Windows authentication RRS feed

  • Question

  • I've just noticed, that when creating a new service fabric web API and changing the authentication to windows, the generated template has only two changes:

    - [Authorize] attribute on the controller added 

    - launchSettings.json, under iisSettings has other values for "windowsAuthentication" and "anonymousAuthentication"

    But the service still uses kestrel, which if I've not missed something, does not support windows authentication.

    IIS setting does not have any impact on SF application, right?

    Is it a "bug" in the template, or is there a way to use windows authentication in SF service using kestrel?

    Wednesday, March 27, 2019 8:48 AM


  • Hi Sebastian. I am looking into this and will update you shortly. 
    Wednesday, March 27, 2019 9:22 PM

All replies

  • Hi Sebastian. I am looking into this and will update you shortly. 
    Wednesday, March 27, 2019 9:22 PM
  • Hi Sebastian. I dug into this offline with our product team and here is what we found. I will just include some of the main bullet points: 

    - The SF web templates don’t support changing authentication to anything except “No Authentication”. In fact, we are working with the ASP.NET team to disable the “Change Authentication” option on the New ASP.NET dialog. Users need to make the required changes manually if they want to use different auth.
    - launchSettings.json is only applicable to Visual Studio’s.
    - It appears within Visual Studio’s there is a UI workflow to “generated template” when configuring “windows security” Which doesn’t sounds like it would be intended to help to “Secure a standalone cluster on Windows by using Windows security”

    - Maybe try to “Run a service as a group Managed Service Account”
    - SF doesn’t know anything about what IIS is hosting, but using a Windows Containers to host your application on IIS within the container, would allow SF to be aware of the container which is hosting IIS.
    - You can use windows GMSA to secure a standalone clusters, and to run your service as GMSA.
    - My assumption is the SF hosting service is what would allow Windows Auth to work as a Guest.exe, Reliable Service|Actor, or within a container; although Kestrel doesn’t support it directly 

    Monday, April 1, 2019 3:14 PM
  • My question was not about securing the cluster, it was about securing web api calls to asp.net core service hosted on SF.

    But the part about "SF web template not supporting changing authentications" answers my question, thanks.

    Wednesday, April 3, 2019 8:47 AM