
HTTP Commander Azure AD integration.

Note!
We offer free installation assistance for both trial and commercial licenses. You can get help via email, instant messenger or via remote access to your server. Getting online help takes only a few minutes.

Nowadays many companies migrate to the cloud and, as one option, use Azure AD. HTTP Commander can be configured to work with Microsoft Azure Active Directory. After configuration, existing Azure AD users will be able to authenticate in HTTP Commander, and folders in the admin panel can be assigned to groups or users from Azure AD.

We assume that the Azure Active Directory tenant is already configured and functions correctly.
The AD version of HTTP Commander should be installed on the web server, and the web server should have an SSL certificate installed and an HTTPS binding configured.
You will need administrative access to the Azure portal to complete this configuration.

Please note that if you use only Azure AD (cloud) accounts, HTTP Commander will run under the application pool account and all file system operations will be performed under that account.
However, if you use a hybrid Azure AD configuration, you can configure impersonation so that HTTP Commander runs under the identity of the logged-in user.



This tutorial is split into several sections.

Step 0. Register the enterprise application in Azure AD (optional, only for SAML)

If you prefer to use SAML authentication instead of OpenID, you have to create an Enterprise App first instead of creating the app from the App registrations section. Otherwise you won't be able to configure SAML, because apps created from the App registrations section use OpenID authentication by default.

  1. Open the "Enterprise applications" section and click the "New application" button.
  2. Click the "Create your own application" button, enter a name for the application and select the "Integrate any other application you don't find in the gallery (Non-gallery)" option from the list.
  3. When the app has been created, open its "Properties" section and click the "application registration" link to open the app settings in the App registrations section.
    Continue with Step 1.1: Configure the app.

Step 1: Register the service app (OpenID auth)

  1. In the Azure Active Directory pane, click App registrations (preview) and choose New registration.
  2. Enter a friendly name for the application, for example 'HttpCommander', and select 'Web app / API' as the Application Type.
  3. For Supported account types, select who will be able to use the application. By default "Accounts in this organizational directory only" is selected.
  4. For the Redirect URI, set the URL of HTTP Commander on your web server: https://yourdomain.com/htcomnet/
  5. Click Register to create the application.

Step 1.1: Configure the app

  1. On the succeeding page, find the Application (client) ID value and record it for later. You'll need it to configure HTTP Commander.
  2. From the app menu, choose Certificates & secrets and add a new entry in the "Client secrets" section.
  3. Configure permissions for your application: open the 'API permissions' section, click Add a permission, select Microsoft Graph, then click Application permissions and select Directory.Read.All.
    If you plan to use OpenID as the authentication protocol (AADUseSAML is set to false), add a permission again, this time under Delegated permissions, and select openid.
  4. From the app menu, choose Authentication and select "Access tokens" and "ID tokens" in the "Implicit grant" section. If you plan to use WebDAV access to folders in HTTP Commander, set the "Treat application as a public client" option in the "Authentication" section to "Yes".

SAML configuration (optional)

If you prefer to use SAML authentication instead of OpenID, configure it as follows.

  1. On the overview screen of the newly created application, click the "Managed application" link.
  2. Open the "Single sign-on" section and select "SAML" as the single sign-on method.
  3. In the "Basic SAML Configuration" section, set the value of the "Identifier (Entity ID)" property. This value must be unique across all applications in your Azure Active Directory tenant. Keep it somewhere; you will use it later to configure HTTP Commander.

    For the Reply URL, set the URL of HTTP Commander on your web server: https://yourdomain.com/htcomnet/. It is not necessary to have a public domain name.
  4. Click the "Edit" icon in the "Attributes & Claims" section and then click "Add a group claim".

Step 2: Configure Azure AD application to send UPN and group claims

  1. On your application page (app registration), click "Manifest" to open the inline manifest editor.
  2. Edit the manifest by locating the "groupMembershipClaims" setting and setting its value to "All" (or to "SecurityGroup" if you are not interested in distribution lists).
  3. Also add the upn claim (if you use OpenID), especially if you have a hybrid Azure AD configuration and plan to use impersonation (the upn claim is required in this case).
  4. If SAML auth is used, add the groups claim to the saml2Token section. The same can be done from the SAML configuration page.
  5. Save the manifest.
        {
          ...
          "groupMembershipClaims": "All",
          "optionalClaims": {
            "idToken": [
              {
                "name": "upn",
                "source": null,
                "essential": false,
                "additionalProperties": [ "include_externally_authenticated_upn" ]
              }
            ],
            "saml2Token": [
              {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
              }
            ]
          },
          ...
        }
  6. To receive the groups claim with the object IDs of the security groups, make sure that the user accounts you plan to sign in with are assigned to a few security groups in this AAD tenant.

Step 3: Managed app configuration

The Azure portal allows you to configure access rules for the application, so you (as an administrator) can decide who will have access to it.

  1. On the overview screen of the newly created application, click the "Managed application" link.
  2. Open the "Properties" section and set the needed values for the "Assignment required?" and "Visible to users?" properties.
    "Assignment required?" - If this option is set to yes, users and other apps or services must first be assigned to this application before they can access it.
    If it is set to no, all users will be able to sign in, and other apps and services will be able to obtain an access token for this service.
    "Visible to users?" - If this option is set to yes, assigned users will see the application in My Apps and the O365 app launcher. If it is set to no, no users will see this application in their My Apps and O365 launcher.
  3. In the "Users and groups" section you can configure the list of users and groups who will be able to use the application.

Step 4: Configure Http Commander to use your tenant

In the Authentication section of the application in the IIS Management Console, make sure that only "Anonymous authentication" is enabled; all other options should be disabled. Also make sure that "Application pool identity" is selected in the "Anonymous authentication" settings (opened by clicking the "Edit..." link in the right pane).

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

Open the Admin Panel of HTTP Commander, or open the HTTPCommanderSettings.config file in a text editor. Navigate to the AzureAd section and configure the following settings:

  1. Set the value of the EnableAzureAD setting to true.
  2. Set the value of the AADClientId setting to the application ID (clientId) of the HTTP Commander application copied from the Azure portal.
  3. Set the value of the AADClientSecret setting to the key you saved when creating the app secret in the Azure portal.
  4. Set the value of the AADTenant setting to the Azure AD tenant's domain name (in the form <your_tenant>.onmicrosoft.com) or tenant GUID.
  5. (Optional) Change the value of the AADScope setting if you use the Azure GCC environment.
  6. If you decided to use SAML, set the value of the AADuseSAML setting to true.
  7. If you decided to use SAML, set the value of the AADSamlEntityId setting to the value you set for "Identifier (Entity ID)" in the SAML section of the managed app.
  8. If you have a hybrid Azure AD configuration, set the value of the AADImpersonation setting to true.
  9. If required, set the value of the AADLocalUPNSuffix setting. If your local UPN suffix differs from the UPN suffix returned by Azure AD, specify here the one that should be used for the local account.

Navigate to the Main section and configure the following setting:

  1. Set the value of the ExternalAppUrl setting to the URL of the HTTP Commander application on your domain. For example: https://contoso.com/htcomnet/

To activate Azure AD authentication, rename the web.azure.config file in the root folder of the application to web.config. This file contains preconfigured settings that activate Azure AD authentication.

In the IIS Management Console, ensure that Anonymous authentication is enabled for the application (and other authentication schemes are disabled).

Also make sure that "Application pool identity" is used for "Anonymous authentication": select "Anonymous authentication" and click the "Edit" link in the right pane.
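The IIS part of this step can be applied and verified from PowerShell. The script below is an added example, not part of the HTTP Commander documentation; it assumes the application is installed as "htcomnet" under "Default Web Site" (both are placeholders) and runs in an elevated PowerShell on the web server.

```powershell
# Added example, not part of the HTTP Commander documentation. Assumes the
# application lives at "htcomnet" under "Default Web Site" (adjust the two
# variables) and runs in an elevated PowerShell on the web server.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption
$AppPath  = 'htcomnet'           # assumption
$AuthBase = 'system.webServer/security/authentication'
# Write to applicationHost.config <location> tags, as IIS Manager does; the
# authentication sections are locked against web.config overrides by default.
$Target = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = "$SiteName/$AppPath" }

# 1. Anonymous authentication on, identity = "Application pool identity"
#    (IIS stores that choice as an empty userName).
Set-WebConfigurationProperty @Target -Filter "$AuthBase/anonymousAuthentication" -Name enabled  -Value $true
Set-WebConfigurationProperty @Target -Filter "$AuthBase/anonymousAuthentication" -Name userName -Value ''

# 2. The other schemes off: IIS must never challenge for Windows credentials,
#    otherwise the Azure AD sign-in never gets a chance to run.
foreach ($scheme in 'windowsAuthentication', 'basicAuthentication') {
    Set-WebConfigurationProperty @Target -Filter "$AuthBase/$scheme" -Name enabled -Value $false
}

# 3. Show the effective state so the change can be checked at a glance.
foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
    $enabled = (Get-WebConfigurationProperty @Target -Filter "$AuthBase/$scheme" -Name enabled).Value
    '{0,-24} enabled={1}' -f $scheme, $enabled
}

# 4. The redirect/reply URI registered in Azure AD is https://, so the site
#    needs an HTTPS binding; warn if none exists.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    Write-Warning "No HTTPS binding on '$SiteName'; the Azure AD redirect URI will not work."
}

# 5. Activate the Azure AD pipeline: the shipped web.azure.config becomes web.config.
$root     = [Environment]::ExpandEnvironmentVariables((Get-WebApplication -Site $SiteName -Name $AppPath).PhysicalPath)
$azureCfg = Join-Path $root 'web.azure.config'
$liveCfg  = Join-Path $root 'web.config'
if (Test-Path $azureCfg) {
    if (Test-Path $liveCfg) { Copy-Item $liveCfg "$liveCfg.bak" -Force }   # keep the previous web.config
    Move-Item $azureCfg $liveCfg -Force
}
```

The settings in HTTPCommanderSettings.config (EnableAzureAD, AADClientId and the rest) still have to be entered as described above; the script only covers IIS and the web.config swap.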



Step 5: Hybrid AzureAD configuration and impersonation

If you have a hybrid Azure AD configuration, you can use end-user impersonation in HTTP Commander. With impersonation enabled, all file system operations are performed under the user's account, which means all existing NTFS permissions configured for users are respected.

You should have Azure AD Connect installed and configured for your domain. Your web server (where HTTP Commander is installed) should be joined to the local domain.

Here are the steps to configure impersonation for Azure AD correctly:

  1. Configure the HTTP Commander application pool to run under the "Local System" account.
  2. In the HTTP Commander admin panel, set the value of the AADImpersonation setting to true.
  3. If required, set the value of the AADLocalUPNSuffix setting (in the HTTP Commander admin panel). If your local UPN suffix differs from the UPN suffix returned by Azure AD, specify here the one that should be used for the local account.
  4. Configure delegation to CIFS and LDAP on the web server's computer account.
    Repeat the last two steps for the LDAP service and your domain controller.

    Please NOTE: delegation settings can be applied with some delay. Therefore you may have to wait a while before network shares work in HTTP Commander.
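Step 4 (delegation on the web server account) can also be done and verified with the ActiveDirectory PowerShell module. This is an added example, not part of the HTTP Commander documentation; WEB01, FS01, DC01 and contoso.com are placeholders, and it assumes constrained delegation with protocol transition, since a user who signed in with an Azure AD token has no Kerberos ticket the web server could forward.

```powershell
# Added example, not part of the HTTP Commander documentation. Assumes the
# ActiveDirectory module, a web server computer account WEB01, a file server
# FS01 and a domain controller DC01 in contoso.com (all placeholders), run by
# an account allowed to edit that computer object.
Import-Module ActiveDirectory

$WebServer = 'WEB01'                          # assumption
$Services  = @(
    'cifs/FS01.contoso.com', 'cifs/FS01'      # the shares HTTP Commander exposes
    'ldap/DC01.contoso.com', 'ldap/DC01'      # directory lookups done as the user
)
$acct = Get-ADComputer -Identity $WebServer

# Constrained delegation: the web server may request tickets for these SPNs
# only (ADUC: "Trust this computer for delegation to specified services only").
# Listing exactly the hosts that are needed is the least-privilege choice.
Set-ADComputer -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $Services }

# Protocol transition ("Use any authentication protocol"): the user signed in
# with an Azure AD token rather than Kerberos, so the server must be allowed
# to obtain a ticket on the user's behalf from that identity (S4U2Self).
# Make sure unconstrained delegation is not set at the same time.
Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true -TrustedForDelegation $false

# Verify by decoding the userAccountControl bits rather than trusting the GUI.
$uac = Get-ADComputer -Identity $acct -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
[pscustomobject]@{
    Computer            = $uac.Name
    Unconstrained       = [bool]($uac.userAccountControl -band 0x80000)    # TRUSTED_FOR_DELEGATION
    ProtocolTransition  = [bool]($uac.userAccountControl -band 0x1000000)  # TRUSTED_TO_AUTH_FOR_DELEGATION
    AllowedToDelegateTo = ($uac.'msDS-AllowedToDelegateTo' -join ', ')
}
# Replication and cached Kerberos tickets mean the web server may not honour
# the change immediately (the delay the tutorial warns about).
```

Because protocol transition lets the web server act as any synced user towards the listed services, keep the SPN list to the file servers and domain controllers that are actually needed and treat the web server as a high-value host.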


"Connection is terminated" error after successful login. HTTP Commander is not loaded.

If the w3wp.exe process is terminated after login and you see the following error in the Windows Event Log:

Description: The process was terminated due to an unhandled exception. Exception Info: System.AccessViolationException at System.Security.Cryptography.NCryptNative+UnsafeNativeMethods.NCryptOpenStorageProvider(Microsoft.Win32.SafeHandles.SafeNCryptProviderHandle ByRef, System.String, Int32)

Then make sure that the Windows service "CNG Key Isolation" (KeyIso) is running.