Active Directory Authentication using Windows Azure Connect

  • Question

  • Hi,

    I am building a solution wherein a web application, hosted on-premise, is accessed  from within an Azure role. The web application should allow active directory credentials to be used for authentication. 

    The on-premise intranet machine where the web application is hosted and Azure role are domain joined using Windows Azure Connect.  Is it necessary to have Windows Azure Connect endpoint installed on the active directory server too?

    Please share if you have any inputs on this.

    -regards,

    Gaurav

    Monday, February 27, 2012 7:39 AM

Answers

  • Hi,

    Using ADFS is an option, but it will take quite a bit of work unless ADFS has already been set up. And since it is service-to-service communication, delegation is required.

    In your case, if all you need is to connect from Windows Azure to a local service using Windows authentication, you can use Windows Azure Connect. Yes, the domain controller needs to join the Connect group. I would suggest you check http://msdn.microsoft.com/en-us/library/windowsazure/gg433029.aspx for more information.

    Best Regards,

    Ming Xu.


    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework


    Tuesday, February 28, 2012 3:43 AM
  • Gaurav,

    Yes, you need to install the Connect endpoint agent you get from the management portal on your AD server. Once you install the Connect agent on the AD server, it will appear under the Activate Endpoints section on the Azure management portal. Then you need to add the AD server to the same Azure Connect group under the local computers section where your roles are added, and make sure you select the check box "Allow connection between endpoints in group".

    Some more checkpoints: make sure that IPv6 is enabled on the AD server. Open the firewall port outbound for TCP 433.

    The DNS server should be configured to listen on all IP addresses. You can verify this by going to DNS Manager, right-clicking on your server, choosing Properties, and opening the "Interfaces" tab.

    I recommend you create a separate Organizational Unit (OU) on the Active Directory server for your Windows Azure role instances so that they can be easily managed.

    Refer - http://blogs.msdn.com/b/windows_azure_connect_team_blog/archive/2010/12/10/domain-joining-windows-azure-roles.aspx

    Hope it helps.


    Mark As Answer if it helps you | My Blog

    Friday, March 2, 2012 12:39 PM
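The answer above lists three things to verify on the domain controller before it joins the Connect group: IPv6 enabled, the DNS server listening on every interface, and a dedicated OU for the role instances. The following PowerShell script is an added example for checking those prerequisites; it is not from the thread, the Azure Connect documentation, or the linked blog post. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later) are available on the domain controller, that the Get-DnsServerSetting object exposes the ListeningIPAddress and AllIPAddress properties, and that the OU name "AzureRoleInstances" is just a placeholder you would rename. The portal-side step (adding the server to the Connect group and ticking "Allow connection between endpoints in group") cannot be scripted and is left to the portal.

```powershell
# Added example: verify the on-premises DC prerequisites described in the thread.
# Assumes Windows Server 2012+ with the ActiveDirectory and DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-Ipv6Enabled {
    # IPv6 must be bound on at least one adapter; Azure Connect relies on it.
    $bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled }
    # DisabledComponents = 0xFF would also disable IPv6 globally even if bound.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
                            -Name DisabledComponents -ErrorAction SilentlyContinue
    $globallyDisabled = $reg -and ($reg.DisabledComponents -band 0xFF) -eq 0xFF
    return [bool]$bound -and -not $globallyDisabled
}

function Test-DnsListensOnAllAddresses {
    # Equivalent to the "Interfaces" tab showing "All IP addresses":
    # every address the server owns must appear in the listening list.
    # Assumption: ListeningIPAddress / AllIPAddress properties (Server 2012+).
    $s = Get-DnsServerSetting
    $missing = $s.AllIPAddress | Where-Object { $s.ListeningIPAddress -notcontains $_ }
    return ($missing.Count -eq 0)
}

function Get-OrCreateRoleOu {
    param(
        [string]$Name = 'AzureRoleInstances',   # placeholder name, rename as needed
        [switch]$Create
    )
    $domainDn = (Get-ADDomain).DistinguishedName
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $domainDn `
                                   -ErrorAction SilentlyContinue
    if (-not $ou -and $Create) {
        # Separate OU so the cloud-joined machines can get their own GPOs and ACLs.
        $ou = New-ADOrganizationalUnit -Name $Name -Path $domainDn `
                                       -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou
}

# Report each prerequisite; nothing is changed unless -Create is passed above.
$results = [ordered]@{
    'IPv6 enabled on DC'            = Test-Ipv6Enabled
    'DNS listening on all addresses' = Test-DnsListensOnAllAddresses
    'Role instance OU present'       = [bool](Get-OrCreateRoleOu)
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} : {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it in an elevated PowerShell session on the domain controller before installing the Connect endpoint agent; a "CHECK" next to the DNS line means at least one address is excluded on the Interfaces tab, which is the case the answer warns about. The script only reports; pass -Create to Get-OrCreateRoleOu if you want it to create the OU for you.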

All replies


  • I think in your scenario, the application hosted in Azure is trying to access an on-premises application that accepts AD credentials only. Right? In that case,

    Is Windows Azure Connect used solely for the purpose of authentication? If the answer is yes, the recommended solution is to upgrade the web sites to be claims-aware and use federated authentication using ADFS or both ACS and ADFS.




    Srini

    Monday, February 27, 2012 2:40 PM
  • Hi Srini,

    I am using Azure Connect as the solution is basically a load testing rig with the load test agent running on cloud and the app which is being load tested running within the intranet. The app accepts only AD credentials. Do I need to have the Windows Azure Connect endpoint installed on the active directory server too?

    -regards,

    Gaurav

    Monday, February 27, 2012 5:52 PM
  • Hi,

    I will mark the reply as an answer. If you find it no help, please feel free to unmark it and follow up.

    Thanks.

    Best Regards,

    Ming Xu.


    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework

    Monday, March 5, 2012 11:35 AM