Поделиться через


Using a Sample Windows NT Token-based Application as an Alternative to SharePoint

This article can be used as a supplement to the ADFS Step-by-Step Guide. It includes instructions for setting up a sample Windows NT token-based application on the Web server (adfsweb) as an alternative to using Windows SharePoint Services. This sample application is a basic blog application made up of 7 files that you create from the instructions in this post.

***This posting is provided "AS IS" with no warranties, and confers no rights.***

To make this sample application work in conjunction with the latest version of the ADFS Step-by-Step Guide, follow the guidance below. I know this looks like a lot of work but it really only takes a couple of minutes to follow these instructions. The end result is that you will have a functional and printable step-by-step document that only includes instructions for setting up two sample applications (without SharePoint) in your ADFS test lab environment:

  1. Download the latest version of the ADFS Step-by-Step Guide (here).

  2. In Step 3: Configuring the Web Server you will notice that this chapter is made up of two sections, the first section is about installing and configuring SharePoint and the second is about installing and configuring the claims-aware sample app. You will need to leave the claims-aware instructions in this chapter untouched and only remove the instructions related to SharePoint. This means that you need to remove all of the content under the heading Install and Configure Windows SharePoint Services along with the content under its three subheadings (Install Windows SharePoint Services, Configure Windows SharePoint Services Access Permissions and Configure IIS and the ADFS Web Agent). Now you can copy all of the instructions under the heading in this post titled Install and Configure a Sample Windows NT Token-based Application and paste it into the location where you removed the SharePoint content.

  3. Replace one small procedure titled Add a Windows NT Token-based Application (in Step 4 of the document) with the procedure in this post titled Add a Sample Windows NT Token-based Application.

  4. In Step 5: Accessing Federation Applications from the Client Computer remove all of the content in the two headings Access the Windows SharePoint Services Application and Access the Windows SharePoint Services Application with Administrative Privileges from the document and replace it with the procedure titled Access the Sample Windows NT Token-based Application in this post.

  5. (Optional) If you want to have a printable document that does not include any SharePoint instructions whatsoever then you might want to remove the contents under Appendix A and Appendix B from the original ADFS Step-by-Step document.

  6. Copy the entire contents under the heading Appendix A: Creating the Sample Windows NT Token-based Applicationin this post and paste it into the document after Step 5.

  7. That’s it! You now have a SharePoint-free ADFS Step-by-Step Guide.

Install and Configure a Sample Windows NT Token-based Application

Use the following procedures to configure Internet Information Services (IIS)settings and to configure access to the Windows NT token–based sample application on the adfsweb computer.

· Configure IIS and the ADFS Web Agent

· Configure the Windows NT Token-based Application for Read/Write Access

Configure IIS and the ADFS Web Agent

Use the following procedure to configure IIS and the ADFS Web Agent.

To configure IIS and the ADFS Web Agent

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the console tree, double-click ADFSWEB, right-click Web Sites, and then click Properties.

3. On the ADFS Web Agent tab, in Federation Service URL, type https://adfsresource.treyresearch.net/adfs/fs/FederationServerService.asmx, and then click OK.

4. In the console tree, right-click Default Web Site, point to New, and then click Virtual Directory.

5. On the Welcome to the Virtual Directory Creation Wizard page, click Next.

6. On the Virtual Directory Alias page, in Alias, type tokenapp, and then click Next.

7. On the Web Site Content Directory page, click Browse, highlight the c:\inetpub\wwwroot folder, click the Make New Folder button, name the folder tokenapp, click OK, and then click Next.

Note

Do not use capital letters in the tokenapp folder name. If this folder name contains capital letters, users must also use capital letters when they type the address of the Web site.

8. On the Virtual Directory Access Permissions page, select the Read and Run scripts check boxes, and then click Next.

9. On the You have successfully completed the Virtual Directory Creation Wizard page, click Finish.

10. Right-click tokenapp, and then click Properties.

11. On the ASP.NET tab, in the ASP.NET version menu, make sure that 2.0.50727 is selected.

12. On the ADFS Web Agent tab, select the Enable the ADFS Web Agent for Windows NT token-based applications check box, and then click OK to accept the default values. When you see the prompt that explains that this will enable anonymous access, click OK.

Note

The value in Return URL on this property page must match precisely with the Application URL value that you specify when you set up the application on the Federation Service for Trey Research.

13. Create the seven files that make up the Windows NT token–based sample application by using the procedures in Appendix A: Creating the Windows NT Token-based Sample Application. After you create them, copy the files into the c:\inetpub\wwwroot\tokenapp folder.

