AJS 4.x Manual

Note! This Manual is for the "Windows authentication" version, which is designed to work with existing Windows server or Active Directory accounts and Windows authentication. If you want to create accounts by yourself and store their credentials in your own HTTP Commander XML database, you need to download the "Forms authentication" version! This Manual is for the Windows authentication version only!

Web file manager Free Installation assistance Manual Home page

HTTP Commander ADFS integration.

1. Microsoft Windows Active Directory with Domain Controller
2. Microsoft Active Directory Federation Services server.

• Configuration of Web server
• Http Commander configuration
• ADFS configuration
• DC configuration of Delegation for correct work with Network shares

Steps to configure Web server for ADFS authentication

1. First of all, make sure that you have .NET Framework 3.5 and Windows Identity Foundation features installed on your server.
   Install them, if they are not installed.
   Http Commander itself work with .NET 4.0 (including 4.5), but Windows Identity Foundation feature require .NET 3.5 .
   Show screenshot

    
    

2. Create a service account in Active Directory to run the C2WTS service under. In this example, we have created 'element-it\svcC2WTS'.
3. Next, configure the required local server permissions that the C2WTS requires. Log onto the web server and give the C2WTS the following permissions:
   1. Add the service account (element-it\svcC2WTS) to the local Administrators Groups.
   2. In local security policy (secpol.msc) under user rights assignment give the service account (element-it\svcC2WTS) the following permissions:
      1. Act as part of the operating system
      2. Impersonate a client after authentication
      3. Log on as a service
   
   Show screenshot

    
    
    
   

4. Open services manager (services.msc) and find "Claims to Windows Token Service". Open its properties and change startup type to "Automatic".
   Next, switch to "Log on" tab and set logon account to domain service account we created previously ( element-it\svcC2WTS ).
   Show screenshot

    
    
   

5. Now we need to configure C2WTS service.
   c2WTS requires the 'callers' identities explicitly listed in the configuration file, c2WTShost.exe.config (\Program Files\Windows Identity Foundation\v3.5\c2WTShost.exe.config).
   c2WTS does not accept requests from all authenticated users in the system unless it is configured to do so. In this case the 'caller' is the HttpCommander application pool identity : IIS APPPOOL\htcomnetpool.
   Show screenshot

   					<?xml version="1.0"?>
   
   					<configuration>
   					  <configSections>
   						<section name="windowsTokenService" type="Microsoft.IdentityModel.WindowsTokenService.Configuration.WindowsTokenServiceSection, Microsoft.IdentityModel.WindowsTokenService, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
   					  </configSections>
   
   					  <startup>
   						<supportedRuntime version="v4.0"/>
   						<supportedRuntime version="v2.0.50727"/>
   					  </startup>
   
   					  <windowsTokenService>
   						<!--
   							By default no callers are allowed to use the Windows Identity Foundation Claims To NT Token Service.
   							Add the identities you wish to allow below.
   						  -->
   						<allowedCallers>
   						  <clear/>
   						  <add value="IIS APPPOOL\htcomnetpool" />						  
   						</allowedCallers>
   					  </windowsTokenService>
   					</configuration>
   				

    

6. There is a known issue with the C2WTS where it may not automatically startup successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service:
   Open the Command Prompt window.
   Type: sc config "c2wts" depend= CryptSvc

Steps to configure Http Commander for ADFS authentication

1. Configure HTTP Commander application pool to load user profile.
   Open IIS management console: Control panel->Administrative tools-> Internet Information Services-> and then "Application pools".
   Open "Advanced settings" of htcomnetpool application pool. Change to true the value of the "Load User Profile" setting.
   Show screenshot

    
   

2. We are ready to configure HttpCommander. Open web.config file in editor.
   Add microsoft.identityModel section to configSections:

   			<configSections>
   				<section name="HttpCommanderSettings" type="HttpCommander.HttpCommanderSettings" allowLocation="true" allowDefinition="Everywhere" restartOnExternalChanges="false" />
   				<!-- ADFS integration-->
   				<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   				<!-- ADFS integration END-->
   			</configSections>
   			

