Azure AD integration. (Windows version)

Web file manager

Free Installation assistance

Manual Home page

Note !
We offer free installation assistance for both trial and commercial licenses. You can get help via email, instant messenger or via remote access to your server. You need few minutes to get online help.

Nowdays many companies migrate to the cloud and as on option uses Azue AD. HTTP Commander can be configured to work with Microsoft Azure Active Directory. After configuration existing Azue AD users will able to authenticate in the HTTP Commander. And folders in the admin panel can be assigned to the groups or users from the Azure AD.

We assume that Azure Active Directory tenant is already configured and function correctly.
Also AD version of Http Commander should be installed on the Web server. And Web server should have SSL certificate installed and HTTPS binding configured.
You will need to have Administrative access to th Azure portal to complete this configuration .

Please note that if you use only Azure AD (cloud) accounts, then HTTP Commander will work under application pool account and all file system operations will be performed under that account.
However if you use hybrid Azure AD configuration, it is possible to configure impersonation and HTTP Commander will work under the identity of the logged-in user.

This tutorial is splitted into several sections.

Register the service application in Azure AD
Configure Azure AD application to send UPN and group claims
Http Commander configuration
Hybrid AzureAD configuration and impersonation

Step 1: Register the service app

In the Azure Active Directory pane, click on App registrations (preview) and choose New registration.
Show screenshot
Enter a friendly name for the application, for example 'HttpCommander' and select 'Web app / API' as the Application Type.
For the Supported account types, select who will be able to use the application. By default "Accounts in this organizational directory only " is selected.
Fore the Redirect URI set the url to the HTTP Commander on your web server https://yourdomain.com/htcomnet/
Click register to create the application.
Show screenshot
In the succeeding page, Find the Application (client) ID value and record it for later. You'll need it to configure Http Commander later.
Show screenshot
From the app menu, choose Certificates Secrets and add a new entry in the "Client secrets" section:
- Type a key description (of instance app secret),
- Select a key duration of either In 1 year, In 2 years, or Never Expires.
- When you save this page, the key value will be displayed, copy, and save the value in a safe location.
- You'll need this key later to configure the HTTP Commander. This key value will not be displayed again, nor retrievable by any other means, so record it as soon as it is visible from the Azure portal.
Show screenshot
Configure Permissions for your application. To that extent, choose the 'API permissions' section and then, click on Add a permission, then Select an Microsoft Graph API. Then, click on Application Permissions and select Directory.Read.All. Repeat add permission for the Delagated Permissions and select openid.
Show screenshot
From the app menu, choose Authentication and select "Access tokens" and "ID tokens" at the "Implicit grant" section. If you plan to use WebDAV access to folders in HTTP Commander, you need to enable "Treat application as a public client" option in the "Authentication" section.
From the app menu, choose Authentication and set to "Yes" the option "Treat application as a public client".
Show screenshot

Step 2: Configure Azure AD application to send UPN and group claims

In your application page, click on "Manifest" to open the inline manifest editor.
Edit the manifest by locating the "groupMembershipClaims" setting, and setting its value to "All" (or to "SecurityGroup" if you are not interested in Distribution Lists).
Also add UPN claim, specially if you have hybrid Azure AD configuration and plan to use impersonation (upn claim is required in this case).
Save the manifest.

        {
        ...
        "createdDateTime": "2019-03-19T10:56:14Z",
        "groupMembershipClaims": "All",
        "identifierUris":[],

        "optionalClaims": {
        "idToken": [
			    {
				    "name": "upn",
				    "source": null,
				    "essential": false,
				    "additionalProperties": [
					    "include_externally_authenticated_upn"
				    ]
			    }
		    ]        
	    },
        ...
        }

To receive the groups claim with the object id of the security groups, make sure that the user accounts you plan to sign-in s assigned to a few security groups in this AAD tenant.

Step 3: Configure Http Commander to use your tenant

In the authentication section of the application at IIS management console, make sure that only "Anonymous authentication" is enabled, all other options should be disabled. And make sure that "Application pool identity" is selected in the "Anonymous authentication" settings (opened byclick on the "Edit..." link on the right panle).

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

Open the Admin Panel of the HTTP Commander or open HTTPCommanderSettings.config file in text editor. Navigate to the AzureAd section and configure following settings:

Set to true the value of the EnableAzureAD setting
Set for the value of the AADClientId setting, the application ID (clientId) of the httpcommander application copied from the Azure portal./li>
Set for the value of the AADClientSecret setting, the key you saved during the creation of the app secret , in the Azure portal.
Set for the value of the AADTenant setting, Azure AD tenant's domain name (in form of <your_tenant>.onmicrosoft.com) or tenand GUID.

Navigate to the Main section and configure following settings:

Set as the value of the ExternalAppUrl setting, url to the HTTP Commander application on your domain. For example: https://contoso.com/htcomnet/

To activate Azure AD authentication, rename web.azure.config file from the root folder of the application to web.config file. This file contain precofigured settings to activate Azure AD authentication.
In the IIS Management Console ensure that Anonymous authentication is enabled for the application (and other authentication schemes are disabled).

Step 5: Hybrid AzureAD configuration and impersonation

If you have hybrid Azure AD configuration, you can use end user impersonation in HTTP Commander. With impersonation enabled all file system operations will be performed under the user account , which means all existing NTFS permissions configured for users will be respected.

You should have Azure AD Connect installed and configured for your domain. You web server (where HTTP Commander is installed on) should be joined into local domain.

Here are the steps for correct configuration of the impersonation for AzureAD:

Configure HTTP Commander application pool to work under the "Local system" account.
- Open IIS management console: Control panel->Administrative tools-> Internet Information Services-> and then "Application pools".
- Open "Advanced settings" of htcomnetpool application pool.
- Make sure that the value of "Enable 32-Bit Applications" setting is set to false.
- Change "Identity" setting to use the "Local system" Built-in account.
- Change to true the value of the "Load User Profile" setting.
  Show screenshot
In the HTTP Commander admin panel: Set to true the value of the AADImpersonation setting
If required, set the value of the AADLocalUPNSuffix setting (in the HTTP Commander admin panel:). In case your local UPN suffix is different from the UPN suffix returned by the Azure AD, you can specify here one that should be used for local account.
Configure delegation to CIFS and LDAP on the web server account.
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Expand domain, and then expand the Computers folder.
- In the right pane, right-click the computer name for the Web server, select Properties, and then click the Delegation tab.
- Click to select Trust this computer for delegation to specified services only.
- Ensure that Use any authentication protocol is selected, and then click OK.
- Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the File server that is to be used in HTTP Commander. Click OK.
- In the Available Services list, select the CIFS service. Click OK.
Repeat last two steps for LDAP service and your Domain Controller.

Show screenshot

Please NOTE: delegation settings can be applied with some delay. Therefore you may have to wait a while for network shares work in the HTTP Commander.

"Connection is terminated" error after successfull login. HTTP Commander is not loaded.

If w3wp.exe process is terminated after login and you see folloing error in the Windows Event Logs:


        Description: The process was terminated due to an unhandled exception.
        Exception Info: System.AccessViolationException
        at System.Security.Cryptography.NCryptNative+UnsafeNativeMethods.NCryptOpenStorageProvider(Microsoft.Win32.SafeHandles.SafeNCryptProviderHandle ByRef, System.String, Int32)

Then please make sure that the windows service - "CNG Key Isolation" is running (KeyIso).