Configure the Windows NT Token–based Application for Read/Write Access

Use the following procedure to configure the Windows NT token–based application for Read/Write access.

To configure the Windows NT token–based application for Read/Write access

1. Start Windows Explorer.

2. Click the C: folder.

3. Right-click the file named blog.txt, and then click Properties.

4. Click the Security tab, and then click Add.

Note

To perform this step, you should be logged on as a domain administrator and not as a local administrator.

5. Type adatumtokenappusers, and then click OK.

6. Under Group or user names, highlight adatumtokenappusers, select the Write check box, and then click OK.

 

Add a Sample Windows NT Token–based Application

Use the following procedure on the adfsresource computer to add a Windows NT token–based application to the Federation Service for Trey Research.

To add a Windows NT token–based application

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Applications, point to New, and then click Application.

3. On the Welcome to the Add Application Wizard page, click Next.

4. On the Application Type page, click Windows NT token–based application, and then click Next.

5. On the Application Details page, in Application display name, type Token-based Application.

6. In Application URL, type https://adfsweb.treyresearch.net/tokenapp/ , and then click Next.

7. On the Accepted Identity Claim page, click User principal name (UPN) , and then click Next.

8. On the Enable this Application page, ensure that the Enable this application check box is selected, and then click Next.

9. On the Completing the Add Application Wizard page, click Finish.

 

Access the Sample Windows NT Token–based Application

Use the following procedure to access the Windows NT token–based application from a client that is authorized for that application.

To access the Windows NT token–based application

1. Log on to the adfsclient computer as Adamcar.

2. Open a browser window, and then navigate to https://adfsweb.treyresearch.net/tokenapp/ .

Note

If you did not install the certificates from the previous procedures, you will be prompted twice (in the Security Alert dialog box) for certificate information. You can install each certificate by clicking View Certificate and clicking Install, or you can click Yes each time that you are prompted.

3. When you are prompted for your home realm, click A. Datum, and then click Submit.

Note

If you did not install the certificate from the previous procedure, you will be prompted one more time for a certificate.

4. At this point you should see the Windows NT token–based sample application. You should have both Read and Write access to the blog.

5. Log off as Adamcar, and then log on as Alansh. Repeat steps 2 through 4 of this procedure. Notice that Alan can read blog messages, but he does not have access rights to submit a blog message.

 

Appendix A: Creating the Sample Windows NT Token-based Application

To test token-based authorization using Active Directory Federation Services (ADFS) you need a Windows NT token-based application. This section includes instructions for setting up a sample Windows NT token-based application on your Web server. By using this sample Windows NT token-based application and the supporting instructions in Step 3: Configuring the Web Server together, you can complete the Web server setup process and prepare the application for testing from the client computer.

This application is made up of the following seven files:

· Default.htm

· Blog.aspx

· Blog.aspx.cs

· Message.aspx

· Message.aspx.cs

· Web.config

· Blog.txt

For this application to function correctly, you must use the following procedures to create each of the required files in order. After you create them, move the files to the C:\inetpub\wwwroot\tokenapp directory on the adfsweb computer.

· Create the Default.htm File

· Create the Blog.aspx File

· Create the Blog.aspx.cs File

· Create the Message.aspx File

· Create the Message.aspx.cs File

· Create the Web.config File

· Create the Blog.txt File

Create the Default.htm File

Use the following procedure to create the default.htm file.

To create the default.htm file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="https://www.w3.org/1999/xhtml" >

<head>

    <title>Windows NT token-based Sample Application</title>

</head>

<body>

    <b><font size="4">Windows NT token-based Sample Application</font></b>

    <p><a href="message.aspx">Read blog</a>

    <br />

  <a href="blog.aspx">Write blog</a>

</p>

</body>

</html>

3. Save the Notepad file as default.htm in the c:\inetpub\wwwroot\tokenapp directory.

Create the Blog.aspx File

Use the following procedure to create the blog.aspx file.

