Combining Thinktecture AuthorizationServer with Windows Integrated Authentication

One of the key features of AS is that you can combine it with arbitrary authentication methods. This basically allows to layer OAuth2 and our application and authorization model over any identity management system.

Recently the question came up which steps would be necessary to combine AS with plain Windows integrated authentication. That’s what I did:

  • Downloaded the latest source code version from github
  • Setup the vdir in IIS (IIS Express works as well) and enabled Windows authentication
  • Set the ASP.NET authentication mode to Windows
  • Removed the FAM as well as the system.identityModel configuration section

With that we have AS configured for Windows authentication and removed the WS-Federation plumbing. The last step would be to setup the claims transformation logic to a) transform the Windows account name into the sub claim and b) set the AS administrator role if the Windows user is an AS administrator. This is done in global.asax:

protected void Application_PostAuthenticateRequest()

{

    if (HttpContext.Current.User.Identity.IsAuthenticated &&

        HttpContext.Current.User is WindowsPrincipal)

    {

        var svc = DependencyResolver
                
.Current
                 .GetService<
IAuthorizationServerAdministratorsService
>();

        var transformer = new NameIdToSubjectClaimsTransformer(svc);

 

        var newPrincipal = transformer.Authenticate(
         
string.Empty, HttpContext.Current.User as ClaimsPrincipal
);

 

        HttpContext.Current.User = newPrincipal;

        Thread.CurrentPrincipal = newPrincipal;

 

        var session = new SessionSecurityToken(newPrincipal);

        FederatedAuthentication
          
.SessionAuthenticationModule
           .WriteSessionTokenToCookie(session);

    }

}

 

This code will transform the WindowsPrincipal to an AS principal on the first authenticated request. From that point the SAM will use the transformed principal via the session token / cookie.

If you like to use the resource owner credential flow – you’d also need to implement a Windows specific version of the IResourceOwnerCredentialValidation interface (and wire it up in autofac.config). I leave that as an exercise – but the general approach would be to use Win32 LogonUser to verify the Windows username and password (instead of the WS-Trust default implementation).

HTH

This entry was posted in ASP.NET, AuthorizationServer, OAuth, WebAPI. Bookmark the permalink.

26 Responses to Combining Thinktecture AuthorizationServer with Windows Integrated Authentication

  1. Hi Dominick,

    This is in continuation of my tweet where I asked about my custom AuthenticationManager not getting called automatically when using the System.Identity.Services.SessionAuthenticationModule HttpModule in an intranet scenario (WindowsAuthentication). I am trying to transform the WindowsPrincipal to a new one so as to add more claims.

    Basically, I was wondering why mine wasn’t getting called? And if that is by design, do you know what the reasoning behind that was?

    Moving forward, I see that this post has a work around. What are the pluses / minuses of this vs the technique outlined in a couple of VisualStudio magazine articles (http://bit.ly/1a75Ur6 & http://bit.ly/1fqXfz2) using the PostAuthenticate? Also, why PostAuthenticateRequest and not AuthenticateRequest?

    Thanks so much! Your excellent intro and asp.net pluralsight courses really put it together for me.

    Best,
    Jason
    @techfriction

    • The SAM never calls the ClaimsAuthenticationManager. It’s either the FAM when using WS-Fed or you call it yourself.
      That’s what I did – and I wouldn’t call it a workaround – that’s just the normal procedure.

      The PostAuthenticateRequest event is guaranteed to run after the authentication stage (Windows authentication in that particular case) – that’s why I chose it.

  2. Hi,

    I am working with WEB API 2 and Bearer accessTokens. It is working OK, I receive the token after authentication and I can call my protected services passing the accessToken in the Header.

    My doubt is how can I protect the accessToken from tools like fiddler or any other snniffing.

    I can use HTTPS, but is there any other way to protect it from anyone trying to sniff my packages.

    Thanks in advance

    • Well – if you can’t rely on SSL you have a much bigger problem. Fiddler is only effective because it “compromises” your local machine (with your permission of course).

      That said – nothing stops you from adding additional countermeasure like MAC signatures – there is supposed to be an official spec at some point on how to do this – in the meanwhile something like Hawk could be applied.

  3. Vu Nguyen says:

    Hi Dom,

    What does it mean when it say:
    ID0006: The input string parameter is either null or empty.
    Parameter name: Issuer

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ArgumentException: ID0006: The input string parameter is either null or empty.
    Parameter name: Issuer

    I have no idea where I can provider the issuer to the parameters

  4. baotao says:

    How can I Combining AuthorizationServer with ASP.NET Identity?

  5. Steven says:

    hi Dominick, I’m new to this tool.

    Please can you tell me where I can find the code for NameIdToSubjectClaimsTransformer? Does it implement an interface, When do I implement a transformer vs use built in?

    Thanks,

    Steven

  6. Dominick, I have a question or maybe I just have a mental block and not seeing it. If I wanted to set up with the ability to use either Windows Authentication or Membership Services Authentication what would be the steps that would need to happen? What services i.e. Identity Server / Authorization Server would be involved.

  7. Pingback: Integrating AuthorizationServer with Auth0 | leastprivilege.com

  8. kalamabdul says:

    When i include the Application_PostAuthenticateRequest() in the global.asax file it starts giving me error for NameIdToSubjectClaimsTransformer(svc). I don’t see this class in the solution please let me know how i get this class definition.

  9. Adnan says:

    Hi Dominic, I would like to setup the identity server v3 – beta 3 to work with windows authentication i.e. when i request an “id_token” by calling the authorize endpoint at idSrv using defaultcredentials (current windows user credentials) in httpclient / webclient, I want the User object in the ApiController to have the already authenticated WindowsPrincipal from the httprequest. Currently when I look at the User Object in the APIController on the IdSrv it gives me an unauthenticated ClaimsPrincipal. Could you please provide step by step instructions on how to achieve it?

    • We don’t have out of the box support for that. But working on it.

      • Adnan says:

        Thank you for the prompt response. If I would want to implement it myself, how would I do it? Could you guide me in the right direction here at a higher level? What do I need to do implement this? Appreciate your assistance in this regard.

        Is this something that is in your road map in the near future (next couple of months) or would it be next year?

  10. Manu says:

    Hi Dominick,
    Can you point to some sample application using this approach? I want to supply tokens against windows integrated authentication to avoid users entering credentials manually inside the network.

  11. Adnan says:

    This above blog post sample is for an ASP.NET client application using global.asax and all that. How would we do the same thing for a windows / WPF client application using httpclient or webclient passing in the current default credentials (current windows principal) and doing this in the latest prerelease of identityserver v3? Would this be solved by the PreAuthenticateAsync Sample (issue # 483) as well?

  12. We don’t know yet. It is on our todo list.

  13. scubaboy50 says:

    Hi,
    I’m little confused here were do I find the following configuration sections:
    ‘Removed the FAM as well as the system.identityModel configuration section’

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s