
Is it possible to integrate Windows Azure Pack with Active Directory and have domain users authenticate Tenant Portal using Single-Sign On? Can anyone point to some good articles.

Note: I know WAP supports ADFS, but I'm looking for plain AD support!

Sri Kanth
  • As @Nomadic Paradox said, WAP is claims-based via federation. It will not do AD auth directly for tenants. That's up to you to get working. Using the Thinktecture IdP will work fine, but there are some important bits missing. See my comment below. – Steve May 17 '14 at 20:12

1 Answer


The Windows Azure Pack Tenant Portal uses claims-based authentication. It delegates all authentication to a Security Token Service (STS) that must:

  • Support WS-Federation
  • Expose a Federation Metadata endpoint
  • Be capable of generating JSON Web Tokens (JWT) with at least ‘UPN’ and optionally ‘Groups’ claims

To use Active Directory credentials (NTLM/Kerberos authentication) you would need an STS that meets these requirements and can use Active Directory as an Identity Provider (or that will federate to one that can).

Examples include AD FS 3.0 (as you point out) and the STS that ships with WAP for use by the Management Portal. In theory, you could use the Management Portal STS for the Tenant Portal as well, but the documentation explicitly cautions against this, warning that doing so 'will cause tenant scenarios to break'.

See this article for a full explanation of this and links to more resources: http://msdn.microsoft.com/en-us/library/dn479300.aspx

Adam D
  • I have tried the below things for WAP tenant but failed: 1. Integrating AD with Thinktecture IdP and creating custom JWT tokens (Error: Tenant site refused tokens) 2. Replacing ASPNetMembershipProvider with ActiveDirectoryMembershipProvider in Tenant Auth Site. Wish there could be an easy way to authenticate domain users without ADFS. Still breaking my head against using Thinktecture to do the STS job using AD – Sri Kanth May 12 '14 at 04:22
  • I'd guess you've seen this already, but here is a detailed overview on setting up thinktecture v2 with WAP. It shows using Live, Google, and Facebook as identity providers rather than AD, but if your issues are caused by configuration between thinktecture and WAP this may help. http://msdn.microsoft.com/en-us/library/dn479270.aspx – Adam D May 12 '14 at 14:54
  • Unfortunately the documentation is missing a few key points. Take a look here: http://syfuhs.net/2014/02/07/windows-azure-pack-authentication-part-3-using-a-third-party-idp/ – Steve May 17 '14 at 20:09
  • Also, ADFS 2 will NOT work with WAP. You need to use ADFS 3 as that's the only version that supports JWTs. – Steve May 17 '14 at 20:14
  • @Steve, you're absolutely right about AD FS and JWT. I've edited my answer. – Adam D May 19 '14 at 14:53
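As an added illustration of the STS requirements listed in the answer above (this is example code written for this page, not code from Windows Azure Pack, AD FS or Thinktecture), the Python below models both sides of the exchange: an STS minting a JWT that carries the UPN and Group claims, and a relying party in the tenant portal's role that checks the signature, the issuer it learned from federation metadata, the audience (its own realm), the validity window, and the mandatory UPN claim before accepting the token. A token that fails any one of these checks is refused, which is the kind of rejection reported in the comments. The claim-type URIs (the standard WS-Federation UPN claim type and the AD FS group claim type), the hostnames, the realm and the shared HMAC key are all assumptions of this example; a real AD FS 3.0 token is RS256-signed with the certificate published in the federation metadata, and a real relying party would also verify the token's encryption and the `nbf`/`exp` values against a small clock skew.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim-type URIs. These are the standard WS-Federation UPN claim type and the
# AD FS group claim type; that WAP expects exactly these names is an assumption
# of this example, not something the answer above states.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed values standing in for what the relying party would read out of
# the STS's federation metadata (issuer) and its own configured realm (audience).
STS_ISSUER = "https://sts.contoso.example/adfs/services/trust"
TENANT_PORTAL_REALM = "https://tenantportal.contoso.example:30081/"

# Simplification: a shared HMAC key instead of the STS's X.509 signing key.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(upn, groups=None, *, audience=TENANT_PORTAL_REALM,
                issuer=STS_ISSUER, lifetime=600, now=None, omit_upn=False):
    """STS side: mint a JWT carrying the claims the tenant portal needs.

    omit_upn=True deliberately produces a token without the UPN claim so the
    relying party's rejection of it can be demonstrated.
    """
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "aud": audience, "nbf": now, "exp": now + lifetime}
    if not omit_upn:
        claims[UPN_CLAIM] = upn
    if groups:
        claims[GROUP_CLAIM] = list(groups)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, *, now=None):
    """Relying-party side. Returns (True, identity) or (False, reason).

    The signature is verified with the relying party's own expected algorithm
    and key before any claim is parsed, so nothing in the token is trusted
    until its integrity is established.
    """
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SIGNING_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != STS_ISSUER:
        return False, "issuer not trusted"
    if claims.get("aud") != TENANT_PORTAL_REALM:
        return False, "audience mismatch"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token not within validity window"
    upn = claims.get(UPN_CLAIM)
    if not upn:
        return False, "missing UPN claim"
    return True, {"upn": upn, "groups": claims.get(GROUP_CLAIM, [])}


if __name__ == "__main__":
    t0 = 1_400_000_000  # fixed clock so the run is reproducible
    good = issue_token("alice@contoso.example", ["WAP-Tenants"], now=t0)
    print("good token      ->", validate_token(good, now=t0 + 60))
    no_upn = issue_token("alice@contoso.example", omit_upn=True, now=t0)
    print("no UPN claim    ->", validate_token(no_upn, now=t0 + 60))
    admin_aud = issue_token("alice@contoso.example",
                            audience="https://adminportal.contoso.example:30091/", now=t0)
    print("wrong audience  ->", validate_token(admin_aud, now=t0 + 60))
    print("expired         ->", validate_token(good, now=t0 + 3600))
```

The audience case is the same failure mode as pointing the tenant portal at a token meant for a different relying party: a token that is perfectly valid for the management portal's realm is still rejected by the tenant portal, because the relying party's trust is scoped by issuer and audience, not by the signature alone.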