Microsoft IIS/SharePoint Authentication API Proxy

Proxy Client Service w/ Trusted Peer Access Using OAuth2

Copyright ©

Mindbreeze GmbH, A-4020 Linz, 2018.


All rights reserved. All hardware and software names are trade names and/or trademarks of their respective owners.

These documents are confidential. The delivery and presentation of these documents alone does not justify any rights whatsoever to our software, our services and service performance results or other protected rights. The disclosure, publication or reproduction is not permitted.

For reasons of easier legibility, gender differentiation has been dispensed with. In terms of equal treatment, appropriate terms apply to both sexes.


Preparation

The following settings from the Keycloak server and the Mindbreeze Client Service are needed to configure the IIS authentication proxy.

Keycloak Server Configuration

OAuth Endpoint: https://keykloakserver/auth/realms/master/protocol/openid-connect/token

Client-ID: iis-client


Client-Secret:

Username: iis-client-user

User Role: InSpire Application Impersonation

Client Service Configuration

Configure the Mindbreeze Client Service “Trusted Peer Access Using OAuth 2.0 Bearer Token” section using the settings above.


Microsoft IIS Configuration

Add the OAuthProxy handler type declaration to the configuration/system.webServer/handlers node inside the web.config file of your web application.

<configuration>
  <system.webServer>
    <handlers>
      <add name="OAuthProxy"
           path="/_api_mindbreezeinspire"
           verb="*"
           type="Mindbreeze.ResourceProxy.OAuthProxy"
           resourceType="Unspecified"
           preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>

Add the ProxyConfig configuration section declaration to the configuration/configSections node.

<configuration>
  <configSections>
    <sectionGroup name="Mindbreeze">
      <section name="ProxyConfig"
               type="Mindbreeze.ResourceProxy.ProxyConfig"
               allowLocation="true"
               allowDefinition="Everywhere" />
    </sectionGroup>
  </configSections>
</configuration>

Add the Mindbreeze configuration section to the configuration node. The ServerUrl element carries the Client Service URL and the Keycloak settings collected in the Preparation section.

<configuration>
  <Mindbreeze>
    <ProxyConfig logFile="c:\temp\resource_proxy.log" logLevel="Error">
      <ServerUrl url="<client service url>"
                 oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
                 username="iis-client-user"
                 password="<password>"
                 clientId="iis-client"
                 clientSecret="<clientsecret>"
                 disableSSLValidation="false" />
    </ProxyConfig>
  </Mindbreeze>
</configuration>

Copy Mindbreeze.ResourceProxy.dll and its dependencies into the bin directory of your web application and restart the web application from IIS Manager. The resource proxy forwards every HTTP request matching <IIS web application URL>/_api_mindbreezeinspire/path/and/?query to <Client Service URL>/path/and/?query, together with the name of the IIS-authenticated user and the OAuth token obtained from the Keycloak server. Keep disableSSLValidation at "false" and use https for both URLs: the proxy sends the user name, the service account password and the client secret to these endpoints, and with certificate validation disabled any host that can answer for the configured names could receive them. At this point password and clientSecret are stored in clear text in web.config; encrypt the section as described in the next chapter before the application goes into production.
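Before the secrets are encrypted and the application restarted, it is worth checking that the settings written into web.config actually work. The following PowerShell script is an added example and is not part of the Mindbreeze documentation or the proxy itself: it reads the plaintext ProxyConfig from web.config, refuses settings that weaken transport security, and then requests a token from the Keycloak token endpoint with the same credentials the proxy will use (OAuth 2.0 resource owner password grant with client id and secret). The web.config path is an assumption; the token endpoint, client id, user name and role come from the Preparation section.

```powershell
# Added example (not from the Mindbreeze documentation): pre-flight check of the
# ProxyConfig settings before they are encrypted. The web.config path is assumed.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\MyApp\web.config'   # assumed path
)

[xml]$cfg = Get-Content -Path $WebConfigPath -Raw

# 1. The handler must be registered for the proxy path; otherwise IIS answers nothing
#    under /_api_mindbreezeinspire and the Client Service is never reached.
$handler = $cfg.configuration.'system.webServer'.handlers.add |
    Where-Object { $_.GetAttribute('name') -eq 'OAuthProxy' }
if (-not $handler) { throw 'OAuthProxy handler is not declared in system.webServer/handlers' }
if ($handler.GetAttribute('type') -ne 'Mindbreeze.ResourceProxy.OAuthProxy') {
    throw "Unexpected handler type: $($handler.GetAttribute('type'))"
}

# 2. Read the (still unencrypted) ServerUrl settings.
$srv = $cfg.configuration.Mindbreeze.ProxyConfig.ServerUrl
if (-not $srv) { throw 'Mindbreeze/ProxyConfig/ServerUrl not found (or the section is already encrypted)' }

# 3. Refuse settings that weaken transport security: both URLs must be https and
#    certificate validation must stay enabled, because user name, password and client
#    secret travel to these endpoints on every token request.
foreach ($u in @($srv.GetAttribute('url'), $srv.GetAttribute('oauth2Endpoint'))) {
    if (-not $u.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing non-https endpoint: $u"
    }
}
if ($srv.GetAttribute('disableSSLValidation') -ne 'false') {
    throw 'disableSSLValidation must be "false"; a proxy that skips certificate checks can be fed tokens by anyone on the path'
}

# 4. Request a token the way the proxy does: resource owner password grant against the
#    Keycloak token endpoint, authenticated with the client id and secret.
$body = @{
    grant_type    = 'password'
    client_id     = $srv.GetAttribute('clientId')
    client_secret = $srv.GetAttribute('clientSecret')
    username      = $srv.GetAttribute('username')
    password      = $srv.GetAttribute('password')
}
try {
    $tok = Invoke-RestMethod -Method Post -Uri $srv.GetAttribute('oauth2Endpoint') `
                             -Body $body -ContentType 'application/x-www-form-urlencoded'
} catch {
    throw "Token request failed: $($_.Exception.Message). Check client id/secret, user name/password and the user's role."
}
if (-not $tok.access_token) { throw 'Keycloak returned no access_token' }

# 5. Decode the JWT payload (no signature check; this is only a sanity read) to confirm
#    the token was issued to our client. "azp" is Keycloak's authorized-party claim.
$payloadB64 = $tok.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payloadB64.Length % 4) { 2 { $payloadB64 += '==' } 3 { $payloadB64 += '=' } }
$payload = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payloadB64)) | ConvertFrom-Json

"issuer       : $($payload.iss)"
"azp (client) : $($payload.azp)"
"user         : $($payload.preferred_username)"
"expires in   : $($tok.expires_in) s"
if ($payload.azp -ne $srv.GetAttribute('clientId')) {
    throw "Token was issued for client '$($payload.azp)', expected '$($srv.GetAttribute('clientId'))'"
}
```

The password grant only succeeds if the Keycloak client has direct access grants enabled and the user carries the role listed in the Preparation section; a 401 from the token endpoint is the quickest way to find out which of the five values in ServerUrl is wrong before they disappear into the encrypted section.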


Encrypted Microsoft IIS Configuration

Before encrypting the configuration section, make sure that the identity the application pool runs under can read the RSA key container that the RsaProtectedConfigurationProvider uses (by default NetFrameworkConfigurationKey, stored in the machine key directory C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys). Read access on that container is all the worker process needs to decrypt the section at runtime; aspnet_regiis.exe -pa "NetFrameworkConfigurationKey" "<app pool identity>" grants exactly that, and is preferable to giving IUSR or IIS_IUSRS write permission on the key directory. Now run aspnet_regiis.exe with a directory (c:\tempDir) as parameter that contains a web.config file holding only the ProxyConfig node. Note that ProxyConfig must not be nested inside the Mindbreeze node in this temporary web.config file, because aspnet_regiis addresses the section by name directly below configuration.

<configuration>
  <ProxyConfig logFile="c:\temp\resource_proxy.log" logLevel="Error">
    <ServerUrl url="<client service url>"
               oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
               username="iis-client-user"
               password="<password>"
               clientId="iis-client"
               clientSecret="<clientsecret>"
               disableSSLValidation="false" />
  </ProxyConfig>
</configuration>

For example:

C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -pef "ProxyConfig" "C:\tempDir"

Microsoft (R) ASP.NET RegIIS version 4.0.30319.0

Administration utility to install and uninstall ASP.NET on the local machine.

Copyright (C) Microsoft Corporation.  All rights reserved.

Encrypting configuration section...

Succeeded!

After encryption, replace the ProxyConfig node inside the Mindbreeze node of your application's web.config file with the encrypted ProxyConfig node from the temporary file. The result looks like the following: the provider encrypts the section with a 3DES-CBC session key and wraps that key with the machine's RSA key, so only accounts with read access to the key container can recover password and clientSecret.

<configuration>
  <Mindbreeze>
    <ProxyConfig configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>Fn6+756cE682pfJD0Eei4jSyOdoiIb1U6XYYbVYCjfw38EZwFGSDFDlbNUe0KVFUgZcGTYw/1aRZRnsR/vrJb9q0c3IRlDYWC9HRolnmBDXna5uZwBkdnD+FYQzc8xMZ9PKoaNjoU645iQNbmdS/6d/QWquQ4ijktdhJJmy0S/kOzyNFvP++DZLnRxl1ML0O7u/RZDVUQacCi623xJQhmbhdrCNnsnvOyjEGOjUS0kWlOpUXAfwJtO9GMJhAWPz9JuIxJxLC/tEtssy+Hf69DVUlyUhwKa/8cKLgwDEM3z0Udt1FaQT7n7htdzVaQbdb3nqrEyvs7ShogfSzWtAezA==</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>F0kCfWr3EwY6mO/rLUdrwzgVJcZnRLUCW7zJG9veQ/jXJm3pwLyDO1ytH6bIroF0Hk3AOezyZJphtZe6843GmXrLw4sY6ueTie0Ibx2oKcvOhXY/D+OngU9ZChqtqkUsK+5uQKjCifS5YqeXnNtftZPfwg+0pTnbMyGQAqCmDeC6i8E35UFZ3X1LScNvXlOGO/3MS89scEWCZjDAqAREa+E7Wiiu6jrQVqfDMs/t0Otm9JyTlBsM5QkgjGZrUkpVJmAGy+nG0Kai5501yNQMXpzf4gsOH0GD0EAkPHqFy09sKEwLcHuXb+UU/2EO7swY5hqD5M0ua+djAl1qz8KIzMs4t7duGBafB/Mx8XVw8Rdkmcj8zyYJb9A6JQBHcWm63XMs+hzpBwKJ10A6Oks68YPrVcyVBmbJjCNRH/gpG8NAAeftXcy1fAhiuB2FfwS7MO1id9l3OxqxrNuU7GlO1NGtj+a+jHzrL6R+5giizFN1fdeDM4raCB1bRvSXv03tqKSdLqk1Ywcs88zmcBqzO3okPr8yPCnvkmrBarwM+x6UtuTXzajWAQ2wtVfFkziTjqdSBvwm/HilLPp6ORdo8vyAOiGNCcgGtV3r8gAqMnU7xAEGv1NamQ==</CipherValue>
        </CipherData>
      </EncryptedData>
    </ProxyConfig>
  </Mindbreeze>
</configuration>
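The encryption procedure above (temporary web.config with an un-nested ProxyConfig, aspnet_regiis -pef, key container permissions, merging the encrypted node back) is easy to get wrong by hand, in particular the nesting and the permission step. The following PowerShell script is an added example, not part of the Mindbreeze documentation, that performs those steps end to end. The application web.config path and the application pool name are assumptions; aspnet_regiis.exe, its -pef and -pa switches and the NetFrameworkConfigurationKey container are the standard .NET Framework tooling named above.

```powershell
# Added example (not from the Mindbreeze documentation): encrypt the ProxyConfig section
# with aspnet_regiis as described above, grant the application pool identity read access
# to the RSA key container, and merge the encrypted node back into the application's
# web.config. Paths and the application pool name are assumptions.
param(
    [string]$AppWebConfig = 'C:\inetpub\wwwroot\MyApp\web.config',   # assumed
    [string]$AppPoolName  = 'DefaultAppPool',                         # assumed
    [string]$TempDir      = 'C:\tempDir'
)
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# 1. Take the plaintext ProxyConfig node out of the application's web.config and write
#    it, as a direct child of <configuration>, into a temporary web.config. aspnet_regiis
#    -pef addresses the section by name, and "ProxyConfig" only resolves when the node
#    is not nested under <Mindbreeze>.
[xml]$app = Get-Content -Path $AppWebConfig -Raw
$plain = $app.configuration.Mindbreeze.ProxyConfig
if (-not $plain) { throw 'No Mindbreeze/ProxyConfig node found in the application web.config' }
if ($plain.GetAttribute('configProtectionProvider')) { throw 'ProxyConfig is already encrypted' }

[xml]$tmp = '<configuration/>'
$tmp.DocumentElement.AppendChild($tmp.ImportNode($plain, $true)) | Out-Null
New-Item -ItemType Directory -Path $TempDir -Force | Out-Null
$tmpConfig = Join-Path $TempDir 'web.config'
$tmp.Save($tmpConfig)

# 2. Encrypt the section in place with the machine-level RSA provider.
& $regiis -pef 'ProxyConfig' $TempDir
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed with exit code $LASTEXITCODE" }

# 3. The worker process only needs to *read* the default key container to decrypt the
#    section at runtime. Grant exactly that to the application pool identity instead of
#    giving IUSR/IIS_IUSRS write access to the MachineKeys directory.
& $regiis -pa 'NetFrameworkConfigurationKey' "IIS AppPool\$AppPoolName"
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed with exit code $LASTEXITCODE" }

# 4. Replace the plaintext node under <Mindbreeze> with the encrypted node.
[xml]$enc = Get-Content -Path $tmpConfig -Raw
$encNode = $enc.configuration.ProxyConfig
if ($encNode.GetAttribute('configProtectionProvider') -ne 'RsaProtectedConfigurationProvider') {
    throw 'Temporary web.config does not contain an encrypted ProxyConfig node'
}
# The backup still contains the plaintext secrets: delete it once the site is verified.
Copy-Item -Path $AppWebConfig -Destination "$AppWebConfig.bak" -Force
$parent = $app.configuration.Mindbreeze
$parent.ReplaceChild($app.ImportNode($encNode, $true), $plain) | Out-Null
$app.Save($AppWebConfig)

# 5. The temporary file now holds only ciphertext, but there is no reason to keep it.
Remove-Item -Path $tmpConfig -Force
Write-Host "ProxyConfig in $AppWebConfig is encrypted; recycle application pool '$AppPoolName' to pick it up."
```

Run the script from an elevated prompt (aspnet_regiis requires administrator rights for both -pef and -pa). If the application pool runs under a custom service account rather than the virtual IIS AppPool identity, pass that account to -pa instead; the decryption fails at the first request, with a configuration error in the event log, when the account cannot read the key container.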

Installation on Microsoft SharePoint Server

On a SharePoint server, the authentication proxy can be installed for all SharePoint web applications at once with the stsadm tool, using a supplemental web.config file (webconfig.mindbreeze.xml) in the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG directory. The ProxyConfig node in this file should already be encrypted, so that the encryption does not have to be repeated for each web application afterwards; the encrypting machine's RSA key container must then be available on every server that hosts the web applications. From the SharePoint Management Shell run the following command on each front-end web server.

stsadm -o copyappbincontent

Mindbreeze Supplemental Web.config file:

<actions>
  <remove path="configuration/system.webServer/handlers/add[@name='OAuthProxy']" />
  <add path="configuration/system.webServer/handlers">
    <add name="OAuthProxy"
         path="/_api_mindbreezeinspire"
         verb="*"
         type="Mindbreeze.ResourceProxy.OAuthProxy"
         resourceType="Unspecified"
         preCondition="integratedMode" />
  </add>
  <remove path="configuration/configSections/sectionGroup[@name='Mindbreeze']" />
  <add path="configuration/configSections">
    <sectionGroup name="Mindbreeze">
      <section name="ProxyConfig"
               type="Mindbreeze.ResourceProxy.ProxyConfig"
               allowLocation="true"
               allowDefinition="Everywhere" />
    </sectionGroup>
  </add>
  <remove path="configuration/Mindbreeze" />
  <add path="configuration">
    <Mindbreeze>
      <ProxyConfig logFile="c:\temp\proxy.log" logLevel="Error">
        <ServerUrl url="<client service url>"
                   oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
                   username="iis-client-user"
                   password="<password>"
                   clientId="iis-client"
                   clientSecret="<clientsecret>"
                   disableSSLValidation="false" />
      </ProxyConfig>
    </Mindbreeze>
  </add>
</actions>