Azure AD Authentication & Legacy ASP.NET 3.5 Web Forms Applications

  • Question

  • User-2120644463 posted

    Hello,

    We are in the process of moving various infrastructure to Azure and are looking to properly weigh our options when it comes to some of our legacy .NET 3.5 Web Forms applications. We are hesitant to upgrade them considering the strong possibility of breaking changes (at the very least, Oracle-related issues). The applications use Forms Authentication and store the post-authentication cookie via FormsAuthentication.SetAuthCookie(). The authentication occurs either through LDAP or CAS.

    What I am wondering is whether or not it is possible to have a newer application that performs authentication through Azure AD and then writes a post-authentication cookie for the legacy applications to work with. With Azure AD using newer protocols I am unsure if the legacy applications will be able to understand the end result of the Azure AD authentication. The newer application would theoretically perform the authentication and would also be responsible for retrieving AD groups, which the older applications would then use for authorization.

    Does this sound like a feasible option, or is it simply not possible?  Any insight is welcome.

    There is a similar question referenced below so I do apologize if this question seems redundant.  The referenced question did not contain some details that this question has so I thought it would be best to post my own.

    Integration owin identity project with other mvc project in same solution
    https://forums.asp.net/t/2151203.aspx?Integration+owin+identity+project+with+other+mvc+project+in+same+solution

    Thanks

    Friday, January 18, 2019 9:05 PM

All replies

  • User1724605321 posted

    Hi DanielAnderson,

    In general, you need SSO in that both apps have an active AAD cookie set in the user's browser for the login.microsoftonline.com domain. I haven't tested your scenario, but I would suggest you use one authentication server (AAD) and it will automatically implement SSO with Owin support.

    Best Regards,

    Nan Yu

    Monday, January 21, 2019 5:39 AM
  • User-2120644463 posted

    Nan Yu,

    I should clarify - we also want to avoid extensive hand-written authentication code as that may be just as problematic and time consuming as upgrading from 3.5.  Given that .NET 3.5 doesn't have native OWIN support, this gives me the impression that we would either need a separate and newer application to perform the authentication using built-in libraries or we would have to effectively upgrade the applications.

    Hypothetically one could create the authentication code necessary for the legacy applications to work with Azure AD directly.  However, if that is the only viable option, it would be better to upgrade the applications and use existing .NET libraries to facilitate the Azure AD authentication.  We're trying to avoid both upgrading and extensive coding if at all possible, hence the question.

    Thanks

    Tuesday, January 22, 2019 7:29 PM
  • User1724605321 posted

    Hi DanielAnderson,

    If you can't use Owin, you need to handle the redirect yourself. Please refer to the document below for the code flow:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

    Generally, you can follow these steps:

    1. Redirect the user to the AAD authorize endpoint to let the user enter their credentials.
    2. After AAD redirects back to your application via the redirect URL, you need to get the code from the URL.
    3. Use the code to acquire an access token by sending the code to the AAD token endpoint.

    Best Regards,

    Nan Yu

    Wednesday, January 23, 2019 1:59 AM
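The three steps Nan Yu lists, written out as an added example that is not code from the thread or from Microsoft. It is restricted to APIs available on .NET 3.5 (HttpWebRequest, HttpUtility, JavaScriptSerializer from System.Web.Extensions, FormsAuthentication), so it could sit in a Web Forms callback page. The tenant, client id, client secret, redirect URI, resource value and the AadCallback.aspx page name are placeholders; the "state" round trip through Session is an assumption about how the legacy app tracks the login, added so the callback can be tied to the session that started it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Script.Serialization; // System.Web.Extensions (3.5 SP1)
using System.Web.Security;

// Shape of the JSON the v1 token endpoint returns; only the fields used here.
public class TokenResponse
{
    public string access_token;
    public string id_token;
    public string expires_in;
    public string token_type;
}

public static class AadCodeFlow
{
    // Placeholders: take these from the app registration and keep the secret in config.
    const string Tenant = "YOUR_TENANT_ID";
    const string ClientId = "YOUR_CLIENT_ID";
    const string ClientSecret = "YOUR_CLIENT_SECRET";
    const string RedirectUri = "https://legacy.example.com/AadCallback.aspx";
    const string Resource = "https://graph.windows.net"; // v1 "resource" parameter

    static string AuthorizeEndpoint { get { return "https://login.microsoftonline.com/" + Tenant + "/oauth2/authorize"; } }
    static string TokenEndpoint { get { return "https://login.microsoftonline.com/" + Tenant + "/oauth2/token"; } }

    // Step 1: send the browser to AAD. The random state is remembered server-side so a
    // callback that does not carry it back (e.g. a forged or replayed redirect) is rejected.
    public static void BeginLogin(HttpContext ctx)
    {
        string state = Guid.NewGuid().ToString("N");
        ctx.Session["aad_state"] = state;
        string url = AuthorizeEndpoint
            + "?client_id=" + HttpUtility.UrlEncode(ClientId)
            + "&response_type=code"
            + "&redirect_uri=" + HttpUtility.UrlEncode(RedirectUri)
            + "&response_mode=query"
            + "&resource=" + HttpUtility.UrlEncode(Resource)
            + "&state=" + state;
        ctx.Response.Redirect(url, true);
    }

    // Steps 2 and 3: on AadCallback.aspx read ?code= and ?state=, check the state,
    // then exchange the code at the token endpoint over the server-side channel.
    // Returns null when the login must not be accepted.
    public static TokenResponse CompleteLogin(HttpContext ctx)
    {
        string code = ctx.Request.QueryString["code"];
        string state = ctx.Request.QueryString["state"];
        string expected = ctx.Session["aad_state"] as string;
        ctx.Session.Remove("aad_state"); // single use
        if (string.IsNullOrEmpty(code) || expected == null || state != expected)
            return null;

        var form = new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "client_id", ClientId },
            { "client_secret", ClientSecret },
            { "code", code },
            { "redirect_uri", RedirectUri },
            { "resource", Resource },
        };
        string json;
        try { json = PostForm(TokenEndpoint, form); }
        catch (WebException) { return null; } // 400 from AAD = invalid/expired code
        var token = new JavaScriptSerializer().Deserialize<TokenResponse>(json);
        return string.IsNullOrEmpty(token.id_token) ? null : token;
    }

    // After CompleteLogin succeeds and the id_token has been validated (signature against the
    // tenant's signing keys, iss, aud, exp), the legacy-style cookie is issued as before.
    public static void IssueFormsCookie(string validatedUserName)
    {
        FormsAuthentication.SetAuthCookie(validatedUserName, false);
    }

    static string PostForm(string url, Dictionary<string, string> fields)
    {
        var sb = new StringBuilder();
        foreach (var kv in fields)
        {
            if (sb.Length > 0) sb.Append('&');
            sb.Append(HttpUtility.UrlEncode(kv.Key)).Append('=').Append(HttpUtility.UrlEncode(kv.Value));
        }
        byte[] body = Encoding.UTF8.GetBytes(sb.ToString());
        // login.microsoftonline.com requires TLS 1.2; a stock 3.5 runtime only offers SSL3/TLS1.0,
        // so this cast only works on a runtime patched for TLS 1.2 support.
        ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
        var req = (HttpWebRequest)WebRequest.Create(url);
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";
        req.ContentLength = body.Length;
        using (Stream s = req.GetRequestStream()) s.Write(body, 0, body.Length);
        using (var resp = (HttpWebResponse)req.GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
            return reader.ReadToEnd();
    }
}
```

The part this sketch deliberately leaves out is the one that makes the hand-written route expensive on 3.5: the id_token must be validated against the tenant's published signing keys before its claims are used to call SetAuthCookie, and there is no built-in JWT validator in that framework version, so that check would also be hand-written. The state check and the server-side code exchange are the two pieces that keep a forged or replayed callback from minting a forms-auth cookie.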