
windowsauthentication's Issues

Running the sample

How to run this sample? Any specific address I need to provide in URL? When I run the code, the browser shows some XML metadata. When I use /core, it says that page not found (404 error).

Windows authentication not working via console

I've managed to get the Windows authentication to work fine using MVC (OpenID Connect) and via JavaScript (return a token and then to validate and return claims). Though I'm failing when calling it from a simple console app client. I'm getting the "invalid_client" and no token provided. Even with the client example that has been provided.

    static void Main(string[] args)
    {
        var handler = new HttpClientHandler {
            UseDefaultCredentials = true
        };
        var oauthClient = new OAuth2Client(new Uri("https://localhost:44333/connect/token"), handler);
        var result = oauthClient.RequestCustomGrantAsync("windows").Result;
    }

Which sort of makes sense, as no clientId is provided. Therefore I added a clientId with a secret and am now getting the error "unsupported_grant_type".

    static void Main(string[] args)
    {
        var handler = new HttpClientHandler {
            UseDefaultCredentials = true
        };
        // Same call as above, now with a client id and secret
        var oauthClient = new OAuth2Client(new Uri("https://localhost:44333/connect/token"), "K2", "secret", handler);
        var result = oauthClient.RequestCustomGrantAsync("windows").Result;
    }

So what am I doing wrong for it not to return a token? Is there something specific I need to set up in the Client configuration?

WindowsAuthentication on Owin self hosted

Hello, first of all I want to say that I have just discovered your project but I already love it.
I am setting up an IdentityServer that will use Active Directory as users store.
I have already implemented my IUserService and by supplying login and password I can get the Identity as expected.
Now I wanted to skip the login view whenever the client offers windows authentication.
So I have added the package IdentityServer.WindowsAuthentication and followed the examples to make it work.
When I click on the link "application permissions" ( https://localhost:44333/permissions ) everything seems to be fine till the point that the browser shows a blank page of death (HTTP 401) and the logs show what's attached:
log-extract.txt

Any ideas?
Perhaps I forgot something, sorry if the question is stupid.

Thank you!

Showing custom login screen or passing username and password as parameters to the request URI

Is it possible to show a custom login screen or pass username and password as parameters to the request URI?

We would like to use the WindowsAuthentication IdentityServer to authenticate users in our iOS and Android apps. To get this to work properly we have to find a way for the users to fill in their username and password in the app(s) to authenticate themselves.

Thanks in advance for your response.

How to use?

Could someone provide documentation about how to use this plugin?

Full logout using Windows authentication

In our project, using the Windows Authentication module and IdentityServer3 when users logout, they still need to close the browser, else when clicking on the Windows button again, it does not re-prompt for a different user.

This is in a lab environment, where we are using a shared desktop/browser, not likely in production I know, but I'd still like to know if it is technically possible to fully log out from Windows authentication by closing the connection somehow?

Thanks.

Adding my claims

I need some guidance on how to add my claims for the user after authenticating with the Active Directory.

I have a separate custom system that holds a set of claims for the users. I thought I need to override the CustomClaimsProvider in the OWIN startup for UseWindowsAuthenticationService. I sure could use some examples or direction to make sure I'm heading in the right route.

UPDATE: (I'm leaving the previous to help show where I'm coming from)

I see IdentityServer.WindowsAuthentication.Services.DefaultCustomClaimsProvider : ICustomClaimsProvider

I think I need to understand how to create my own custom claims provider. Could someone demo an idea how to build your own?

Can't run the WebHost project

I set the "WebHost" as the starting project and tried to run it. I got an error popup from Visual Studio: "Unable to start debugging on the web server. The debugger cannot connect to the remote computer. The debugger was unable to resolve the specified computer name."

What do I need to do to be able to run the "WebHost" project?

Confused about IdpReplyUrl

I must be missing something fundamental.
I've spent a lot of time looking at examples and I still don't understand it.
What is WindowsAuthenticationOptions.IdpReplyUrl?
What kind of resource should it be pointing to?
In your examples it is pointing to "https://localhost:44333/core/was" but I don't see how this endpoint is configured.

Can WindowsPrincipal be populated with first name, last name, email address etc?

Hi,

We have AD login working and I've now been tasked with looking at updating our user store with AD details during login if required. I have created a custom claims provider but when I inspect the claims in the WindowsPrincipal and OutgoingSubject (ClaimsIdentity) neither of them contain any of these properties.

Is there a place that I can configure additional details to be retrieved from AD during login?

Thanks

ILMerge error during build

I am getting the following error during the build process when executing build.ps1 in PowerShell. Do you have any ideas on how to resolve this?

Thanks,

psake version 4.4.1
Copyright (c) 2010-2014 James Kovacs & Contributors

Executing Clean
Executing UpdateVersion
Executing Compile
Executing ILMerge


Directory: E:\git\playground\IdentityServer3.WindowsAuthentication\distribution\lib


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         10/9/2015  10:55 AM            net45
An exception occurred during merging:
Unresolved assembly reference not allowed: System.Net.Http.Formatting.
   at System.Compiler.Ir2md.GetAssemblyRefIndex(AssemblyNode assembly)
   at System.Compiler.Ir2md.GetTypeRefIndex(TypeNode type)
   at System.Compiler.Ir2md.WriteTypeDefOrRefEncoded(BinaryWriter target, TypeNode type)
   at System.Compiler.Ir2md.WriteTypeSignature(BinaryWriter target, TypeNode type, Boolean instantiateGenericTypes)
   at System.Compiler.Ir2md.WriteTypeSignature(BinaryWriter target, TypeNode type, Boolean instantiateGenericTypes)
   at System.Compiler.Ir2md.GetBlobIndex(TypeNode type)
   at System.Compiler.Ir2md.GetTypeSpecIndex(TypeNode type)
   at System.Compiler.Ir2md.VisitClass(Class Class)
   at System.Compiler.Ir2md.VisitModule(Module module)
   at System.Compiler.Ir2md.SetupMetadataWriter(String debugSymbolsLocation)
   at System.Compiler.Ir2md.WritePE(Module module, String debugSymbolsLocation, BinaryWriter writer)
   at System.Compiler.Writer.WritePE(String location, Boolean writeDebugSymbols, Module module, Boolean delaySign, Strin
g keyFileName, String keyName)
   at System.Compiler.Writer.WritePE(CompilerParameters compilerParameters, Module module)
   at ILMerging.ILMerge.Merge()
   at ILMerging.ILMerge.Main(String[] args)
Executing CreateNuGetPackage
Attempting to build package from 'IdentityServer.WindowsAuthentication.nuspec'.
Successfully created package 'E:\git\playground\IdentityServer3.WindowsAuthentication\distribution\IdentityServer.Window
sAuthentication.1.0.0.nupkg'.

Build Succeeded!

----------------------------------------------------------------------
Build Time Report
----------------------------------------------------------------------
Name               Duration
----               --------
Clean              00:00:00.2539040 
UpdateVersion      00:00:00.0684963
Compile            00:00:22.1707601
ILMerge            00:00:28.7964576
CreateNuGetPackage 00:00:02.8306707
Total:             00:00:54.9885970

Redirecting back to the application after logout (SignOutWreply)

Is there a reason that after signing out while using the Windows Authentication Service that it just stays on the windows auth page with an empty screen? I understand that you can't really logout since it's the current windows login, but I just want it to logout of IdentityServer, and then return to my application. Am I missing a setting in IdentityServer itself to not stay on the windows authentication page?

I've looked into it some and it seems that setting the SignOutWreply in the WsFederationAuthenticationOptions in IdentityServer is how this should be handled. So I set that, and I see the wreply gets added to the querystring, but it still sits there and doesn't handle the redirect.

I looked into the source code and it seems the SignOut message is just returning 200 OK and that's it.

                var signout = message as SignOutRequestMessage;
                if (signout != null)
                {
                    Logger.Info("Sign-in request");

                    // no support for signout
                    return Ok();
                }

I added some code to handle the redirect if the wreply is set, am I missing something as to why this wasn't implemented?

                var signout = message as SignOutRequestMessage;
                if (signout != null)
                {
                    Logger.Info("Sign-out request");

                    if (!string.IsNullOrWhiteSpace(signout.Reply))
                    {
                        // if the wreply is set, redirect
                        return Redirect(signout.Reply);
                    }
                    // otherwise just return 200 ok
                    return Ok();
                }
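
A `wreply` value arrives in the query string, so a redirect built on it is normally gated on a list of registered reply URLs. The check below is an added example, not code from the project or from the post above; `ReplyUrlValidator` and all URLs in it are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example. ReplyUrlValidator and every URL below are hypothetical,
// not part of IdentityServer.WindowsAuthentication.
public static class ReplyUrlValidator
{
    // True only when reply is an absolute https URL whose host, port and
    // path exactly match one of the registered reply URLs.
    public static bool IsAllowed(string reply, IEnumerable<Uri> registered)
    {
        if (string.IsNullOrWhiteSpace(reply)) return false;

        Uri candidate;
        if (!Uri.TryCreate(reply, UriKind.Absolute, out candidate)) return false;

        // Rejects http:, file: and anything else that parsed as absolute.
        if (candidate.Scheme != Uri.UriSchemeHttps) return false;

        // user:password@host forms can disguise the real host.
        if (!string.IsNullOrEmpty(candidate.UserInfo)) return false;

        return registered.Any(r =>
            r.Scheme == Uri.UriSchemeHttps &&
            string.Equals(candidate.Host, r.Host, StringComparison.OrdinalIgnoreCase) &&
            candidate.Port == r.Port &&
            string.Equals(candidate.AbsolutePath, r.AbsolutePath, StringComparison.Ordinal));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed allowlist and inputs.
        var registered = new[] { new Uri("https://localhost:44300/signedout") };
        var samples = new[]
        {
            "https://localhost:44300/signedout",          // registered
            "https://localhost:44300/signedout?state=1",  // registered, query ignored
            "https://example.invalid/signedout",          // other host
            "https://localhost:44300@example.invalid/",   // userinfo in front of another host
            "http://localhost:44300/signedout",           // not https
            "/signedout"                                  // not an absolute https URL
        };

        foreach (var s in samples)
            Console.WriteLine("{0,-45} {1}", s, ReplyUrlValidator.IsAllowed(s, registered));
    }
}
```

In the sign-out branch shown above, the check would sit in front of `Redirect(signout.Reply)`, with `Ok()` as the fallback when the value is not registered.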

Is it possible to catch 401 before IIS prompt for Id/Password?

I got everything working, except the browser behavior is unpredictable. For example,

  • IE and Chrome can pick up Windows identity by default, but Firefox requires some tweaks.
  • When using FQDN, all browsers prompt for Id/Password, unless you update intranet zone
  • And of course, when calling from non-Windows clients, it always prompts

I can add middleware to catch 302/401, but it always seems one step behind IIS. Is there a way to catch it BEFORE IIS prompts for Id/Password? I understand this might not be an Identity Server question, but just in case someone already knows the answer.

Thanks.

Not clear what this sample is for...

Hi,
I thought this sample is going to demonstrate the windows authentication with identity server (taking windows credentials, authenticate, and convert windows token to Identity server token).
But when I run the sample, it is simply showing metadata. It is supposed to contact the URL https://localhost:44333/core/was. But this is not happening, and it is not going to Identity Server at all. Anyone tried this sample? Could you share your thoughts on the purpose of this sample?

Which expiration should be used?

What type of token does the WindowsAuthentication return? The token being returned has the following fields:

{ "access_token": [Base64 encoded JWT], "token_type": "bearer", "expires_in": long value }

Since I want to revalidate my user's windows login, I'm trying to determine which expiration field needs to be used. It seems to me that the "expires_in" field in the outer token is just the difference between the "exp" and "nbf" fields of the JWT. Is that correct?

If not, what expiration value should I be using?

Thanks

-marc
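
To compare the two values locally, the sketch below decodes the JWT payload and prints the lifetime implied by `exp` and `nbf` next to the `expires_in` of the response. It is an added example, not code from the project; it assumes Newtonsoft.Json is referenced, and `TokenLifetime` and the sample response are constructed for illustration.

```csharp
using System;
using System.Text;
using Newtonsoft.Json.Linq;

// Added example. TokenLifetime and the sample token are constructed for
// illustration. The payload is decoded WITHOUT signature validation, so the
// values are for inspection only, never for an access decision.
public static class TokenLifetime
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static DateTime FromUnix(long seconds) { return Epoch.AddSeconds(seconds); }
    public static long ToUnix(DateTime utc) { return (long)(utc - Epoch).TotalSeconds; }

    // Returns the middle (payload) segment of a compact JWT as JSON.
    public static JObject ReadPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        // base64url -> base64, then restore the stripped padding
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }

    static string Base64Url(string text)
    {
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(text))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static void Main()
    {
        // Constructed token response in the shape quoted in the post.
        var receivedAt = DateTime.UtcNow;
        long nbf = ToUnix(receivedAt), exp = nbf + 3600;
        var jwt = Base64Url("{\"typ\":\"JWT\"}") + "."
                + Base64Url("{\"nbf\":" + nbf + ",\"exp\":" + exp + "}") + ".sig";
        var response = JObject.Parse(
            "{\"access_token\":\"" + jwt + "\",\"token_type\":\"bearer\",\"expires_in\":3600}");

        var payload = ReadPayload(response.Value<string>("access_token"));
        long jwtExp = payload.Value<long>("exp"), jwtNbf = payload.Value<long>("nbf");
        long expiresIn = response.Value<long>("expires_in");

        Console.WriteLine("exp - nbf            : {0} s", jwtExp - jwtNbf);
        Console.WriteLine("expires_in           : {0} s", expiresIn);
        Console.WriteLine("expiry from exp      : {0:u}", FromUnix(jwtExp));
        Console.WriteLine("expiry from response : {0:u}", receivedAt.AddSeconds(expiresIn));
    }
}
```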

Unable to create to obtain configuration from 'https://....'

Just running this code straight from cloned repo.... I'm running each project from separate instance of VS in IIS Express.

From the IdentityServer3 landing page, I click "application permissions" and during authentication, it returns an error page with:

IDX10803: Unable to create to obtain configuration from: 'https://localhost:44366'.

And from top of stack trace:
[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://localhost:44366'.]
Microsoft.IdentityModel.Protocols.d__3.MoveNext()

Any ideas? Is there special setup I need to perform to get this sample to work?

Guideline for using Windows Authentication

I'm working at implementing IdentityServer to authenticate users in AD. This project seems like a good starting point, but I'm struggling to find more info. My situation is as follows:

I have setup a basic IdentityServer that is up and running. I'm using Identity Manager and Identity Admin to keep everything (user, roles, claims, clients, scopes) in a database. Next step is to integrate authentication with AD. My requirements are:

  • User will be authenticated against AD
  • User permissions (claims/roles) will be stored in database (as they are now)
  • Depending on the client application, I have three different scenarios:
    • In some cases, the identity of the current user should be used (I guess for this to work, Identity Server should run with Windows Authentication). User should not be prompted for anything.
    • In some cases, the user has to explicitly login. He can use the current login or
    • Manually enter a username and password that will be validated against AD.

I'm looking for some pointers/direction how to proceed. Should I handle completely the login sequence myself, is there something similar I can base my solution, etc.

How to use WindowsAuthentication Module and IdentityServer from Console/WinForms App

I'm trying to figure out how to use IdentityServer3 with the Windows Authentication module installed.

I followed the example located here: [https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/WebHost%20(Windows%20Auth%20All-in-One)] .

I have the server component up and running. I can access the documents provided when I go to /identity and /windows.

The disconnect in my head at this point, is how to get a Console, Windows, or even a web client to connect to the server, pass the user's windows credentials and get a response back.

Once I get the response back, I assume I would just follow the normal authorization flow of asking for the claims for a specific client and scope.

Thanks

marc

Sequence contains no elements

Why am I getting this error both in sample code and when attempting to plug this in existing production code?

Line 80:         private static void ConfigureAdditionalIdentityProviders(IAppBuilder app, string signInAsType)
Line 81:         {
Line 82:             app.UseWindowsAuthenticationService(new WindowsAuthenticationOptions
Line 83:             {
Line 84:                 IdpRealm = "urn:idp",

or

Unhandled Exception: System.Reflection.TargetInvocationException: Exception has
been thrown by the target of an invocation. ---> System.InvalidOperationExceptio
n: Sequence contains no elements
   at System.Linq.Enumerable.First[TSource](IEnumerable`1 source)
   at SelfHost.Startup.Configuration(IAppBuilder app) in c:\Dev\IdSrvWinAuth\source\SelfHost\Startup.cs:line 14
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
   at Microsoft.Owin.Hosting.Engine.HostingEngine.ResolveApp(StartContext context)
   at Microsoft.Owin.Hosting.Engine.HostingEngine.Start(StartContext context)
   at Microsoft.Owin.Hosting.Starter.DirectHostingStarter.Start(StartOptions options)
   at Microsoft.Owin.Hosting.Starter.HostingStarter.Start(StartOptions options)
   at Microsoft.Owin.Hosting.WebApp.StartImplementation(IServiceProvider services, StartOptions options)
   at Microsoft.Owin.Hosting.WebApp.Start(StartOptions options)
   at Microsoft.Owin.Hosting.WebApp.Start[TStartup](StartOptions options)
   at Microsoft.Owin.Hosting.WebApp.Start[TStartup](String url)
   at SelfHost.Program.Main(String[] args) in c:\Dev\IdSrvWinAuth\source\SelfHos
t\Program.cs:line 17
Press any key to continue . . .
