
I built my own API in .NET Core 2 and uploaded it to Azure. We are using AD Connect and I configured my App to use AAD Authentication as described here: https://learn.microsoft.com/en-us/azure/app-service/app-service-mobile-how-to-configure-active-directory-authentication

We only want to use the App from inside our company's network, where everybody is already logged in with their AD credentials. Therefore SSO should be available for us. However, I have no idea how to configure my .NET Core 2 app to make use of this. On the internet I find a lot about OpenID or OAuth 2.0, etc., but this does not help me, because we only want normal Windows Authentication.

Any ideas how I have to configure my .NET Core 2 App correctly?

I already added this service:

        // Startup.ConfigureServices; the scheme constants come from
        // Microsoft.AspNetCore.Authentication.Cookies and
        // Microsoft.AspNetCore.Authentication.OpenIdConnect.
        services.AddAuthentication(auth =>
        {
            auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            auth.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie()
        // Called without options: no Authority, ClientId or CallbackPath is set
        // for the OpenID Connect handler here.
        .AddOpenIdConnect();

and added Authentication Middleware:

        app.UseAuthentication();

It's very likely that my configuration does not work like this. Any ideas or helpful links on how I can achieve what I want?

  • Unlike the name suggests, Azure AD isn't a true AD in the sense of the one used in domain controllers or other LDAP-based systems. Azure AD is actually an OpenID provider, issuing JWT tokens. As such you can't just log in via NTLM (which doesn't mean you can't use NTLM, but then you need WebListener, iirc; it doesn't work with Kestrel). Commented Apr 26, 2018 at 12:32
  • Not just WebListener, you can host behind IIS too and get integrated authentication. Commented Apr 26, 2018 at 12:43
  • Well, I could use Weblistener. Is there a link you can post, where I can see how to configure my app? Commented Apr 26, 2018 at 12:44
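The WebListener route the comments mention, as an added example that is not code from the question or the comments. WebListener was renamed HTTP.sys in ASP.NET Core 2.x (package Microsoft.AspNetCore.Server.HttpSys). It assumes the app runs on a Windows host that is joined to the on-premises domain; Azure App Service instances are not domain-joined, so this is a way to get Windows authentication on an on-premises or IIS host, not a way to reach on-premises AD groups from App Service. The listen address and the "MG" NetBIOS domain name are placeholders.

```csharp
// Added example: integrated Windows authentication on HTTP.sys (ex-WebListener).
// Assumptions: ASP.NET Core 2.x, Microsoft.AspNetCore.Server.HttpSys referenced,
// host joined to the domain, and a URL ACL for the prefix (netsh http add urlacl)
// if the process is not elevated. "MG" and port 5000 are placeholders.
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.HttpSys;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static void Main(string[] args) => BuildWebHost(args).Run();

    public static IWebHost BuildWebHost(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            // Replaces Kestrel; the handshake is done by the kernel-mode listener.
            .UseHttpSys(options =>
            {
                // Kerberos (Negotiate) first, NTLM as fallback. Basic is deliberately
                // not enabled so no password ever travels in a header.
                options.Authentication.Schemes =
                    AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM;
                // Reject every request without a domain logon before it reaches the
                // pipeline, so no anonymous principal ever hits a controller.
                options.Authentication.AllowAnonymous = false;
                options.UrlPrefixes.Add("http://+:5000/"); // placeholder listen prefix
            })
            .UseStartup<Startup>()
            .Build();
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // HTTP.sys already authenticated the caller; registering "Windows" as the
        // default scheme tells [Authorize] which scheme to authenticate and challenge with.
        services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}

[Route("api/[controller]")]
public class WhoAmIController : Controller
{
    // HttpContext.User is a WindowsPrincipal here, so a Roles check resolves a
    // real domain group. Use the NetBIOS form DOMAIN\Group; "MG" is a placeholder.
    [HttpGet]
    [Authorize(Roles = @"MG\Domain Users")]
    public IActionResult Get() => Ok(new { user = User.Identity.Name });
}
```

With AllowAnonymous set to false, a browser on a domain-joined client that has the site in its Intranet zone completes Negotiate silently, which is the "already logged in" experience the question asks for; a client outside the domain gets a 401 from the server before any controller code runs.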

1 Answer


we only want normal Windows Authentication.

If I understand correctly, you just want to use your local AD account credentials to authenticate. If you just want this, you can use a hybrid configuration via AAD Connect. According to the linked document you posted, you're using Easy Auth to integrate your App with Azure AD. So, you don't need to add the code logic for Authentication.

how I have to configure my .NET Core 2 App correctly?

Since you're using Easy Auth, you don't need to configure authentication logic code inside your app.

Any ideas or helpful links, how I can archive, what I want?

For your scenario, it's simple to achieve this so that you can log in to the App with your local AD accounts.

  1. Integrate your on-premises AD with Azure AD via AAD Connect. Set up AAD Connect and configure it with one SSO option, e.g. Pass-through Authentication. Also, you can use ADFS for authentication; its experience is more like on-premises. This totally depends on your scenario.

  2. Sync your on-premises AD to AAD.

  3. Publish your App to Azure Web App service. Configure Easy Auth for it.

  4. Test it by logging in to the App with your on-premises accounts.

Reference:

Azure AD Connect user sign-in options

Configure your App Service app to use Azure Active Directory login

Please let me know if this helps!


4 Comments

Okay, I read a little about Easy Auth and now I did everything like you proposed. In my code I removed everything about Authentication. I even removed the "forwardWindowsAuthToken" option from my web.config. However, the controllers that are protected with Authentication like this: [Authorize(Roles = "mg.ourdomain.com\\Domain Users")] do return an error 500. Unprotected controller actions work. Configuration of Easy Auth worked perfectly and the user gets asked to allow the app permissions after trying to navigate to the controller's action method. But I still have an error 500...
Hi, @David. Have you configured a hybrid environment with AAD Connect?
Hey, I now enabled my log and I see the following error message: System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found. And now I will google what a hybrid environment actually is :-)
All our users are synced successfully to AAD Connect. Password hashes are also synced.
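How the answer's "no authentication code in the app" setup can still serve [Authorize], as an added example that is not code from the answer or the comments. With App Service Authentication (Easy Auth) enabled, the platform front end authenticates the caller and injects the result into the request as the X-MS-CLIENT-PRINCIPAL header (base64 JSON with auth_typ, claims, name_typ and role_typ); it strips any copy of that header a client sends. The app only has to turn it into a ClaimsPrincipal, and it has to register a default scheme, because an [Authorize] attribute with no scheme configured at all is exactly what raises the InvalidOperationException quoted in the comments. Two caveats a practitioner should keep in mind: this handler must only run where the platform sets those headers (locally, or with Easy Auth disabled, anyone can forge them), and Azure AD does not emit on-premises group names such as DOMAIN\Domain Users, so role checks against a synced tenant need app roles or group claims configured on the app registration. The scheme name "EasyAuth" and the controller are assumptions of this example.

```csharp
// Added example: an ASP.NET Core 2.x authentication handler that consumes the
// identity injected by Azure App Service Authentication (Easy Auth).
// Assumptions: the app runs in App Service with Easy Auth enabled, and
// Newtonsoft.Json is available (it ships in the 2.x shared framework).
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Newtonsoft.Json.Linq;

public class EasyAuthOptions : AuthenticationSchemeOptions { }

public class EasyAuthHandler : AuthenticationHandler<EasyAuthOptions>
{
    public const string SchemeName = "EasyAuth"; // assumed name, any string works

    public EasyAuthHandler(IOptionsMonitor<EasyAuthOptions> options, ILoggerFactory logger,
                           UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Trust boundary: only the App Service front end may set this header.
        // Outside App Service, or with Easy Auth disabled, it is client-controlled.
        if (!Request.Headers.TryGetValue("X-MS-CLIENT-PRINCIPAL", out var encoded))
            return Task.FromResult(AuthenticateResult.NoResult());

        JObject principal;
        try
        {
            principal = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(encoded.ToString())));
        }
        catch (Exception ex) when (ex is FormatException || ex is Newtonsoft.Json.JsonException)
        {
            return Task.FromResult(AuthenticateResult.Fail("Malformed X-MS-CLIENT-PRINCIPAL header"));
        }

        // Easy Auth tells us which claim types carry the name and the roles;
        // fall back to the standard types if the fields are missing.
        var nameType = (string)principal["name_typ"] ?? ClaimTypes.Name;
        var roleType = (string)principal["role_typ"] ?? ClaimTypes.Role;

        var claims = new List<Claim>();
        foreach (var c in principal["claims"] ?? new JArray())
        {
            var type = (string)c["typ"];
            var value = (string)c["val"];
            if (type != null && value != null)
                claims.Add(new Claim(type, value));
        }

        // auth_typ is the provider Easy Auth used ("aad" for Azure AD).
        var identity = new ClaimsIdentity(claims, (string)principal["auth_typ"] ?? SchemeName, nameType, roleType);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Passing the scheme name sets both DefaultAuthenticateScheme and
        // DefaultChallengeScheme, which is what the "No authenticationScheme was
        // specified, and there was no DefaultChallengeScheme found" error lacks.
        services.AddAuthentication(EasyAuthHandler.SchemeName)
                .AddScheme<EasyAuthOptions, EasyAuthHandler>(EasyAuthHandler.SchemeName, null);
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}

[Route("api/[controller]")]
public class WhoAmIController : Controller
{
    [HttpGet]
    [Authorize] // 401 instead of 500 when no Easy Auth identity is present
    public IActionResult Get() => Ok(new { user = User.Identity.Name });
}
```

If Easy Auth is configured to allow anonymous requests through, an unauthenticated call now gets a 401 from this handler's default challenge rather than a 500; setting the Easy Auth action to "Log in with Azure Active Directory" instead makes the front end redirect to /.auth/login/aad before the app is reached, which is the SSO behaviour the question is after once AAD Connect has synced the users.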