To create the blog.aspx file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<%@ Page language="c#" Inherits="CHWWebApp.WebForm1" CodeFile="blog.aspx.cs" %>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<HTML>

<HEAD>

<title>Write Blog Message</title>

<meta name="GENERATOR" Content="Microsoft FrontPage 6.0">

<meta name="CODE_LANGUAGE" Content="C#">

<meta name="vs_defaultClientScript" content="JavaScript">

<meta name="vs_targetSchema" content="https://schemas.microsoft.com/intellisense/ie5">

</HEAD>

<body>

<form id="Form1" method="post" runat="server">

            <asp:TextBox ID="TextBox1" runat="server" Height="146px" Width="451px"></asp:TextBox>

            <br />

            <asp:Button ID="Button2" runat="server" OnClick="Button2_Click" Text="Submit Message" />

            <asp:Label ID="Label1" runat="server"></asp:Label>

</form>

</body>

</HTML>

3. Save the Notepad file as blog.aspx in the c:\inetpub\wwwroot\tokenapp directory.

Create the Blog.aspx.cs File

Use the following procedure to create the blog.aspx.cs file.

To create the blog.aspx.cs file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

using System;

using System.IO;

using System.Collections;

using System.ComponentModel;

using System.Data;

using System.Drawing;

using System.Web;

using System.Web.SessionState;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Web.UI.HtmlControls;

using System.Web.Security.SingleSignOn;

using System.Threading;

using System.Security.Principal;

 

 

namespace CHWWebApp

{

/// <summary>

/// Summary description for WebForm1.

/// </summary>

public partial class WebForm1 : System.Web.UI.Page

{

 

#region Web Form Designer generated code

override protected void OnInit(EventArgs e)

{

//

// CODEGEN: This call is required by the ASP.NET Web Form Designer.

//

InitializeComponent();

base.OnInit(e);

}

 

/// <summary>

/// Required method for Designer support - do not modify

/// the contents of this method with the code editor.

/// </summary>

private void InitializeComponent()

{

}

#endregion

        protected void Button2_Click(object sender, EventArgs e)

        {

            try

            {

 

                using (StreamWriter sw = new StreamWriter("c:\\blog.txt"))

                {

                    sw.Write(this.TextBox1.Text.ToString());

                    this.Label1.Text = "Note successfully saved by " + WindowsIdentity.GetCurrent().Name + " @ " + System.DateTime.Now.ToString();

                }

            }

 

            catch (System.Exception exception)

            {

                this.Label1.Text = "Note could not be written to file " +

                        exception.Message.ToString();

                this.Label1.Text = this.Label1.Text + " " + WindowsIdentity.GetCurrent().Name;

            }

 

  }

}

}

3. Save the Notepad file as blog.aspx.cs in the c:\inetpub\wwwroot\tokenapp directory.

Create the Message.aspx File

Use the following procedure to create the message.aspx file.

To create the message.aspx file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="message.aspx.cs" Inherits="message" %>

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 

<html xmlns="https://www.w3.org/1999/xhtml" >

<head runat="server">

    <title>Read Blog Message</title>

</head>

<body>

    <form id="form1" runat="server">

    <div>

 

    </div>

    </form>

</body>

</html>

3. Save the Notepad file as message.aspx in the c:\inetpub\wwwroot\tokenapp directory.

Create the Message.aspx.cs File

Use the following procedure to create the message.aspx.cs file.

To create the message.aspx.cs file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

using System;

using System.Data;

using System.Configuration;

using System.Collections;

using System.Web;

using System.Web.Security;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Web.UI.WebControls.WebParts;

using System.Web.UI.HtmlControls;

using System.IO;

 

public partial class message : System.Web.UI.Page

{

    protected void Page_Load(object sender, EventArgs e)

    {

        try

        {

            using (StreamReader sr = new StreamReader("c:\\blog.txt"))

            {

   string oneLine;

                Response.Write("Message in blog contains the following text: <HR>");

                while((oneLine = sr.ReadLine()) != null)

                {

                    Response.Write(oneLine);

                    Response.Write("<BR>");

                }

            }

        }

        catch (Exception myException)

        {

            Response.Write("The file containing the blog message could not be read. Check to make sure the blog.txt file is created in the root of C: on the Web server. Error message:");

            Response.Write("<BR>");

            Response.Write(myException.Message);

        }

    }

}

3. Save the Notepad file as message.aspx.cs in the c:\inetpub\wwwroot\tokenapp directory.

Create the Web.config File

Use the following procedure to create the web.config file.

To create the web.config file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<?xml version="1.0"?>

<configuration>

<system.web>

 

    <!-- DYNAMIC DEBUG COMPILATION

          Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this value to

          false will improve runtime performance of this application.

          Set compilation debug="true" to insert debugging symbols (.pdb information)

          into the compiled page. Because this creates a larger file that executes

          more slowly, you should set this value to true only when debugging and to

          false at all other times. For more information, refer to the documentation about

          debugging ASP.NET files.

