How to implement Windows Authentication with IdentityServer 4

iis asp.net-core identityserver4
The Tech Geek picture The Tech Geek · Dec 20, 2016 · Viewed 15k times · Source

How to correctly implement Windows Authentication with Identity server 4? Are there any samples to do that?

I looked at the source code of IdentityServer 4 and in the Host project in the AccountController I noticed that there is Windows Authentication checks and they are implemented as an External Provider. But I cant seem to work the configuration. Has anybody successfully implemented windows authentication with idsrv4 and how?

Answer

Dan picture Dan · Oct 10, 2017

For anyone coming across this in search results that is having trouble meshing the quickstart with the ASPNET Identity quickstart, here are the missing pieces.

For the most part you want to use the ASPNET Identity code, utilizing the SignInManager to do the heavy lifting. Once you get there and add the Window auth code from the quick start, you should get to the point where everything looks like it is working, but you get null at this line in the callback:

 ExternalLoginInfo info = await _signInManager.GetExternalLoginInfoAsync();

To get Windows treated as a real External provider, instead of adding "scheme" to the auth properties around line 163, you want to change the key to "LoginProvider":

properties.Items.Add("LoginProvider", AccountOptions.WindowsAuthenticationSchemeName);

I use a domain query to pull extra info on my users, looks something like this:

using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain))
using (UserPrincipal up = UserPrincipal.FindByIdentity(pc, wp.Identity.Name))
{
    if (up == null)
    {
        throw new NullReferenceException($"Unable to find user: {wp.Identity.Name}");
    }

    id.AddClaim(new Claim(ClaimTypes.NameIdentifier, up.Sid.Value));
    id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
    id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));
    id.AddClaim(new Claim(JwtClaimTypes.Email, up.EmailAddress));
    id.AddClaim(new Claim(Constants.ClaimTypes.Upn, up.UserPrincipalName));
    id.AddClaim(new Claim(JwtClaimTypes.GivenName, up.GivenName));
    id.AddClaim(new Claim(JwtClaimTypes.FamilyName, up.Surname));
}

What claims you add is up to you, but you NEED one of type ClaimTypes.NameIdentifier for the SigninManager to find. SID seems like the best use to me. Last thing to change is the SignInAsync call to use the correct scheme around line 178-181:

await HttpContext.SignInAsync(IdentityConstants.ExternalScheme, new ClaimsPrincipal(id), properties);

Unless you are overriding the default Schemes that IdentityServer4 is using in .net core 2, this is the correct default scheme. And now your call to GetExternalLoginInfoAsync in the callback will work and you can continue on!

Related questions

ASP.NET Core 1.0 on IIS error 502.5

I just updated my server (Windows 2012R2) to .Net Core 1.0 RTM Windows Hosting pack from the previous .Net Core 1.0 RC2. My app works on my PC without any issues but the server keeps showing: HTTP Error 502.5 - Process Failure Common …

Read More
Publish to IIS, setting Environment Variable

Reading these two questions/answers I was able to run an Asp.net 5 app on IIS 8.5 server. Asp.net vNext early beta publish to IIS in windows server How to configure an MVC6 app to work on IIS? The problem …

Read More
How to fix error "ANCM In-Process Handler Load Failure"?

I'm setting up the first site in IIS on Windows Server 2016 Standard. This is a NET Core 2.2 application. I cannot get the site to show. I am getting this error: HTTP Error 500.0 - ANCM In-Process Handler Load Failure What can …

Read More