Reputation: 969
I created an ADFS Windows NT token-enabled app (tokenapp), configured IIS 7 to enable Windows NT token authentication, and set the reply URL to https://adfsweb.treyresearch.net/tokenapp.
I added this app in the adfsresource application as a Windows NT token-based application.
I am using this web.config file: http://blogs.technet.com/b/adfs_documentation/archive/2006/08/03/444865.aspx#DSDOC_BKMK_667328988_f5db_446a_9261_00b4
The default.aspx.cs is as below.
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Security.Principal;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Name of the authenticated user as seen by IIS / the NT token agent.
        Label1.Text = HttpContext.Current.User.Identity.Name;

        // For an NT token app the identity is a real WindowsIdentity, so the cast is safe here.
        WindowsIdentity i = (WindowsIdentity)HttpContext.Current.User.Identity;
        IdentityReferenceCollection irc = i.Groups;

        // List the group memberships carried in the token as DOMAIN\Group names.
        foreach (IdentityReference ir in irc)
        {
            Label2.Text += ir.Translate(typeof(NTAccount)).Value + "; ";
        }
    }
}
It works as long as I log in from the adfsresources domain with a treyresearch.net user.
If I use this tokenapp URL from the adatum.com domain I get an error, and in the event log of the adfsresource server I have this error:
Event code: 4011
Event message: An unhandled access exception has occurred.
Event time: 11/29/2011 7:20:26 PM
Event time (UTC): 11/30/2011 1:20:26 AM
Event ID: ac49318023ee4ba4ab7ab6e0bca78522
Event sequence: 5
Event occurrence: 2
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/adfs-1-129670890061718750
Trust level: Full
Application Virtual Path: /adfs
Application Path: C:\Windows\SystemData\ADFS\sts\
Machine name: ADFSRESOURCE
Process information:
Process ID: 1892
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: https://adfsresource.treyresearch.net:443/adfs/ls/clientlogon.aspx
Request path: /adfs/ls/clientlogon.aspx
User host address: 192.168.10.133
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE
Custom event details:
Does this mean that I need to have a Windows trust on top of the ADFS trust to use Windows NT tokens for remote domains? If so, there is no point in having an ADFS trust if I also need a Windows domain trust.
I can get my claims app to work correctly from the remote domain, but I added this new tokenapp after all the trust policy export/import was completed: http://technet.microsoft.com/en-us/library/cc731103%28WS.10%29.aspx
I have also followed and verified this info: http://technet.microsoft.com/en-us/library/cc734929%28WS.10%29.aspx
Upvotes: 0
Views: 1057
Reputation: 46720
A word of warning: that article you reference was written in 2006 and talks about web agents; in other words, it's ADFS 1.
ADFS 2 is pretty much a new product. It came out in 2010 and no longer has the concept of agents.
The ADFS "feature" that comes standard with Windows Server 2008 is 1, not 2. You have to download 2 and install it.
Appendix A: Reviewing AD FS 2.0 Requirements states "AD FS 2.0 does not support Windows NT token–based applications."
It does, however, support C2WTS (Claims to Windows Token Service).
Upvotes: 1
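As an added illustration of the C2WTS route the answer points to (not code from either poster), this is how the question's Page_Load would look on ADFS 2.0 with WIF 3.5: the claims principal's UPN claim is upgraded to a WindowsIdentity through S4UClient, and the group listing is then produced exactly as in the original page. It assumes the same Label1/Label2 controls, that the ADFS 2.0 relying party trust issues a UPN claim, and that the C2WTS service is installed and allows the app pool account as a caller.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using Microsoft.IdentityModel.Claims;              // IClaimsPrincipal, IClaimsIdentity, Claim, ClaimTypes
using Microsoft.IdentityModel.WindowsTokenService;  // S4UClient, the C2WTS client (WIF 3.5)

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With ADFS 2.0 + WIF the request runs as a claims principal, so the direct
        // (WindowsIdentity) cast used by the NT token app no longer applies.
        IClaimsPrincipal principal = HttpContext.Current.User as IClaimsPrincipal;
        if (principal == null) { Label1.Text = "No claims principal: WIF is not handling this request."; return; }

        // C2WTS is keyed on the user's UPN, so the relying party trust must issue a UPN
        // claim (assumed here; if this is null, check the issuance rules in ADFS 2.0).
        string upn = FindClaim(principal, ClaimTypes.Upn);
        if (upn == null) { Label1.Text = "No UPN claim issued for " + principal.Identity.Name; return; }

        // Ask the local C2WTS (c2wtshost.exe) for a Windows token via S4U. The app pool
        // account must be listed in the service's allowedCallers, and Kerberos constrained
        // delegation is required before this token can be used against a back-end resource.
        WindowsIdentity windowsIdentity = S4UClient.UpgradeToWindowsIdentity(upn);

        Label1.Text = windowsIdentity.Name;          // DOMAIN\user from the S4U token
        Label2.Text = FormatGroups(windowsIdentity); // same group listing as the question's code
    }

    // Returns the first value of the given claim type across all identities, or null.
    private static string FindClaim(IClaimsPrincipal principal, string claimType)
    {
        foreach (IClaimsIdentity identity in principal.Identities)
            foreach (Claim claim in identity.Claims)
                if (claim.ClaimType == claimType)
                    return claim.Value;
        return null;
    }

    // Translates each group SID to DOMAIN\Group; SIDs that cannot be resolved are kept raw.
    private static string FormatGroups(WindowsIdentity identity)
    {
        string groups = "";
        foreach (IdentityReference group in identity.Groups)
        {
            try { groups += group.Translate(typeof(NTAccount)).Value + "; "; }
            catch (IdentityNotMappedException) { groups += group.Value + "; "; }
        }
        return groups;
    }
}
```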