Friday, January 13, 2017

ASP : Classic ASP and ADFS

This question comes up from time to time and there was a recent one on the forum.

I did this back in the day so thought it would be a good idea to write up.

From the ASP.NET point of view Classic ASP is basically just HTML with some server-side VBScript in it: no web.config, no ASP.NET pipeline, no code-behind etc.

And they are still out there.

So we will integrate it with ADFS using WIF, i.e. everything is driven by a web.config.

Which means we need to add one - example in this gist.

To test this, I used a Windows 8 PC.

This PC has both WIF 3.5 and WIF 4.5 installed. WIF 4.5 is built into .NET 4.5 (the System.IdentityModel assemblies), whereas WIF 3.5 is the separate Microsoft.IdentityModel runtime, and that is the version this web.config references.

So you may need to install WIF 3.5.

This is the line in the web.config:

<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

Also WIF doesn't run on Server 2003 - hopefully you've upgraded by now :-)

The key to getting WIF into the pipeline for .asp requests is this line:

<modules runAllManagedModulesForAllRequests="true">

Requests for .asp files are served by the native ASP handler, so the managed WIF modules registered under that element (WSFederationAuthenticationModule and SessionAuthenticationModule) would normally be skipped for them. This attribute makes IIS run every managed module for every request, so the WIF modules get to inspect, and if necessary redirect, .asp requests too. It only has an effect in an Integrated-mode application pool.

Note that the logging at the end is optional and this part of the file can be removed if not required.

All the above has to be done "on the fly". There is no way to create a Classic ASP project in Visual Studio. (In fact, Microsoft go out of their way to actively discourage this. The official line is that Classic ASP is no longer supported). Consequently, there is no context checking, intellisense or compile / run phase.

I didn't use VS at all - just Notepad++.

Also remember to enable ASP under Windows Features / IIS / World Wide Web Services / Application Development Features.

And you can't use a Classic application pool in IIS - it needs to be Integrated pipeline mode, otherwise the managed WIF modules never run for .asp requests.

I just took a folder on my local PC and added a Default.asp (which contained some basic HTML) and the web.config.

Then I added this as an application in IIS. I called the application "ClassicASPBasic".

I then configured an RP on ADFS. A Classic ASP site has no federation metadata endpoint, so it is easiest to do this manually.

Then configure the web.config. You just need to alter the "my-adfs" to your ADFS FQDN and "my-pc" to wherever you have the website hosted.

Also remember to update the thumbprint with that of your ADFS token-signing certificate. This is what WIF checks the token signature against, so a wrong or stale value (e.g. after ADFS has auto-rolled its token-signing certificate) gives you a signature error rather than a sign-in.

Then in IIS on the RHS - "Browse Application" - use the port 443 link.

IIS sees the web.config. The web.config tells it to use the WIF classes. The standard WIF web.config also denies anonymous users (<deny users="?" />), so the first request for the .asp page gets a 401 from the URL authorization module and WIF's WS-Federation module turns that into a redirect to ADFS (wa=wsignin1.0 with your realm as wtrealm). Authenticate, ADFS POSTs the token back to the realm URL, WIF checks the signature against the thumbprint you configured, writes the FedAuth session cookie and you are redirected back to the simple .asp page.
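The whole setup above as one script, as an added example (this is not the gist from the post, and the web.config in it is mine, not the author's). It is PowerShell run as Administrator on the IIS box and assumes, all of which you can change: ADFS at my-adfs, the site hosted on my-pc as application "ClassicASPBasic" under "Default Web Site" with its files in C:\inetpub\ClassicASPBasic, the WIF 3.5 runtime already installed, and a placeholder thumbprint that you replace with the real token-signing one.

```powershell
# Added example: stand up the Classic ASP site and write a WIF 3.5 web.config for it.
# Assumptions (replace as needed): ADFS at my-adfs, app "ClassicASPBasic" on my-pc under
# "Default Web Site", files in C:\inetpub\ClassicASPBasic, Microsoft.IdentityModel 3.5.0.0 installed.
Import-Module WebAdministration

$appName      = 'ClassicASPBasic'
$physicalPath = 'C:\inetpub\ClassicASPBasic'
$realm        = "https://my-pc/$appName/"      # trailing slash: must equal the RP identifier in ADFS
$issuer       = 'https://my-adfs/adfs/ls/'
$thumbprint   = 'REPLACE-WITH-ADFS-TOKEN-SIGNING-THUMBPRINT'   # placeholder: upper-case hex, no spaces

# 1. Classic ASP is an optional IIS feature (Windows Features / IIS / ... / Application Development Features / ASP).
Enable-WindowsOptionalFeature -Online -FeatureName IIS-ASP -NoRestart | Out-Null

# 2. Integrated pipeline is mandatory: in Classic mode the managed WIF modules never see .asp requests.
if (-not (Test-Path "IIS:\AppPools\$appName")) { New-WebAppPool -Name $appName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$appName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$appName" -Name managedPipelineMode   -Value 'Integrated'

New-Item -ItemType Directory -Force -Path $physicalPath | Out-Null
if (-not (Get-WebApplication -Site 'Default Web Site' -Name $appName)) {
    New-WebApplication -Site 'Default Web Site' -Name $appName `
        -PhysicalPath $physicalPath -ApplicationPool $appName | Out-Null
}

# 3. Pages with no code at all; the sign-out links are plain URLs, as there is no .NET code to call SignOut from.
@"
<html><body>
<h1>Hello from Classic ASP behind ADFS</h1>
<a href="$($issuer)?wa=wsignout1.0">Sign out</a> |
<a href="$($issuer)?wa=wsignout1.0&wreply=$($realm)Logout.asp">Sign out and return</a>
</body></html>
"@ | Set-Content -Path (Join-Path $physicalPath 'Default.asp') -Encoding ASCII

'<html><body><p>You have been signed out.</p></body></html>' |
    Set-Content -Path (Join-Path $physicalPath 'Logout.asp') -Encoding ASCII

# 4. The web.config that does all the work (WIF 3.5 schema).
@"
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.web>
    <authentication mode="None" />
    <!-- This rule is what actually protects the site: anonymous users get a 401,
         which the WS-Federation module turns into the redirect to ADFS. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- WIF 3.5 reads the token from the POSTed wresult form field; .NET 4's default
         request validation would reject that XML before WIF sees it. -->
    <httpRuntime requestValidationMode="2.0" />
  </system.web>

  <system.webServer>
    <!-- .asp is served by the native ASP handler, so managed modules only run for it
         when runAllManagedModulesForAllRequests is true (Integrated pipeline only). -->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </modules>
  </system.webServer>

  <microsoft.identityModel>
    <service>
      <!-- Tokens whose audience is not listed here are rejected. -->
      <audienceUris>
        <add value="$realm" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="$issuer" realm="$realm" requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <!-- Only tokens signed by this certificate are accepted: the ADFS token-signing certificate. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="$thumbprint" name="https://my-adfs/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
"@ | Set-Content -Path (Join-Path $physicalPath 'web.config') -Encoding UTF8
```

Two things in there are worth a second look after the first successful sign-in: the realm and audience URI must match the identifier on the ADFS side character for character (including the trailing slash), and requireSsl on the cookie handler means the FedAuth cookie is never sent over http, so always test with the https binding.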

The next step is to Sign Out. You cannot use the standard WIF FederatedSignOut call (WSFederationAuthenticationModule.FederatedSignOut) because there is no .NET code to call it from, so it has to be done via a URL link on the page. If you want the user to end up on the ADFS logout page, use:

<a href="https://my-adfs/adfs/ls/?wa=wsignout1.0">Sign out</a>

If you want the user to be redirected back to the application use:

<a href="https://my-adfs/adfs/ls/?wa=wsignout1.0&wreply=https://xxx/yyy/Logout.asp">Sign out and return</a>

where:
  • xxx is the host the application is served from (my-pc above; not the ADFS server)
  • yyy is the application path (ClassicASPBasic above)
  • Logout.asp is a new page added to the site

Check that this really ends the local session and not just the ADFS one. During sign-out the ADFS page makes the browser call the WS-Fed endpoint of each RP the user signed in to with wa=wsignoutcleanup1.0, and WIF's WS-Federation module deletes the FedAuth session cookie when it receives that. If that round trip does not happen (for example because the endpoint registered on the RP trust does not match the application URL), the user is signed out of ADFS but the application keeps accepting the cookie until it expires.

The other way is to use VS and create an MVC application. Refer to How To: Build Claims-Aware ASP.NET MVC Web Application Using WIF.

Then simply copy all your static files over.

This way allows you to access the claims as per the link. 

Enjoy!

11 comments:

Anonymous said...

Hi Are you able to provide detail around the Relying Party Trust setup in ADFS?
Cheers

nzpcmad said...

It's just a standard WIF setup. You can do it manually. Just match the identifier.

There is no WIF support in ASP so there's no certificates to configure and there's no point in configuring any claims rules since ASP has no way to enumerate the token.

nzpcmad said...

Just did this for a project and remembered you asked for more details. I used WIF but the details are similar.

This is for ADFS 4.0.

The line in the web.config looks like:

<wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs/adfs/ls/" realm="https://my-pc/TestAppADFS/" requireHttps="true" />

Create RP manually.

No encryption.

Use WS-Fed.

RP WS-FED URL is https://my-pc/TestAppADFS/ as per realm above. Note the trailing slash.

RP trust identifier is automatically filled in.

Permit everyone.

Review, save and you are done!
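The same RP trust created with the ADFS cmdlets instead of the wizard, as an added example (mine, not the commenter's steps). It is run on the ADFS server and assumes the realm https://my-pc/TestAppADFS/ exactly as in the web.config line above, the display name "TestAppADFS", no encryption certificate (so no encryption) and the "Permit everyone" authorization rule; the last line pulls out the token-signing thumbprint the web.config needs.

```powershell
# Added example: create the Relying Party Trust from the comment above with the ADFS cmdlets.
# Assumptions: realm https://my-pc/TestAppADFS/ exactly as in the web.config (trailing slash
# included); display name "TestAppADFS".
Import-Module ADFS

$realm = 'https://my-pc/TestAppADFS/'

# "Permit everyone": the rule the wizard's "Permit all users to access this relying party" option creates.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# -Identifier must equal the wtrealm the application sends byte for byte (scheme, host, case,
# trailing slash); otherwise ADFS treats the request as coming from an unknown relying party.
# -WSFedEndpoint is where ADFS POSTs the token, and where it sends wsignoutcleanup1.0 on sign-out.
# No -EncryptionCertificate, so the token is signed but not encrypted (Classic ASP has nothing
# that could decrypt it anyway).
Add-AdfsRelyingPartyTrust -Name 'TestAppADFS' `
    -Identifier $realm `
    -WSFedEndpoint $realm `
    -IssuanceAuthorizationRules $permitAll

# Check what was created.
Get-AdfsRelyingPartyTrust -Name 'TestAppADFS' |
    Select-Object Name, Identifier, WSFedEndpoint, EncryptClaims

# The thumbprint the web.config's issuerNameRegistry needs: the primary token-signing certificate.
(Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint
```

If sign-in stops working some months later, re-run the last line first: ADFS rolls its token-signing certificate automatically and a ConfigurationBasedIssuerNameRegistry only trusts the thumbprint it was given.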



Satya said...

If I have ASP.NET 4.0 installed on my Windows 2008 server, do I need to install WIF separately?
Is this only a configuration of web.config? Is there coding to be done in my classic ASP page?

nzpcmad said...

Yes - WIF was only integrated in .NET 4.5.

Only web.config - no code.

Tavio said...

Hello nzpcmad,

We are stuck on the sign-in process; is it supposed to return to the default.asp or


There are two application servers with ADFS and the URL we're calling is:

https://application/Teste

and the browser is redirecting to:

https://ADFS/?wa=wsignin1.0&wtrealm=https%3a%2f%2fapplication%2fTeste%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fTeste%252ftest.asp&wct=2017-11-14T12%3a33%3a19Z

but it doesn't show the default.asp

here is a pastebin with the log

https://pastebin.com/Qza5PjCD

nzpcmad said...

What I'm seeing is just the redirect to ADFS.

Then what happens?

Do you see the login screen, do you authenticate, is there an error?

What's in the ADFS event log?

SamIam said...

Do you have a step by step for the ADFS 4.0 setup???

Thank YOU.

SamIam said...

Do you have a step by step for ADFS 4.0 setup???

Thanks.

Lorenzo said...

Hi, thank you, I tried to follow all your instructions but I receive:

401 - Unauthorized: Access is denied due to invalid credentials.

What do I have to verify?
best regards