Reputation: 69
My ASP.NET (webform) solution is running on our local company servers. A new customer wants automatic logon when they are accessing this webapp from the PCs in their remote company domain. How? I have heard some have made it.
It's like when the IIS and client browser are in the same domain we can use "Windows authentication" on IIS. But here the domain with the users is a remote domain and location: another company's intranet.
I have seen the LdapConnection / NetworkCredential classes. But there I must pass a username and password. An OK thing, but not my case.
I guess some code must be made in my web app, but maybe some more must be configured between my IIS and the remote customer's domain server. The customer is OK with this, we just don't know what to do. Maybe it's not "Windows authentication" we need here. The goal is just that users on PCs in that remote domain will get authenticated in my web app without writing user/password.
I hope the question is clear. Thanks for any help. Some places I see "Active Directory Federation Services" but don't know it.
Upvotes: 0
Views: 382
Reputation: 912
It certainly is possible to use "Active Directory Federation Services" to achieve what you want, however it is by no means a trivial exercise.
All of the steps required to properly configure/deploy ADFS (4 servers, multiple load balancers, specific certificates to name a few) and then the changes required to your ASP.NET application are far too extensive to ever address directly in a Stack Overflow question.
If you want to know more about ADFS, and how to implement it in an ASP.NET application, you should start with these TechNet articles.
Having said that, if you simply want to implement some form of more friendly authentication, consider using Azure B2B or another cloud-based identity system. They are far easier to implement securely, and will likely cost you less in the long run.
Upvotes: 1