3. Add microsoft.identityModel assembly to compilation section:
   

   			 <compilation debug="true" targetFramework="4.0">
   			  <!-- ADFS integration-->
   			  <assemblies>
   				<add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   			  </assemblies>
   			  <!-- ADFS integration END-->
   			</compilation>
   			

4. Disable authentication. Replace existing authentication tag with following one:
   

   			<!-- ADFS integration-->
   				<authentication mode="None" />
   			<!-- ADFS integration END-->
   			

5. Append requestValidationMode="2.0" attribute to the httpRuntime section.
   

   			<httpRuntime maxRequestLength="2097151" executionTimeout="3600" requestPathInvalidCharacters="" requestValidationMode="2.0" />
   			

6. Add IdentityModel http modules at system.web section.

   			 <!-- HTTP Module for WebDav access and Office edit -->
   			<httpModules>
   			  <add name="FileWebDavModule" type="HttpCommander.FileWebDAVServer.FileWebDavModule, FileWebDAVServer" />
   			  <!-- ADFS integration-->
   			  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   			  <add name="WSFederatedAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederatedAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />			 
   			  <!-- ADFS integration END-->			 
   			</httpModules>
   			

7. Add IdentityModel modules at system.webServer section.

   			<modules runAllManagedModulesForAllRequests="true">
   			  <remove name="FileWebDavModule" />
   			  <remove name="WebDAVModule" />
   			  <add name="FileWebDavModule" type="HttpCommander.FileWebDAVServer.FileWebDavModule, FileWebDAVServer" preCondition="integratedMode" />
   			  <!-- ADFS integration-->
   			  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
   			  <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />     
   			  <!-- ADFS integration END-->
   			</modules>
   			

8. Add microsoft.identityModel section to the configuration section right after system.webServer.
   Here you will need to replace https://webserver.element-it.local/htcomnet/default.aspx with url to Http COmmander on your server and https://adfs.element-it.local/adfs with url to your ADFS server.
   Also you should replace the value of the thumbprint attribute with the thumbprint of Token Sign certificate of your STS server.
   How to obtain thumbprint:
   1. Open AD FS 2.0 Management > Service > Certificates then right-click on the Primary Token-signing certificate and choose View certificate.
   2. Click on the details tab to view and record the thumbprint from the Thumbprint field. An example of a thumbprint is: 77 5D 64 8E 73 62 C7 69 45 97 DB 5B BD 39 16 C5 F2 76 8C C1.
      NOTE: when you use the clipboard to copy-and-paste a certificate thumbprint, you may get an invisible Unicode garbage character. Make sure that you did not selected any extra "space" at the beginning of the thumbprint.
      Alternate way is to execute following PowerShell script (on ADFS server) to export thumbprints into CSV file:
      Get-AdfsCertificate | Select-Object CertificateType, Thumbprint | Export-Csv -Path C:\temp\adfsthumbs.csv -Encoding ASCII -NoTypeInformation
   
   
   

   			 <!-- ADFS integration-->
   			  <microsoft.identityModel>
   				<service saveBootstrapTokens="true">
   				  <applicationService>
   					<claimTypeRequired>          
   					  <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
   					  <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />
   					  <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />          
   					</claimTypeRequired>
   				  </applicationService>
   				  <securityTokenHandlers>
   					<remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   					<add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
   					  <sessionTokenRequirement useWindowsTokenService="true" />        
   					</add>
   					<add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
   					  <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />        
   					</add>
   				  </securityTokenHandlers>
   				  <certificateValidation certificateValidationMode="None" />
   				  <audienceUris>					
   					<add value="https://webserver.element-it.local/htcomnet/default.aspx" />
   				  </audienceUris>
   				  <federatedAuthentication>
   					<wsFederation passiveRedirectEnabled="true" issuer="https://adfs.element-it.local/adfs/ls/" realm="https://webserver.element-it.local/htcomnet/default.aspx" requireHttps="true" />
   					<cookieHandler requireSsl="true" />
   				  </federatedAuthentication>
   				  <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
   					<trustedIssuers>
   					  <add thumbprint="775D648E7362C7694597DB5BBD3916C5F2768CC1" name="http://adfs.element-it.local/adfs/services/trust" />
   					</trustedIssuers>
   				  </issuerNameRegistry>
   				</service>
   			  </microsoft.identityModel>  
   			  <!-- ADFS integration END-->
   			

