{"id":11531,"date":"2016-09-20T13:14:28","date_gmt":"2016-09-20T18:14:28","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=11531"},"modified":"2022-03-09T16:07:03","modified_gmt":"2022-03-09T21:07:03","slug":"secure-asp-net-4-5-with-adfs-2-0","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=11531","title":{"rendered":"Secure ASP.Net 4.5 with ADFS 2.0"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tIntroduction<\/a>\n\t<\/li>\n\t
  2. \n\t\tGenerate Initial Web.config<\/a>\n\t<\/li>\n\t
  3. \n\t\tFind Issuer Name<\/a>\n\t<\/li>\n\t
  4. \n\t\tFind Issuer Thumbprint<\/a>\n\t<\/li>\n\t
  5. \n\t\tFinal Web.config<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tExample Web.config<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
    2. \n\t\tExample Code<\/a>\n\t<\/li>\n\t
    3. \n\t\tCreate Relying Party<\/a>\n\t\t
        \n\t\t\t
      1. \n\t\t\t\tAdd Claim Rules<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
      2. \n\t\tDeploy ASP.Net 4.5 to IIS 7.5<\/a>\n\t<\/li>\n\t
      3. \n\t\tTest<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
         <\/div>\n

        Introduction<\/h2><\/span>\n

        * ASP.Net 4.5 web application can be secured with ADFS 2.0
        \n* Authentication configuration is done in Web.config<\/em> file<\/p>\n

        Generate Initial Web.config<\/h2><\/span>\n

        * Use Visual Studio to generate an initial Web.config by pointing to ADFS Federation Metadata URL.<\/p>\n

        \"adfsaspnet1_newsln_1\"<\/a><\/h6><\/span>\n

        * Click Change Authentication<\/em> button:<\/p>\n

        \"adfsaspnet1_newsln_auth_1\"<\/a><\/h6><\/span>\n

        * Enter ADFS federation metadata URL into On-Premises Authority<\/em> field.<\/p>\n

        \"adfsaspnet1_newsln_auth_2\"<\/a><\/h6><\/span>\n

        * Click OK buttons to create the initial web application
        \n* Relevant elements in the initial Web.config<\/em> file:<\/p>\n

