Authenticate From ASP.NET Application To On-Premise AD

This article describes how an ASP.NET application can be authenticated with On-Premise Windows AD.

We need a middleware service, ADFS, for authenticating from ASP.NET applications to on-premise AD. You need to first install both AD and ADFS in your server. These are the services that come under Windows Server optional features. The application used here is a normal ASP.NET application.
 

Configure Windows AD Service

 
This service should have the bare minimum configured as mentioned below.
 
Valid Domain
 
Should have a valid domain in the Active Directory, like the below sample domain.
 
Authenticate From ASP.NET Application To On-Premise AD
 
Valid AD Users
 
Should have valid users registered in AD. We created a sample jaishmathews@scg.test.com.
 
Authenticate From ASP.NET Application To On-Premise AD
 

Configure Windows ADFS Service

 
This service should have the bare minimum configured as mentioned below.
 
Configure Basic ADFS Properties
 
We configured the below basic ADFS properties for our application. Federation Service display name will be displayed on the common ADFS Login page. The Federation Service name would be used in application to receive the ADFS metadata information. And, the Federation Service identifier would be uniquely identifying your ADFS service.
 
Authenticate From ASP.NET Application To On-Premise AD
 
Configure ADFS Certificate
 
The authorization certificate should be purchased from the proper authority and should be added under Trusted Root Certification Authorities.
 
Authenticate From ASP.NET Application To On-Premise AD
 
Authenticate From ASP.NET Application To On-Premise AD 
 
Configure Relying Party Trusts
 
Here, where you mention your client application identity and mention them under Relying Party Trusts, the application will launch with a URL https://localhost:44360, which has been mentioned as a Relying Party Trust by us.
 
Authenticate From ASP.NET Application To On-Premise AD
 
Configure Claim Issuance Policy
 
Here, we will configure AD LDAP rules which will tell a mapping of LDAP properties against ADFS claim properties what client applications will get. We configured certain LDAP properties like below for the application.
 
Authenticate From ASP.NET Application To On-Premise AD
 
Test ADFS Locally in Server
 
Here, you should test the ADFS by running https://adfsvm.scg.test.com/adfs/ls/idpinitiatedSignOn.aspx, which is a URL automatically configured after ADFS installation. If all is good, you should get a page like below to test the ADFS login.
 
Authenticate From ASP.NET Application To On-Premise AD
 
Below, I am trying to log in using the account I created in AD i.e. jaishmathews@scg.test.com. 
 
Authenticate From ASP.NET Application To On-Premise AD
 
Please notice the below screen as it’s saying that I have logged in. Now, you are ready to use your ADFS service.
 
Authenticate From ASP.NET Application To On-Premise AD
 
NB: For 2016, the above-mentioned testing page hasn’t been enabled by default and so you manually run below PowerShell scripts to enable it before trying to run these pages.
  • Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonpage
  • Set-AdfsProperties –EnableIdpInitiatedSignonPage $True 

Client Application Consume ADFS Service

 
Now, you are using a client application and trying to connect to the above mentioned ADFS, remotely. You will run your application remotely.
 
Locate ADFS Metadata
 
This is an XML Ref.; you can see in the below location of ADFS “EndPoints” tab. 
 
Authenticate From ASP.NET Application To On-Premise AD
 
You need to append this XML path with your official ADFS name. So, for our application, we used the URL. https://<<ADFS name>>/FederationMetadata/2007-06/FederationMetadata.xml
 
You should able to download above file locally using a browser to make sure that your connection to ADFS would be successful.
 
Create a Client Application
 
Create a normal ASP.NET application and during project template selection, change the authentication like below.
 
Authenticate From ASP.NET Application To On-Premise AD
 
Inside "App_Start\Startup.Auth.cs, you can see that the configuration code has been automatically added like below.
 
Authenticate From ASP.NET Application To On-Premise AD
 
This code will make to hit the ADFS service and prompt its login page if application not logged in already.
 
Run Client Application
 
Now, run your application and make sure that it’s loading with the same URL what we have configured in ADFS.
 
Authenticate From ASP.NET Application To On-Premise AD
 
The application should automatically route to ADFS login page and we skipped a security warning in application, as our certificate is a free sample certification.
 
Authenticate From ASP.NET Application To On-Premise AD
 
Now, you should see the same login page is coming up, what we tested inside Serve. It’s time to enter your UID/PWD what has configured in AD service, i.e., jaishmathews@scg.test.com and click the "Sign in" button.
 
Authenticate From ASP.NET Application To On-Premise AD
 
You should be authenticated remotely in ADFS and automatically route to the application URL from ADFS login URL, like the below application page.
 
Authenticate From ASP.NET Application To On-Premise AD
 
You can also read the returned ADFS claim, which has the details you have configured inside ADFS claim rule. Below are the details returned for the application, which has a format of multiple key-value pairs. Each key is in a URL format. For the application, as you can see below, we got values for the below Keys.
  • nameidentifier
  • emailaddress
  • name
  • CommonName
  • Authenticationmethod
  • authenticationinstant
 Authenticate From ASP.NET Application To On-Premise AD
 
We have the below code inside Home\ShowClaims.cshtml to read the claim details.
  1. @model IEnumerable<System.Security.Claims.Claim>  
  2. <dl>  
  3. @foreach (var claim in Model)  
  4. {  
  5.    <dt>@claim.Type</dt>  
  6.    <dt>@claim.Value</dt>  
  7. }  
  8. </dl>  
We used System.Security.Claims.Claim collection and then used Type and Value to display.
 
I attached the source code here for reference purposes. It won't run until you replace with your ADFS and use your own certificate.