One of the key features of AS is that you can combine it with arbitrary authentication methods. This allows you to layer OAuth2 and our application and authorization model over any identity management system.
Recently the question came up of which steps would be necessary to combine AS with plain Windows integrated authentication. That’s what I did:
- Downloaded the latest source code version from github
- Set up the vdir in IIS (IIS Express works as well) and enabled Windows authentication
- Set the ASP.NET authentication mode to Windows
- Removed the FAM as well as the system.identityModel configuration section
With that we have AS configured for Windows authentication and have removed the WS-Federation plumbing. The last step would be to set up the claims transformation logic to a) transform the Windows account name into the sub claim and b) set the AS administrator role if the Windows user is an AS administrator. This is done in global.asax:

```csharp
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using Thinktecture.AuthorizationServer.Interfaces; // namespace of the AS interfaces assumed

protected void Application_PostAuthenticateRequest()
{
    // Only transform once IIS/ASP.NET has actually established a Windows identity
    if (HttpContext.Current.User.Identity.IsAuthenticated &&
        HttpContext.Current.User is WindowsPrincipal)
    {
        // The administrators service lets the transformer decide whether to add the admin role
        var svc = DependencyResolver
            .Current
            .GetService<IAuthorizationServerAdministratorsService>();
        var transformer = new NameIdToSubjectClaimsTransformer(svc);

        // Map the Windows account name to the "sub" claim (plus the admin role if applicable)
        var newPrincipal = transformer.Authenticate(
            string.Empty, HttpContext.Current.User as ClaimsPrincipal);
        HttpContext.Current.User = newPrincipal;
        Thread.CurrentPrincipal = newPrincipal;

        // Persist the transformed principal in the SAM session cookie so that
        // subsequent requests use it directly instead of re-running the transformation
        var session = new SessionSecurityToken(newPrincipal);
        FederatedAuthentication
            .SessionAuthenticationModule
            .WriteSessionTokenToCookie(session);
    }
}
```
This code will transform the WindowsPrincipal into an AS principal on the first authenticated request. From that point on the SAM will use the transformed principal via the session token / cookie.
If you want to use the resource owner credential flow, you’d also need to implement a Windows-specific version of the IResourceOwnerCredentialValidation interface (and wire it up in autofac.config). I leave that as an exercise, but the general approach would be to use the Win32 LogonUser API to verify the Windows username and password (instead of the WS-Trust default implementation).
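As an added illustration of what the transformer used above has to do (this is example code, not the project’s own SubjectClaimsTransformer), here is a ClaimsAuthenticationManager that maps the Windows account name to the subject claim and adds the administrator role; the claim type "sub", the role name and the IsAdministrator method on the administrators service are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Thinktecture.AuthorizationServer.Interfaces; // namespace assumed

// Illustrative transformer: Windows account name -> "sub", plus the AS admin role.
// The original Windows group claims are deliberately not copied over: the AS principal
// only carries the claims AS needs (least privilege).
public class WindowsSubjectClaimsTransformer : ClaimsAuthenticationManager
{
    const string SubjectClaimType = "sub";                 // assumed: AS's internal subject claim type
    const string AdminRoleName = "AuthorizationServerAdministrator"; // assumed role name

    readonly IAuthorizationServerAdministratorsService _admins;

    public WindowsSubjectClaimsTransformer(IAuthorizationServerAdministratorsService admins)
    {
        if (admins == null) throw new ArgumentNullException("admins");
        _admins = admins;
    }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal;                      // anonymous requests are left untouched

        // Windows authentication yields DOMAIN\user; that full name is the unique user id
        var accountName = identity.Name;
        var claims = new List<Claim> { new Claim(SubjectClaimType, accountName) };

        // Only accounts the administrators service knows get the admin role (method name assumed)
        if (_admins.IsAdministrator(accountName))
            claims.Add(new Claim(ClaimTypes.Role, AdminRoleName));

        // A non-null authentication type makes the new identity count as authenticated
        var asIdentity = new ClaimsIdentity(claims, "Windows");
        return new ClaimsPrincipal(asIdentity);
    }
}
```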
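The LogonUser-based validator sketched above, as an added example (not code from the AS project): it assumes that IResourceOwnerCredentialValidation exposes a Validate(userName, password) method returning a ClaimsPrincipal, with null meaning invalid credentials, and it reuses the same claims transformer as global.asax so that "sub" and the admin role come out identical for both flows.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Claims;

public class WindowsResourceOwnerCredentialValidation : IResourceOwnerCredentialValidation
{
    const int LOGON32_LOGON_NETWORK = 3;      // verify credentials only, no interactive logon/profile
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    readonly ClaimsAuthenticationManager _transformer;   // the transformer global.asax uses (injected)

    public WindowsResourceOwnerCredentialValidation(ClaimsAuthenticationManager transformer)
    {
        _transformer = transformer;
    }

    public ClaimsPrincipal Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null;                          // assumed: null tells AS the credentials are invalid

        // Accept DOMAIN\user, user@domain (UPN needs a null domain) or a bare name (server's domain)
        string domain = Environment.UserDomainName, user = userName;
        var sep = userName.IndexOf('\\');
        if (sep > 0) { domain = userName.Substring(0, sep); user = userName.Substring(sep + 1); }
        else if (userName.Contains("@")) domain = null;

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Log why the logon failed (bad password, locked account, ...), never the password itself
            var reason = new Win32Exception(Marshal.GetLastWin32Error()).Message;
            Trace.TraceWarning("LogonUser failed for {0}: {1}", userName, reason);
            return null;
        }
        CloseHandle(token);                       // only the yes/no answer was needed

        // Build a Windows-style identity and run it through the same transformation as global.asax
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userName) }, "Windows");
        return _transformer.Authenticate(string.Empty, new ClaimsPrincipal(identity));
    }
}
```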
HTH
Hi Dominick,
This is in continuation of my tweet where I asked about my custom AuthenticationManager not getting called automatically when using the System.Identity.Services.SessionAuthenticationModule HttpModule in an intranet scenario (WindowsAuthentication). I am trying to transform the WindowsPrincipal to a new one so as to add more claims.
Basically, I was wondering why mine wasn’t getting called? And if that is by design, do you know what the reasoning behind that was?
Moving forward, I see that this post has a work around. What are the pluses / minuses of this vs the technique outlined in a couple of VisualStudio magazine articles (http://bit.ly/1a75Ur6 & http://bit.ly/1fqXfz2) using the PostAuthenticate? Also, why PostAuthenticateRequest and not AuthenticateRequest?
Thanks so much! Your excellent intro and asp.net pluralsight courses really put it together for me.
Best,
Jason
@techfriction
The SAM never calls the ClaimsAuthenticationManager. It’s either the FAM when using WS-Fed or you call it yourself.
That’s what I did – and I wouldn’t call it a workaround – that’s just the normal procedure.
The PostAuthenticateRequest event is guaranteed to run after the authentication stage (Windows authentication in that particular case) – that’s why I chose it.
Thanks, Dominick. Sounds like I need to learn more.
Hi,
I am working with WEB API 2 and Bearer accessTokens. It is working OK, I receive the token after authentication and I can call my protected services passing the accessToken in the Header.
My doubt is how I can protect the accessToken from tools like Fiddler or any other sniffing.
I can use HTTPS, but is there any other way to protect it from anyone trying to sniff my packages?
Thanks in advance
Well – if you can’t rely on SSL you have a much bigger problem. Fiddler is only effective because it “compromises” your local machine (with your permission of course).
That said – nothing stops you from adding additional countermeasures like MAC signatures – there is supposed to be an official spec at some point on how to do this – in the meantime something like Hawk could be applied.
Hi Dominick, Thanks for your answer.
What do you mean by MAC signatures?
I am working with Javascript, this is a web application. Can I use it ?
I am reading about Hawk right now. Thank you very much
Hi Dom,
What does it mean when it says:
ID0006: The input string parameter is either null or empty.
Parameter name: Issuer
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ArgumentException: ID0006: The input string parameter is either null or empty.
Parameter name: Issuer
I have no idea where I can provide the issuer to the parameters.
How can I combine AuthorizationServer with ASP.NET Identity?
Could you be a bit more specific? And preferably on the github issue tracker. Thanks!
hi Dominick, I’m new to this tool.
Please can you tell me where I can find the code for NameIdToSubjectClaimsTransformer? Does it implement an interface? When do I implement a transformer vs. use the built-in one?
Thanks,
Steven
It’s here:
https://github.com/thinktecture/Thinktecture.AuthorizationServer/blob/master/source/WebHost/Security/SubjectClaimsTransformer.cs
It is used to “adapt” to your identity provider. AS needs a subject claim internally – and in the transformer you can specify which external claim is the unique user identifier.
Dominick, I have a question or maybe I just have a mental block and not seeing it. If I wanted to set up with the ability to use either Windows Authentication or Membership Services Authentication what would be the steps that would need to happen? What services i.e. Identity Server / Authorization Server would be involved.
Well – that’s unfortunately not so easy. You probably want two IdPs then – one for your database users, one for Windows.
Pingback: Integrating AuthorizationServer with Auth0 | leastprivilege.com
When I include the Application_PostAuthenticateRequest() in the global.asax file it starts giving me an error for NameIdToSubjectClaimsTransformer(svc). I don’t see this class in the solution; please let me know how I get this class definition.
Hi Dominick, I would like to set up the identity server v3 – beta 3 to work with windows authentication, i.e. when I request an “id_token” by calling the authorize endpoint at idSrv using defaultcredentials (current windows user credentials) in httpclient / webclient, I want the User object in the ApiController to have the already authenticated WindowsPrincipal from the httprequest. Currently when I look at the User object in the ApiController on the IdSrv it gives me an unauthenticated ClaimsPrincipal. Could you please provide step by step instructions on how to achieve it?
We don’t have out of the box support for that. But working on it.
Thank you for the prompt response. If I wanted to implement it myself, how would I do it? Could you guide me in the right direction here at a higher level? What do I need to do to implement this? Appreciate your assistance in this regard.
Is this something that is in your road map in the near future (next couple of months) or would it be next year?
It is related to this issue: https://github.com/thinktecture/Thinktecture.IdentityServer.v3/issues/483
so – soon.
Hi Dominick,
Can you point to some sample application using this approach? I want to supply tokens against windows integrated authentication to avoid users entering credentials manually inside the network.
The blog post is the sample. Everything outside of that is just standard OAuth2.
This above blog post sample is for an ASP.NET client application using global.asax and all that. How would we do the same thing for a windows / WPF client application using httpclient or webclient passing in the current default credentials (current windows principal) and doing this in the latest prerelease of identityserver v3? Would this be solved by the PreAuthenticateAsync Sample (issue # 483) as well?
We don’t know yet. It is on our todo list.
Hi,
I’m a little confused here; where do I find the following configuration sections:
‘Removed the FAM as well as the system.identityModel configuration section’
FAM = WSFederationAuthenticationModule