17 AM, pawepaw notifications@github.com wrote:

You don't need to host admin and server on the same host. You just need to have access to identity server database.

— Reply to this email directly or view it on GitHub.

[pawepaw]

Don't get what you want to do. You want to authorize access to database using identity server?

[zhangxd6]

right.

On Feb 27, 2016, at 5:31 PM, pawepaw notifications@github.com wrote:

Don't get what you want to do. You want to authorize access to database using identity server?

— Reply to this email directly or view it on GitHub.

[madhavabhyankar]

@zhangxd6
May be this will help https://github.com/madhavabhyankar/IdentityServerWithWindowsAuthWSFed.git