9. Finally your web.config should look like this one:
   <?xml version="1.0" encoding="utf-8"?> <configuration> <configSections> <section name="HttpCommanderSettings" type="HttpCommander.HttpCommanderSettings" allowLocation="true" allowDefinition="Everywhere" restartOnExternalChanges="false" /> <!-- ADFS integration--> <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <!-- ADFS integration END--> </configSections> <HttpCommanderSettings configSource="HttpCommanderSettings.config" /> <!-- *************** ASP.NET settings. *************** --> <appSettings /> <system.web> <customErrors mode="Off" /> <pages enableSessionState="true" validateRequest="true" enableViewStateMac="true" viewStateEncryptionMode="Always" enableEventValidation="true" controlRenderingCompatibilityVersion="4.0" /> <!--Session timeout. If user not active last 60 minutes then session will be closed For Windows version in Admin Panel settings enable (set to 'true') EnableAutoLogoutWhenSessionTimedOut parameter in Main section --> <sessionState timeout="60" /> <!--cookieless="AutoDetect"/>--> <!-- Setting maximum 2 GB file upload limit for IIS 6 (For IIS 7 see maxAllowedContentLength below) and maximum number of seconds that a request is allowed to execute = 60 minutes (3600 seconds) --> <httpRuntime maxRequestLength="2097151" executionTimeout="3600" requestPathInvalidCharacters="" requestValidationMode="2.0" /> <!-- Only for ASP.NET 4.0+ to prevent problems in WebDav with special symbols: Add to httpRuntime: requestPathInvalidCharacters="" requestValidationMode="2.0" --> <!-- For change standard upload ASP.NET temporary folder add tempDirectory="<your-path-to-temp-fodler>" attribute. For more info see https://msdn.microsoft.com/en-us/library/s10awwz0(v=vs.100).aspx --> <compilation debug="true" targetFramework="4.0"> <!-- ADFS integration--> <assemblies> <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </assemblies> <!-- ADFS integration END--> </compilation> <!-- Set true to execute application under logon user role (default: "true") . --> <identity impersonate="true" /> <!-- ADFS integration--> <authentication mode="None" /> <!-- ADFS integration END--> <!-- <authentication mode="Forms"> <forms loginUrl="Default.aspx" defaultUrl="Default.aspx" timeout="43200" cookieless="UseCookies" /> </authentication> --> <!-- HTTP Module for WebDav access and Office edit --> <httpModules> <add name="FileWebDavModule" type="HttpCommander.FileWebDAVServer.FileWebDavModule, FileWebDAVServer" /> <!-- ADFS integration--> <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <add name="WSFederatedAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederatedAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <!--<add name="ADFSAuthModule" type="HttpCommander.ADFSAuthModule, HttpCommander" />--> <!-- ADFS integration END--> <!--<add name="FormsWithWindowsUsersAuthModule" type="HttpCommander.FormsWithWindowsUsersAuthModule, HttpCommander" /> --> </httpModules> <!-- Enable authorized access only --> <authorization> <deny users="?" /> </authorization> <!-- Set machine key for cross-autentication forms --> <!--<machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" />--> </system.web> <!-- Mail server settings for email notification feature --> <system.net> <mailSettings> <smtp deliveryMethod="Network" from="support@mysite.com"> <network host="mail.mysite.com" port="25" userName="" password="" defaultCredentials="false" /> </smtp> </mailSettings> </system.net> <!-- ADFS integration--> <location path="FederationMetadata"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <!-- ADFS integration END--> <!-- Disabling of authentication for some pages and folders --> <location path="iframe.html"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="favicon.ico"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Diagnostics.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Logout.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Activate.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="ForceLogout.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Handlers/AnonymousDownload.ashx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Handlers/Captcha.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Uploaders"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Localization"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Images"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> <system.webServer> <staticContent> <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" /> </staticContent> <caching enabled="true" enableKernelCache="true"> <profiles> <clear /> </profiles> </caching> </system.webServer> </location> <location path="Scripts"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> <system.webServer> <staticContent> <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" /> </staticContent> <caching enabled="true" enableKernelCache="true"> <profiles> <clear /> </profiles> </caching> </system.webServer> </location> <location path="Styles.css"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> <system.webServer> <staticContent> <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" /> </staticContent> <caching