WSFederation or Active Directory Federation Services (ADFS) based authentication is a very common scenario in today’s enterprise applications. It helps in providing a consistent login experience to users irrespective of the services they are consuming. This article provides steps required to perform the following operations:
- Azure Virtual Network (VNET) configuration
- Azure Virtual Machine (VM) provisioning
- Active Directory configuration on Azure VM
- Active Directory Federation Services (ADFS) configuration in Azure VM
Important Points to Note:
This article forms a basis for a series of articles that will highlight the following important scenarios –
1. Implementing ADFS (or WSFederation) based authentication in ASP.NET MVC based application using Windows Identity Foundation (WIF or in Developer language – specifically using System.Identity.dll)
2. Using ADFS in an ASP.NET MVC application (Published)
3. Implementing Multiple ADFS (or WSFederation) based authentication in ASP.NET MVC based application using Microsoft OWIN KATANA (Published)
4. Hosting multiple ASP.NET MVC ADFS projects to Azure WebApps (formerly Azure websites) and Azure cloud Services (web role).
5. Making life simpler – Multiple WSFederation (or ADFS) authentication in ASP.NET MVC application using 3rd Party (Paid) Identity Server Provider Auth0
The entire article explains a step by step process of configuring ADFS on Azure VM. This typically involves the following steps to be carried out from the Azure Management Portal –
- Provision Azure Virtual Network and configure DNS server settings
- Provision Azure Storage, cloud service
- Provision Azure VM
Once the VM provisioning is done, the following steps need to be carried out inside the VM –
- Configure IIS
- Configure Active Directory domain Services
- Configure Active Directory Federation Services
So let’s get started right away.
Applicable Technology Stack
1. Windows Server 2012 R2 DataCenter
2. ADFS 3.0
4. Microsoft Azure subscription. Free trial is available here.
5. Self-Signed SSL Certificates
Important terminologies for Identity Management
Let’s take a step back and understand some important terminologies w.r.t identity management.
What is Federation and Federated Identity
The dictionary meaning of federation stands for To Unite. This is exactly what we do in our implementation. We unite the identity of user or in other words I can say we federate identity. When we federate Identity of a user, then it is also called as FEDERATED Identity. I am specifically explaining these terms because they are used so interchangeably that it confuses a lot of developers.
Now the question is what exactly do we mean by uniting or federating the identity and how do we do it?
To understand federated identity process, one should know what are Identity Providers.
What are Identity Providers and what do they do?
Websites on the internet are growing exponentially. These websites provide different services to users. For example, Gmail provides you mail services, Wikipedia provides knowledge services, Amazon and EBay provides online shopping services and so on. We can call these websites as Service Providers. Most of the time, if you wish to avail services from these service providers, then you need to be an authenticated or valid user of their website. So typically you register on websites with your personal details and are in-turn provided with a username and password using which you can login to these websites and can avail their services and this is where the problem lies.
Users have to keep a track of credentials related to each web site and it is very difficult for any human to remember all these credentials. This is the problem from an end user front, however from an organization or website owner’s perspective, they too have to maintain a huge database of user credentials, roles, authorization; which if you see is a cumbersome job and deviates them from the main objective of providing services to users.
Identity Providers help in such situations.
An Identity provider is an organization where users can have their account and can login to gain access to online service. Identity providers provide a security token that can be used to identify who the user is. The token issued by Identity Providers (IdP) are also known as Secure Token Service (STS). Example of identity providers are Gmail, Yahoo, Twitter, Microsoft and other similar social websites. Different service providers makes these Identity Providers logins available on their websites, so that users don’t have to sign up for each and every website and can use existing social login credentials to avail services from different websites.
Now these social sites are publically accessible and the private organizations cannot use them to provide access to corporate services within an organization. So it is important that corporates must use their own identity providing services to serve corporate employees.
This is where Directory Services come into picture.
What are Directory Services, Active Directory and Domain controller
A directory service is a mapping between names and values. If you see a word dictionary like Oxford, then for each word, you will find many different meanings and definitions. Similarly directory services in software systems map various network resources by name and its multiple values. So directory service is a naming service and it maps the names of network resources to their respective physical address. This frees user from remembering those physical addresses and instead use user friendly names that can locate that resource in a network. Therefore many vendors or companies have developed directory services based on a common standard. One of the popular directory services and one that is still used today is DNS (Domain Name System).
Domain Name System is a directory service developed for mapping names to resources in a network over Internet. So DNS is directory service used primarily for Internet.
But internet is public and cannot be used within an organization specific network. So what is needed here is to define directory service for an organization private network. This need is what gave birth to Active Directory (AD). Active Directory is a Directory Service from Microsoft for the Windows domain.