        \r\n\r\n\r\n  \r\n    
        \r\n    
        \r\n  <\/configSections>\r\n  \r\n    \r\n    \r\n    \r\n  <\/appSettings>\r\n  \r\n    \r\n    \r\n      \r\n    <\/authorization>\r\n    \r\n    \r\n  <\/system.web>\r\n  \r\n    \r\n      \r\n      \r\n    <\/modules>\r\n  <\/system.webServer>\r\n  \r\n    \r\n      \r\n        \r\n      <\/audienceUris>\r\n      \r\n        \r\n        \r\n      <\/securityTokenHandlers>\r\n      \r\n      \r\n        \r\n          \r\n            \r\n          <\/keys>\r\n          \r\n            \r\n          <\/validIssuers>\r\n        <\/authority>\r\n      <\/issuerNameRegistry>\r\n    <\/identityConfiguration>\r\n  <\/system.identityModel>\r\n  \r\n    \r\n      \r\n      \r\n    <\/federationConfiguration>\r\n  <\/system.identityModel.services>\r\n<\/configuration>\r\n<\/pre>\n
        Find Issuer Name<\/h2><\/span>\n
        * You can find the Issuer Name, e.g. urn:my:adfs<\/em>, from the initial Web.config<\/em> file (see previous section):<\/p>\n
        \r\n        \r\n          ...\r\n          \r\n            \r\n          <\/validIssuers>\r\n        <\/authority>\r\n<\/pre>\n
        * Alternatively, you can find it from ADFS2’s federationmetadata.xml file:
        \n– Point browser to federation metadata page, e.g.: https:\/\/sts.my.com\/federationmetadata\/2007-06\/federationmetadata.xml<\/em>
        \n– Find <entityID><\/em> attribute, which is<\/em> the issuer name, at the beginning of the XML:<\/p>\n
        \r\n\n
        Find Issuer Thumbprint<\/h2><\/span>\n
        * You can find the thumbprint from the initial Web.config<\/em> file (see previous section):<\/p>\n
        \r\n        \r\n          \r\n            \r\n          <\/keys>\r\n<\/pre>\n
        * Alternatively, you can find thumbprint value from ADFS2's federationmetadata.xml file:
        \n- Point browser to federation metadata page, e.g.: https:\/\/sts.my.com\/federationmetadata\/2007-06\/federationmetadata.xml<\/em>
        \n- Find <KeyDescriptor use=\"signing\"><\/em> element:<\/p>\n
        \r\n\r\n    \r\n        \r\n            xxxxxxxxxxxx<\/X509Certificate>\r\n        <\/X509Data>\r\n    <\/KeyInfo>\r\n<\/KeyDescriptor>\r\n<\/pre>\n
        - Copy and paste base64 characters between X509Certificate<\/em> element into a temp file with .cer<\/em> file name ending, e.g. mysts_signing.cer<\/em>
        \n- Double click the .cer temp file to open the certificate
        \n- Find thumbprint value<\/p>\n
        \"adfsaspnet1_thumbprint_1\"<\/a><\/h6><\/span>\n
        * You still need to prepare the thumbprint value:
        \n- Copy thumbprint value (do NOT <\/strong>copy the first empty space, it contains hidden characters!)
        \n- Remove white spaces
        \n- Upper case whole string, e.g. final value is: F5ADED8729AF0005FA889CCB913C7B7AEFF96B33<\/em>
        \n* You'll get \"Error ID4175 and ConfigurationBasedIssuerNameRegistry\" error if you have the wrong thumbprint value.
        \n- See         this post<\/a> for more details.<\/p>\n
        Final Web.config<\/h2><\/span>\n
        * Initial Web.config generated by Visual Studio is only a starting point.
        \n* Need to modify, e.g.:
        \n- Replace https:\/\/localhost:44306\/<\/em> with actual website URL, e.g. https:\/\/asp.my.com<\/em>
        \n* Following is a working example.<\/p>\n
        Example Web.config<\/h3><\/span>\n
        \r\n\r\n\r\n\r\n  \r\n    \r\n    \r\n    
        \r\n    
        \r\n  <\/configSections>\r\n\r\n  \r\n    \r\n    \r\n    \r\n    \r\n    \r\n\r\n    \r\n    \r\n    \r\n    \r\n  <\/appSettings>\r\n  \r\n    \r\n    \r\n    \r\n    \r\n      \r\n        \r\n        \r\n        \r\n        \r\n        \r\n        \r\n      <\/namespaces>\r\n    <\/pages>\r\n\r\n    \r\n    \r\n      \r\n    <\/authorization>\r\n  <\/system.web>\r\n  \r\n    \r\n    \r\n      \r\n      \r\n      \r\n      \r\n    <\/handlers>\r\n    \r\n\r\n    \r\n      \r\n      \r\n    <\/modules>\r\n  <\/system.webServer>\r\n\r\n  \r\n  \r\n    \r\n      \r\n        \r\n      <\/audienceUris>\r\n      \r\n        \r\n          \r\n          \r\n        <\/trustedIssuers>\r\n      <\/issuerNameRegistry>\r\n      \r\n      \r\n        \r\n        \r\n      <\/securityTokenHandlers>\r\n    <\/identityConfiguration>\r\n  <\/system.identityModel>\r\n\r\n  \r\n  \r\n    \r\n      \r\n      \r\n    <\/federationConfiguration>\r\n  <\/system.identityModel.services>\r\n  \r\n    \r\n      \r\n        \r\n        \r\n      <\/dependentAssembly>\r\n      \r\n        \r\n        \r\n      <\/dependentAssembly>\r\n      \r\n        \r\n        \r\n      <\/dependentAssembly>\r\n      \r\n        \r\n        \r\n      <\/dependentAssembly>\r\n      \r\n        \r\n        \r\n      <\/dependentAssembly>\r\n    <\/assemblyBinding>\r\n  <\/runtime>\r\n<\/configuration>\r\n<\/pre>\n