    -->

<compilation defaultLanguage="c#" debug="true">

<compilers>

<compiler language="c#" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" extension=".cs" compilerOptions="/d:DEBUG;TRACE"/></compilers>

<assemblies>

<add assembly="System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></assemblies></compilation>

<!-- CUSTOM ERROR MESSAGES

      Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.

          Add <error> tags for each of the errors you want to handle.

 

          "On" Always display custom (friendly) messages.

          "Off" Always display detailed ASP.NET error information.

          "RemoteOnly" Display custom (friendly) messages only to users not running

           on the local Web server. This setting is recommended for security purposes, so

           that you do not display application detail information to remote clients.

    -->

<customErrors mode="RemoteOnly"/>

<!-- AUTHENTICATION

          This section sets the authentication policies of the application. Possible modes are "Windows",

          "Forms", "Passport" and "None"

 

          "None" No authentication is performed.

          "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to

           its settings for the application. Anonymous access must be disabled in IIS.

          "Forms" You provide a custom form (Web page) for users to enter their credentials, and then

           you authenticate them in your application. A user credential token is stored in a cookie.

          "Passport" Authentication is performed via a centralized authentication service provided

           by Microsoft that offers a single logon and core profile services for member sites.

    -->

    <identity impersonate="true"/>

<authentication mode="Windows"/>

<!-- AUTHORIZATION

          This section sets the authorization policies of the application. You can allow or deny access

          to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous

          (unauthenticated) users.

    -->

<authorization>

<allow users="*"/>

<!-- Allow all users -->

<!-- <allow users="[comma separated list of users]"

                             roles="[comma separated list of roles]"/>

                  <deny users="[comma separated list of users]"

                             roles="[comma separated list of roles]"/>

            -->

</authorization>

<!-- APPLICATION-LEVEL TRACE LOGGING

          Application-level tracing enables trace log output for every page within an application.

          Set trace enabled="true" to enable application trace logging. If pageOutput="true", the

          trace information will be displayed at the bottom of each page. Otherwise, you can view the

          application trace log by browsing the "trace.axd" page from your web application

          root.

    -->

<trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true"/>

<!-- SESSION STATE SETTINGS

          By default ASP.NET uses cookies to identify which requests belong to a particular session.

          If cookies are not available, a session can be tracked by adding a session identifier to the URL.

          To disable cookies, set sessionState cookieless="true".

    -->

<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>

<!-- GLOBALIZATION

          This section sets the globalization settings of the application.

    -->

<globalization requestEncoding="utf-8" responseEncoding="utf-8"/>

</system.web>

</configuration>

3. Save the Notepad file as web.config in the c:\inetpub\wwwroot\tokenapp directory.

Create the Blog.txt File

The blog.txt file contains the text for the Windows NT token–based sample application. For the application to function correctly, this empty file must be created in the root of C: on the Web server. The blog.txt file is used to assign Read/Write access. Use the following procedure to create the blog.txt file.

To create the blog.txt file

1. On the adfsweb computer, start Windows Explorer.

2. Click the C: folder.

3. On the File menu, point to New, and then click Text Document.

4. Name the file blog.txt

Comments

  • Anonymous
    January 01, 2003
    New version includes some minor UI updates as well as the removal of the sample&amp;nbsp;Windows NT token-based...
  • Anonymous
    January 01, 2003
    The comment has been removed
  • Anonymous
    August 06, 2006
    This is a nice addition to the step by step guide.  A lot of people won't be using SharePoint, but still have token-based apps, so the scenario is important.

    I wanted to point out another approach that is pretty straightforward for diagnosing token-based apps that is similar to the approach you use for claims-based apps--a simple page that dumps out the security information.  

    I put such a page up on my blog to help out a newsgroup poster and thought I'd point it out in case you wanted to look at showing something like that.
  • Anonymous
    August 07, 2006
    Thanks Joe. Please post the location to your blog here so that myself and others can take a look.
  • Anonymous
    August 09, 2006
    Sorry, I thought I put it in the text, but I only included it in the identifier for me.  :)The URL for the post is this:
    http://www.joekaplan.net/DiscoveringTheUsersNameAndGroupsInTheirWindowsToken.aspx
    The blog is here:
    www.joekaplan.net
    There's other stuff there that ADFS developers may find interesting and will be more in the coming weeks.
  • Anonymous
    August 31, 2006
    The comment has been removed
  • Anonymous
    August 31, 2006
    All,
    I was successfully able to implement UPN-to-UPN mapping in ADFS scenario.
    You just need to take care of the outgoing domain name for the Account Domain UPN claim.

    Thanks anyways.