Re: ADFS Development Issues



The reason for using DirectoryServices is that I'm going to abandon
ADFS altogether for now. To be brutally honest, I have a deadline to
meet which is a little too close for comfort! So I cannot really afford
trying to figure out how to "hack" ADFS to get my token etc. At least
with DirectoryServices I can get my auth from my windows app up and
running a bit quicker and I can revisit it again if necessary.

I do have a question for you on AD paths though. I have seen many a
post with issues on this (most of which you also seem to be involved
in!) but I still cannot seem to get mine connecting. The address I am
using is:

LDAP://TestADFS.testadfsdomain.com.au/DC=WIN2K3R2EE,DC=testadfsdomain,DC=com,DC=au,CN=Users

Where TestADFS.testadfsdomain.com.au is my server where AD resides and
testadfsdomain.com.au is my domain. Obviously you can ignore the
"ADFS" references as the machine names haven't changed since I started
with the ADFS stuff! Also, I should point out that I am trying to
connect from a different domain than the AD domain.

My issue is that it fails with "An operations error has occurred". I
suppose my main question is how do I figure out what the correct
address is? I basically "robbed" a C# function off the net to connect
to my AD and converted it to VB.Net. I added in the
AuthenticationTypes.Secure, because you mentioned in another post that
it may be required. The function I am now using is:


Imports System.DirectoryServices
Imports System.Windows.Forms

Public Function IsUserAuthenticated(ByVal strAdPath As String, ByVal strDomain As String, _
                                    ByVal strUserName As String, ByVal strPassword As String) As Boolean
    Dim isAuthenticated As Boolean = False

    Try
        ' Bind to the directory with the supplied credentials. The bind is the
        ' real authentication step: a bad path or bad credentials throw here.
        Dim dirEntry As New DirectoryEntry(strAdPath, strDomain & "\" & strUserName, _
                                           strPassword, AuthenticationTypes.Secure)

        ' DirectoryEntry binds lazily; touching NativeObject forces the bind now.
        Dim obj As Object = dirEntry.NativeObject

        ' Look the user up by logon name. The filter must not contain spaces
        ' around "=". The name is inserted unescaped, so it must not contain
        ' * ( ) or \ unless those are escaped first.
        Dim dirSearch As New DirectorySearcher(dirEntry)
        dirSearch.Filter = "(sAMAccountName=" & strUserName & ")"
        dirSearch.PropertiesToLoad.Add("cn")
        Dim searchRes As SearchResult = dirSearch.FindOne()

        ' A result means the bind succeeded and the account exists.
        isAuthenticated = (searchRes IsNot Nothing)

    Catch ex As Exception
        MessageBox.Show(ex.Message)
    End Try

    Return isAuthenticated
End Function


Just wondering what I'm missing here.

Thanks for all the help!

Conor.
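Two things the path and the search filter in the message above depend on, shown as an added VB.Net example that is neither Conor's nor Joe's code: a distinguished name lists its most specific RDN first and takes its DC components from the DNS domain name, not from the domain controller's host name; and any user-supplied value placed inside an LDAP filter has to be escaped per RFC 4515 so it cannot change the query. The helper names and the sample user name are constructed for the example.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Text

Module LdapPathHelpers

    ' Build the ADsPath of a container in the domain named by dnsDomain.
    ' RDNs are listed most specific first, so the container comes before the
    ' DC components, and the DC components are the DNS domain labels, not the
    ' host name of the domain controller the path connects to.
    Public Function BuildAdsPath(ByVal server As String, ByVal dnsDomain As String, _
                                 ByVal containerRdn As String) As String
        Dim parts As New List(Of String)
        parts.Add(containerRdn)
        For Each label As String In dnsDomain.Split("."c)
            parts.Add("DC=" & label)
        Next
        Return "LDAP://" & server & "/" & String.Join(",", parts.ToArray())
    End Function

    ' Escape a value for use inside an LDAP search filter (RFC 4515). Without
    ' this, a name such as "x*)(objectClass=*" widens the search instead of
    ' matching one account.
    Public Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    Sub Main()
        ' Constructed sample values: the server and domain from the post above,
        ' plus a deliberately awkward user name to show the escaping.
        Console.WriteLine(BuildAdsPath("TestADFS.testadfsdomain.com.au", _
                                       "testadfsdomain.com.au", "CN=Users"))
        Console.WriteLine("(sAMAccountName=" & EscapeFilterValue("conor*)(objectClass=*") & ")")
    End Sub

End Module
```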


On Apr 21, 2:14 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Your prediction was pretty predictable. :) Right now, there aren't a lot
of people deep into ADFS yet and I've kind of taken it upon myself to try to
make sure that the fledgling community gets off the ground.

One thing to keep in mind is that if a website is protected by ADFS V1, then
the only authentication method it will accept is either an ADFS
authentication POST or a request containing valid _WebSsoAuth cookies.
There isn't another way to fake your way around that. You also can't
generate that data programmatically, the federation server has to do it for
you. This is because the POST data contains a signed SAML token that only
the FS has the ability to sign. The _WebSsoAuth cookie is basically the
same data but in a compressed format.

So, I don't see how System.DirectoryServices does you a bit of good here.
You use that for doing LDAP queries and operations, but it isn't going to
get you a signed SAML token. The only way I can see to make this happen is
to programmatically "screen scrape" the ADFS login process so that you can
get the resulting signed SAML token and/or cookie from the FS that you need
to log in.

To handle the other application that also uses ADFS, you would have to
reverse engineer via "screen scraping" its ADFS login using the same
techniques. If you have valid credentials that you have already collected,
then you can definitely do this. It just isn't elegant like it might be
with a pure web service call, as you are going to have to create a bunch of
HttpWebRequest objects that do GET and POST and use data from the previous
execution as input into the next one. It will be a little icky.

In the future with the Active Profile version of ADFS and WCF, you'll be
able to configure your WCF service client to just "use federation" and
have it programmatically retrieve a valid token for authentication via SOAP.
It will "just work", assuming you can provide credentials (which you would
likely prompt the user for in your case). You've probably got more than a
year to wait for that capability to see the light of day in production
though. :(

Best of luck to you!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"CJ" <conorjgallag...@xxxxxxxxx> wrote in message
news:1177040813.495656.221010@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi Joe,

I had predicted you would be the first to reply to my post! You seem
to be a resident ADFS expert in the newsgroups. Thanks for getting
back to me on this.

I thought that what I was trying to do wasn't really possible. As you
said I could hack the logon process, but I completely agree that this
should be avoided if possible. So I think I may have to go back to the
drawing board and try to directly interrogate the AD itself using
System.DirectoryServices. Not quite sure how this is going to work
yet, will have to have a look at the functionality this provides, have
a think about it and how it fits into our project structure. Any
pointers on this would be appreciated!

This does lead me to a further question though if you don't mind
helping me a little more? We have a situation where we spawn another
third party website in a new browser (not the same third party web app
that passes us the logon details as per original post). We need this
site to be automatically authenticated by our windows application so
that the user will not be prompted for the details. This site will be
using ADFS (claims aware style) so I am wondering how do we get the
windows application to do this? We will obviously have the username
and password from our logon screen so will just need a way to stop the
automatic popup of the logon form. Is there a way we can create these
credentials and push them through so that we can auto logon? (Note:
This will be a pop up browser so it will be IE handling it and not a
built in webbrowser control)

Can you give me any advice on this?

Thank you for your help!
Conor.

On Apr 20, 2:43 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
You are asking for trouble with this type of design because ADFS V1 is
only intended to be used with browser clients, not programmatic "active"
clients like a web service proxy. The issue is that the WS-Federation
Passive Requester Profile (PRP), which is what ADFS V1 implements, uses a
protocol based on redirects and possibly uses forms-based authentication
to collect credentials. Typically, web service proxies don't handle this
type of thing well. The redirects might work, but forms auth is
proprietary. Also, the proxy client might get redirected to the home
realm discovery page, which is not really something the proxy client can
deal with.

A future version of ADFS, V2 most likely, will support the WS-Federation
Active Requester Profile (ARP). ARP has first class support for web
services and will integrate with .NET 3.0/WCF using the federation
profile. However, that isn't shipping yet.

The Windows token integration method doesn't really help you with the web
services integration, as it doesn't change how the log in behaves. It
really just affects how the security context for the authenticated user
is generated on the server. This should really be an implementation
detail for the server based on how it needs to work. I recommend you
avoid using token-based integration unless you really really need it
though as it limits your flexibility. Claims-based integration is the way
to go if your options are open.

If you wanted to try to make something work from a Windows forms client
using ADFS V1, you need to find a way to hack the login process to the
federation server before you make a web services call. Essentially, you
would need the ADFS _WebSsoAuth cookie(s) and append them to your web
service proxy before making the calls.

To do that kind of hacking, your forms app would likely need to
authenticate with the federation server and execute the ADFS form POST
that takes the SAML token issued by the federation server and gets the
resulting cookies issued by the server. I think you actually have to do
this twice, but it might only be once if there is a single federation
server involved. Basically, you just need to reverse engineer the HTTP
traffic done by the ADFS logon and recreate that using the HttpWebRequest
class. It will be icky, but doable.

If you can avoid doing this, that would be even better. You can make this
work, but it is a hack and will potentially be hard to support. ADFS V1
just isn't designed to support this use case.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"CJ" <conorjgallag...@xxxxxxxxx> wrote in message
news:1176986462.122148.268590@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi,

I am looking for some advice on how to develop a certain type of ADFS
Authenticating application. Let me try to explain how the application
must work! I will simplify it for the purpose of this post.

Firstly, we have a client - windows xp (and possibly some vista)
We have a Web Server - Windows server 2003 R2 EE
And a Federation server - Windows server 2003 R2 EE
The Client (Windows XP) will be running a Windows Forms application.
The Windows Forms application is developed using VB.Net and .NET
Framework 3.0. (Some of this is C#, so feel free to give C# examples.
All help/advice appreciated)
This windows forms application will communicate to the webserver by
means of webservices.
The webservices on the webserver need to be secured using ADFS.

I have successfully got a Claim Aware web application working using
the ADFS Step by Step guide. I haven't got the Windows Token side
working as the ADFS step by step guide describes this side using
sharepoint.

I also got a web service successfully authenticating using ADFS as
well. Basically, on the web server I pretty much just made a copy of
the sample claim app and published the web service files into the same
web application. Now when we navigate to our service.asmx file we get
asked for authentication details. This works exactly how I expect it
to do, but it's using the claims aware method.

The problem is that this won't work with windows forms. The first
problem, that I got around, was that I couldn't create a web reference
to the web service because the address was changing when I was
navigating to the service.asmx. I got around this by temporarily
removing the HTTPModule in the web config, creating the reference, and
putting the HTTP Module back in. The second problem I had was when I
create a new webservice object in windows forms app it doesn't display
a logon screen (which I expected to happen). This obviously causes
trust errors when trying to call the web methods. So basically I need
to figure out how to "pre-authenticate" and send through our
credentials... or something to that effect.... to allow us to call our
web services.

I'm thinking we may have to go down the Windows Token route to do
this? But I'm new to this so don't quite know where to start. It seems
that claims-aware applications seem to automatically request for auth
details which is not quite what we want. We need something with a
little more functionality that will allow us to control the
authentication process. For example, one of the features we require is
to prompt the user to change their password on first sign in if their

...
