
Windows Integrated Authentication with Mono

I am trying to develop an MVC application on Mono which requires Windows integrated authentication (using Active Directory). When an LDAP user tries to access the website, it should not ask for the username and password again. Is this possible? When we set "Windows" authentication instead of "Form" in Web.config, I believe IIS takes care of the authentication on Windows. This did not work with Mono + Nginx, of course. Any help is appreciated, thanks.

You are right, this will not work the way you expect, since that particular Web.config setting is handled by IIS on Windows.

I will describe two alternatives.

1- Apache mod_auth_kerb

You can put your application behind an Apache proxy that uses mod_auth_kerb. The setup is very complicated the first time. You have to generate a keytab file with a service account from a Windows machine joined to the domain and then copy it to the Linux machine.

This is an example configuration:

## Reverse proxy to your backend (Apache does not accept comments on the same line as a directive,
## so the backend notes are on their own lines)
ProxyPass        / http://localhost:9005/
ProxyPassReverse / http://localhost:9005/
ProxyPreserveHost On

## Rewrite rules
## LA-U looks ahead to the value REMOTE_USER will have after authentication
## (the auth phase runs after the rewrite phase) and stores it in the RU env var
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]

## Request header rules
## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader
## "set" overwrites any X-Forwarded-User header the client sent itself
RequestHeader set X-Forwarded-User %{RU}e

<Location />
   AuthName "Kerberos Login"
   AuthType Kerberos
   Krb5Keytab /path/to/your/keytab/HTTP.keytab
   KrbAuthRealm DOMAIN.LOC
   KrbMethodNegotiate on
   KrbSaveCredentials off
   # "off" disables verifying tickets against the local keytab (the KDC-spoofing guard);
   # mod_auth_kerb documents this setting as intended for testing only
   KrbVerifyKDC off
   KrbServiceName HTTP/YOURAPP.AD2008R2.LOC
   Require valid-user
</Location>

This will proxy to your application and it will just append an extra header, X-Forwarded-User, with the username.

Then, if you need the full profile, you will have to query Active Directory using .NET classes.

2- using an authentication broker

There are a few authentication brokers that support this scenario and abstract you from the configuration.

Disclaimer: I work for Auth0

The setup with Auth0 is: your application sees Auth0 as an OAuth identity provider, and on Auth0 you configure the connection to AD. The AD setup requires deploying an MSI to a server joined to the domain.
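The backend half of alternative 1, as an added example that is not part of the answer above: a small ASP.NET HttpModule for the Mono application that turns the X-Forwarded-User header set by the Apache/mod_auth_kerb proxy into the request principal, and refuses to trust that header when the request did not come from the proxy. It assumes (the answer does not state this) that the backend listens only on the loopback interface, so the only peer that can reach it is the proxy on the same host, that mod_auth_kerb delivers REMOTE_USER as user@REALM (its default when KrbLocalUserMapping is not enabled), and that the module is registered under system.web/httpModules in Web.config. The class names, the registration name and the 403 response are illustrative choices, not anything from the answer.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

// Added example, not from the original answer. Consumes the X-Forwarded-User header
// that the Apache/mod_auth_kerb reverse proxy sets, but only when the request really
// arrived from that proxy. Assumptions: the backend is bound to 127.0.0.1 (the answer
// proxies to http://localhost:9005/), and mod_auth_kerb sends REMOTE_USER as
// "user@REALM" (its default without KrbLocalUserMapping).
//
// Registration in Web.config (hypothetical module name):
//   <system.web>
//     <httpModules>
//       <add name="ForwardedUser" type="ForwardedUserModule" />
//     </httpModules>
//   </system.web>
public sealed class ForwardedIdentity : GenericIdentity
{
    // Kerberos realm of the authenticated principal, e.g. "DOMAIN.LOC"
    public string Realm { get; private set; }

    public ForwardedIdentity(string name, string realm) : base(name, "Kerberos")
    {
        Realm = realm;
    }
}

public sealed class ForwardedUserModule : IHttpModule
{
    public const string HeaderName = "X-Forwarded-User";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose()
    {
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;

        IPrincipal user = FromForwardedHeader(req.Headers[HeaderName], req.UserHostAddress);
        if (user == null)
        {
            // Header missing, or the request bypassed the proxy: fail closed instead of
            // continuing the pipeline as an anonymous user.
            app.Context.Response.StatusCode = 403;
            app.CompleteRequest();
            return;
        }

        app.Context.User = user;
    }

    // The trust decision, kept free of HttpContext so it can be unit-tested.
    // Returns null whenever the header must not be believed.
    public static IPrincipal FromForwardedHeader(string headerValue, string remoteAddr)
    {
        // Only the reverse proxy on this host may assert identities; any other peer
        // could simply send its own X-Forwarded-User header.
        IPAddress peer;
        if (remoteAddr == null || !IPAddress.TryParse(remoteAddr, out peer) || !IPAddress.IsLoopback(peer))
            return null;

        if (string.IsNullOrWhiteSpace(headerValue))
            return null;

        // mod_auth_kerb form: "jdoe@DOMAIN.LOC" -> name "jdoe", realm "DOMAIN.LOC"
        string principal = headerValue.Trim();
        int at = principal.IndexOf('@');
        string name = at < 0 ? principal : principal.Substring(0, at);
        string realm = at < 0 ? string.Empty : principal.Substring(at + 1);
        if (name.Length == 0)
            return null;

        // The proxy carries no group information; roles stay empty until the
        // application looks the user up in Active Directory itself.
        return new GenericPrincipal(new ForwardedIdentity(name, realm), new string[0]);
    }
}
```

With the module in place, [Authorize] on the MVC controllers works as usual, because a GenericIdentity with a non-empty name reports IsAuthenticated as true, and the identity's Name and Realm are what you hand to System.DirectoryServices when the answer says to query Active Directory for the full profile. The loopback check is the part that matters for security: the Apache config's "RequestHeader set" overwrites any X-Forwarded-User a browser sends, but that only helps if every request passes through Apache, so the backend must not be reachable from other hosts, and the module rejects any request whose peer is not the local proxy.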

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question, please contact: yoyou2525@163.com.
