Reputation: 1217
I'm developing a prototype for an application that we plan to build in MVC5 using WIF 4.5 which will authenticate against an ADFS server. So far I have the ADFS implementation working, however there exists a requirement to allow users on the intranet to passively authenticate to a certain controller, say the Admin controller, while external users will authenticate on the Home controller using ADFS. At first glance I thought this would be a simple web.config setting, however it would appear that this is not the case now.
The ADFS is NOT on the same domain as the application, however I would want the windows authentication to happen on the domain the application is a part of.
My questions are, A) Is this possible, or am I trying to do something the framework was not meant to handle? B) How can I go about accomplishing this?
I've tried a few different combinations of
<location path="Admin">
  <system.web>
    <!--Having this here throws an error-->
    <authentication mode="Windows"></authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<system.web>
  <authentication mode="None|Federated|Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
  <compilation debug="true" targetFramework="4.5" />
  <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
</system.web>
It appears that, if any authentication is being enforced, it is always the ADFS. I started the template out using the On-Premises Organizational Authentication Option (ADFS) With ASP.NET in Visual Studio 2013 and fed in the metadata which the admin had provided. So my project is more or less a vanilla implementation off that template with a little bit of customization to consume the user object that I'm getting from the ADFS workflow.
The error I get that is referenced above when the authentication mode is set in the location node is
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
Which I gather is related to not having my virtual directory set as an application in IIS, but this is not the desired result. Furthermore when I did actually attempt to conform to this error I still did not have the authentication working properly.
A little more detail: after a bit more tinkering I've found that IISExpress settings (and ultimately IIS) will in fact need to be set, which is okay. So adding
<location path="WebApplication4/Admin">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
to my applicationhost.config did start prompting the browser for a username and password but I've also found that
<system.webServer>
  <modules>
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  </modules>
</system.webServer>
seems to be what ends up completely hijacking my authentication, and forces everything to go through the ADFS server. I can manually call the methods for ADFS authentication, so what I would want to do is somehow tell a controller not to use this but instead use windows authentication. It would appear, however, that if I simply comment those modules out it will break my ADFS workflow, but then it will properly use Windows authentication on the Admin controller.
Upvotes: 0
Views: 2423
Reputation: 2654
You cannot override the authentication method for a given location. You can only have one authentication method for your application.
As for Windows auth, it will only work if the server hosting the application is on the same domain as your intranet users, unless you have a trust between the domains.
If you have ADFS available in your intranet as well, you could establish federation between your 2 ADFS instances. You can then have authentication done for external/internal users.
For your authorization rules, you will then need to use claims to give access to the admin section. You will need to add a claims transformation module to add an Admin role claim when users are authenticated by your internal ADFS that you can use to set permissions on your controller.
As you can guess, this is not a trivial solution to implement, which will require more infrastructure setup on the internal side if you don't have ADFS there.
Another approach would be to provision your internal users in your app. This might be an easier approach if you only need to grant access to a few users.
Upvotes: 1
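The claims transformation step the answer describes, as an added example that is not code from the question, the answer or the WIF templates. It assumes the federated setup the answer proposes: the application trusts one ADFS, which in turn trusts the internal ADFS, and the claim rules pass claims through so that WIF exposes the internal ADFS as the issuer or original issuer of the incoming claims. The issuer URI, the `WebApplication4` namespace (taken from the asker's location path) and the controller shape are assumptions; the real issuer string comes from the internal ADFS federation metadata or from inspecting a token issued for an internal user.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;

namespace WebApplication4
{
    // Runs once per incoming token, before the session cookie is written.
    // Registered in web.config (assumed location, placeholder type name):
    //   <system.identityModel>
    //     <identityConfiguration>
    //       <claimsAuthenticationManager
    //           type="WebApplication4.InternalAdfsClaimsAuthenticationManager, WebApplication4" />
    //     </identityConfiguration>
    //   </system.identityModel>
    public class InternalAdfsClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // PLACEHOLDER: replace with the issuer recorded for tokens from the internal ADFS.
        private const string InternalAdfsIssuer = "http://internal-adfs.example.local/adfs/services/trust";

        private const string AdminRole = "Admin";

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            var identity = (ClaimsIdentity)incomingPrincipal.Identity;

            // Decide on the issuer WIF recorded for the claims, never on a claim value
            // the external user could influence. OriginalIssuer covers pass-through
            // claims when the app only trusts the outer ADFS (assumption, see lead-in).
            bool fromInternalAdfs = identity.Claims.Any(c =>
                c.Issuer == InternalAdfsIssuer || c.OriginalIssuer == InternalAdfsIssuer);

            // Drop any Admin role claim that did not come from the internal ADFS, so an
            // externally authenticated user cannot arrive already holding the role.
            var foreignAdminClaims = identity.FindAll(c =>
                c.Type == ClaimTypes.Role &&
                c.Value == AdminRole &&
                c.Issuer != InternalAdfsIssuer &&
                c.OriginalIssuer != InternalAdfsIssuer).ToList();
            foreach (var claim in foreignAdminClaims)
            {
                identity.RemoveClaim(claim);
            }

            if (fromInternalAdfs && !identity.HasClaim(ClaimTypes.Role, AdminRole))
            {
                // Stamp the role with our own issuer value so later code can tell it apart
                // from anything carried in by the token.
                identity.AddClaim(new Claim(ClaimTypes.Role, AdminRole, ClaimValueTypes.String, InternalAdfsIssuer));
            }

            return incomingPrincipal;
        }
    }

    // The role claim added above is what the authorization rule on the controller
    // consumes; both internal and external users still sign in through federation.
    [Authorize(Roles = "Admin")]
    public class AdminController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
}
```

Because the transformed principal is what the SessionAuthenticationModule serialises into the session cookie, the Admin role decision is made once at sign-in and cannot be changed by the client afterwards. The check on the issuer is the point of the design: an `[Authorize(Roles = "Admin")]` attribute alone would accept an Admin role from any trusted issuer, whereas this manager only grants the role when the claims trace back to the internal ADFS.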