ADFS integration. (Windows version)

AJS 5.x

Manual

Note! This Manual is for the "Windows authentication" version, which is designed to work with existing Windows server or Active Directory accounts and Windows authentication. If you want to create accounts by yourself and store their credentials in your own HTTP Commander XML database, you need to download the "Forms authentication" version! This Manual is for the Windows authentication version only!

Web file manager

Free Installation assistance

Manual Home page

HTTP Commander ADFS integration.

Note !
We offer free installation assistance for both trial and commercial licenses. You can get help via email, instant messenger or via remote access to your server. You need few minutes to get online help.

Often Enterprise customers use ADFS in their networks for Single Sign On. Http Commander can be configured for work with Microsoft Windows Active Directory Federation Services.
Requirements

Microsoft Windows Active Directory with Domain Controller
Microsoft Active Directory Federation Services server.

We assume that DC, ADFS and Web server already installed and function correctly.
Also AD version of Http Commander should be installed on Web server. And Web server should have SSL certificate installed and HTTPS binding configured.
You will need to have Administrative access to Domain to complete this configuration .

This tutorial is splitted into several sections.

Configuration of Web server
Http Commander configuration
ADFS configuration
DC configuration of Delegation for correct work with Network shares

Steps to configure Web server for ADFS authentication

Create a service account in Active Directory to run the C2WTS service under. In this example, we have created 'element-it\svcC2WTS'.
Next, configure the required local server permissions. Log onto the web server and give the svcC2WTS the following permissions:
1. Add the service account (element-it\svcC2WTS) to the local Administrators Groups.
2. In local security policy (secpol.msc) under user rights assignment give the service account (element-it\svcC2WTS) the following permissions:
  1. Act as part of the operating system
  2. Impersonate a client after authentication
  3. Log on as a service
Show screenshot

Steps to configure Http Commander for ADFS authentication

Configure HTTP Commander application pool to work under the service account (element-it\svcC2WTS) and to load user profile.
Open IIS management console: Control panel->Administrative tools-> Internet Information Services-> and then "Application pools".
Open "Advanced settings" of htcomnetpool application pool.
Change "Identity" setting to use the service account (element-it\svcC2WTS).
Change to true the value of the "Load User Profile" setting.
Show screenshot

We are ready to configure HttpCommander. Open web.config file in editor.
Uncomment (or add if not exist) system.identityModel , system.identityModel.services sections to configSections:

            <configSections>
                ...
                <!-- To enable ADFS - uncomment the lines below, to disable - comment out -->
            <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
            </configSections>

Disable authentication. Replace existing authentication tag with following one at system.web section. Remove other authentication tags (if any) :

            <!-- To enable ADFS - uncomment the line below and remove another authentication tag -->
            <authentication mode="None"/>

Uncomment (or add if not exist) WSFederationAuthenticationModule,SessionAuthenticationModule,ADFSAuthModule modules to system.web/httpModules section. Order is important:
Please note that FileWebDavModule module should be added to the end of the modules list for correct work of WebDav with ADFS.

            <httpModules>
                    ...
                    <!-- To enable ADFS - uncomment the line below -->
            <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
                    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                    <add name="ADFSAuthModule" type="HttpCommander.ADFSAuthModule, HttpCommander"  />
            </httpModules>

Uncomment (or add if not exist) WSFederationAuthenticationModule,SessionAuthenticationModule,ADFSAuthModule modules to system.webServer/modules section. Order is important:
Please note that FileWebDavModule module should be added to the end of the modules list for correct work of WebDav with ADFS.

        <modules runAllManagedModulesForAllRequests="true">
            ...
            <!-- To enable ADFS - uncomment the lines below -->
            <remove name="WSFederationAuthenticationModule" />
            <remove name="SessionAuthenticationModule" />
            <remove name="ADFSAuthModule" />
            <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/>
            <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/>
            <add name="ADFSAuthModule" type="HttpCommander.ADFSAuthModule, HttpCommander" preCondition="integratedMode" />        
        </modules>

Uncomment (or add if not exist) appSettings section to configuration section:
Here you will need to replace https://webserver.element-it.local/htcomnet/default.aspx with url to Http Commander on your server.