Windows domain is a form of computer network in which all user accounts, computers, printers, security principles are stored in a central database which might be present on one or more computers called as Domain Controller. This domain controller also responds to authentication requests and validates user credentials against database of directory service.
Now an organization may have many web applications within corporate network running on- premise to serve corporate users and their needs. Our wish is to provide a consistent login experience to all corporate users so that they can use their Active Directory credentials to login to payroll websites, salary website, Time and Expense websites, Leave management system, travel booking system or other business specific websites and so on. Therefore we will need to federate (or unite) the Active directory identity of the user and make all applications aware that user with AD (active Directory) credentials is a valid user and provide the user access based on his/her role or authorization. This process is commonly known as Single Sign-On (SSO).
With this background, let’s get back to federated identity.
What is WSFederation?
WSFederation is a specification developed by various leading companies and it defines how trusts should be established and how the information can be shared across domains. Specification in simple words can be thought of as an Interface. If we have an interface then we can create as many different implementation we want, similarly WSFederation specification is implemented by many organization. Microsoft has developed a software component that implements WSFederation specification called as Active Directory Federation Services (ADFS). So ADFS does the federation (or unification) of identity and Active Directory Domain Services (ADDS) hosted on Active Directory domain controller (ADDC) which does the required authentication of the user and issues token containing claims (means user information).
Probably that was a little too much of basics but I wanted to have you to have a basic background of Identity Federation. Understanding of these concepts makes any implementation easier. Now as part of this article we will configure ADFS on Azure virtual Machine.
To make this big exercise interesting I am going to use a fictitious example. Let’s say there is a company working in space travel domain in India called as Antariksh.com and they would like to configure the Active Directory and ADFS of their organization into Azure VM. Let’s get started.
Azure Services Provisioning
The following sections introduces the provisioning steps for Azure resources such as cloud service, storage, virtual network and Azure VM. If you do not have an account on Azure, get a free trial here.
Create Azure Cloud Service
Cloud service is mandatory to host/ create Azure virtual machine. Open Azure Management portal. Click on New > Compute > Cloud Services > Custom Create. Specify the name of the cloud service as antariksh. The final cloud service url would look similar to antariksh.cloudapp.net. Here’s a series of screenshots to depict this action –
Create Storage Account
Storage account is mandatory and required to store the backend VHD of virtual machine. To create a storage account, click on New > Data Services > Storage > Quick Create. Provide the name of storage as Antarikshstorage and create it. Refer to the following screenshot for other values –
After creation, the storage account will appear as shown here –
Define Azure Virtual Network (VNET)
This is the most important step. We will create VNET in Azure and register the virtual machine as DNS server. If you need to run Active Directory in Azure, then VNET is necessary.
Click on New > Network Service > Virtual Network > Custom Create.
Specify the name as Antarikshvnet and region as SouthEast Asia.
On “DNS Server and VPN connectivity” tab specify the name of DNS server as Antariksh DNS and IP address as 10.0.0.4. Keep the other options untouched.
The virtual network address space we will be specifying in this step will start from 10.0.0.0. As per the calculation of CIDR notations, the first 3 IP address are reserved so the 4th IP address will be assigned to the first VM provisioned under this VNET. Now in my case, my first VM is going to host Active Directory for company Antariksh and I am not going to add any new VM’s in the same VNET; therefore I can safely mark the address 10.0.0.4 as DNS server address before even provisioning it.
On the “Address Space” tab, change the default CIDR notation and make host identifier as 24. Also add one subnet for DNS and configure the address scheme as shown here:
Provision Azure Virtual Machine
Now we will provision the virtual machine in Azure and add it to the VNET subnet we just created in the step above.
Click on New > Compute > Virtual Machine > From Gallery.
The VM wizard will open. What you see on the screen displays the prebuild images available in Azure platform. Out of the available images, let’s select the highlighted image as shown below and click the Next arrow.
On the Virtual Machine Configuration page, the drop down shows the versions of OS available for our selected image family and it is sorted in ascending order. Select the first value available from “version release date” dropdown.
The “virtual machine Name” is the textbox whose value will be used for naming your VM. Put the value as antarikshdc as this VM will act as domain controller. Select the tier as “standard” and size of the VM as “A2 (2 cores, 3.5 GB memory)”. Then put the user name as antarikshadmin and password of your choice. These credentials will be treated as VM admin credentials. Once you provision Active Directory on antarikshdc VM, the same user name and password will be treated as domain controller admin in later stage. Click on Next arrow to continue.
