HTTP Commander AJS 5.x
Manual

Note! This manual is for the "Windows authentication" version, which is designed to work with existing Windows server or Active Directory accounts and Windows authentication. If you want to create accounts yourself and store their credentials in your own HTTP Commander XML database, you need to download the "Forms authentication" version! This manual is for the Windows authentication version only!


HTTP Commander ADFS integration.

Note!
We offer free installation assistance for both trial and commercial licenses. You can get help via email, instant messenger or via remote access to your server. It takes only a few minutes to get online help.

Enterprise customers often use ADFS in their networks for Single Sign-On. Http Commander can be configured to work with Microsoft Windows Active Directory Federation Services.
Requirements
  1. Microsoft Windows Active Directory with a Domain Controller
  2. Microsoft Active Directory Federation Services server.
We assume that the DC, ADFS and Web server are already installed and functioning correctly.
The AD version of Http Commander should also be installed on the Web server, and the Web server should have an SSL certificate installed and an HTTPS binding configured.
You will need administrative access to the domain to complete this configuration.

This tutorial is split into several sections.

Steps to configure Web server for ADFS authentication

  1. Create a service account in Active Directory to run the C2WTS service under. In this example, we have created 'element-it\svcC2WTS'.
  2. Next, configure the required local server permissions. Log onto the web server and give the svcC2WTS the following permissions:
    1. Add the service account (element-it\svcC2WTS) to the local Administrators group.
    2. In local security policy (secpol.msc) under user rights assignment give the service account (element-it\svcC2WTS) the following permissions:
      1. Act as part of the operating system
      2. Impersonate a client after authentication
      3. Log on as a service

Steps to configure Http Commander for ADFS authentication

  1. Configure the HTTP Commander application pool to run under the service account (element-it\svcC2WTS) and to load the user profile.
    Open the IIS management console: Control panel->Administrative tools-> Internet Information Services-> and then "Application pools".
    Open "Advanced settings" of the htcomnetpool application pool.
    Change the "Identity" setting to use the service account (element-it\svcC2WTS).
    Set the "Load User Profile" setting to True.
  2. We are ready to configure HttpCommander. Open the web.config file in an editor.
    Uncomment (or add, if not present) the system.identityModel and system.identityModel.services sections in configSections:
                <configSections>
                    ...
                    <!-- To enable ADFS - uncomment the lines below, to disable - comment out -->
                    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                </configSections>

  3. Disable the ASP.NET authentication mode. Replace the existing authentication tag in the system.web section with the following one and remove any other authentication tags:
                <!-- To enable ADFS - uncomment the line below and remove another authentication tag -->
                <authentication mode="None"/>
  4. Uncomment (or add, if not present) the WSFederationAuthenticationModule, SessionAuthenticationModule and ADFSAuthModule modules in the system.web/httpModules section. Order is important:
    Please note that the FileWebDavModule module should be added at the end of the modules list for WebDav to work correctly with ADFS.
                <httpModules>
                    ...
                    <!-- To enable ADFS - uncomment the lines below -->
                    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
                    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                    <add name="ADFSAuthModule" type="HttpCommander.ADFSAuthModule, HttpCommander" />
                </httpModules>
  5. Uncomment (or add, if not present) the WSFederationAuthenticationModule, SessionAuthenticationModule and ADFSAuthModule modules in the system.webServer/modules section. Order is important:
    Please note that the FileWebDavModule module should be added at the end of the modules list for WebDav to work correctly with ADFS.
            <modules runAllManagedModulesForAllRequests="true">
                ...
                <!-- To enable ADFS - uncomment the lines below -->
                <remove name="WSFederationAuthenticationModule" />
                <remove name="SessionAuthenticationModule" />
                <remove name="ADFSAuthModule" />
                <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/>
                <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/>
                <add name="ADFSAuthModule" type="HttpCommander.ADFSAuthModule, HttpCommander" preCondition="integratedMode" />
            </modules>

  6. Uncomment (or add, if not present) the appSettings section in the configuration section:
    Here you will need to replace the example URLs (https://webserver.element-it.local/htcomnet/default.aspx for Http Commander, https://adfs.element-it.local for ADFS) with the URLs of your own servers.
            <appSettings>
                <add key="ida:FederationMetadataLocation" value="https://adfs.element-it.local/federationmetadata/2007-06/FederationMetadata.xml"/>
                <add key="ida:Issuer" value="https://adfs.element-it.local/adfs/ls/"/>
                <add key="ida:ProviderSelection" value="productionSTS"/>
                <add key="ida:EnforceIssuerValidation" value="false"/>
            </appSettings>

  8. Uncomment (or add, if not present) the system.identityModel section in the configuration section.
    Here you will need to replace https://webserver.element-it.local/htcomnet/default.aspx with the URL of Http Commander on your server and https://adfs.element-it.local/adfs with the URL of your ADFS server.
    You should also replace the value of the thumbprint attribute with the thumbprint of the Token-signing certificate of your STS server.
    How to obtain the thumbprint:
    1. Open AD FS 2.0 Management > Service > Certificates, then right-click the Primary Token-signing certificate and choose View certificate.
    2. Click the Details tab to view and record the thumbprint from the Thumbprint field. An example of a thumbprint is: 77 5D 64 8E 73 62 C7 69 45 97 DB 5B BD 39 16 C5 F2 76 8C C1.
      NOTE: when you use the clipboard to copy and paste a certificate thumbprint, you may get an invisible Unicode garbage character. Make sure that you did not select any extra "space" at the beginning of the thumbprint.
      Alternatively, execute the following PowerShell command (on the ADFS server) to export the thumbprints to a CSV file:
      Get-AdfsCertificate | Select-Object CertificateType, Thumbprint | Export-Csv -Path C:\temp\adfsthumbs.csv -Encoding ASCII -NoTypeInformation

            <system.identityModel>
                <identityConfiguration>
                    <audienceUris>
                        <add value="https://webserver.element-it.local/htcomnet/"/>
                    </audienceUris>
                    <certificateValidation certificateValidationMode="None"/>
                    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry">
                        <trustedIssuers>
                            <add thumbprint="THUMBPRINT_OF_PRIMARY_TOKEN_SIGN_CERTIFICATE_ON_ADFS_SERVER" name="https://adfs.element-it.local/adfs/services/trust"/>
                        </trustedIssuers>
                    </issuerNameRegistry>
                    <securityTokenHandlers>
                        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                    </securityTokenHandlers>
                </identityConfiguration>
            </system.identityModel>
  9. Finally, your web.config should look like this one:
  10. Configure the Logout.aspx page to force logout from ADFS.
    Open the Logout.aspx page in a text editor.
    Search for the if (Utils.UserSettings.Runtime.AuthMode == AuthenticationMode.Forms) statement,
    navigate to the end of the corresponding else block and add the following line of code:
    Response.Redirect("https://adfs.element-it.local/adfs/ls/?wa=wsignout1.0&wreply="+redirectUrl);
    Here the adfs.element-it.local domain should be replaced with the domain name of your RP STS server.
  11. As the last step, set the correct value for the LDAPContainer setting, either in the HttpCommanderSettings.config file or on the Settings tab of the Admin Panel. This is required to get user group membership and the home directory from AD.
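As an added example (not part of this manual and not HTTP Commander's own code), the following Python script audits a web.config against steps 2 to 8 above: it checks that the three ADFS modules are present in the required order with FileWebDavModule last, that the trusted-issuer thumbprint is a clean 40-digit SHA-1 value with no pasted spaces or invisible characters (the NOTE in step 8), that the wsFederation realm is listed in audienceUris, and it reports the settings the sample configuration leaves switched off (certificateValidationMode="None", requireSsl="false", requireHttps="false", ida:EnforceIssuerValidation="false") for review. The embedded web.config is constructed for this example: module type strings are shortened to "..." and the thumbprint is the manual's sample value pasted with a leading U+200E mark, as the certificate dialog typically produces.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the manual's snippets (types shortened, thumbprint
# pasted with spaces and a leading invisible U+200E mark).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ida:Issuer" value="https://adfs.element-it.local/adfs/ls/"/>
    <add key="ida:EnforceIssuerValidation" value="false"/>
  </appSettings>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="WSFederationAuthenticationModule" type="..." preCondition="managedHandler"/>
      <add name="FileWebDavModule" type="..."/>
      <add name="SessionAuthenticationModule" type="..." preCondition="managedHandler"/>
      <add name="ADFSAuthModule" type="HttpCommander.ADFSAuthModule, HttpCommander" preCondition="integratedMode"/>
    </modules>
  </system.webServer>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false"/>
      <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.element-it.local/adfs/ls/"
                    realm="https://webserver.element-it.local/htcomnet/" requireHttps="false"/>
    </federationConfiguration>
  </system.identityModel.services>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris><add value="https://webserver.element-it.local/htcomnet/"/></audienceUris>
      <certificateValidation certificateValidationMode="None"/>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry">
        <trustedIssuers>
          <add thumbprint="\u200e77 5D 64 8E 73 62 C7 69 45 97 DB 5B BD 39 16 C5 F2 76 8C C1"
               name="https://adfs.element-it.local/adfs/services/trust"/>
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
</configuration>"""

# Required relative order in system.webServer/modules (manual step 5).
REQUIRED_MODULE_ORDER = ["WSFederationAuthenticationModule", "SessionAuthenticationModule", "ADFSAuthModule"]

# (element, attribute) -> value that switches a protection off; reported for review.
WEAKENING_SETTINGS = {
    ("certificateValidation", "certificateValidationMode"): "None",
    ("cookieHandler", "requireSsl"): "false",
    ("wsFederation", "requireHttps"): "false",
}

def normalize_thumbprint(raw):
    """Drop spaces, colons and invisible characters such as U+200E; upper-case the hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", raw).upper()

def audit_web_config(xml_text):
    """Return {'errors': [...], 'review': [...]} for the given web.config text."""
    root = ET.fromstring(xml_text)
    errors, review = [], []

    # Module presence and order; WebDAV only works with ADFS when FileWebDavModule is last.
    for modules in root.iter("modules"):
        names = [m.get("name") for m in modules.findall("add")]
        missing = [m for m in REQUIRED_MODULE_ORDER if m not in names]
        if missing:
            errors.append("missing module(s): " + ", ".join(missing))
        positions = [names.index(m) for m in REQUIRED_MODULE_ORDER if m in names]
        if positions != sorted(positions):
            errors.append("ADFS modules are not in the required order")
        if "FileWebDavModule" in names and names[-1] != "FileWebDavModule":
            errors.append("FileWebDavModule must be the last module for WebDAV to work with ADFS")

    # Trusted issuer thumbprint: exactly 40 hex digits, nothing pasted around them.
    for issuers in root.iter("trustedIssuers"):
        for entry in issuers.findall("add"):
            raw = entry.get("thumbprint", "")
            clean = normalize_thumbprint(raw)
            if not re.fullmatch(r"[0-9A-F]{40}", clean):
                errors.append(f"thumbprint {raw!r} is not a 40-digit SHA-1 hex value")
            elif raw != clean:
                errors.append(f"thumbprint contains spaces or invisible characters; store it as {clean}")

    # The realm the RP sends must be one of the audiences it accepts tokens for.
    audiences = {a.get("value") for au in root.iter("audienceUris") for a in au.findall("add")}
    for ws in root.iter("wsFederation"):
        if ws.get("realm") not in audiences:
            errors.append(f"realm {ws.get('realm')} is not listed in audienceUris")

    # Protections switched off are listed for a deliberate decision, not failed.
    for (tag, attr), off_value in WEAKENING_SETTINGS.items():
        for el in root.iter(tag):
            if el.get(attr) == off_value:
                review.append(f'{tag} {attr}="{off_value}"')
    for add in root.iter("add"):
        if add.get("key") == "ida:EnforceIssuerValidation" and add.get("value", "").lower() == "false":
            review.append('appSettings ida:EnforceIssuerValidation="false"')

    return {"errors": errors, "review": review}

if __name__ == "__main__":
    for level, items in audit_web_config(SAMPLE_WEB_CONFIG).items():
        for item in items:
            print(f"[{level}] {item}")
```

To check a real file, pass its contents to audit_web_config(open("web.config", encoding="utf-8").read()). Anything under errors will stop ADFS sign-in or WebDAV from working; the review list shows which protections the sample configuration switches off, so that keeping them off in production is a deliberate choice rather than an oversight.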
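The Response.Redirect line in step 10 appends redirectUrl to the query string as-is. As an added example that is not part of this manual or of the Logout.aspx code, the following Python function builds the same wsignout1.0 URL with wreply URL-encoded and refuses reply URLs outside the configured realm, so the sign-out redirect cannot be pointed at another host. The ADFS host and realm are the manual's example values and are constructed constants here.

```python
import posixpath
from urllib.parse import urlencode, urlsplit

ADFS_HOST = "adfs.element-it.local"                     # example ADFS host from this manual
REALM = "https://webserver.element-it.local/htcomnet/"  # wsFederation realm from this manual

def is_within_realm(url, realm=REALM):
    """True if url is https, on the realm's host, and under the realm's path after dot-segment removal."""
    u, r = urlsplit(url), urlsplit(realm)
    if u.scheme != "https" or u.netloc.lower() != r.netloc.lower():
        return False
    path = posixpath.normpath(u.path or "/")            # collapses "/htcomnet/../x" to "/x"
    base = posixpath.normpath(r.path or "/").rstrip("/")
    return path == base or path.startswith(base + "/")

def build_signout_url(reply_url, adfs_host=ADFS_HOST, realm=REALM):
    """Build the WS-Federation passive sign-out URL; wreply is encoded and must stay inside the realm."""
    if not is_within_realm(reply_url, realm):
        raise ValueError(f"wreply {reply_url!r} is outside realm {realm!r}")
    query = urlencode({"wa": "wsignout1.0", "wreply": reply_url})
    return f"https://{adfs_host}/adfs/ls/?{query}"

if __name__ == "__main__":
    print(build_signout_url("https://webserver.element-it.local/htcomnet/default.aspx"))
```

In Logout.aspx the equivalent is to run redirectUrl through the same realm check and Uri.EscapeDataString before concatenating it, so that the value ADFS receives in wreply is exactly the page you intend and nothing appended by a caller.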

Steps to configure Relying Party Trust on ADFS server

  1. Open the AD FS management console and navigate to Trust Relationships > Relying Party Trusts in the left tree.
    Click Add Relying Party Trust to start the wizard.
  2. Choose the option Enter data about the relying party manually.
    On the next screen enter the Name of the relying party (any value).
    On the next screen select the "AD FS profile" option.
  3. Check the options Enable support for the WS-Federation Passive protocol and Enable support for the SAML 2.0 WebSSO protocol.
    For both options set the full URL of the Http Commander application. In our case it is "https://webserver.element-it.local/htcomnet/default.aspx".
  4. The relying party identifier should already be in the list, so you can simply proceed to the next step.
  5. Complete the wizard through the next several screens, following the on-screen suggestions.
    Choose the option Permit all users to access this relying party.
  6. Configure Claim rules.
    Choose the option Send LDAP attributes as claims.
  7. Only the UPN claim is required for correct operation.
    Configure it as shown on the screenshot.
    Alternatively, a custom claims rule can be configured to pass all LDAP attributes. Below is the code of the custom rule:
            c:[]
            => issue(claim = c);
  8. HTTP Commander can also take the display name from the following claims (if specified): displayName, fullName, givenName.
    The home folder is expected in the following claims (if specified): homeDirectory, homeFolder.
  9. The configuration is now complete and we are ready to test Http Commander. If everything is configured correctly, the Http Commander interface should load after authentication. Open the diagnostics.aspx page and check its output. Make sure that the application works under the logged-in user's identity (impersonated).
    If you plan to use Network shares, proceed to the next section.

Steps to configure Delegation for correct work with Network Shares

Once authenticated, HttpCommander works under the logged-in user's identity. This means that all existing NTFS ACLs are respected, but only for local folders on the Web server.
If you plan to use Network Shares (which is common practice), you will need to configure Delegation for the web server and the service account.
  1. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be in any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment. In our example, we registered SP/C2WTS to the element-it\svcC2WTS account using the following command:
    SetSPN -S SP/C2WTS element-it\svcC2WTS
    Please note that the command should be executed under a domain admin account.
  2. Configure delegation for the web server. Repeat the last two steps for the LDAP service and your Domain Controller.

  3. Configure delegation for the service account (element-it\svcC2WTS). Repeat the last two steps for the LDAP service and your Domain Controller.

Note: For the WebDav module to work correctly, it should be placed at the end of the modules list, after the SessionAuthenticationModule and WSFederationAuthenticationModule modules.