Azure AD integration. (Windows version)

Web file manager

Free Installation assistance

Manual Home page

Note !
We offer free installation assistance for both trial and commercial licenses. You can get help via email, instant messenger or via remote access to your server. You need few minutes to get online help.

Nowdays many companies migrate to the cloud and as on option uses Azue AD. HTTP Commander can be configured to work with Microsoft Azure Active Directory. After configuration existing Azue AD users will able to authenticate in the HTTP Commander. And folders in the admin panel can be assigned to the groups or users from the Azure AD.

We assume that Azure Active Directory tenant is already configured and function correctly.
Also AD version of Http Commander should be installed on the Web server. And Web server should have SSL certificate installed and HTTPS binding configured.
You will need to have Administrative access to th Azure portal to complete this configuration .

Please note that if you use only Azure AD (cloud) accounts, then HTTP Commander will work under application pool account and all file system operations will be performed under that account.
However if you use hybrid Azure AD configuration, it is possible to configure impersonation and HTTP Commander will work under the identity of the logged-in user.

This tutorial is splitted into several sections.

Register the service application in Azure AD
Configure service app
Http Commander configuration
Hybrid AzureAD configuration and impersonation

Step 1: Register the service app

In the Azure Active Directory pane, click on App registrations (preview) and choose New registration.
Show screenshot
Enter a friendly name for the application, for example 'HttpCommander' and select 'Web app / API' as the Application Type.
For the Supported account types, select who will be able to use the application. By default "Accounts in this organizational directory only " is selected.
Fore the Redirect URI set the url to the HTTP Commander on your web server https://yourdomain.com/htcomnet/
Click register to create the application.
Show screenshot
In the succeeding page, Find the Application (client) ID value and record it for later. You'll need it to configure Http Commander later.
Show screenshot
From the app menu, choose Certificates Á Secrets and add a new entry in the "Client secrets" section:
- Type a key description (of instance app secret),
- Select a key duration of either In 1 year, In 2 years, or Never Expires.
- When you save this page, the key value will be displayed, copy, and save the value in a safe location.
- You'll need this key later to configure the HTTP Commander. This key value will not be displayed again, nor retrievable by any other means, so record it as soon as it is visible from the Azure portal.
Show screenshot
Configure Permissions for your application. To that extent, choose the 'API permissions' section and then, click on Add a permission, then Select an Microsoft Graph API. Then, click on Application Permissions and select Directory.Read.All. Repeat add permission for the Delagated Permissions and select openid.
Show screenshot

Step 2: Configure Azure AD application to send group claims

In your application page, click on "Manifest" to open the inline manifest editor.
Edit the manifest by locating the "groupMembershipClaims" setting, and setting its value to "All" (or to "SecurityGroup" if you are not interested in Distribution Lists).
Optional. If you have hybrid Azure AD configuration and plan to use impersonation, add also UPN claim.
Save the manifest.

        {
        ...
        "createdDateTime": "2019-03-19T10:56:14Z",
        "groupMembershipClaims": "All",
        "identifierUris":[],

        "optionalClaims": {
		    "idToken": [
			    {
				    "name": "upn",
				    "source": null,
				    "essential": false,
				    "additionalProperties": [
					    "include_externally_authenticated_upn"
				    ]
			    }
		    ]
	    },
        ...
        }

To receive the groups claim with the object id of the security groups, make sure that the user accounts you plan to sign-in in is assigned to a few security groups in this AAD tenant.

Step 3: Configure Http Commander to use your tenant

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

Open the Admin Panel of the HTTP Commander or open HTTPCommanderSettings.config file in text editor. Navigate to the AzureAd section and configure following settings:

Set to true the value of the EnableAzureAD setting
Set for the value of the AADClientId setting, the application ID (clientId) of the httpcommander application copied from the Azure portal./li>
Set for the value of the AADClientSecret setting, the key you saved during the creation of the app secret , in the Azure portal.
Set for the value of the AADTenant setting, Azure AD tenant's domain name (in form of <your_tenant>.onmicrosoft.com) or tenand GUID.

Step 4: Hybrid AzureAD configuration and impersonation

If you have hybrid Azure AD configuration, you can use end user impersonation in HTTP Commander. With impersonation enabled all file system operations will be performed under the user account , which means all existing NTFS permissions configured for users will be respected.

You should have Azure AD Connect installed and configured for your domain. You web server (where HTTP Commander is installed on) should be joined into local domain.

Here are the steps for correct configuration of impersonation for AzureAD:

Configure service account for the HTTP Commander application pool as described in the first step of the ADFS integration instuctions.
Set to true the value of the AADImpersonation setting
If required, set the value of the AADLocalUPNSuffix setting. In case your local UPN suffix is different from the UPN suffix returned by the Azure AD, you can specify here one that should be used for local account.
Configure delegation as described in the last step of the ADFS integration instuctions.