Pniman

Reputation: 19

Use On-Premise AD for Authentication in asp.Net Core Web API

We have a Web Application (Vue3/TypeScript) which gets its data from a web API (ASP.NET Core). Web Application and Web API are hosted via IIS on the same server, so we implemented CORS policies. When the user opens the web application in a browser we want to authenticate the user against an on-premise AD using Single Sign-On (SSO) via the web API. The AD exists in the same network. We do not want to save any information about the user in the web API longer than the session exists. So there are no tables for saving users, roles or anything else. The roles should be configured in the AD to specify who has access to the web API and may call certain endpoints.

I already read the articles on Microsoft Docs but did not fully understand everything. After reading the articles I still struggle to answer the following questions:

I added the authentication middleware in the Startup.cs but that is as far as I got.

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<IISServerOptions>(options =>
    {
        options.AutomaticAuthentication = false;
    });

    services.AddDbContext<MyDbContext>();

    services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();

    // Required for app.UseSession() below; without it the app throws at startup.
    services.AddSession();

    services.AddAuthentication();

    services.AddCors();

    services.AddControllers();

    services.AddMvc();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseCors();

    app.UseSession();

    app.UseAuthentication();

    app.UseAuthorization();

    // UseEndpoints has no parameterless overload; the controllers must be mapped here.
    app.UseEndpoints(endpoints => endpoints.MapControllers());
}

The following graphic shows the goal we try to accomplish, but we are not sure if/how it is possible since we do not want to store any user information in the application DB.

[Updated Use Case]

Upvotes: 1

Views: 8250

Answers (2)

Mark Worrall

Reputation: 351

Do I always need an identity?

If you are using on-premise AD, no.

Where do I implement the information about the AD against which I want to authenticate the user?

That's what I'm trying to work out as well. It seems all MS examples are trying to push everyone to use Azure, and the rest are for the cloud/cross-domain. Did you ever work it out?

What is the difference between implementing Azure AD (AAD) and on-premise AD when it comes to configuring the application?

If it's on-premise AD, then you don't have to deal with cloud-related config, dependencies, issues, etc.

What roles do OpenID Connect (OIDC) and OAuth play; are they necessary or optional?

They are for when you use an external provider for authentication. Not needed for on-premise AD.

Do I get a JSON web token (JWT) from the on-premise AD?

No, that's really for cross domain. You wouldn't need JWT and to be passing a token around. JWT still needs to store authentication details somewhere (to be repeatedly accessed and checked on each request). Which is what you would use AD directly for instead. On-premise AD is your stored authentication (and authorisation) repository.

Did you ever find a working solution to do on-premise AD authentication from a .Net Core WebApi app? Should be common, but there doesn't seem to be a clear example anywhere online that isn't infected with Azure, cloud, JWT or Identity dependencies and complications (and there must be). I have come across many others asking the same question and no answer. I will keep looking and trying to piece together my own solution.

Upvotes: 0

Zhi Lv

Reputation: 21581

Do I always need an identity?

The identity stores the user's profile. Apps run with the app's identity for all requests, using the app pool or process identity; then we can implement authentication and authorization.

Where do I implement the information about the AD against which I want to authenticate the user?

The best way to implement Active Directory Authentication in ASP.NET Core is using the Windows authentication. However, that will only work if the server you run is joined to the domain (or a trusted domain).

What is the difference between implementing Azure AD (AAD) and on-premise AD when it comes to configuring the application?

The Active Directory (AD) is a group of on-premises features included in Windows Server, such as Active Directory Domain Services and Active Directory Certificate Services. For more detailed information, see this article.

Azure Active Directory (Azure AD): Cloud-based identity and mobile device management that provides user account and authentication services for resources such as Microsoft 365, the Azure portal, or SaaS applications.

For the difference between AAD and on-premise AD, see Compare Active Directory to Azure Active Directory.

What roles do OpenID Connect (OIDC) and OAuth play; are they necessary or optional?

IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core. IdentityServer4 enables the following security features: Authentication as a Service (AaaS), single sign-on/off (SSO) over multiple application types, access control for APIs and Federation Gateway. You could try to use it in your ASP.NET Core application; refer to this article.

Do I get a JSON web token (JWT) from the on-premise AD?

Do you mean you want to enable both JWT and AD authentication? If that is the case, when you validate the user using JWT, you should also validate the user's credentials (username/password) against Active Directory.

Upvotes: 1
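Putting Zhi Lv's Windows Authentication answer together with the asker's constraint of storing nothing about users, here is an added example (not code from the question or from either answer) of an IIS-hosted ASP.NET Core Web API that takes the caller's identity and roles straight from on-premise AD via Negotiate and authorizes endpoints by AD group. The group names `CORP\WebApi-Users` and `CORP\WebApi-Admins`, the SPA origin `https://app.corp.local` and the `WhoAmIController` are assumptions.

```csharp
// Added example, not from the question or answers: IIS in-process hosted API that
// authenticates against on-premise AD via Windows Authentication and authorizes by
// AD group, persisting nothing about users. Assumed: domain-joined server, Windows
// Authentication enabled in IIS, hypothetical groups and hypothetical SPA origin.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // IIS negotiates Kerberos/NTLM and supplies a WindowsPrincipal; keep
        // IISServerOptions.AutomaticAuthentication at its default (true) for SSO.
        services.AddAuthentication(IISDefaults.AuthenticationScheme);
        // Roles are the caller's AD groups on the Windows principal: no DB tables.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ApiUser", p => p.RequireRole(@"CORP\WebApi-Users"));
            // Every endpoint requires an authenticated caller unless [AllowAnonymous].
            options.FallbackPolicy = options.DefaultPolicy;
        });
        // Browser SSO sends credentials cross-origin, so the SPA origin must be
        // listed explicitly; a wildcard cannot be combined with AllowCredentials().
        services.AddCors(o => o.AddDefaultPolicy(b => b
            .WithOrigins("https://app.corp.local")
            .AllowAnyHeader().AllowAnyMethod().AllowCredentials()));
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseCors();            // before auth so the preflight is answered first
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController, Route("api/[controller]")]
public class WhoAmIController : ControllerBase
{
    [HttpGet, Authorize(Policy = "ApiUser")]
    public IActionResult Get() => Ok(new { user = User.Identity?.Name, isAdmin = User.IsInRole(@"CORP\WebApi-Admins") });
}
```

Keep Anonymous Authentication enabled in IIS alongside Windows Authentication so that credential-less CORS preflight requests reach the CORS middleware instead of being rejected by IIS; the fallback policy still challenges every real request. The Vue client must send its calls with `credentials: 'include'` for the browser to perform the Negotiate handshake.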
