How-To: AD auth on Linux w/ Apache/Nginx reverse proxy RRS feed

  • Question

  • User-648201923 posted

    I've been trying to figure out if it's possible to use AD for auth in an app served from a linux host.

    So far I've found these documents that might get me part way there.

    Host ASP.NET Core on Linux

    Securing Apache HTTPD with Microsoft Active Directory


    What I have in my lab setup is a ubuntu box running samba configured as an ADDC, and another which I want to host my app on that is a member of the domain.

    I have my development machine a member of the domain as well, and I can log in to computers in the domain with the same account.

    I'm not an expert in any of this stuff, I'm just learning, so please excuse me if I get terminology or concepts wrong.

    Is there any middleware that would work with such a setup? Stuff to use in Starup.cs which would work with Apache/Nginx as a reverse proxy configured to auth with ldap?

    Would it be possible to do single sign on with kerberos/ntlm somehow? I'd imagine that might have more to do with the browser/host though. I'd like to use the credentials from the computer running the web browser to authenticate into the web app without needing to enter a password. Idk if that's at all possible, but if it is, any direction I should look for how to set this up in an environment using both Windows and Linux hosts?



    I found this document Configure Windows Authentication in ASP.NET Core # Kestrel

    But it says: "Credentials can be persisted across requests on a connection. Negotiate authentication must not be used with proxies unless the proxy maintains a 1:1 connection affinity (a persistent connection) with Kestrel."

    Further it says: "Once the Linux or macOS machine is joined to the domain, additional steps are required to provide a keytab file with the SPNs"

    This post FireFox, Windows Security and Kestrel on ASP.NET Core, seems to provide some more insight into this.

    I think at this point, I'll have to either figure out:

    1) If I can configure either apache or nginx to " maintains a 1:1 connection affinity (a persistent connection) with Kestrel.", how to not use a proxy, not use negotiate, or if "An alternative to Windows Authentication in environments where proxies and load balancers are used is Active Directory Federated Services (ADFS) with OpenID Connect (OIDC)." is an option.

    2) Since the ubuntu box I want to serve an asp.net core app from is already a member of the domain, I'll have to make sure I have the keytab file set up correctly.

    Looks like I need to start experimenting with this stuff so I can learn more. Any input on if I'm on the right track here, or redirects to guides from people who have already gone through this, would be much appreciated.



    Friday, March 13, 2020 4:06 PM


  • User-474980206 posted

    typically when authentication is done by the reverse proxy (say in your example), the user credentials are passed to app via a  x-forward headers. you'd configure this with add module to the proxy that supports ad auth.

    as windows authentication  (kerberos on linux) requires a persistent connection for the out of band communication (also note http/2 is not supported), it must be done by the reverse proxy. also be sure kerberos is setup and working on your windows domain.

    the AspNetCore module in iis passes the windows token to the asp.net core app, and the middleware extracts this token. but as window tokens are only supported on windows, this only works when hosted on windows. you will need to write you own middleware, but its simple. just harvest the forward header value and create a principal. see any example of creating a custom principal.

    because windows authentication will not work with http/2, you might find it time to switch to oauth provider that supports AD. if your ad is an internal, then look at the identity server 4.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, March 13, 2020 4:38 PM