I have an ASP.net MVC Web application with on-premises Active Directory authentication, which I want to move to AWS PaaS service. My SQL database for the ASP.Net MVC web application will remain on-premises.
I did some research and found that AWS ECS is a good feature for containerization. But I am not looking for IaaS approach.
I am mainly looking for PaaS approach to migrate my on-premises application.
For the AWS Elastic Beanstalk Website, I am not finding an option to enable on-premises Active Directory Authentication. Is it possible?
Also can I connect to on-premises SQL server from AWS Elastic Beanstalk website using Windows Authentication/AD Authentication?
Yes. It is possible. I am using it.
It took lots of research and trial and error. As our AWS cloud VPC is in different domain than our on-prem AD domain and our users are in on-prem AD domain.
This is my setup.
We have setup managed AD in AWS domain (i.e. XYZAWS ) for my organization named XYZ which has one-way trust with our on-prem AD i.e. XYZ domain.
Now here is the catch when we deploy .Net application with windows authentication enabled to EB (elastic beanstalk) our EB server is running in AWS domain i.e. XYZAWS and that EB server is not domain joined by default so you need to domain join your EB server first and this domain join will happen with you on AWS managed AD i.e. XYZAWS domain.
As EB is domain joined to AWS managed AD that won't authenticate your on-prem AD users for that you need to impersonate your IIS app pool with a user which is in your on-prem AD.
For example I am impersonating my IIS identity pool with user XYZ\service-account-user and as I said we have one way trust between AWS managed AD and on-prem AD so your application should now be able to authenticate on-prem AD users bcoz you app is running as on-prem AD service account.
You have to include domain name while logging into your application
suppose user John has to login to app then he must login with user name "XYZ\john" and his password to let app authenticate him.
I have this whole setup automated using .ebextensions config files.
If I ever write blog on this will update it here.
Related
I am trying to set up Google Integration in my self-hosted Nextcloud instance. For this I need a Google Cloud API Web application OAUTH Client ID and Secret, along with the preset Authorized redirect URI from my Nextcloud instance. I can easily create the ID and Secret for the Web app. But, if I put the Authorized redirect URI in the Google Cloud OAUTH page, it tells me "Save failed: The request has been classified as abusive and was not allowed to proceed".
For context, the Domain provided is a Google Domain which I am using with a Cloudflare proxied DNS. Google verification TXT record have been added to Cloudflare. I am self-hosting the Nextcloud instance with a subdomain of this domain behind an Nginx Proxy Manager with a Cloudflare SSL certificate. To add, all of these are running as docker containers on Ubuntu. Additionally I have also verified the Redirect URI as Safe from: https://global.sitesafety.trendmicro.com/result.php
Even then, apart from that specific URI, I have tried URI of other services I am self-hosting as well as the parent domain. All of these are giving the same message from the GCP OAUTH screen.
Kindly help me out with this considering I am fairly a novice.
I have a domain hosted on AWS Route53, but would like to enable Azure services such as Azure AD and 365 to be addressable on the same domain name.
Notably, I would like to keep the main domain under route53 control rather than delegating the entire address to Azure.
What would be the recommended method for integrating the 2 public cloud services, I am unsure if I should manually add CNAME records etc for the required Azure services or if I should look to delegate a subdomain to Azure's domain services directly (such as azure.example.com, while keeping example.com on route53).
Alternateively, should I register an entirely new domain (msexample.com) on azure, and if so how would I make these integrate email etc.
Thank you very much for any advice or direction on best-practices you can provide.
I have mistakenly registered a domain in the wrong project from Google Cloud > Network Services > Cloud Domains.
Is there a way for me to move it in another project?
Google Domains is not project based. Domains are managed by the identity of the domain owner.
Google Cloud Domains is in preview and is project based. At this time, there is no method to move a registered domain from one project to another. You can export the domain to Google Domains. Note: The DNS servers for a domain can be located in any project and do not need to be in the same project as Google Cloud Domains. Before exporting the domain, check to see if your domain is already being managed by Google Domains here. You will need to be using the same identity that owns the registered domain. If the domain appears, go to the other project, create the DNS servers and then enter the servers into Google Domains on the DNS tab under Name Servers. You can also change the DNS servers while in Google Cloud Domains. Select "EDIT DNS DETAILS" at the top of the Google Cloud Domains console window.
If you mean that you created the DNS server in one project and you need to move the DNS server to another project then follow these steps. Create a new DNS server in the desired project, duplicate the DNS server resource records and then update the DNS server entries in Google Domains. Wait at least 24 hours and then delete the old DNS server.
If you mean that your registered your domain under the wrong Google Account (email identity), then you can transfer the domain to the desired Google Account. Login to Google Domains with the account that you own the domain. In the interface follow the Transfer a domain out section. Get the authorization code. In another browser window, login with the desired account and transfer in the domain using the transfer authorization code.
I have an Django+Postgres app that has a multi-tenant structure and I don't have prior experience deploying this type of app to AWS. I have followed the general Elastic Beanstalk tutorial to deploy a simple app. (https://realpython.com/blog/python/deploying-a-django-app-to-aws-elastic-beanstalk/) However, I am looking for a solution that allows me to more flexibly create different "sites". Currently, I have learned to create different sites via this tutorial (http://mycodesmells.com/post/django-tutorial-multi-tenant-setup).
So i have below questions :
how to deploy this app (I am leaning toward not using Elastic Beanstalk but just deploying it to EC2)
how I could create different sites after deploying this app.
The following should help:
Set up your .ebextensions so your Django project deploys with eb deploy.
Set up django-storages with AWS S3 for mediafiles if you need to.
Purchase a domain and set it up with AWS Route 53 (you can buy via Route 53, too).
Point your root domain alias to your Elastic Beanstalk app.
Point a wildcard domain to your app, too.
Set up AWS SES to save your domain emails to an AWS S3 bucket. You can use other providers as well, SES is just about the easiest.
Provision AWS ACM certificates for HTTPS support.
You now have your site working under .example.com and can use tenant.example.com to refer to a single client's setup - it refers to the same deployment but has a different Host header which lets Django tenant schemas to distinguish clients. You have wildcard forwards and do not need any setup other than in Django for adding new tenants.
Can someone help me with my understanding?
So i understand how one can use ADFS and SAML to provide SSO access to the Console via IAM. However im not as clear how this can be done at the application level
So take MS Dynamics as an example. It will be on an EC2 instance which is on a domain controller hosted in the VPC (for mgt etc). However the users themselves will be in an on-prem AD server and we'd want to authenticate users accessing the dynamics web front end with that on-prem AD server. Is this as simple as setting up ADFS between the two sites and configuring the app itself to use ADFS / SAML for claims based authentication?
For application level support, it depends on the ability of the app to support claims based/SAML authentication. CRM supports ADFS configuration. You have one of 2 choices
You can hook it up directly to your on-premises ADFS if it is really about just providing access to your corporate employees. If it requires partner access that ADFS can still federate to other ADFS/IDP organizations.
You can set one up in AWS next to or on the DC that it has and treat it as a Federation Provider and then set up trust to the corporate ADFS where the users live.
I'd recommend #1 as it is simpler. Go with #2 only if you are operating this as a different company or you are building multiple server apps in this AWS site that require local ADFS for things like server to server communication.
Thanks
//Sam