Specify Domain Server For HttpClient Kerberos in .NET - kerberos

I can successfully call a SPNEGO web service on WebLogic/Java (on subforest1.forest1.company.com) from a C# application using HttpClient running on the same subforest. It reverts to NTLM if I run from a different subforest and forest (subforest2.forest2.company.com).
Can I tell HttpClient to use a specific domain controller on a different subforest (machine1.subforest1.forest1.company.com)?
Also, I figured out how to specify a SPN using System.Net.AuthenticationManager.CustomTargetNameDictionary.Add(uri.AbsoluteUri, spn) but I haven't figured out how to find the default SPN.

Related

Possible to do Shibboleth authentication on local dev environment?

I have a Java/Spring application that is running on a Tomcat server. The application uses Shibboleth/SAML for getting user access and it works fine.
However I would like to run/debug the application on my local dev environment(on local Tomcat). I wonder if it is possible to set up something and get prompted by the same service provider so that I can log into the application like it is on the production environment.
From https://stackoverflow.com/a/28061252/1534925
[samltest.id][1] is good way to test shibboleth.
You cannot use localhost as SP to connect to remote IDp, that
iDp won't find any SP to return to because localhost means it's own
system so IDp would go in it's local system and find your given SP's
entity ID. It won't find that entity ID so it would give such error.
These two approach may help you
Give your machine some public IP and try connect to IDp with that SP.
If you cannot make public IP, make both SP and IDp in your local system. My [this][2] answer may help you.
[1]: https://samltest.id/ [2]:
https://stackoverflow.com/a/21278524/1534925
and https://stackoverflow.com/a/21278524/1534925
Yes you sure can.
Download and install SP and idP in that machine, configure metadata
for both to communicate to localhost or for better ease use two
domains for SP and idP,
C:\Windows\System32\drivers\etc here add two domains localhost-sp
and localhost-idp to the hosts file.
So you have now two differet domains for sp and idp.

How can I authenticate with the machine account during SPNego authentication?

My goal is to create a HTTPS REST service that (in concept) allows a machine account to authenticate using the less- than documented machine$ account.
I have a REST endpoint for an AD connected intranet application. Right now IIS simply echoes the thread CurrentPrincipal when I navigate using Internet Explorer.
Now I'm using the HTTPClient , using default authentication, running a my username, and that also works.
My new goal is to send the AD Connected machineAccount (that ends in the dollar sign $) so that IIS responds with the kerberos name Domain\TestServer$
I attempted creating a Windows Desktop service, running as NetworkService or LocalSystem, and I'm not clear if HttpClientHandler.UseDefaultCredentials is sufficient for running in this (unusual) context or if a different approach is needed to authenticate using the machine account.
Is a PInvoke needed? Is there anything in logonuser32 that needs to be done?

IdentityServer3 Unable to get document from

I'm using the IdentityServer3 Version (2.5.4) for the current project, everything works fine on my local machine (with IIS and IIS Express).
The customer has a Windows7 Embedded machine (without SP1!) with .NET 4.5 installed, we created a selfsigned SSL cert (with the current hostname, NOT localhost), but its not working. I'm always getting the error "Unable to get document from: https://xyz/.well-known/openid-configuration"
what is wrong with the configuration?
I found the Solution, it has nothing to do with the Configuration. The Installation of the Windows 7 SP1 has fixed it.
In a couple of cases where we had this issue, it is mostly to do with network connectivity.
Few things which helped us figure out the root cause -
Access the "https://xyz/.well-known/openid-configuration" route from a browser on the server.
If you are not able to access the url then it means that the server is unable to connect to the Idserver installation. This is a network level issue.
If you are able to access the url from the server where the relying application is hosted, but the relying application is throwing an error -> it means that, a proxy is configured on the server. The browser automatically uses the proxy, where as you have to set the proxy in the relying party application as below in the startup.cs
var request = WebRequest.Create(uri);
var myProxy = new WebProxy {Address = new Uri("proxy uri")};
request.Proxy = myProxy;
var response = request.GetResponse();
This will ensure that all the http requests originating from the code will also use the same proxy.
If the above doesnt help, Check if the IIS where Idserver is installed, allows TLS 1.0 and 1.1. THis is disabled on some servers for security purposes. If that is the case, use the below code to make ur application use tls 1.2 and the call will succeed
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Federated identity between multiple instances of IdSrv3

Is it possible to do federated identity between multiple instances of IdSrv3 using OpenID Connect/OAuth2 in the following scenario?
Multiple instance of IdSrv3, called Local STS, running on different machines with some kind of chain of trust to a Central STS. The machines running the Local STS can go offline and in that context the applications running on the local machines makes call to local STS for a token and uses that token while communicating with APIs on another server. The API Service, which is registered and connected to the Central STS, can validate and trust the token generated by a Local STS. Is it possible to do this setup with IdSrv3 or IdSrv4? Also how can a chain of trust be established between central and local STS?
That is absolutely possible -
in IdentityServer you can add external providers via ASP.NET (Core) authentication middleware. For the "other" IdentityServer this becomes a normal client.
https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html

Kerberos - SPN and keytabs

I have a project that have embedded jetty with SPNEGO enabled. I would like to be able to run this project locally for development purposes (WITH SPNEGO enabled!)
My question is, is the SPN and keytab associated with a particular server at all or can I use the same set on multiple instances of my service?
Kerberos requires that both the client and server somehow figure the service principal to use without any prior contact. If you have control of both the client and server, you can use any principal you want provided you configure both sides to
use the same principal.
In the SPNEGO case, the client does the "standard" thing and builds a principal based on the hostname of the server. (i.e. I want to talk to www.foo.com, I'll try
requesting an HTTP/www.foo.com service ticket and see if the server accepts it. )
I don't know of any way to get the SPNEGO code in the browser to use a fixed service principal. So in this case you'll need a separate keytab for each server.