enabled="true" enableKernelCache="true"> <profiles> <clear /> </profiles> </caching> </system.webServer> </location> <location path="Styles-min.css"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> <system.webServer> <staticContent> <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" /> </staticContent> <caching enabled="true" enableKernelCache="true"> <profiles> <clear /> </profiles> </caching> </system.webServer> </location> <location path="crossdomain.xml"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="DemoFolder"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Manual"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Manual.html"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Data"> <system.web> <httpHandlers> <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" /> <add path="*.db" verb="*" type="System.Web.HttpForbiddenHandler" /> </httpHandlers> </system.web> <system.webServer> <!-- Setting only for IIS 7 and 7.5 --> <security> <requestFiltering> <fileExtensions> <remove fileExtension=".xml" /> <add fileExtension=".xml" allowed="false" /> <remove fileExtension=".db" /> <add fileExtension=".db" allowed="false" /> </fileExtensions> </requestFiltering> </security> </system.webServer> </location> <location path="SyncWebFolders.html"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="testSSO.html"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="hcwebdav"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <!-- Setting only for IIS 7 and 7.5 --> <system.webServer> <validation validateIntegratedModeConfiguration="false" /> <!-- HTTP Module for WebDav access and Office edit --> <modules runAllManagedModulesForAllRequests="true"> <remove name="FileWebDavModule" /> <remove name="WebDAVModule" /> <add name="FileWebDavModule" type="HttpCommander.FileWebDAVServer.FileWebDavModule, FileWebDAVServer" preCondition="integratedMode" /> <!-- ADFS integration--> <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" /> <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" /> <!-- ADFS integration END--> </modules> <security> <requestFiltering allowDoubleEscaping="true"> <!-- Setting maximum 2 GB (= 2147483648 bytes) file upload limit for IIS 7 --> <requestLimits maxAllowedContentLength="2147483648" /> </requestFiltering> </security> <defaultDocument> <files> <clear /> <add value="Default.aspx" /> </files> </defaultDocument> <staticContent> <remove fileExtension=".svg" /> <remove fileExtension=".xap" /> <mimeMap fileExtension=".svg" mimeType="image/svg+xml" /> <mimeMap fileExtension=".xap" mimeType="application/x-silverlight-app" /> </staticContent> </system.webServer> <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> <dependentAssembly> <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-2.6.10.0" newVersion="2.6.10.0" /> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-2.6.10.0" newVersion="2.6.10.0" /> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-2.2.29.0" newVersion="2.2.29.0" /> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="System.Net.Http.Primitives" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-2.2.29.0" newVersion="2.2.29.0" /> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-9.0.0.0" newVersion="9.0.0.0" /> </dependentAssembly> </assemblyBinding> </runtime> <!-- ADFS integration--> <microsoft.identityModel> <service saveBootstrapTokens="true"> <applicationService> <claimTypeRequired> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" /> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" /> <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" /> </claimTypeRequired> </applicationService> <securityTokenHandlers> <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"> <sessionTokenRequirement useWindowsTokenService="true" /> </add> <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"> <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" /> </add> </securityTokenHandlers> <certificateValidation certificateValidationMode="None" /> <audienceUris> <add value="https://vmware2012.element-it.local/htcomnet4/default.aspx" /> </audienceUris> <federatedAuthentication> <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.element-it.local/adfs/ls/" realm="https://vmware2012.element-it.local/htcomnet4/default.aspx" requireHttps="true" /> <cookieHandler requireSsl="true" /> </federatedAuthentication> <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"> <trustedIssuers> <add thumbprint="775D648E7362C7694597DB5BBD3916C5F2768CC1" name="http://adfs.element-it.local/adfs/services/trust" /> </trustedIssuers> </issuerNameRegistry> </service> </microsoft.identityModel> <!-- ADFS integration END--> </configuration>
10. Configure Logout.aspx page to force logout from adfs.
    Open Logout.aspx page in text editor.
    Search for if (Utils.UserSettings.Runtime.AuthMode == AuthenticationMode.Forms) statement,
    navigate to the end of the appropriate else statement and add following line of code:
    Response.Redirect("https://adfs.element-it.local/adfs/ls/?wa=wsignout1.0&wreply="+redirectUrl);
    Where adfs.element-it.local domain should be replaced with domain name of your RP STS server.
    
