I have been doing some tests with Azure Active Directory trial license in my data center. Our company has our own hosting services and physical hardware, and for now we would like to keep it that way (though we may investigate moving it all to cloud services in future).
我在我的数据中心做了一些Azure Active Directory试用许可证的测试。我们公司有自己的托管服务和物理硬件,目前我们希望保持这种方式(尽管我们可能会研究在未来将其全部转移到云服务)。
For now, we are trying to provide a single sign-on option for our customers using Azure AD. We already support this with CAS, but some customers are already using Azure AD internally and want to use this as the integrated Windows Authentication method with IIS & ASP.NET.
目前,我们正在尝试为使用Azure AD的客户提供一个单点登录选项。我们已经在CAS中支持了这一点,但一些客户已经在内部使用Azure AD,并希望将其用作IIS和ASP.NET的集成Windows身份验证方法。
How do I go about setting this up in a way that supports multiple tenants? I am having trouble figuring out how to do this at the IIS level, and am finding the literature a bit lacking with respect to a clear answer.
我该如何以支持多个租户的方式来设置它呢?在IIS级别上,我很难搞清楚如何做到这一点,而且我发现,对于一个清晰的答案,文献中存在一些缺失。
As best I can tell, I would have to create a VM (separate Windows Server instance) for each customer, that is configured to authenticate via Azure AD and passes the windows auth credentials to IIS. This is kind of annoying.
就我所知,我必须为每个客户创建一个VM(独立的Windows服务器实例),它被配置为通过Azure AD进行身份验证,并将Windows auth凭据传递给IIS。这有点烦人。
Is there a way that I can continue to run IIS and ASP.NET web apps on my own server, but use Azure AD for Windows Authentication with ASP.NET, where each IIS web app instance has its own separate Azure AD configuration?
我是否有办法继续运行IIS和ASP。在我自己的服务器上的网络应用,但是使用Azure的Windows认证和ASP。NET,每个IIS web应用程序实例都有各自的Azure AD配置?
Can I do this at the web app root folder level? (Perhaps by setting the authorization for that folder to grant permissions to users in that customer's Azure AD?)
我可以在web应用程序根文件夹级别上这样做吗?(或许可以通过设置该文件夹的授权来在客户的Azure广告中授予用户权限?)
My goal, for example, given this Windows Server configuration:
我的目标是,例如,考虑到这个Windows服务器配置:
- Host (IIS 8) "webhost"
- Web app "A",
c:\apps\a
, authorized users include AAD "A" users - 网络应用“A”,c:\应用程序A,授权用户包括AAD“A”用户
- Web app "B",
c:\apps\b
, authorized users include AAD "B" users - 网络应用“B”,c:\应用B,授权用户包括AAD“B”用户
- Web app "A",
- 主机(IIS 8)“webhost”Web应用程序“A”,c:\apps\ A,授权用户包括AAD“A”用户Web app“B”,c:\apps\ B,授权用户包括AAD“B”用户。
Users from customer A use this url: http://webhost/a
来自客户A的用户使用这个url: http://webhost/a
Users from customer B use this url: http://webhost/b
来自客户B的用户使用这个url: http://webhost/b
When user A browses to web app A, the integrated windows authentication should either challenge user for Azure AD "A" windows username & password, or, if already authenticated, show the user content from web app A.
当用户浏览web应用程序A时,集成的windows身份验证应该会挑战用户的Azure AD“A”windows用户名和密码,或者,如果已经进行了身份验证,则可以显示来自web应用程序A的用户内容。
When user B browses to web app B, the integrated windows authentication should either challenge user for Azure AD "B" windows username & password, or, if already authenticated, show the user content from web app B.
当用户B浏览web应用程序B时,集成的windows身份验证应该向用户询问Azure AD“B”windows用户名和密码,或者,如果已经验证过,则显示web应用程序B中的用户内容。
Thanks!
谢谢!
1 个解决方案
#1
2
You can most definitely leverage Azure AD on apps running on your own server. You should not need to apply settings at the IIS level. When you use Azure AD the windows integrated auth would take place between the client and Azure AD endpoints - that results in a token that is sent to the app on a channel that does not require windows integrated authentication. That's what allows your apps to be hosted anywhere, there is no infrastructural constraint on the app itself. Take a look at this sample for instructions on how to set up one app to trust an Azure AD tenant. You can apply the same process to all your apps, pointing them to different AAD tenants. Once you have done that: you can skip the interstitial auth page and get windows integrated auth by following the instructions here. I recommend you first get the sample to work, and only then focus on this last part. Tackling both things at once could be hard.
您可以在自己的服务器上运行的应用程序上使用Azure广告。您不需要在IIS级别上应用设置。当您使用Azure AD时,windows集成的auth将在客户端和Azure AD端点之间进行,这将导致一个令牌被发送到不需要windows集成身份验证的通道上。这就使得你的应用程序可以在任何地方托管,应用程序本身不受基础设施限制。看看这个示例,了解如何设置一个应用程序来信任Azure广告租户。您可以对所有应用程序应用相同的过程,将它们指向不同的AAD租户。一旦你完成了这个操作,你就可以跳过这个间隙的auth页面,通过下面的指令来获得windows集成的auth。我建议您首先让示例正常工作,然后再关注最后一部分。同时处理这两件事可能会很困难。
#1
2
You can most definitely leverage Azure AD on apps running on your own server. You should not need to apply settings at the IIS level. When you use Azure AD the windows integrated auth would take place between the client and Azure AD endpoints - that results in a token that is sent to the app on a channel that does not require windows integrated authentication. That's what allows your apps to be hosted anywhere, there is no infrastructural constraint on the app itself. Take a look at this sample for instructions on how to set up one app to trust an Azure AD tenant. You can apply the same process to all your apps, pointing them to different AAD tenants. Once you have done that: you can skip the interstitial auth page and get windows integrated auth by following the instructions here. I recommend you first get the sample to work, and only then focus on this last part. Tackling both things at once could be hard.
您可以在自己的服务器上运行的应用程序上使用Azure广告。您不需要在IIS级别上应用设置。当您使用Azure AD时,windows集成的auth将在客户端和Azure AD端点之间进行,这将导致一个令牌被发送到不需要windows集成身份验证的通道上。这就使得你的应用程序可以在任何地方托管,应用程序本身不受基础设施限制。看看这个示例,了解如何设置一个应用程序来信任Azure广告租户。您可以对所有应用程序应用相同的过程,将它们指向不同的AAD租户。一旦你完成了这个操作,你就可以跳过这个间隙的auth页面,通过下面的指令来获得windows集成的auth。我建议您首先让示例正常工作,然后再关注最后一部分。同时处理这两件事可能会很困难。