        Example Code<\/h2><\/span>\n
        * Example to print out all cliam types and values:<\/p>\n
        \r\n        protected void Page_Load(object sender, EventArgs e)\r\n        {\r\n            var Identity = (ClaimsIdentity)User.Identity;\r\n            if (!Identity.IsAuthenticated)\r\n            {\r\n                log.ErrorFormat(\"User {0} not authenticated!\", GetUserName(Identity));\r\n            }\r\n            else\r\n            {\r\n                log.InfoFormat(\"User {0} authenticated!\", GetUserName(Identity));\r\n            }\r\n\r\n            var claims = Identity.Claims;\r\n            foreach (Claim c in claims)\r\n            {\r\n                log.InfoFormat(\"Got claim {0} with value {1}\", c.Type, c.Value);\r\n            }\r\n        }\r\n<\/pre>\n
        Create Relying Party<\/h2><\/span>\n
        * Login ADFS server
        \n* Open ADFS management console
        \n* Go to: AD FS 2.0 > Trust Relationships > Replying Party Trusts<\/em>
        \n* Right click and select Add Relying Party Trust...<\/em>
        \n* Click Start <\/em>on Welcome page:
        \n* Select: Enter data about the relying party manually<\/em>
        \n* Enter:
        \n- Display name: Test ADFS2<\/strong>
        \n* Select: AD FS 2.0 profile<\/em>
        \n* Skip for now on Configure Certificate<\/em> screen
        \n* Select: Enable support for the WS-Federation Passive protocol<\/em>
        \n- Relying party WS-Federation Passive protocol URL: https:\/\/myappc.my.com\/<\/strong>
        \n* Click OK <\/em>on Configure Identifiers<\/em>
        \n* On Choose Issuance<\/em> screen, select Permit all users to access this replying party<\/em>
        \n* Review settings on Ready to Add Trust<\/em> screen
        \n* Click Next <\/em>to add the relying party<\/p>\n
        Add Claim Rules<\/h3><\/span>\n
        * Login ADFS server
        \n* Open ADFS management console
        \n* Go to: AD FS 2.0 > Trust Relationships > Replying Party Trusts<\/em>
        \n* Select relying party, e.g. Test ADFS2<\/em>
        \n* Click Edit Claim Rules...<\/em>
        \n* Click Add Rule...<\/em>
        \n* Enter:
        \n- Claim rule name: Name ID<\/strong>
        \n- Attribute store: Active Directory<\/em>
        \n- LDAP Attribute: SAM-Account-Name<\/em>
        \n- Outgoing Cliam Type: Name ID<\/em>
        \n* Click OK <\/em>twice
        \n* Add additional rules, e.g. E-mail Address<\/em><\/p>\n
        Deploy ASP.Net 4.5 to IIS 7.5<\/h2><\/span>\n
        * Start IIS Manager
        \n* Add new application pool
        \n* Add new application
        \n* Enable anonymous authentication
        \n* Enable SSL
        \n* Setup Web.config file
        \n* Restart Default Web Site<\/p>\n
        Test<\/h2><\/span>\n
        * Point browser to https:\/\/myappc.my.com\/Default.aspx
        \n* Check log file for claims, e.g.<\/p>\n
        \r\nUser jimmy authenticated!\r\nGot claim http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/nameidentifier with value jimmy\r\nGot claim http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/authenticationmethod with value http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/authenticationmethod\/windows\r\nGot claim http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/authenticationinstant with value 20xx-xx-02T15:40:14.391Z\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
        Introduction * ASP.Net 4.5 web application can be secured with ADFS 2.0 * Authentication configuration is done in Web.config file Generate Initial Web.config * Use Visual Studio to generate an initial Web.config by pointing to ADFS Federation Metadata URL. * … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[346,705],"tags":[632,706],"class_list":["post-11531","post","type-post","status-publish","format-standard","hentry","category-adfs","category-asp-net","tag-adfs","tag-asp-net"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-2ZZ","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/11531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11531"}],"version-history":[{"count":10,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/11531\/revisions"}],"predecessor-version":[{"id":12029,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/11531\/revisions\/12029"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}