HTTP Commander ADFS integration.
Note!
We offer free installation assistance for both trial and commercial licenses.
You can get help via email, instant messenger or via remote access to your server.
It takes only a few minutes to get online help.
Enterprise customers often use ADFS in their networks for Single Sign-On.
HTTP Commander can be configured to work with Microsoft Windows Active Directory Federation Services.
Requirements
- Microsoft Windows Active Directory with a Domain Controller
- Microsoft Active Directory Federation Services server.
We assume that the DC, ADFS and Web server are already installed and functioning correctly.
The AD version of HTTP Commander should also be installed on the Web server, and the Web server should have an SSL certificate installed and an HTTPS binding configured.
You will need administrative access to the domain to complete this configuration.
This tutorial is split into several sections.
Steps to configure Web server for ADFS authentication
There are two options: the first and simplest is to use the "LocalSystem" account for the application pool; the second is to use a separate domain account for the application pool, which is a little more complicated.
Option 1. Configure the HTTP Commander application pool to work under the "Local System" account.
- Open the IIS management console: Control Panel -> Administrative Tools -> Internet Information Services, and then "Application Pools".
- Open "Advanced Settings" of the htcomnetpool application pool.
- Make sure that the value of the "Enable 32-Bit Applications" setting is set to false.
- Change the "Identity" setting to use the "Local System" built-in account.
- Change the value of the "Load User Profile" setting to true.
Option 2. Configure the HTTP Commander application pool to work under a special domain account.
- Create a service account in Active Directory to run the C2WTS service under. In this example, we have created 'element-it\svcC2WTS'.
- Next, configure the required local server permissions. Log onto the web server and give svcC2WTS the following permissions:
  - Add the service account (element-it\svcC2WTS) to the local Administrators group.
  - In the local security policy (secpol.msc), under User Rights Assignment, give the service account (element-it\svcC2WTS) the following rights:
    - Act as part of the operating system
    - Impersonate a client after authentication
    - Log on as a service
- Configure the HTTP Commander application pool to work under the service account (element-it\svcC2WTS) and to load the user profile.
  - Open the IIS management console: Control Panel -> Administrative Tools -> Internet Information Services, and then "Application Pools".
  - Open "Advanced Settings" of the htcomnetpool application pool.
  - Change the "Identity" setting to use the service account (element-it\svcC2WTS).
  - Change the value of the "Load User Profile" setting to true.
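The application pool settings for both options above can also be applied from PowerShell. The following script is an added example and is not part of the HTTP Commander documentation; it assumes an elevated PowerShell session on the web server with the IIS WebAdministration module available, the pool name htcomnetpool from this page, and the page's example service account element-it\svcC2WTS. The user rights assignment itself is still made in secpol.msc as described above; the script only verifies that the grants are present.

```powershell
# Added example (not from the HTTP Commander documentation): configure the
# htcomnetpool application pool for option 1 (LocalSystem) or option 2
# (dedicated domain service account). Assumes an elevated session on the
# web server with the WebAdministration module installed.
Import-Module WebAdministration

$pool              = 'IIS:\AppPools\htcomnetpool'
$useServiceAccount = $false                 # $true selects option 2
$svc               = 'element-it\svcC2WTS'  # page's example service account

# Common to both options: 64-bit worker process and a loaded user profile.
Set-ItemProperty $pool -Name enable32BitAppOnWin64      -Value $false
Set-ItemProperty $pool -Name processModel.loadUserProfile -Value $true

if (-not $useServiceAccount) {
    # Option 1: built-in LocalSystem identity.
    Set-ItemProperty $pool -Name processModel.identityType -Value LocalSystem
}
else {
    # Option 2: run the pool as the domain service account. The password is
    # prompted for rather than stored in the script.
    $cred = Get-Credential -UserName $svc -Message 'Service account password'
    Set-ItemProperty $pool -Name processModel.identityType -Value SpecificUser
    Set-ItemProperty $pool -Name processModel.userName     -Value $svc
    Set-ItemProperty $pool -Name processModel.password     -Value $cred.GetNetworkCredential().Password

    # Local Administrators membership required by the page for the account.
    Add-LocalGroupMember -Group Administrators -Member $svc -ErrorAction SilentlyContinue

    # The three user rights are granted in secpol.msc; their privilege constants:
    #   Act as part of the operating system       -> SeTcbPrivilege
    #   Impersonate a client after authentication -> SeImpersonatePrivilege
    #   Log on as a service                       -> SeServiceLogonRight
    # Export the current policy and show who holds them, so a missing grant
    # is caught before the first logon attempt.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Select-String -Path $inf -Pattern 'SeTcbPrivilege|SeImpersonatePrivilege|SeServiceLogonRight'
}

# Apply and show the resulting pool identity settings.
Restart-WebAppPool -Name htcomnetpool
Get-ItemProperty $pool -Name processModel | Select-Object identityType, userName, loadUserProfile
```

The secedit export lists each privilege with the SIDs or account names that hold it; if element-it\svcC2WTS is absent from any of the three lines, the corresponding right still has to be added in secpol.msc before the pool is started.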
Steps to configure Relying Party Trust on ADFS server
- Open the AD FS management console and navigate to Trust Relationships -> Relying Party Trusts in the left tree. Click "Add Relying Party Trust" to start the wizard.
- Choose the option "Enter data about the relying party manually". On the next screen enter a Name for the relying party (any value). On the next screen select the option "AD FS profile".
- Check the options "Enable support for the WS-Federation Passive protocol" and "Enable support for the SAML 2.0 WebSSO protocol". For both options set the full URL of the HTTP Commander application. In our case it is "https://webserver.element-it.local/htcomnet/default.aspx".
- The relying party identifier should already be added to the list, so you can simply proceed to the next step.
- Complete the wizard on the next several screens following the on-screen suggestions. Choose the option "Permit all users to access this relying party".
- Configure claim rules. Choose the option "Send LDAP attributes as claims".
- Only the UPN claim is required for correct operation. Configure it as shown in the screenshot.
  Alternatively, a custom claim rule can be configured to pass all LDAP attributes. Below is the code of the custom rule:
  c:[]
   => issue(claim = c);
- HTTP Commander can also get the display name from the following claims (if present): displayName, fullName, givenName.
  Home folder information is expected in the following claims (if present): homeDirectory, homeFolder.
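The same relying party trust can be created from the AD FS server with the ADFS PowerShell module instead of the wizard. The script below is an added example, not part of the HTTP Commander documentation; it assumes it is run on the AD FS server by an AD FS administrator, uses the page's example application URL, and encodes the wizard choices above: both protocol endpoints set to the application URL, "Permit all users", and a "Send LDAP attributes as claims" rule that issues only the UPN, with the page's pass-through custom rule available as an optional second rule.

```powershell
# Added example (not from the HTTP Commander documentation): create the
# relying party trust for HTTP Commander with PowerShell. Assumes the ADFS
# module on the AD FS server and the page's example application URL.
Import-Module ADFS

$appUrl = 'https://webserver.element-it.local/htcomnet/default.aspx'
$name   = 'HTTP Commander'   # any value, as the wizard says

# SAML 2.0 WebSSO assertion consumer endpoint; the WS-Federation passive
# endpoint is passed directly as a URL below. Both point at the application.
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $appUrl -Index 0

# "Send LDAP attributes as claims" rule issuing only UPN, the one claim the
# page says HTTP Commander requires.
$upnRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# The page's optional custom rule: pass every incoming claim through unchanged.
$passThroughRule = @'
@RuleName = "Pass through all claims"
c:[]
 => issue(claim = c);
'@

# "Permit all users to access this relying party".
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Rules in a rule set are simply concatenated; drop $passThroughRule to keep
# the token limited to UPN.
$transformRules = $upnRule + "`n" + $passThroughRule

Add-AdfsRelyingPartyTrust -Name $name `
    -Identifier $appUrl `
    -WSFedEndpoint $appUrl `
    -SamlEndpoint $samlEndpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $permitAll

# Check what was created.
Get-AdfsRelyingPartyTrust -Name $name |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled, IssuanceTransformRules
```

Keeping the issued claim set small (UPN only) is the safer default: the pass-through rule sends every claim the AD authority produced, including group SIDs, to the application in each token.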
-
Now the configuration is complete and we are ready to test HTTP Commander.
If everything is configured correctly, the HTTP Commander interface should load after authentication. Open the diagnostics.aspx page and check its output. Make sure that the application works under the logged-in user's identity (impersonated).
If you plan to use network shares, proceed to the next section.
Steps to configure Http Commander for ADFS authentication
- Open the Admin Panel of HTTP Commander, or open the HTTPCommanderSettings.config file in a text editor.
- Navigate to the ADFS section and set the value of the EnableADFS setting to true.
- Set the value of the ADFSMetadataUrl setting to point to the federation metadata XML file on your ADFS server. In our case it is https://adfs.element-it.local/federationmetadata/2007-06/FederationMetadata.xml
- Navigate to the Main section and set the value of the ExternalAppUrl setting to the URL of the HTTP Commander application in your domain. For example: https://webserver.element-it.local/htcomnet/
- In the HTTPCommanderSettings.config file search for the version tag and ensure that its value is set to "ad".
- As the last step, set the correct value for the LDAPContainer setting, either in the HttpCommanderSettings.config file or on the Settings tab of the Admin Panel. This is required to get user group membership and home directory from AD.
- To activate ADFS authentication, rename the web.adfs_owin.config file in the root folder of the application to web.config. This file contains preconfigured settings that activate ADFS authentication.
  Note: the web.adfs.config file was used before version 7.5. It is kept for compatibility reasons and can still be used. However, starting from version 7.5 we recommend using web.adfs_owin.config as the base for ADFS authentication.
  In the IIS Management Console ensure that Anonymous authentication is enabled for the application (and other authentication schemes are disabled). Also make sure that "Application pool identity" is used for "Anonymous authentication": select "Anonymous authentication" and click the "Edit" link in the right pane.
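The web.config switch and the IIS authentication settings from the last step, plus a reachability check of the ADFSMetadataUrl, can be scripted. This is an added example and is not part of the HTTP Commander documentation; it assumes an elevated session on the web server with the WebAdministration module, an application named "htcomnet" under "Default Web Site" installed at C:\inetpub\wwwroot\htcomnet (hypothetical path), and the page's example metadata URL. The HTTPCommanderSettings.config values themselves are set in the Admin Panel as described above, since their file format is not shown on this page.

```powershell
# Added example (not from the HTTP Commander documentation): activate the OWIN
# ADFS web.config, set IIS authentication for the application, and confirm
# that the federation metadata URL is reachable from the web server.
Import-Module WebAdministration

$site        = 'Default Web Site/htcomnet'           # hypothetical site/app path
$appRoot     = 'C:\inetpub\wwwroot\htcomnet'         # hypothetical install folder
$metadataUrl = 'https://adfs.element-it.local/federationmetadata/2007-06/FederationMetadata.xml'
$apphost     = 'MACHINE/WEBROOT/APPHOST'
$authCfg     = 'system.webServer/security/authentication'

# Keep the current web.config as a backup, then put the preconfigured
# web.adfs_owin.config in its place (the page's "rename" step).
if (Test-Path "$appRoot\web.config") {
    Move-Item "$appRoot\web.config" "$appRoot\web.config.pre-adfs" -Force
}
Copy-Item "$appRoot\web.adfs_owin.config" "$appRoot\web.config"

# Anonymous authentication on, running as the application pool identity:
# an empty userName is how IIS stores "Application pool identity".
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$authCfg/anonymousAuthentication" -Name enabled  -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$authCfg/anonymousAuthentication" -Name userName -Value ''

# Every other scheme off, so IIS never challenges before OWIN redirects to AD FS.
# A scheme whose IIS feature is not installed has no config section; skip it.
foreach ($scheme in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
    try {
        Set-WebConfigurationProperty -PSPath $apphost -Location $site `
            -Filter "$authCfg/$scheme" -Name enabled -Value $false -ErrorAction Stop
    }
    catch { "$scheme not installed, nothing to disable" }
}

# Show the effective authentication settings for the application.
foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
    $p = Get-WebConfigurationProperty -PSPath $apphost -Location $site `
            -Filter "$authCfg/$scheme" -Name enabled -ErrorAction SilentlyContinue
    if ($p) { '{0,-24} enabled={1}' -f $scheme, $p.Value }
}

# The application must be able to download the metadata it points at; print
# the issuer (entityID) so it can be compared with the relying party trust.
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
'Federation metadata issuer: ' + $md.EntityDescriptor.entityID
```

If the metadata download fails with a certificate error, the web server does not trust the AD FS service communications certificate; fix the trust on the web server rather than relaxing certificate validation in the application.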
Steps to configure Delegation for correct work with Network Shares
Once authenticated, HTTP Commander works under the logged-in user's identity. This means that all existing NTFS ACLs are respected, but only for local folders on the Web server.
If you plan to use network shares (which is common practice), you will need to configure delegation for the web server and the service account.
- Configure delegation for the web server.
  - Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  - Expand the domain, and then expand the Computers folder.
  - In the right pane, right-click the computer name of the Web server, select Properties, and then click the Delegation tab.
  - Click to select "Trust this computer for delegation to specified services only".
  - Ensure that "Use any authentication protocol" is selected, and then click OK.
  - Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the file server that is to be used in HTTP Commander. Click OK.
  - In the Available Services list, select the CIFS service. Click OK.
  Repeat the last two steps for the LDAP service and your Domain Controller.
- The remaining two steps are required only if you have configured the application pool to work under a special domain account.
  Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers.
  The SPN can be in any format because we do not authenticate to the C2WTS using Kerberos authentication.
  It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment.
  In our example, we registered SP/C2WTS to the element-it\svcC2WTS account using the following command:
  SetSPN -S SP/C2WTS element-it\svcC2WTS
  Please note that the command should be executed under a domain admin account.
- Configure delegation for the service account (element-it\svcC2WTS).
  - In the left pane, expand the Users folder.
  - In the right pane, right-click the service account (element-it\svcC2WTS) configured for the C2WTS service, select Properties, and then click the Delegation tab.
  - Click to select "Trust this user for delegation to specified services only".
  - Ensure that "Use any authentication protocol" is selected, and then click OK.
  - Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the file server that will be used in HTTP Commander. Click OK.
  - In the Available Services list, select the CIFS service. Click OK.
  Repeat the last two steps for the LDAP service and your Domain Controller.
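The delegation settings from both steps above (web server computer account, and the service account for option 2) can be written with the ActiveDirectory module instead of the Users and Computers GUI. The script below is an added example and is not part of the HTTP Commander documentation; it assumes it is run by a domain administrator with RSAT installed, uses the page's example service account and SPN, and uses placeholder names for the web server, file server and domain controller.

```powershell
# Added example (not from the HTTP Commander documentation): constrained
# delegation with protocol transition ("Use any authentication protocol") for
# the web server computer account and, for option 2, the service account.
# Host names below are placeholders; svcC2WTS and SP/C2WTS are from the page.
Import-Module ActiveDirectory

$webServer  = 'WEBSERVER'                    # placeholder: IIS host computer account
$svcAccount = 'svcC2WTS'                     # page's example account (element-it\svcC2WTS)
$fileServer = 'fileserver.element-it.local'  # placeholder: host of the network shares
$dc         = 'dc01.element-it.local'        # placeholder: a domain controller

# Target services: CIFS on the file server and LDAP on the DC, in both FQDN and
# short form, which is what the GUI writes when a service is added.
$targets = @(
    "cifs/$fileServer", "cifs/$($fileServer.Split('.')[0])",
    "ldap/$dc",         "ldap/$($dc.Split('.')[0])"
)

function Set-ConstrainedDelegation {
    param(
        [Microsoft.ActiveDirectory.Management.ADAccount]$Account,
        [string[]]$Services
    )
    # msDS-AllowedToDelegateTo is "delegation to specified services only";
    # TrustedToAuthForDelegation is "use any authentication protocol", needed
    # here because the user did not authenticate to IIS with Kerberos.
    Set-ADObject -Identity $Account.DistinguishedName -Replace @{ 'msDS-AllowedToDelegateTo' = $Services }
    Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true
}

# 1. Web server computer account (required for both options).
Set-ConstrainedDelegation -Account (Get-ADComputer $webServer) -Services $targets

# 2. Service account (option 2 only). The arbitrary SPN from the page exposes
#    the Delegation tab; it is not used for Kerberos authentication to C2WTS.
setspn -S SP/C2WTS "element-it\$svcAccount" | Out-Null
Set-ConstrainedDelegation -Account (Get-ADUser $svcAccount) -Services $targets

# Verify what was written. Only the listed services may be reached with a
# delegated ticket; nothing else in the domain is affected.
$accounts = @(
    (Get-ADComputer $webServer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation),
    (Get-ADUser   $svcAccount -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation)
)
foreach ($a in $accounts) {
    '{0}: protocolTransition={1}; targets={2}' -f $a.Name,
        $a.TrustedToAuthForDelegation, ($a.'msDS-AllowedToDelegateTo' -join ', ')
}
```

Keep the target list to exactly the CIFS and LDAP services HTTP Commander needs; constrained delegation is only a meaningful limit when the list is short, and unconstrained delegation ("Trust this computer for delegation to any service") should not be used as a shortcut.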
Note: for the WebDAV module to work correctly, it should be placed at the end of the modules list.