        <appSettings>
		<add key="ida:FederationMetadataLocation" value="https://adfs.element-it.local/federationmetadata/2007-06/FederationMetadata.xml"/>
		<add key="ida:Issuer" value="https://adfs.element-it.local/adfs/ls/"/>
		<add key="ida:ProviderSelection" value="productionSTS"/>
		<add key="ida:EnforceIssuerValidation" value="false"/>
        </appSettings>

Uncomment (or add if not exist) system.identityModel.services section at configuration section.
Here you will need to replace https://webserver.element-it.local/htcomnet/default.aspx with url to Http Commander on your server and https://adfs.element-it.local/adfs with url to your ADFS server.

        <system.identityModel.services>
            <federationConfiguration>
              <cookieHandler requireSsl="false"/>
              <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.element-it.local/adfs/ls/" realm="https://webserver.element-it.local/htcomnet/" requireHttps="false"/>
            </federationConfiguration>
        </system.identityModel.services>

Uncomment (or add if not exist) system.identityModel section at configuration section.
Here you will need to replace https://webserver.element-it.local/htcomnet/default.aspx with url to Http Commander on your server and https://adfs.element-it.local/adfs with url to your ADFS server.
Also you should replace the value of the thumbprint attribute with the thumbprint of Token Sign certificate of your STS server.
How to obtain thumbprint:
1. Open AD FS 2.0 Management > Service > Certificates then right-click on the Primary Token-signing certificate and choose View certificate.
2. Click on the details tab to view and record the thumbprint from the Thumbprint field. An example of a thumbprint is: 77 5D 64 8E 73 62 C7 69 45 97 DB 5B BD 39 16 C5 F2 76 8C C1.
  NOTE: when you use the clipboard to copy-and-paste a certificate thumbprint, you may get an invisible Unicode garbage character. Make sure that you did not selected any extra "space" at the beginning of the thumbprint.
  Alternate way is to execute following PowerShell script (on ADFS server) to export thumbprints into CSV file:
  Get-AdfsCertificate | Select-Object CertificateType, Thumbprint | Export-Csv -Path C:\temp\adfsthumbs.csv -Encoding ASCII -NoTypeInformation
```
        <system.identityModel>
            <identityConfiguration>
              <audienceUris>
                <add value="https://webserver.element-it.local/htcomnet/"/>
              </audienceUris>      
              <certificateValidation certificateValidationMode="None"/>      
              <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry">
                <trustedIssuers>
                  <add thumbprint="THUMBPRINT_OF_PRIMARY_TOKEN_SIGN_CERTIFICATE_ON_ADFS_SERVER" name="https://adfs.element-it.local/adfs/services/trust"/>
                </trustedIssuers>
              </issuerNameRegistry>
              <securityTokenHandlers>
                <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
              </securityTokenHandlers>
            </identityConfiguration>
          </system.identityModel>
```
Finally your web.config should look like this one:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <configSections> <section name="HttpCommanderSettings" type="HttpCommander.HttpCommanderSettings" allowLocation="true" allowDefinition="Everywhere" restartOnExternalChanges="false" />  <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> </configSections> <HttpCommanderSettings configSource="HttpCommanderSettings.config" />  <system.web> <hostingEnvironment shadowCopyBinAssemblies="true" /> <customErrors mode="Off" /> <pages enableSessionState="true" validateRequest="true" enableViewStateMac="true" viewStateEncryptionMode="Always" enableEventValidation="true" />  <sessionState timeout="60" />   <httpRuntime maxRequestLength="2147483647" executionTimeout="3600" requestPathInvalidCharacters="" />   <compilation debug="false" targetFramework="4.7.2" />  <identity impersonate="true" />  <authentication mode="None"/>  <httpModules> <add name="FormsWithWindowsUsersAuthModule" type="HttpCommander.FormsWithWindowsUsersAuthModule, HttpCommander" />  <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /> <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/> <add name="ADFSAuthModule" type="HttpCommander.ADFSAuthModule, HttpCommander" /> <add name="FileWebDavModule" type="HttpCommander.FileWebDAVServer.FileWebDavModule, FileWebDAVServer" /> </httpModules>  <authorization> <deny users="?" /> </authorization>   </system.web>  <system.net> <mailSettings> <smtp deliveryMethod="Network" from="support@mysite.com"> <network host="mail.mysite.com" port="25" userName="" password="" defaultCredentials="false" /> </smtp> </mailSettings> </system.net>  <location path="iframe.html"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="favicon.ico"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Default.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Diagnostics.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Logout.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="ForceLogout.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Handlers/AnonymousDownload.ashx"> <system.web> <authorization> <allow users="*" /> </authorization> <identity impersonate="true" /> </system.web> </location> <location path="Handlers/Captcha.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Localization"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Images"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> <system.webServer> <staticContent> <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" /> </staticContent> <caching enabled="true" enableKernelCache="true"> <profiles> <clear/> </profiles> </caching> </system.webServer> </location> <location path="Scripts"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> <system.webServer> <staticContent> <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" /> </staticContent> <caching enabled="true" enableKernelCache="true"> <profiles> <clear/> </profiles> </caching> </system.webServer> </location> <location path="crossdomain.xml"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Styles.css"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> <system.webServer> <staticContent> <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" /> </staticContent> <caching enabled="true" enableKernelCache="true"> <profiles> <clear/> </profiles> </caching> </system.webServer> </location> <location path="Styles-min.css"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> <system.webServer> <staticContent> <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" /> </staticContent> <caching enabled="true" enableKernelCache="true"> <profiles> <clear/> </profiles> </caching> </system.webServer> </location> <location path="DemoFolder"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Manual"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Manual.html"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Data"> <system.web> <httpHandlers> <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" /> <add path="*.db" verb="*" type="System.Web.HttpForbiddenHandler" /> </httpHandlers> </system.web> <system.webServer>  <security> <requestFiltering> <fileExtensions> <remove fileExtension=".xml" /> <add fileExtension=".xml" allowed="false" /> <remove fileExtension=".db" /> <add fileExtension=".db" allowed="false" /> </fileExtensions> </requestFiltering> </security> </system.webServer> </location> <location path="SyncWebFolders.html"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="testSSO.html"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="hcwebdav"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location>  <system.webServer> <validation validateIntegratedModeConfiguration="false" />  <modules runAllManagedModulesForAllRequests="true">  <remove name="FileWebDavModule" /> <remove name="WebDAVModule" /> <add name="FormsWithWindowsUsersAuthModule" type="HttpCommander.FormsWithWindowsUsersAuthModule, HttpCommander" preCondition="integratedMode" />  <remove name="WSFederationAuthenticationModule" /> <remove name="SessionAuthenticationModule" /> <remove name="ADFSAuthModule" /> <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/> <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/> <add name="ADFSAuthModule" type="HttpCommander.ADFSAuthModule, HttpCommander" preCondition="integratedMode" /> <add name="FileWebDavModule" type="HttpCommander.FileWebDAVServer.FileWebDavModule, FileWebDAVServer" preCondition="integratedMode" /> </modules> <security> <requestFiltering allowDoubleEscaping="true">  <requestLimits maxAllowedContentLength="4294967295" /> </requestFiltering> </security> <defaultDocument> <files> <clear /> <add value="Default.aspx" /> </files> </defaultDocument> <staticContent> <remove fileExtension=".svg" /> <remove fileExtension=".woff" /> <remove fileExtension=".woff2" /> <mimeMap fileExtension=".svg" mimeType="image/svg+xml" /> <mimeMap fileExtension=".woff" mimeType="font/x-woff" /> <mimeMap fileExtension=".woff2" mimeType="font/woff2" /> </staticContent> </system.webServer> <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> <dependentAssembly> <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" /> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-4.1.1.2" newVersion="4.1.1.2" /> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="Microsoft.IdentityModel.Tokens" publicKeyToken="31bf3856ad364e35" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-5.2.0.0" newVersion="5.2.0.0" /> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="System.IdentityModel.Tokens.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-5.2.0.0" newVersion="5.2.0.0" /> </dependentAssembly> </assemblyBinding> </runtime>  <appSettings> <add key="ida:FederationMetadataLocation" value="https://adfs.element-it.local/federationmetadata/2007-06/FederationMetadata.xml"/> <add key="ida:Issuer" value="https://adfs.element-it.local/adfs/ls/"/> <add key="ida:ProviderSelection" value="productionSTS"/> <add key="ida:EnforceIssuerValidation" value="false"/> </appSettings> <system.identityModel> <identityConfiguration> <audienceUris> <add value="https://webserver.element-it.local/htcomnet/"/> </audienceUris> <certificateValidation certificateValidationMode="None"/> <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry"> <trustedIssuers> <add thumbprint="THUMBPRINT_OF_PRIMARY_TOKEN_SIGN_CERTIFICATE_ON_ADFS_SERVER" name="https://adfs.element-it.local/adfs/services/trust"/> </trustedIssuers> </issuerNameRegistry> <securityTokenHandlers> <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/> <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/> </securityTokenHandlers> </identityConfiguration> </system.identityModel> <system.identityModel.services> <federationConfiguration> <cookieHandler requireSsl="false"/> <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.element-it.local/adfs/ls/" realm="https://webserver.element-it.local/htcomnet/" requireHttps="false"/> </federationConfiguration> </system.identityModel.services> </configuration>
Configure Logout.aspx page to force logout from adfs.
Open Logout.aspx page in text editor.
Search for if (Utils.UserSettings.Runtime.AuthMode == AuthenticationMode.Forms) statement,
navigate to the end of the appropriate else statement and add following line of code:
Response.Redirect("https://adfs.element-it.local/adfs/ls/?wa=wsignout1.0&wreply="+redirectUrl);
Where adfs.element-it.local domain should be replaced with domain name of your RP STS server.
As last step, you will need to set correct value for the LDAPConatiner setting either in HttpCommanderSettings.config file or on Settings tab in Admin Panel. This is required to get user group membership and home directory from AD.

