r_m_case
Setup IIS website to use ADFS authentication

We have an ADFS 3.0 environment setup (Server 2012 R2) and another web server running IIS 10 (Server 2016). We would like to make the IIS site use the ADFS environment for authentication. Is there a supported way of doing this? In other words we want the user to go to website.domain.com and then be redirected to ADFS.domain.com and then once authenticated the user will be sent back to their original URL (website.domain.com).

We have found where a .NET script can be written to make a specific page use ADFS authentication, but we would like to make the whole directory and any files within the site require ADFS authentication.
Kyle Abrahams, PMP

Denying anonymous users should do the trick.  Once they are authenticated from ADFS they'll get in without an issue.
r_m_case

ASKER

We already have only Windows Authentication turned on in IIS. But if they visit website.domain.com they don't get redirected to ADFS to authenticate. Instead they get the boring username and password popup box produced by IIS. We would like them to be able to visit website.domain.com and then, if they are unauthenticated, it takes them to ADFS for the authentication.
ASKER CERTIFIED SOLUTION
Kyle Abrahams, PMP

I have followed those instructions as closely as I can. This appears to simply protect the .aspx web pages created in Visual Studio. This does not protect the entire website. For instance, if I place a picture on the website I do not have to authenticate before going to that picture, i.e. https://website.domain.com/Login.aspx is protected but https://website.domain.com/Picture.png is not. We would like the whole site and all files within the site to be protected.

Basically just like if you were to enable Windows Authentication within IIS, but instead of having IIS handle the authentication we want the ADFS server to handle the authentication.
Are you running it locally or have you published to the server?

Can you post your web.config?  (feel free to change usernames, passwords, urls, etc)
Attached is the web.config file. ADFS runs on another server called sso. We have the web server nmweb01 published in the sso ADFS server.

I take it that you are saying it should be possible to protect the whole site (including files and not just web pages) using this method?
web.config
SOLUTION
Thank you for all your help.

Now I receive the following error when I try to go to the page:

Server Error in '/ADFS-Test3' Application.
A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +11988358
   System.Web.HttpRequest.ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection) +226
   System.Web.HttpRequest.get_Form() +60
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +26
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +158
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +85
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.1586.0
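A web.config that pulls together the two fixes this thread circles around (protecting every file, not just .aspx pages, and the wresult request-validation error), added here as an example; it is not the asker's attached file or any member-only answer. It assumes WIF 3.5 (the Microsoft.IdentityModel namespace in the stack trace above); host names follow the thread, the issuer name uses the default ADFS identifier form, and the signing-certificate thumbprint is a placeholder.

```xml
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <system.web>
    <!-- IIS must not challenge: WIF redirects unauthenticated users to ADFS itself -->
    <authentication mode="None" />
    <!-- deny every anonymous request for the whole application, not just .aspx pages -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- ADFS posts the token back as XML in the wresult field; .NET 4 request validation
         rejects it inside the module before any page runs. 2.0 mode keeps page-level
         validation but defers it until a page asks for it (the setting FedUtil writes). -->
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <!-- without runAllManagedModulesForAllRequests, Picture.png is served by the static
         file handler and never reaches the managed authentication/authorization modules -->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </modules>
  </system.webServer>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://website.domain.com/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://adfs.domain.com/adfs/ls/"
                      realm="https://website.domain.com/"
                      requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <!-- placeholder: thumbprint of the ADFS token-signing certificate -->
          <add thumbprint="ADFS_TOKEN_SIGNING_CERT_THUMBPRINT" name="http://adfs.domain.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

If relaxing validation site-wide is unacceptable, the tighter option on .NET 4 is `requestValidationType` on `httpRuntime` pointing at a custom RequestValidator that exempts only a wresult value that parses as a WS-Federation sign-in response. Keep the trustedIssuers thumbprint current when ADFS rolls its token-signing certificate, or every sign-in will fail closed.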
SOLUTION
Ok. I got some different errors after following your last link. I have resolved the other errors after some research.

Now the only thing I notice is when I try to access the site on a non-domain system I simply get a "Forbidden: Access Denied" message instead of being directed to the logon page of the ADFS SSO server. Any ideas on that part?
You're using pass thru which means ADFS is expecting windows authentication.  For a non-domain machine there's no way to determine what user is actually using the machine.

Here we use a split DNS for those outside of the network and those internal.  External users are redirected to a web proxy using the forms authentication side of ADFS . . . while those on the internal network are using the pass thru link so they don't have to log in.

Do you get redirected for your images now though?
It looks like the picture is working, as near as I can tell. However, even using pass-through, shouldn't I at least get the plain username and password prompt if I am unauthenticated?

We can do normal authentication in IIS. We are looking to have the IIS website use ADFS so our domain machines use SSO and then any non domain machine gets the pretty looking ADFS sign in page. We have 10 other sites on ADFS currently and this is how those sites work. If you visit those sites on a non domain computer it goes to the pretty looking sso (ADFS) website with a username and password field.

Is that not possible? I feel like we are super close.
That depends.

Are those non domain machines connected to the internal network?

Essentially you're talking about setting up the web proxy as I described.

When you detect a non-domain machine, it needs to be forwarded to the external ADFS page.  We do this at our place by having 2 different servers, and then DNS points to each server for the same alias (eg: adfs.domain.com . . . points to 1 ip internally and another for external users).

I'm not sure if you can detect and route non-domain machines using the same network or if they're on an entirely different subnet.
... Let me backup a little bit.

We have many working sites through ADFS and an ADFS web proxy. So here are the multiple ways to access said site and the results the end user sees:

  • Go to website on internal network on domain computer > User is automatically authenticated via ADFS and taken to website
  • Go to website on internal network on a non-domain computer > User is prompted with a generic username and password box from ADFS and then taken to the website once they enter in the credentials
  • Go to website on external network on a domain or non-domain joined computer > User is prompted with pretty login forms based authentication

This is the ultimate goal of this IIS website. But currently, if I visit the IIS site from a non-domain computer on the internal or external network, I simply receive Access Denied; I don't ever get prompted for a username and password.
I don't know if this will help a little more but here are some of my non standard settings in IIS.
  • Authentication is set to Anonymous
  • .NET Authorization is set to Deny Anonymous Users and Allow All Users
  • I added the URL rewrite as you suggested however for some reason that does not appear to be working
  • SSL settings are set to Require SSL and Accept Client Certificates
  • The website is in an App Pool of its own
  • Inside the app pool Load User Profile is set to True
  • also the Identity is set to LocalService
For the redirect
Did you install the re-write extension?  Also do you have bindings for both http and https?
The only other thing I have is a domain user for the pool, but not sure if that would help with the access denied.  Does the localservice have permissions to the IIS folder?
Yes the re-write extension is installed. Yes we have bindings set for port 80 and port 443. I am messing around with the app pool user currently but not having much luck.
Ok. I got everything working after fixing some certificate issues. However I did just find that the files in that web folder still do not require authentication to view. Any ideas?
What's the security on the folder?
Creator Owner - Full Control
System - Full Control
Administrators - Full Control
IIS_IUSRS - Read, Write, & Execute
TrustedInstaller - Full Control
Network Service - Read  & Execute
IUSR - Read & Execute
Users - Read & Execute
SOLUTION
Confirmed that that's on my side as well.  Sorry I missed that when I was doing the diff!
Marked wrong comments
No issues or problems.  Glad it all worked out!