11. If you plan to use public links and online viewers, it is necessary to configure anonymous access to /Handlers/AnonymousDownload.ashx handler.
    Open Global.asax file in text editor and add following code to it :
    Append to the inport section on the top of the file:

                    <%@ Import Namespace="Microsoft.IdentityModel.Web" %>
                

    
    Add event handler function:

                        void WSFederationAuthenticationModule_AuthorizationFailed(object sender, AuthorizationFailedEventArgs e)
                        {                        
                            if (Request.Path.EndsWith("/Handlers/AnonymousDownload.ashx"))
                            {
                                e.RedirectToIdentityProvider = false;
                            }
                        }
                

    
    And subscribe to the AuthorizationFailed event in the Application_Start function:

                        protected void Application_Start(object sender, EventArgs e)
                        {		
    		                FederatedAuthentication.WSFederationAuthenticationModule.AuthorizationFailed += WSFederationAuthenticationModule_AuthorizationFailed;
    		                ...
                        }   	
                

12. As last step, you will need to set correct value for the LDAPConatiner setting either in HttpCommanderSettings.config file or on Settings tab in Admin Panel. This is required to get user group membership and home directory from AD.
    

Steps to configure Relying Party Trust on ADFS server

1. Open AD FS management console and navigate to Trust Relationships, Relying Party Trust section of left tree.
   Click on Add Relying Party Trust to start wizard.
2. Choose option Enter data about the relying party manually
   On next screen enter Name of relying party (any value),
   On next screen select option "AD FS profile"
   Show screenshot

    
    
    
   

3. Check options Enable support for the WS-Federation Passive protocol and Enable support for the SAML 2.0 WebSSO protocol.
   For both options set full url to Http Commander application. In our case it is "https://webserver.element-it.local/htcomnet/default.aspx"
   Show screenshot

    
   

4. Relying party identifier should be already added to the list. So you can simply proceed to next step.
   Show screenshot

    

5. Complete wizard with next several screens following on-screen suggestions.
   Choose option Permit all users to access this relying party
   Show screenshot

    
    
    
    
   

6. Configure Claim rules.
   Choose option Send LDAP attributes as claims
   Show screenshot

    
   

7. Only UPN claim is required to be configured for correct work.
   Configure it as shown on screenshot.
   Show screenshot

    
    
   

8. Now configuration is complete and we are ready to test Http Commander. If all configured correctly , after authentication Http Commander interface should be loaded. Open diagnostics.aspx page and check its output . Make sure that application works under logged in user identity (impersonated ).
   If you plan to use Network shares, process to next section.

Steps to configure Delegation for correct work with Network Shares

1. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended to not use an HTTP SPN to avoid potentially creating duplicate SPNs in your environment. In our example, we registered SP/C2WTS to the element-it\svcC2WTS account using the following command:

   			SetSPN -S SP/C2WTS element-it\svcC2WTS
   		

   Please note that command should be executed under domain admin account.
2. Configure delegation for web server.
   • Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   • Expand domain, and then expand the Computers folder.
   • In the right pane, right-click the computer name for the Web server, select Properties, and then click the Delegation tab.
   • Click to select Trust this computer for delegation to specified services only.
   • Ensure that Use any authentication protocol is selected, and then click OK.
   • Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the File server that is to be used in HTTP Commander. Click OK.
   • In the Available Services list, select the CIFS service. Click OK.
   
   Show screenshot

    
   

3. Configure delegation for service account (element-it\svcC2WTS)
   • In the left pane, Expand Users folder.
   • In the right pane, right-click the Service account (element-it\svcC2WTS) which is configured for C2WTS service, select Properties, and then click the Delegation tab.
   • Click to select Trust this user for delegation to specified services only.
   • Ensure that Use Kerberos only is selected, and then click OK.
   • Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the File server that will be used in Http Commander. Click OK.
   • In the Available Services list, select theCIFS service. Click OK.
   
   Show screenshot