Now on this page of Virtual Machine configuration, we need to provide a cloud service which we created earlier as described in the section “Create Azure Cloud Service”. Therefore select the value as antariksh in cloud service drop down. This automatically brings the value as antarikshvnet in dropdown “Region/Affinity group/ Virtual Network” and selects DNS-Subnet in “Virtual Network Subnets” dropdown. In storage account dropdown, select the previously created storage as antarikshstorage. For “Availability sets” and “endpoints”, keep the default values as it is. Click on Next arrow to continue.
On the agents and extension tab, keep the default settings as it is. Ideally we should be selecting some of the important extensions we need, but for demo purpose it is not required and out of scope for this article.
Click on highlighted checkmark in the above screenshot to start Azure VM provisioning process. This will ideally take 10 to 15 minutes to make VM ready to use. After successful VM provisioning, you will see the status of the VM as running as shown here -
Next important step is to verify if the VM has got IP as 10.0.0.4. This is required because the same VM we will configured or promoted as Domain Controller so this VM should have this IP only because during VNET configuration, we provided the same IP for Antariksh DNS. To verify that, open VM details page from management portal and select “dashboard”. On the right hand side you should see the IP address as shown below –
Add HTTPS endpoint
The https endpoint is required to enable https connectivity to and from azure VM. To add an endpoint, select “endpoints” tab from Azure VM and click on “Add” button at the bottom. Select the option as “Add a stand-alone endpoint”. Name as Https, protocol as TCP, public and private port as 443. Keep “create a load balancer set” and “enable direct server return” options as unchecked. Click on checkmark to create https endpoint.
Configuration and Customization of Azure VM
This section highlights steps required to make your server act as a Active Directory domain Controller and host ADFS.
Connecting to VM
To connect to VM, we need to make a Remote Desktop Connection to VM. When we provisioned VM, the required RDP endpoint was added automatically with private port as 3389. The public port can be any random port. To download the .RDP (Remote Desktop Connection) file for VM, select the antarikshdc vm from management portal and a “Connect” button will appear at the bottom. Click on it and you will prompted to save the .rdp file.
Configure Active Directory
This step explain steps required for Active Directory services configuration on AntarikshDC VM. In this section, we will also promote AntarikshDC VM as domain controller. Use the RDP file that we downloaded from the previous section and double click on it. You will prompted for a user name and password. Provide username as AntarikshDC\antarikshadmin. The Password will be the one you had given earlier. If any warning about connectivity occurs, just click on the Yes option to continue. After login, server manager will automatically open in Azure VM.
Select “Add role and Features” option. A pop up will appear. Click Next on “Before you Begin” tab. Then select “Role-based or feature-based installation” option and click Next. Select AntarikshDC as shown below in “Select Destination Server” page and click Next.
Select “Active Directory domain Services” option on “Select Server Roles” screen and if a pop up appears for adding features, then simply click on “Add Features” button. Then click Next to continue.
On “Select Features” and “Active Directory domain Service” window, leave the default selection as it is and click Next to continue. On “confirm installation selections” window, select the check mark “restart the destination server automatically if required” and click on Install button. Azure VM may get restarted to complete the installation.
This completes the configuration of Active Directory services. Now connect to Azure VM again if the RDP is disconnected due to automated restart. Important, now DO NOT CLICK on CLOSE button. Rather click on “Promote this server to a domain controller” button.
This opens the Active Directory domain services configuration wizard. Select option “Add new forest” and provide the value in “Root domain name” as antarikshdomain.com and click Next to continue.
On Domain controller options screen, type in the password in DSRM fields and click Next to continue. A warning may appear indicating that “Authorative Parent Zone cannot be found…” Please ignore it, leave DNS delegation settings default and click Next to continue. On “Additional Options” screen, the system will auto populate name of the NetBIOS as ANTARIKSHDOMAIN. Click Next to continue.
Note - The “Paths” screen shows the path for storing information of Database, Log files and SysVol. Ideally we should attach a Data Disks to Azure VM, create formatted drive out of it and provide this data disks based drive name as a path for storing this information. Storing all this information on C drive of Azure VM in production environment is not a good idea.
But of course as part of this POC, I will store it on C: drive and there is no harm in doing so as this setup is only for demonstration purpose. So keep the default value as shown below and click Next to continue.
On “review options” page, keep the default screen as it is and click Next to continue. On “Prerequisites Checks” screen, the message appears as highlighted below. Click on Install to start with installation. Azure VM will get restarted in this activity.
Now the VM has been restarted and you need to connect again to complete rest of the activities.
Important - Now if you try to connect Azure VM using username as AntarikshDC\antarikshadmin and password you had given then it won’t work. This is because the domain has been already been configured on AntarikshDc VM. Therefore you need to use Domain controller admin credentials now and your original Azure VM admin credentials automatically gets promoted as overall domain admin credentials. Therefore here onwards, to connect to your Azure VM, you need to use username as AntarikshDomain\antarikshadmin and password remains same as before. In this setup, Antarikshdomain is the NetBIOS name that got configured automatically in previous steps.
