How to configure Kerberos authentication for an ASP.NET MVC application on a Windows Server outside a domain?
I have an ASP.NET MVC web application running on IIS Windows Server. Clients connect to the application from a domain, but the server itself is not part of the domain.
Previously, the server was in the domain, and IIS used the application pool account to connect to the domain and obtain the necessary Kerberos tokens. The application successfully handled user authentication via SSO. Now that the server is outside the domain, configuring the IIS account to connect to the domain is not possible.
Question: Is it possible to configure IIS using a proxy server or other IIS extensions to connect to the domain and distribute Kerberos tokens without rewriting the application logic?
I’m also interested in experiences using ADFS in similar situations. Security experts insist on using these servers, so I’m willing to consider rewriting the logic for ADFS if examples are available.
Moving to Linux is not being considered, as the application is a monolithic one on an outdated framework, and rewriting it would require significant time that the business is not prepared to allocate.
Kerberos Authentication for ASP.NET MVC Applications Outside of a Domain on Windows Server
Kerberos authentication for ASP.NET MVC applications outside of a domain on Windows Server requires special configurations, as standard IIS configuration cannot directly access the domain to obtain tickets. The main solutions are using Kerberos connectors, setting up trust between the domain and server, or transitioning to ADFS for centralized authentication while preserving existing application logic.
Table of Contents
- Basic Approaches to the Solution
- Configuring Kerberos Through Connectors
- Using ADFS
- Alternative Authentication Methods
- Practical Configuration Examples
- Security Recommendations
- Conclusion
Basic Approaches to the Solution
When working with an ASP.NET MVC application outside of a domain, there are several approaches to implementing Kerberos authentication:
- Using Kerberos connectors - special components that act as intermediaries between the server and domain
- Setting up trust between the domain and server - creating trust relationships without adding the server to the domain
- Integrating with ADFS - deploying a federation service to handle authentication
- Using proxy servers - configuring proxies to redirect authentication requests to the domain
Each of these approaches has its advantages and disadvantages, and the choice depends on specific infrastructure and security requirements.
Configuring Kerberos Through Connectors
To implement Kerberos authentication outside of a domain, you can use specialized connectors:
Microsoft Kerberos Constrained Delegation
Although the server is not in the domain, you can configure constrained delegation:
# Set up SPN for web application
setspn -S HTTP/your-web-server your-domain\service-account
# Allow delegation for the service
Set-ADComputer -Identity "your-web-server" -PrincipalsAllowedToDelegateToAccount "your-domain\service-account"
Using MIT Kerberos for Windows
For working outside of a domain, you can install MIT Kerberos for Windows:
- Download and install MIT Kerberos for Windows
- Configure the krb5.conf file specifying the domain controller
- Use kinit to manually obtain tickets
Example krb5.conf Configuration
[libdefaults]
default_realm = YOURDOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
YOURDOMAIN.LOCAL = {
kdc = domain-controller.yourdomain.local
admin_server = domain-controller.yourdomain.local
}
[domain_realm]
.yourdomain.local = YOURDOMAIN.LOCAL
yourdomain.local = YOURDOMAIN.LOCAL
Using ADFS
ADFS (Active Directory Federation Services) is the most reliable solution for your scenario:
Steps for ADFS Integration
- Deploy an ADFS server - can be installed on a separate server or domain controller
- Set up trust between ADFS and the application - creating federated trust
- Modify the application’s web.config - adding configuration to work with ADFS
Example ADFS Configuration in ASP.NET MVC
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://your-app-domain.com" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="ADFS-CERT-THUMBPRINT" name="https://your-adfs-server/adfs/services/trust" />
</trustedIssuers>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.web>
<authentication mode="None" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
<microsoft.identityModel>
<service>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://your-adfs-server/adfs/ls" realm="https://your-app-domain.com" reply="https://your-app-domain.com" requireHttps="false" />
</federationConfiguration>
</service>
</microsoft.identityModel>
Advantages of ADFS Solution
- Preserving existing logic - the application can continue using standard authentication methods
- Centralized management - all security policies are managed through ADFS
- SSO support - single sign-on for users across different applications
- Scalability - ability to add new applications to the federation
Alternative Authentication Methods
If Kerberos through ADFS is not possible, consider the following alternatives:
Form Authentication with Domain Integration
// Example of authenticating through domain in code
using System.DirectoryServices.AccountManagement;
public bool AuthenticateUser(string username, string password)
{
using (var context = new PrincipalContext(ContextType.Domain, "your-domain.com"))
{
return context.ValidateCredentials(username, password);
}
}
Using Windows Identity Foundation (WIF)
For deeper integration with the domain:
// WIF configuration in web.config
<system.identityModel>
<identityConfiguration>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="CERT-THUMBPRINT" name="YOURDOMAIN" />
</trustedIssuers>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
OAuth 2.0/OpenID Connect
A modern standard for authentication:
// OAuth 2.0 configuration
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = "https://your-auth-server",
ValidateAudience = true,
ValidAudience = "your-app",
ValidateLifetime = true
};
});
Practical Configuration Examples
IIS Configuration for Working Outside of a Domain
-
Application pool configuration:
- Use a local system account or special account
- Check “Load User Profile” for access to the user profile
-
Authentication configuration in IIS:
- Windows Authentication - enabled
- Anonymous Authentication - disabled
- ASP.NET Impersonation - disabled
-
Web.config settings:
<system.web>
<authentication mode="Windows">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<identity impersonate="true" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
Example Code for Working with Kerberos Outside of a Domain
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
public class KerberosHelper
{
[DllImport("secur32.dll", CharSet = CharSet.Auto)]
public static extern int LsaConnectUntrusted(
out IntPtr LsaHandle);
[DllImport("secur32.dll", CharSet = CharSet.Auto)]
public static extern int LsaLookupAuthenticationPackage(
IntPtr LsaHandle,
ref string PackageName,
out int AuthenticationPackage);
public static bool AcquireKerberosTicket(string username, string password, string domain)
{
try
{
// Implementation for obtaining Kerberos ticket
// without direct connection to the domain
return true;
}
catch
{
return false;
}
}
}
Security Recommendations
Secure Work with Credentials
- Password storage - use secure storage like Windows Credential Manager
- Connection encryption - always use HTTPS for data transmission
- Right limitation - minimal necessary rights for accounts
- Access auditing - logging all authentication attempts
Security Policy Configuration
# Configure policies for secure authentication
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "LocalAccountTokenFilterPolicy" -Value 1
# Configure delegation restrictions
Set-ADComputer -Identity "your-web-server" `
-TrustedToAuthForDelegation $false
Conclusion
Setting up Kerberos authentication for an ASP.NET MVC application outside of a domain requires a comprehensive approach:
-
ADFS is the optimal solution for your situation, as it allows preserving existing application logic while ensuring secure authentication through the domain.
-
Use Kerberos connectors as a temporary solution when ADFS deployment is not possible, but be aware of additional security risks.
-
Modify IIS and web.config configurations to support working outside of the domain using specialized tools and libraries.
-
Consider transitioning to modern standards OAuth 2.0/OpenID Connect as a long-term solution for improved security and compatibility.
-
Ensure thorough testing of all changes in an isolated environment before deployment to production, as any authentication configuration error can lead to loss of access to the application.
Since your infrastructure doesn’t allow transitioning to Linux and rewriting the application is not feasible, ADFS remains the most professional and reliable solution meeting security requirements and providing the necessary security level.