Enable Windows Authentication for Windows Azure Pack: Web Sites


Applies To: Windows Azure Pack

Windows Azure Pack: Web Sites supports web site integration with Active Directory for authentication. Application Pool support also allows a web site to run under a specified identity that is used to connect to database resources.

Note

The Application Pool Identity feature does not currently support all pass-through scenarios and works only with databases.

In order for Active Directory authentication to be enabled, the following conditions must be true:

  • All of the Web Site Worker roles must be domain joined to the same Active Directory domain.

  • After a Web Site cloud is joined to an Active Directory domain, only workers that are part of the same domain can be added to the cloud.

You can enable Active Directory authentication by using the Management Portal or through PowerShell commands.

Management Portal

Administratively enable Active Directory authentication integration with Web Sites

To enable Active Directory through the admin Portal

  1. Open the Web Site Cloud Configure tab.

  2. In the General Settings section, choose among the following three options for Website Windows Authentication:

    Setting   Description
    Off       Disables Windows authentication for the web sites in the cloud
    Allow     Enables Windows authentication so that tenants can enable it on their web sites
    Require   Requires all web sites in the cloud to use Windows authentication

When Windows authentication is administratively set to Require, all tenant web sites in the web site cloud will have Active Directory integration across their web sites. This means that a web site tenant cannot set a non-authenticated experience. The Require setting provides assurances to the Web Sites administrator that all the web sites have been secured.

When Windows authentication is administratively set to Allow, tenants can decide if they want their sites to integrate with Active Directory for authentication. When Allow is enabled, tenants can manipulate individual pages on their web site to not require authentication.

Tenant enablement of Active Directory authentication for a web site

Tenants can enable Active Directory integration on the Configure tab of the Management Portal for their web site. The option to configure Active Directory integration is enabled only if the administrator has enabled it for the Web Site Cloud to which the web site belongs. Depending on settings made by the cloud administrator, tenants can disable Active Directory integration, enable it, or make it required.

To configure Active Directory for a tenant web site in the tenant Management Portal

  1. Open the web site's Configure tab.

  2. In the General section, choose among the following three options for Windows Authentication:

    Setting   Description
    Off       Disables Windows authentication for the web site
    Allow     Enables Windows authentication to be used on the web site
    Require   Requires the entire web site to use Windows authentication

When Windows Authentication is set to Require, all pages in the site are protected by Active Directory authentication. The Require setting ensures the web site owner that authentication cannot be disabled, even if multiple developers update the same web site.

When Windows Authentication is set to Allow, the web site is protected by Active Directory for authentication. However, web site developers can still disable it for individual pages in the site.

If the cloud system administrator has set Active Directory authentication to Require, then the tenant cannot disable it for their web site.
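The PowerShell script below is an added example and is not part of the Windows Azure Pack documentation. It shows the mechanism behind the Allow and Require settings from the tenant side: under Allow, a developer can open individual paths by placing a location element with its own authentication settings in the site's web.config, and a site owner can audit which paths have been opened that way; under Require those sections are locked and such an override is not honoured. The web.config content is constructed for the example, and the function names Get-AuthenticationOverride and Get-EnabledAttribute are the example's own.

```powershell
# Added example, not from the Windows Azure Pack documentation: list every path in a
# tenant web.config that opts out of Windows authentication. Such <location> overrides
# take effect when the cloud and site settings are Allow; under Require they are rejected.

function Get-EnabledAttribute {
    # Returns the "enabled" attribute of a child element, or "(inherited)" when the
    # override does not mention that element at all.
    param([System.Xml.XmlNode]$Parent, [string]$ElementName)
    $node = $Parent.SelectSingleNode($ElementName)
    if ($node) { $node.GetAttribute('enabled') } else { '(inherited)' }
}

function Get-AuthenticationOverride {
    param([xml]$WebConfig)   # parsed web.config of the tenant site

    # Location blocks that either switch Windows authentication off or turn anonymous access on.
    $xpath = '//location[.//windowsAuthentication[@enabled="false"] or .//anonymousAuthentication[@enabled="true"]]'
    foreach ($loc in $WebConfig.SelectNodes($xpath)) {
        $auth = $loc.SelectSingleNode('.//authentication')
        [pscustomobject]@{
            Path                 = $loc.GetAttribute('path')
            WindowsAuthEnabled   = Get-EnabledAttribute -Parent $auth -ElementName 'windowsAuthentication'
            AnonymousAuthEnabled = Get-EnabledAttribute -Parent $auth -ElementName 'anonymousAuthentication'
        }
    }
}

# Constructed sample web.config: the site root requires Windows authentication, but a
# developer has opened the "public" and "health" paths to anonymous callers.
$sampleWebConfig = [xml]@'
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
  <location path="public">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="health">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

# Each row is a path that a caller can reach without Windows authentication.
Get-AuthenticationOverride -WebConfig $sampleWebConfig | Format-Table -AutoSize
```

Running the function over the real web.config of a site (for example `Get-AuthenticationOverride -WebConfig ([xml](Get-Content .\web.config))`) gives an administrator a quick picture of what an Allow setting has permitted; an empty result means every path still inherits the site-level requirement.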

Administratively enable Application Pool identity for Web Sites

Application pool identities can be enabled only if all of the workers in the web sites cloud are joined to the same Active Directory domain. Administrators can manage the application pool identity feature from the Web Site Cloud Configure tab.

To enable application pool identity through the cloud admin Portal

  1. Open the Web Site Cloud Configure tab.

  2. In the General Settings section, set Custom Application Pool Identity to Allow.

Tenant enablement of Application Pool identity

Application pool identities can be enabled for a web site only if the web site cloud administrator has enabled the use of custom application pool identities for the web site cloud to which the web site belongs. Tenants can enable application pool identity on the Configure tab of the Management Portal of their web site.

To enable custom application pool identities in the tenant web site Management Portal

  1. Open the Web Site Cloud Configure tab.

  2. In the General Settings section, set Custom Application Pool Identity to Allow.

  3. Provide the user name and password that the web site is to run under.

When this setting is completed, the web site can use the identity provided to connect to databases that are in, or federate to, the same domain as the user.

PowerShell

Import the PowerShell WebSites Module

First, to enable the necessary PowerShell commands, run the following command to import the PowerShell WebSites module:

Import-Module WebSites

Create a Web Site

If you do not already have a web site, you can create one by using the Windows Azure Pack: Web Sites Management Portal, or you can use the following PowerShell cmdlet. In the example, replace contoso, adatum, and contoso.fabrikam.com with the name of your web site, your subscription ID, and the host name that you will be using.

New-WebSitesSite -Name contoso -SubscriptionId adatum -HostNames contoso.fabrikam.com

Enable NTLM Windows Authentication for a Windows Azure Pack web site

To enable Windows authentication for your web site, run the following cmdlet on the Controller using the Allow option. The Required option can be used when you want to lock the authentication configuration sections in the site’s applicationhost.config file and prevent any web.config file on the site, or any application under the site, from overriding it. In the example that follows, replace adatum with your subscription ID and contoso with the name of your web site.

Set-WebSitesSiteConfig -SubscriptionId adatum -Name contoso -WindowsAuthEnabled {Allow | Required}

Enable Kerberos Windows Authentication for a Windows Azure Pack web site

Enabling Kerberos for a Windows Azure Pack web site involves the following:

  1. Issue the same commands to enable Windows authentication as those for enabling NTLM-based Windows authentication.

  2. Create a domain user on the domain server.

  3. Add a Service Principal Name (SPN) for every host name in the site that will be supporting Kerberos.

  4. Assign the domain user to the appPool identity for your subscription.

These steps are explained in detail as follows.

1. Enable Windows authentication

Run the following cmdlet on the Controller using the Allow option. In the example, replace adatum with your subscription ID and contoso with the name of your web site.

Set-WebSitesSiteConfig -SubscriptionId adatum -Name contoso -WindowsAuthEnabled {Allow | Required}

2. On the domain server, create a domain user

To create a domain user, run the following command on the domain server. Replace lowprivilegeduser and password with values appropriate to your environment.

net user lowprivilegeduser password /add

3. Add a Service Principal Name (SPN) for every host name in the site that will be supporting Kerberos

To add a Service Principal Name (SPN) for every host name in the site that will be supporting Kerberos, run the following command on the domain server. Replace contoso.fabrikam.com, domainname, and lowprivilegeduser with the values corresponding to your environment.

setspn -S http/contoso.fabrikam.com domainname\lowprivilegeduser

4. On the Windows Azure Pack Web Sites Controller, assign the domain user to the application pool

To assign the domain user that you created to the application pool, perform the following steps on the Windows Azure Pack Web Sites Controller. In a new PowerShell window, run the following commands. Replace adatum, contoso, domainname, lowprivilegeduser, and password with the values corresponding to your environment.

Add-PSSnapin WebHostingSnapin
Set-WebSitesSiteConfig -SubscriptionId adatum -Name contoso -CustomAppPoolIdentity $true -SiteRuntimeUser domainname\lowprivilegeduser -SiteRuntimeUserPassword password
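The script below is an added example, not a script shipped with Windows Azure Pack: Web Sites. It carries the four Kerberos steps through in one run on the Controller and adds the checks a practitioner would want before each step: that every worker is in the same domain (the precondition stated at the top of this page), that the password is not typed on the command line, and that no other account already holds one of the HTTP SPNs. It assumes the RSAT ActiveDirectory module is installed on the Controller and that Set-WebSitesSiteConfig accepts -SiteRuntimeUserPassword as a plain string; the worker, site, subscription and account names are placeholders.

```powershell
# Added example (not from the Windows Azure Pack documentation): the four Kerberos
# steps in one run on the Web Sites Controller, with the preconditions checked first.
# Assumptions: the RSAT ActiveDirectory module is installed on the Controller, and
# Set-WebSitesSiteConfig takes -SiteRuntimeUserPassword as a plain string.
# Every name below is a placeholder for your environment.
param(
    [string]   $SubscriptionId = 'adatum',
    [string]   $SiteName       = 'contoso',
    [string[]] $HostNames      = @('contoso.fabrikam.com'),
    [string[]] $WorkerNames    = @('worker01', 'worker02'),   # Web Site Worker role servers
    [string]   $ServiceAccount = 'lowprivilegeduser',          # sAMAccountName of the app pool account
    [ValidateSet('Allow', 'Required')]
    [string]   $WindowsAuth    = 'Allow'                       # Required also locks the config sections
)

Import-Module WebSites
Import-Module ActiveDirectory
$adDomain = Get-ADDomain

# Precondition from the documentation: every worker must be joined to the same domain.
foreach ($w in $WorkerNames) {
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $w
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $adDomain.DNSRoot) {
        throw "Worker $w is not a member of $($adDomain.DNSRoot); Kerberos cannot be enabled for this cloud."
    }
}

# Read the service account password once, interactively, so it never appears in the
# command line, the PowerShell history or a process listing.
$securePwd = Read-Host -Prompt "Password for $($adDomain.NetBIOSName)\$ServiceAccount" -AsSecureString
$plainPwd  = (New-Object System.Net.NetworkCredential('', $securePwd)).Password

# Step 1: enable Windows authentication for the site.
Set-WebSitesSiteConfig -SubscriptionId $SubscriptionId -Name $SiteName -WindowsAuthEnabled $WindowsAuth

# Step 2: create the domain user if it does not exist yet.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccount'")) {
    New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount -AccountPassword $securePwd -Enabled $true
}

# Step 3: one HTTP SPN per host name. An SPN already held by a different account would
# make ticket requests fail or be issued for the wrong principal, so look before adding.
$account = "$($adDomain.NetBIOSName)\$ServiceAccount"
foreach ($h in $HostNames) {
    $spn   = "HTTP/$h"
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
    if ($owner -and $owner.sAMAccountName -ne $ServiceAccount) {
        throw "$spn is already registered to $($owner.sAMAccountName); resolve the duplicate before continuing."
    }
    if (-not $owner) { setspn -S $spn $account | Out-Null }
}

# Step 4: run the site's application pool as the service account.
Add-PSSnapin WebHostingSnapin
Set-WebSitesSiteConfig -SubscriptionId $SubscriptionId -Name $SiteName -CustomAppPoolIdentity $true `
    -SiteRuntimeUser $account -SiteRuntimeUserPassword $plainPwd
```

The SPN check is the part most often skipped by hand: setspn -S also refuses duplicates, but checking in the script first turns a silent Kerberos fallback to NTLM into an explicit failure with the conflicting account named.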

Disabling Windows Authentication for a Windows Azure Pack web site

If you need to disable Windows authentication, run the following PowerShell command. In the example, replace adatum with your subscription ID and contoso with the name of your web site.

Set-WebSitesSiteConfig -SubscriptionId adatum -Name contoso -WindowsAuthEnabled Off

Enable SQL Integrated Authentication for a Windows Azure Pack web site

Enabling SQL Integrated Authentication for a Windows Azure Pack web site involves the following steps:

  1. Create a domain user on the domain server.

  2. Grant the domain user permissions to the database.

  3. Assign the domain user to the appPool identity for your subscription.

These steps are explained in detail as follows.

1. On the domain server, create a domain user

To create a domain user, run the following command on the domain server. Replace lowprivilegeduser and password with the values corresponding to your environment.

net user lowprivilegeduser password /add

2. On SQL Server, grant the domain user database permissions

To grant the domain user that you created permissions to the database, run the following commands on SQL Server. Replace usersdatabasename, domainname\lowprivilegeduser, and lowPrivilegedDBUser with the values corresponding to your environment.

USE usersdatabasename;
CREATE LOGIN [domainname\lowprivilegeduser] FROM WINDOWS;
CREATE USER lowPrivilegedDBUser FOR LOGIN [domainname\lowprivilegeduser];
EXEC sp_addrolemember 'db_datareader', lowPrivilegedDBUser;

3. On the Windows Azure Pack Web Sites Controller, assign the domain user to the application pool

To assign the domain user that you created to the application pool, perform the following steps on the Windows Azure Pack Web Sites Controller. In a new PowerShell window, run the following commands. Replace adatum, contoso, domainname, lowprivilegeduser, and password with the values corresponding to your environment.

Add-PSSnapin WebHostingSnapin
Set-WebSitesSiteConfig -SubscriptionId adatum -Name contoso -CustomAppPoolIdentity $true -SiteRuntimeUser domainname\lowprivilegeduser -SiteRuntimeUserPassword password
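As an added example that is not part of this documentation, the PowerShell script below performs the SQL Server step of the procedure from any host that reaches the SQL Server with Integrated Security, builds the statements with QUOTENAME so the identifiers cannot be misparsed, and then reports the database roles the new user holds so the grant can be confirmed to be read-only. The server name sqlserver01 is a placeholder; ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later, and sp_addrolemember as shown above remains the form for older servers.

```powershell
# Added example, not from the Windows Azure Pack documentation: create the Windows login,
# the database user and the db_datareader membership for the app pool account, then list
# the roles the user ended up with. Names are placeholders for your environment.
param(
    [string]$SqlServer  = 'sqlserver01',                  # placeholder SQL Server name
    [string]$Database   = 'usersdatabasename',
    [string]$DomainUser = 'domainname\lowprivilegeduser', # the account assigned to the app pool
    [string]$DbUserName = 'lowPrivilegedDBUser'
)

# T-SQL is sent as a batch with the names bound as parameters; QUOTENAME builds the
# DDL server-side so a name containing a bracket or quote cannot break the statement.
$tsql = @'
DECLARE @sql nvarchar(max);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @LoginName)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@LoginName) + N' FROM WINDOWS;';
    EXEC sp_executesql @sql;
END
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @UserName)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@UserName) + N' FOR LOGIN ' + QUOTENAME(@LoginName) + N';';
    EXEC sp_executesql @sql;
END
-- ALTER ROLE is the SQL Server 2012+ form of sp_addrolemember.
IF IS_ROLEMEMBER('db_datareader', @UserName) <> 1
BEGIN
    SET @sql = N'ALTER ROLE db_datareader ADD MEMBER ' + QUOTENAME(@UserName) + N';';
    EXEC sp_executesql @sql;
END
-- Report every database role the user now holds; db_datareader should be the only one.
SELECT r.name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @UserName;
'@

$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=$Database;Integrated Security=True"
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $tsql
[void]$cmd.Parameters.AddWithValue('@LoginName', $DomainUser)
[void]$cmd.Parameters.AddWithValue('@UserName',  $DbUserName)

$conn.Open()
try {
    $reader = $cmd.ExecuteReader()
    $roles  = @(while ($reader.Read()) { $reader.GetString(0) })
    $reader.Close()
}
finally {
    $conn.Close()
}

"$DbUserName is a member of: $($roles -join ', ')"
$extra = $roles | Where-Object { $_ -ne 'db_datareader' }
if ($extra) { Write-Warning "Unexpected additional role membership: $($extra -join ', ')" }
```

The final role listing is the check worth keeping: the application pool identity is shared by every request the site handles, so any role beyond db_datareader widens what a compromised page can do to the database.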