Create and configure IIS on Azure VM
ADFS need to deliver features like Login page or Login box while accessing it. To enable ADFS with such features, we need to configure the Web Server too. To configure IIS, click on Server Manager “Add Roles and Features” options. Click Next to continue on “Before you begin”, “Installation Type” and “Server selection” tabs. On “select Server Roles” checkmark the option against “Web Server” and if pop up appears for notifying about features, then simply click on “Add Features”. Then click Next to continue further.
Keep on clicking Next by accepting the default settings until you reach “confirm installation selections” option. Select the option of “Restart the destination server automatically if required” and click in Install to complete the installation.
Create and configure SSL certificate
Active Directory Federation Service (ADFS) uses HTTPS. To make https work, we need certificates provisioned from Certificate authority. As a part of this exercise, we will use self-signed certificate to serve our certificates need. To create self-signed certificate we have 2 options.
1. Using IIS
2. Using MakeCert command
Both of these options provides self-signed certificate. However there is one problem. IIS or MakeCert creates newer kind of certificates which are not compatible with ADFS. So if you use the certificates created by above methods for ADFS configuration, then you may face an error -
The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
Therefore to generate certificate compatible for ADFS, follow the steps mentioned in blog post - http://sanganakauthority.blogspot.com/2014/06/the-certificates-with-cng-private-key.html
This post describes steps required to generate “Microsoft Strong Cryptographic Provider” based certificate that are compatible with ADFS.
Very Important - Make sure that using the command, you generate a certificate matching the name of cloud service. So in our case it will be named as antariksh.cloudapp.net only. Please do not use a name other than cloud service name for the certificate.
Warning – Never use self-signed certificates in production environment.
Once the certificate is generated then export it as antariksh.cloudapp.net.pfx file and make sure that you remember the password you provided during certificate .pfx export. For exporting certificate and locate them in My store of local machine refer to the link - http://sanganakauthority.blogspot.in/2012/02/install-certificate-in-local-computer.html.
The certificate generated using the above technique will not have any Friendly Name associated to it, and it can help you to identify your certificate if there are multiple certificate with the same name in My Store of local machine.
Configure Active Directory Federation Services
This is the most important step. In this step, we are enabling the AntarikshDC VM to send security tokens.
To start, open “Server Manager” and click on “Add Roles and Features”. Click Next to continue on “Before you begin”, “Installation Type” and “Server selection” tabs. In “server roles” window, select the option “Active Directory Federation Services”. Click Next to continue.
Keep on clicking Next by accepting the default settings until you reach “confirm installation selections” option. Select the option of “Restart the destination server automatically if required” and click on Install to complete the installation. Important, now DO NOT CLICK on CLOSE button. Rather click on “Configure federation service on this server” button.
This opens “Active Directory Federation Services configuration Wizard”. Select option as “Create the first federation server in a federation server farm” option and click Next to continue.
The current admin of the domain will get automatically populated. Do not change it! Click on Next to continue.
“Specify Server Properties” screen asks for SSL certificate. All the certificates present in Local Machine > My (Personal) store will appear there. Select the one we created earlier with same name as cloud service URL. “Federation Service Name” will get auto populated. Then enter the value Antariksh Domain in display name textbox. Click Next to continue.
On “Specify Service Account” window, click on Select. A pop up will appear. Put the name as “AntarikshAdmin” and click on “Check Names” and then click Ok to add the administrator as service account. Specify the password and Click Next to continue.
On “Specify configuration database”, select the option of “create a database on this server using windows Internal Database” and click Next to continue.
Continue to click Next on “review Options” and “Pre-requisites checks [if green check mark appears]” window. Then click on Configure button to complete ADFS configuration.
Lo and Behold! This completes the configuration of ADFS in Azure VM.
In a forthcoming article, we will see how to Configure ASP.NET MVC application to consume Azure VM configured ADFS OR on premise ADFS authentication using WIF (Windows Identity Foundation). Stay tuned!
C# and .NET have been around for a very long time, but their constant growth means there’s always more to learn.
We at DotNetCurry are very excited to announce the pre-order of The Absolutely Awesome Book on C# and .NET. This is a concise technical eBook and will be available in PDF, ePub, and mobi.
Organized around concepts, this eBook aims to provide a concise, yet solid foundation in C# and .NET, covering C# 6.0, C# 7.0 and .NET Core. Use these concepts in your next .NET Project or to crack your next .NET Interview.
Click here to Pre-Order this eBook at a Discounted Price!