Package helps in enabling windows authentication (using kerberos) in any cloud platform (when containers are not domain joined)
| Build | PivotalServices.AspNet.Auth.Extensions |
|---|---|
 |
- WebAPI
- MVC
- WebForms
- Other types like (.asmx, .ashx)
- All the above with Unity
- All the above with Autofac
- Supports Windows Authentication using Kerberos for ASP.NET Web applications (except WCF)
- Real samples are available here
- Extensions Package - PivotalServices.AspNet.Auth.Extensions
- Make sure your application is upgraded to ASP.NET framework 4.6.2 or above
- Uses Kerberos based authentication
- Supports all ASP.NET application types except WCF
- Install package PivotalServices.AspNet.Auth.Extensions
- In
Global.asax.cs, add code as below underApplication_Start
using PivotalServices.AspNet.Bootstrap.Extensions
using PivotalServices.AspNet.Auth.Extensions;
protected void Application_Start()
{
AppBuilder.Instance
.AddWindowsAuthentication()
.Build()
.Start();
}-
AddWindowsAuthentication()have optional parametersprincipalPasswordcan be used incase of pushing the secret from any external sources like vaultdataProtectionKeydefault value isdefault
-
Once you setup the service account and SPN (as mentioned below), you need to set
PRINCIPAL_PASSWORDwith the service account's password. -
PRINCIPAL_PASSWORDcan be set via environment variable or any other configuration sources (IConfiguration) you are using for the application (e.g. config server, yaml, json, etc.) as below. -
To whitelist any specific
pathlikeactuator/healthoractuator/info, you need to setWHITELIST_PATH_CSVwith the service account's password. -
WHITELIST_PATH_CSVcan be set via environment variable or any other configuration sources (IConfiguration) you are using for the application (e.g. config server, yaml, json, etc.) as below. -
By default
/cloudfoundryapplication,/cloudfoundryapplication/,/actuator,/actuator/are whitelisted
using PivotalServices.AspNet.Bootstrap.Extensions
using PivotalServices.AspNet.Auth.Extensions;
protected void Application_Start()
{
AppBuilder
.Instance
.AddWindowsAuthentication()
.ConfigureAppConfiguration((hostBuilder, configBuilder) =>
{
configBuilder.AddEnvironmentVariables();
//Add additional configurations here
})
.Build()
.Start();
}- If not exists already, add the
machineKeysection toweb.configas below. You can generate a new one from Developer Fusion. This is for data protection purposes.
<machineKey validationKey="B2FFA07BEA941CBFD2F2450A5BE4D8F6ABFFE624F3DBB35BC589D34C5647F65235634AEC71B5C1E2453BE8D466B6818A9438AC2FFE0C09024052FFF27C85EB3C"
decryptionKey="4AFFE5CFAE4F97BFAE7736E5A6B85E921EF209FA84F4BC665993E72393B080DC" validation="SHA1" decryption="AES" />
NOTE: The skeleton of the machine key section will be added while installing the package
- Add the application's url to trusted sites. If your application's url is
http://foo.bar, addhttp://foo.barinto trusted sites.
NOTE: Make sure you are browsing the application from a domain joined computer (same domain where the SPN is created)
NOTE: This is mandate for front end browser applications, but for services it is not required. In other words, if you want to access your application via browser, you need to have the SPN created, as mentioned below.
Identify the service account for which the application should be running under (imagine as your application running in IIS on an APP POOL, under a service account). If your application's url is http://foo.bar, then you have to create a SPN for the service account as http/foo.bar
Command Syntax(using the above sample SPN):
SetSpn -S http/foo.bar <domain\service_account_name>
To check to see which SPNs are currently registered with your service account, run the following command:
SetSpn -L <domain\service_account_name>
NOTE: You should have elevated privileges to execute the above command. Eventually this should be executed part of the deployment pipeline, for each application
| Feed | PivotalServices.AspNet.Auth.Extensions |
|---|---|
| V3 |  |
- Kindly raise any issues under GitHub Issues