Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Windows authentication across untrusted domains

See original GitHub issue

I’m developing a web service based on ASP.NET Core 2.2 + IdentityServer4, supporting both credentials authentication (i.e. username+password) and Windows authentication. I am not able to login using a domain user from an untrusted domain.

Steps to reproduce the behavior:

  1. Using this version of ASP.NET Core ‘2.2’
  2. Write this code HttpContext.AuthenticateAsync(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme) or Challenge(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme)
  3. Try to access the resource and when prompted for Windows credentials (i.e. Challenge), type untrusted domain credentials.

Expected behavior

Domain user can log in. (Given I could specify the untrusted domain somewhere).

Notes

The two untrusted domains have DNS stubs so they can ‘know’ each others.

The final goal is to use Http.Sys (instead of IIS) or even Kestrel 3.0, but for now I was thinking that using IIS would be the easier thing.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:8 (5 by maintainers)

github_iconTop GitHub Comments

1reaction
blowdartcommented, Oct 3, 2019

Talked to some windows friends.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/forest-design-models is the overview, which you should read the forest trust sections to understand what you’re going to do, then https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754626(v=ws.11) are the actual steps.

Please understand the security implications of forest trusts before implementing them 😃

0reactions
blowdartcommented, Dec 5, 2019

Closing as answered, and also really a windows issue.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Windows authentication across untrusted domains
I'm developing an ASP.NET Web API which implements also an Identity provider using Identity Server. The requirement is to support Windows ...
Read more >
Whats the best way to implement Windows Authentication ...
Whats the best way to implement Windows Authentication from an untrusted domain. Posted by Cdallimore on Sep 5th, 2018 at 9:34 AM. Needs...
Read more >
How to fix, Login failed. The login is from an untrusted ...
The error message you receive indicates that SQL Server is configured to use Integrated Authentication (Windows Authentication), but the login ...
Read more >
Windows Authentication Concepts
When a trust exists between two domains, the authentication mechanisms for each domain trust the authentications coming from the other domain.
Read more >
[MS-NRPC]: Pass-Through Authentication and Domain Trusts
The secure channel between DCs in two domains that are connected via a trust relationship is called a trusted domain secure channel.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

TopLevelParameterNameAnalyzer threw an exception of type System.NullReferenceException.

Next page

Tag Helper asp-src-include Not Functional in Core 3.0