Active Directory Authentication in Azure

  • Question

  • Hi,

    I am a newbie in Azure. I have an application where I want to authenticate users from Active Directory (located on-premises). My application is hosted in the cloud.

    Can anyone help me by sharing some code or tutorial links so that I am able to use it? Basically the idea of using ACS for authentication is not quite clear, so I need your help people...

    Thanks in advance..


    • Moved by DanielOdievich Tuesday, September 28, 2010 9:09 PM forum migration (From:Windows Azure)
    Tuesday, June 22, 2010 6:50 AM

Answers

All replies

  • The Windows Azure Platform Training Kit has a hands-on-lab on "Federated Authentication in a Windows Azure Web Role Application."
    Tuesday, June 22, 2010 7:12 AM
  • Hi Neil, thanks for replying.

    Correct me if I am wrong, but I asked for something by which I can authenticate and also get information from the Active Directory, like the user groups, OUs etc.

    Can you please tell me how this can be achieved? Will I be able to extract this information by using the Service Bus?


    Thanks in advance...

    Tuesday, June 22, 2010 10:36 AM
  • Hi Rahul,

    The basic concept behind federated authentication is that your application does not have to worry about implementing authentication, and the user will not have to worry about a new login for each service he/she uses. In addition, the security design goal is that a service is not reading through a complete directory, but rather gets a simple "yes, this is really John Doe" answer from the ADFS.

    If you need further "claims" from the Active Directory, this can be achieved through claims-based security, also supported by ADFS. Meaning, with a user coming to your service, you will get the "yes" and i.e. the business role of the user.

    It seems that you want to do more than that here and try to gather information from the AD. So perhaps a good approach would be:

    1) Service Bus (as you mentioned), pushing on-demand information needs to an on-premises service.

    2) An on-premises service that can talk to AD, cache information and whatever is appropriate in your scenario.

    3) A service endpoint in the cloud that serves as a sync service to the on-premises client, if you need to do more than real-time chunk-by-chunk exchange between your cloud app and the AD.

    Does that help you qualify an approach?


    Kind regards,
    Markus

    • Edited by MarkusEilers Tuesday, June 22, 2010 11:19 AM clarity
    Tuesday, June 22, 2010 11:18 AM
  • Hi Markus

    Thanks for your reply. Your approach is a fairly good one; I was thinking in the same direction, but my main concern is the 3rd point that you suggested.

    This is my main concern: I am not able to understand how exactly I can build a service which can play 2 roles:

    a) sending user credentials to the on-premises service for authentication, and

    b) retrieving data from the on-premises service back to the cloud application.

    Can this be done from one single service in the cloud, or do I need to build 2 separate cloud services, one for sending data to the on-premises service and one for receiving data from it? Please clarify and also share some samples if you can.

    Thanks

    Tuesday, June 22, 2010 12:10 PM
  • Hi Rahul,

    I'm also trying to develop a small app that authenticates users from an on-premises Active Directory. Once the user is validated, I then need to retrieve some data from the on-premises database using some service endpoints. If you are done with your app, can you please share some samples?

    Thanks in advance!

    -VR

    PS: Thanks Markus for the info. I will explore using federated authentication.

    Thursday, September 16, 2010 7:08 PM
  • Hi Venkat,

    What I did was to deploy a web service in the on-premises Active Directory and use the Azure Service Bus to call that web service. Once I was able to connect, I returned the data from the Active Directory successfully. Not a good approach, but it works for the time being.

    Meanwhile I have shifted my focus to working with ADFS now. So if I progress on that, I will let you know.

    Thanks

    Wednesday, September 22, 2010 5:43 AM
  • Hello Rahul,

    How is your ADFS investigation progressing? Are you finding it adequate to your challenge? Do you need any help?

    Thank you,

    D


    Daniel Odievich | Windows Azure platform Security Evangelist, US BMO/DPE
    Friday, October 1, 2010 10:45 PM
  • Hi Daniel,

    My ADFS progress was good but I got stuck at the ADFS proxy.

    The scenario is like this: I have an ADFS server which also has Active Directory installed on it. I want this server to be disconnected from the Internet, so that it is not accessible. Next, I used an ADFS proxy server which will communicate with the ADFS server to authenticate the user.

    Now my problem is that the federation metadata XML points to the ADFS server. Hence when the user is redirected from the ACS to get authenticated, it gets redirected to the ADFS server (because of the fed XML), and since the ADFS server is not online, I get an error: page not found. So basically I need some kind of federation metadata which points to the proxy server.

    How can I achieve that? Can you help me with that?

    Thanks a lot.

    Monday, October 4, 2010 5:08 AM
  • Hello Rahul,

    I am a bit confused. Are you saying that you have a domain controller that you hid from the Internet behind a firewall of some sort, and then you have an ADFS proxy machine in the perimeter network? Yes, if you are pointing federation metadata at the domain controller, it certainly won't be available, since the proxy server is the one that's exposed, not the DC.

    I think you will need to have the ADFS federation server installed on the DC, and the ADFS proxy installed in the perimeter network, connected to the ADFS federation server.

    Have you reviewed these items for the theory:

    Provide Users in Another Organization Access to Your Claims-Aware Applications and Services http://technet.microsoft.com/en-us/library/dd807099(WS.10).aspx
    Checklist: Implementing a Federated Web SSO Design http://technet.microsoft.com/en-us/library/adfs2-checklist-implementing-a-federated-web-sso-design(WS.10).aspx, specifically
    Checklist: Setting Up a Federation Server http://technet.microsoft.com/en-us/library/dd807086(WS.10).aspx and
    Checklist: Setting Up a Federation Server Proxy http://technet.microsoft.com/en-us/library/dd807100(WS.10).aspx

    I think you may find these MSDN Magazine overviews helpful:
    http://msdn.microsoft.com/en-us/magazine/cc163520.aspx#S9 - explains the purpose of the Federation Proxy in simpler-than-TechNet terms

    Daniel Odievich | Windows Azure platform Security Evangelist, US BMO/DPE
    • Edited by DanielOdievich Monday, October 4, 2010 5:26 PM minor edits for clarity
    • Marked as answer by DanielOdievich Wednesday, December 22, 2010 2:50 AM
    Monday, October 4, 2010 5:24 PM
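A way to check for the condition Rahul describes above (federation metadata whose browser-facing endpoints point at the internal federation server instead of the name external clients can reach through the proxy), as an added example that is not code from this thread; the metadata document is a constructed, trimmed sample and `adfs-internal.example.local` / `sts.example.com` are placeholder names.

```python
"""List the hosts a WS-Federation / SAML federation metadata document redirects
clients to, and flag those that differ from the publicly reachable name.
Added illustration, not code from the thread; sample data is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed sample (placeholder host names): the passive endpoints still
# name the internal federation server, which is the symptom in the thread.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs-internal.example.local/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://adfs-internal.example.local/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs-internal.example.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def endpoint_urls(metadata_xml):
    """Every browser-facing endpoint URL advertised in the metadata:
    WS-Federation passive endpoints (wsa:Address) and SAML SSO locations."""
    root = ET.fromstring(metadata_xml)
    urls = [a.text.strip() for a in root.iterfind(".//wsa:Address", NS) if a.text]
    urls += [s.get("Location") for s in root.iterfind(".//md:SingleSignOnService", NS)]
    return urls


def unreachable_endpoints(metadata_xml, public_host):
    """URLs whose host is not the name internet clients can reach (the proxy's
    public name); a redirect to any of these fails exactly as described."""
    return [u for u in endpoint_urls(metadata_xml)
            if urlparse(u).hostname != public_host.lower()]
```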