LarryWildey-1258 asked LimitlessTechnology-2700 answered

Suggested migration from NTLM to modern auth for On Premise web apps in .NET 6

We are going to be working on updating ASP.NET 4.7.2 Framework web apps and web APIs next year. Currently, we are researching the changes involved in moving to .NET 6 to plan for the migration. One item we would like to tackle is user authentication, which currently uses NTLM usernames/passwords from our AD servers. Is there a path for moving away from NTLM to OpenID Connect that still uses our AD servers, or would we need to move all users to Azure AD? We haven't found examples/documentation for the use of Microsoft.Identity.Web on premises.

Tags: windows-active-directory, azure-ad-msal, azure-webapps-authentication

ryanchill answered

I'm by no means an NTLM expert, but I would suggest starting with https://docs.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-on-premises-to-cloud. I think synchronizing your on-prem AD with Azure AD through Azure AD Connect should allow you to use the AAD provider. Since you're in the exploratory phase, https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory is a white paper that discusses this topic and may help provide some direction.

Once you start trying things and run into issues, please do feel free to post those questions on Q&A.
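The following is an added example, not code from the asker or from any of the answers, showing what the two ends of the migration the answer above describes look like in a .NET 6 `Program.cs`: the current Windows (Kerberos/NTLM) setup via `Microsoft.AspNetCore.Authentication.Negotiate`, beside the OpenID Connect setup via `Microsoft.Identity.Web` once the on-prem accounts are synchronized into Azure AD. The `Auth:Mode` configuration switch, the `AzureAd` section values and the package set are assumptions for illustration.

```csharp
// Added example (not from the thread): .NET 6 minimal hosting, Program.cs.
// A hypothetical "Auth:Mode" setting selects between the current NTLM/Kerberos
// scheme and the target OpenID Connect scheme so both can be compared in one file.
// NuGet packages assumed: Microsoft.AspNetCore.Authentication.Negotiate,
// Microsoft.Identity.Web, Microsoft.Identity.Web.UI.
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical switch; defaults to the target state.
var authMode = builder.Configuration["Auth:Mode"] ?? "OpenIdConnect";

var mvc = builder.Services.AddRazorPages();

if (authMode == "Negotiate")
{
    // Current state: Windows authentication. The browser negotiates Kerberos and
    // falls back to NTLM. Only works for clients that can reach the domain (LAN/VPN)
    // and for an app hosted on a domain-joined machine with a proper SPN.
    builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
        .AddNegotiate();
}
else
{
    // Target state: OpenID Connect against Azure AD. Accounts originate in on-prem AD
    // and reach Azure AD through Azure AD Connect (password hash sync, pass-through
    // authentication or federation); the web app itself never handles a password.
    //
    // Expected appsettings.json section (placeholder values):
    // "AzureAd": {
    //   "Instance":     "https://login.microsoftonline.com/",
    //   "TenantId":     "<tenant-guid>",
    //   "ClientId":     "<app-registration-client-id>",
    //   "CallbackPath": "/signin-oidc",
    //   "ClientSecret": "<load from a secret store, never from source control>"
    // }
    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

    // Adds the /MicrosoftIdentity/Account/SignIn and /SignOut pages.
    mvc.AddMicrosoftIdentityUI();
}

// Same authorization posture in both modes: every endpoint requires an
// authenticated user unless it is explicitly marked [AllowAnonymous].
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

// Order matters: authentication must run before authorization.
app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();
app.Run();
```

For the web APIs the same package is used with the bearer scheme instead: `builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"))`, with callers obtaining tokens from Azure AD rather than sending Windows credentials. One thing that does not carry over automatically is authorization based on AD group names: with Negotiate the principal carries Windows group SIDs, while with OpenID Connect the token only contains groups or app roles that the app registration has been configured to emit, so existing `IsInRole`/`[Authorize(Roles=...)]` checks need to be mapped to app roles or group claims as part of the migration.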


Thameur-BOURBITA answered

Hi,
You have to install Azure Active Directory to ensure synchronization between on-prem AD and Azure Active Directory.

Azure AD Connect provides 3 mechanisms to ensure SSO (single sign-on) when you have an on-prem AD:

  • ADFS: This service will redirect all authentication requests to the on-prem Active Directory. This solution is complicated to manage because you have to install additional servers to host ADFS.

  • Password hash synchronization: this solution ensures password synchronization between the user account in on-prem AD and the user account in Azure Active Directory: whatis-phs

  • PTA: Pass-through authentication: how-to-connect-pta


Please don't forget to mark the helpful reply as answer.

LimitlessTechnology-2700 answered

Hi there,

The documentation below might help you better understand the process.

NTLM user authentication https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication

Migrate application authentication to Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory

NTLM Overview https://docs.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview

Grant locally-managed partner accounts access to cloud resources using Azure AD B2B collaboration
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-on-premises-to-cloud

If the reply is helpful, please Upvote and Accept it as an answer.