Windows Identity Foundation (WIF): How to Protect Static Content with the Federation Authentication Module (FAM)

Summary

The most common scenario for protecting a web application with the Windows Identity Foundation (WIF) Federation Authentication Module (FAM) is to use ASP.NET content. Using FedUtil.exe (WIF SDK) to configure your web.config file works fine in this scenario. When static content is introduced, such as a static .htm file, you'll find that the static content isn't protected by FAM the way you would expect. This article describes the extra steps needed in order to protect static content with the WIF FAM.

Start by reading the "Enabling ASP.NET Services for All Types of Content" section of this learn.iis.net article.

The extra configuration needed is as follows:

  1. Edit the application's web.config file
  2. Add this line: <modules runAllManagedModulesForAllRequests="true" /> within <system.webServer>


More Information

If you are protecting static content and expect to rely on Windows file system ACLs for authorization via a Windows token, you will need to invoke the Claims to Windows Token Service (C2WTS) that ships with the WIF runtime. C2WTS is invoked by adding the following lines to the <service> section within <microsoft.IdentityModel> in the application's web.config file:

<securityTokenHandlers>
    <!-- By default, the SAML 1.1 security token handler does not have the map-to-Windows feature enabled. In addition, it does not use the Windows Token Service to create the Windows identities.
         To turn these features on, this sample replaces the default handler with another instance of the token handler which has these features enabled. -->
    <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
    </add>
</securityTokenHandlers>
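As an added example (not from this article or the WIF SDK), here are the web.config pieces from the steps above and the C2WTS handler assembled into one FedUtil-style configuration for a site that serves static .htm files. Host names and the certificate thumbprint are placeholders, and FedUtil-written parts that do not matter here (such as configSections) are omitted.

```xml
<configuration>
  <system.web>
    <authentication mode="None" />
    <!-- Deny anonymous users: the 401 this produces is what FAM turns into a
         redirect to the STS. Without a deny rule nothing is protected. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <!-- FedUtil registers the WIF modules with preCondition="managedHandler", so
         IIS skips them for .htm, .css, .js and image requests. With
         runAllManagedModulesForAllRequests="true" IIS runs every managed module
         (FAM, SAM and the UrlAuthorization module behind <deny>) for static files
         too. Set it on the existing <modules> element; do not add a second one. -->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="WSFederationAuthenticationModule" preCondition="managedHandler"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule" preCondition="managedHandler"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </modules>
  </system.webServer>
  <microsoft.identityModel>
    <service>
      <!-- Host names and thumbprint are placeholders; FedUtil writes the real values. -->
      <audienceUris>
        <add value="https://app.example.test/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" requireHttps="true"
                      issuer="https://sts.example.test/" realm="https://app.example.test/" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="STS_SIGNING_CERT_THUMBPRINT_PLACEHOLDER" name="sts.example.test" />
        </trustedIssuers>
      </issuerNameRegistry>
      <!-- Only needed when file-system ACLs must see a Windows token via C2WTS.
           <remove> first, so the replacement does not sit beside the default handler. -->
      <securityTokenHandlers>
        <remove type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
        </add>
      </securityTokenHandlers>
    </service>
  </microsoft.identityModel>
</configuration>
```

A quick check after deploying: an unauthenticated request for a static .htm file should come back as a redirect to the STS with wa=wsignin1.0, not as the file contents.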

If you decide to invoke C2WTS, you will need to modify the allowed callers list in the service configuration file named c2wtshost.exe.config, which is located in %programfiles%\Windows Identity Foundation\v3.5\. The service account that runs your application pool needs to be added to the list of allowed callers.

Example:

<allowedCallers>
    <add value="contoso.com\MyAppSvcAccount" />
</allowedCallers>


Finally, in the Services MMC console, set the C2WTS service start-up type to Automatic and start the service.