Windows Authentication from a different domain
-
Tuesday, March 13, 2012 08:48
I have a Website running in our domain which has Windows Authentication enabled. I want this website open to public via Azure and still authenticate users based on their Windows credentials.
I am considering 2 options.
1. Host the Website on Azure and follow AD FS techniques to achieve Windows Authentication
2. Do not host the Website on Azure, but map (or domain alias) to a server (which has the Website) in our domain which is open to public.
I need your advice on this, guys. Which is better? Can I achieve Windows Authentication if I go with option 2? How would option 1 be implemented?
Thanks much in advance
All Replies
-
Tuesday, March 13, 2012 09:48
Hello.
Check these links:
http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx
-
Tuesday, March 13, 2012 10:35
That helps Alexander. Thanks.
And what about option 2 - Not hosting the website on Azure but map to a server hosting the website on domain. Will this still qualify for enabling Windows Authentication?
-
Tuesday, March 13, 2012 12:50
Hi prudhvi,
I would go for a third option. Have the application run in Azure and use the Windows Azure AppFabric Access Control Service (ACS) to externalize the authentication part. That way, your application doesn't need to know where the authenticated users come from (Windows Live, GMail, ADFS, ...).
There are plenty of resources and examples on how you can integrate ACS with ADFS (and other identity providers) with your Azure application:
- http://acs.codeplex.com/wikipage?title=ACS%20Content%20Map
- http://claimsid.codeplex.com/releases/view/67606
If you go for option 2, you'll just go back to the 'prehistoric' setup where you have the server in your domain. Because this means you'll need to provide for the licenses, the hardware, the high availability, maintenance, ...
Sandrino
Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog
- Proposed as answer by Sandrino Di Mattia Wednesday, March 14, 2012 09:44
- Marked as answer by Arwind - MSFTModerator Wednesday, March 21, 2012 10:40
-
Tuesday, March 13, 2012 15:11
Yes, it will be ok. But I agree with Sandrino about option 3, I think you should think about it.
-
Wednesday, March 14, 2012 04:52
Thanks Sandrino, that helps.
I will go ahead with the third option and will post again how the implementation went. Hopefully with a detailed step-by-step guide that can help the community.
Thanks much people.
-
Wednesday, March 14, 2012 05:00
Sandrino,
I agree with your comments on option 2. If all the catches - licenses, hardware and maintenance are achieved and taken care of, will it qualify for enabling Windows Authentication?
Thanks
-
Wednesday, March 14, 2012 06:41
Yes, if the server has a connection with your domain (i.e., if the server is in the domain, if the server can access the domain controller through VPN, ...)
Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog