HTTP Commander Azure AD integration.
Note! Nowadays many companies migrate to the cloud and, as one option, use Azure AD. HTTP Commander can be configured to work with Microsoft Azure Active Directory. After configuration, existing Azure AD users will be able to authenticate in HTTP Commander, and folders in the admin panel can be assigned to groups or users from Azure AD.
We assume that the Azure Active Directory tenant is already configured and functions correctly.
Also, the AD version of HTTP Commander should be installed on the web server, and the web server should have an SSL certificate installed and an HTTPS binding configured.
You will need administrative access to the Azure portal to complete this configuration.
Please note that if you use only Azure AD (cloud) accounts, HTTP Commander will work under the application pool account and all file system operations will be performed under that account.
However, if you use a hybrid Azure AD configuration, it is possible to configure impersonation so that HTTP Commander works under the identity of the logged-in user.
In the Azure Active Directory pane, click on App registrations (preview) and choose New registration.
Enter a friendly name for the application, for example 'HttpCommander', and select 'Web app / API' as the Application Type.
For Supported account types, select who will be able to use the application. By default, "Accounts in this organizational directory only" is selected.
For the Redirect URI, set the URL of HTTP Commander on your web server, for example https://yourdomain.com/htcomnet/
Click Register to create the application.
In the succeeding page, find the Application (client) ID value and record it. You'll need it to configure HTTP Commander later.
From the app menu, choose Certificates & secrets and add a new entry in the "Client secrets" section. Save the secret value when it is shown; you will need it for the AADClientSecret setting later.
Configure permissions for your application. To that end, choose the 'API permissions' section, click Add a permission and select Microsoft Graph. Then click Application permissions and select Directory.Read.All. Repeat Add a permission for Delegated permissions and select openid.
From the app menu, choose Authentication and tick "Access tokens" and "ID tokens" in the "Implicit grant" section.
If you plan to use WebDAV access to folders in HTTP Commander, you need to enable the "Treat application as a public client" option in the "Authentication" section.
From the app menu, choose Authentication and set the option "Treat application as a public client" to "Yes".
{
    ...
    "createdDateTime": "2019-03-19T10:56:14Z",
    "groupMembershipClaims": "All",
    "identifierUris": [],
    "optionalClaims": {
        "idToken": [
            {
                "name": "upn",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "include_externally_authenticated_upn"
                ]
            }
        ]
    },
    ...
}
Because the application receives the groups claim with the object IDs of the security groups, make sure that the user accounts you plan to sign in with are assigned to a few security groups in this AAD tenant.
In the Authentication section of the application in the IIS Management Console, make sure that only "Anonymous authentication" is enabled; all other options should be disabled. Also make sure that "Application pool identity" is selected in the "Anonymous authentication" settings (opened by clicking the "Edit..." link in the right panel).
In the steps below, "ClientID" is the same as "Application ID" or "AppId".
Open the Admin Panel of HTTP Commander, or open the HTTPCommanderSettings.config file in a text editor. Navigate to the AzureAd section and configure the following settings:
- EnableAzureAD setting: enable it to turn on Azure AD authentication.
- AADClientId setting: the application ID (ClientID) of the HttpCommander application copied from the Azure portal.
- AADClientSecret setting: the key you saved during the creation of the app secret in the Azure portal.
- AADTenant setting: the Azure AD tenant's domain name (in the form <your_tenant>.onmicrosoft.com) or the tenant GUID.
Navigate to the Main section and configure the following setting:
- ExternalAppUrl setting: the URL of the HTTP Commander application on your domain. For example: https://contoso.com/htcomnet/
To activate Azure AD authentication, rename the web.azure.config file in the root folder of the application to web.config. This file contains preconfigured settings that activate Azure AD authentication.
In the IIS Management Console, ensure that Anonymous authentication is enabled for the application (and other authentication schemes are disabled).
If you have a hybrid Azure AD configuration, you can use end-user impersonation in HTTP Commander. With impersonation enabled, all file system operations are performed under the user's account, which means all existing NTFS permissions configured for users are respected.
You should have Azure AD Connect installed and configured for your domain. Your web server (where HTTP Commander is installed) should be joined to the local domain.
Here are the steps for correctly configuring impersonation for Azure AD:
- AADImpersonation setting: enable it.
- AADLocalUPNSuffix setting (in the HTTP Commander admin panel): if your local UPN suffix is different from the UPN suffix returned by Azure AD, you can specify here the one that should be used for the local account.
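The following Python, added here as an example and not part of HTTP Commander, shows what the manifest settings above and the impersonation settings deliver to the application: it decodes a constructed ID token, fails closed when the groups claim is missing or replaced by Azure AD's group-overage claim, and derives the local account name by applying AADLocalUPNSuffix. The SETTINGS dict, the sample claims, and the function names are assumptions of the example; the signature and issuer checks a real relying party performs are deliberately left out.

```python
import base64
import json

# Constructed values standing in for the HTTP Commander settings named on this page.
SETTINGS = {
    "AADImpersonation": True,
    "AADLocalUPNSuffix": "corp.contoso.local",  # assumed local AD UPN suffix
}

def decode_payload(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature/issuer/expiry check here)."""
    segment = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def evaluate_claims(claims: dict, settings: dict) -> dict:
    """Map the claims requested by the manifest to group IDs and the local UPN."""
    result = {"ok": False, "reason": "", "groups": [], "local_upn": None}
    groups = claims.get("groups")
    if groups is None:
        # Azure AD drops 'groups' and emits _claim_names/_claim_sources when the user
        # is in too many groups; fail closed rather than treat the user as group-less.
        overage = "_claim_names" in claims
        result["reason"] = ("groups overage: reduce the user's group memberships" if overage
                            else "no groups claim: check groupMembershipClaims in the manifest")
        return result
    result["groups"] = list(groups)
    if settings.get("AADImpersonation"):
        upn = claims.get("upn", "")
        if "@" not in upn:
            result["reason"] = "no upn claim: check the optionalClaims entry in the manifest"
            return result
        user, _, suffix = upn.rpartition("@")
        # AADLocalUPNSuffix overrides the suffix Azure AD returned when the local one differs.
        result["local_upn"] = f"{user}@{settings.get('AADLocalUPNSuffix') or suffix}"
    result["ok"] = True
    return result

def make_demo_token(claims: dict) -> str:
    """Unsigned compact token built from constructed claims (demo input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample: a hybrid user who is a member of two security groups.
DEMO_TOKEN = make_demo_token({
    "upn": "alice@contoso.com",
    "groups": ["11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"],
})
print(evaluate_claims(decode_payload(DEMO_TOKEN), SETTINGS))
```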
If the w3wp.exe process is terminated after login and you see the following error in the Windows Event Log:
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
at System.Security.Cryptography.NCryptNative+UnsafeNativeMethods.NCryptOpenStorageProvider(Microsoft.Win32.SafeHandles.SafeNCryptProviderHandle ByRef, System.String, Int32)
then make sure that the Windows service "CNG Key Isolation" (KeyIso) is running.