Steps to configure Relying Party Trust on ADFS server

Open AD FS management console and navigate to Trust Relationships, Relying Party Trust section of left tree.
Click on Add Relying Party Trust to start wizard.
Choose option Enter data about the relying party manually
On next screen enter Name of relying party (any value),
On next screen select option "AD FS profile"
Show screenshot
Check options Enable support for the WS-Federation Passive protocol and Enable support for the SAML 2.0 WebSSO protocol.
For both options set full url to Http Commander application. In our case it is "https://webserver.element-it.local/htcomnet/default.aspx"
Show screenshot
Relying party identifier should be already added to the list. So you can simply proceed to next step.
Show screenshot
Complete wizard with next several screens following on-screen suggestions.
Choose option Permit all users to access this relying party
Show screenshot
Configure Claim rules.
Choose option Send LDAP attributes as claims
Show screenshot
Only UPN claim is required to be configured for correct work.
Configure it as shown on screenshot.
Show screenshot

Alternately, custom claims rule can be configured to pass all LDAP attributes. Below is the code of custom rule:
```
        c:[]
        => issue(claim = c);
```
HTTP Commander also can get information about display name from following claims (if specified): displayName, fullName, givenName.
Information about home folder is expected in following claims (if specified): homeDirectory, homeFolder.
Now configuration is complete and we are ready to test Http Commander. If all configured correctly , after authentication Http Commander interface should be loaded. Open diagnostics.aspx page and check its output . Make sure that application works under logged in user identity (impersonated ).
If you plan to use Network shares, process to next section.

Steps to configure Delegation for correct work with Network Shares

Once authenticated HttpCommander will work under logged in user identity , It means that all existing NTFS ACLs will be respected, but only for local folders on Web server.
If you plan to use Netwrok Shares (that is common practice), you will need to configure Delegation for web server and service account.

Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended to not use an HTTP SPN to avoid potentially creating duplicate SPNs in your environment. In our example, we registered SP/C2WTS to the element-it\svcC2WTS account using the following command:
```
SetSPN -S SP/C2WTS element-it\svcC2WTS
```
Please note that command should be executed under domain admin account.
Configure delegation for web server.
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Expand domain, and then expand the Computers folder.
- In the right pane, right-click the computer name for the Web server, select Properties, and then click the Delegation tab.
- Click to select Trust this computer for delegation to specified services only.
- Ensure that Use any authentication protocol is selected, and then click OK.
- Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the File server that is to be used in HTTP Commander. Click OK.
- In the Available Services list, select the CIFS service. Click OK.
Repeat last two steps for LDAP service and your Domain Controller.

Show screenshot
Configure delegation for service account (element-it\svcC2WTS)
- In the left pane, Expand Users folder.
- In the right pane, right-click the Service account (element-it\svcC2WTS) which is configured for C2WTS service, select Properties, and then click the Delegation tab.
- Click to select Trust this user for delegation to specified services only.
- Ensure that Use any authentication protocol, and then click OK.
- Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the File server that will be used in Http Commander. Click OK.
- In the Available Services list, select theCIFS service. Click OK.
Repeat last two steps for LDAP service and your Domain Controller.

Show screenshot

Note: For correct work of WebDav module it should be placed at the end of the modules list, after SessionAuthenticationModule and WSFederatedAuthenticationModule modules.