November Happy Hour will be moved to Thursday December 5th.

Next Js and Optimizely CMS 12 with Windows Authentication

Vote:
 

Hello!

I have an existing Optimizely CMS 12 website hosted on prem, running MVC, where I plan to remove the MVC parts and start using the Content Delivery Api together with setting up a new frontend website running Next Js.

My workplace has a similar setup for an external website already, but the difference is that this is an internal website using windows authentication (and impersonation to other services) and I can´t seem to figure out how to make this work with Next (Node Js).

I started looking at npm packages, for example node-sspi and node-expose-sspi, but they all seem rather obsolete. So then I thought maybe I could set up a reverse proxy for the frontend website, running windows auth and passing the negotiate token through the frontend and on to the backend website, but that token does not seem to validate on the backend server. I also tried signing in using windows authentication on the rev. proxy and setting a cookie with the claimsidentity and reading the cookie on the backend server. This works well for the claims part, but I am unable to cast the claims identity to a windows identity for impersonation.

Has anyone else attempted anything similar? Any advice is much appreciated.

#321646
May 07, 2024 7:56
Vote:
 

Assuming you are in a corporate environment there's probalby an ADFS-server. These can expose OpenID endpoints which is the way to go.

If not going the OpenID route there are LDAP-libraries for Next, e.g. ldapjs, https://next-auth.js.org/tutorials/ldap-auth-example

#321955
May 13, 2024 10:08
Vote:
 

Thank you for answering!

I actually found an npm package - Kerberos Js - which seems to work well so far for retrieving Kerberos Tokens. I´m hoping this will pan out since we don´t have the time at the moment to rewrite other legacy services called by the api. If not I will have to delve deeper into OpenId.

Thanks again!

#322081
May 15, 2024 12:59
Vote:
 

So we seem to be stuck going down the kerberosjs track. It works fine when using with username/password, but I see no way forward if we want to use integrated authentication on the web api server so the user is automatically signed in.

I can get all the necessary claims and such, but the problem is we have another service on the same domain that in turn authenticates to another service using windows authentication (so double hop) and I cannot get impersonation working if creating the windows identity only by User Principal Name.

The schematics would look like this (all services are on the same domain):

Reverse proxy (IIS) -> Intranet (Next JS) -> Optimizely CDA -> Internal API (windows auth) -> Internal service (windows auth)

But even if I implemented OpenId or an Ldap solution, wouldn´t this still be a problem? I don´t see how I could get the user to impersonate from the Optimizely CDA to the Internal Api and on to the internal service. But maybe this simply isn´t possible without asking the user for username/password at some point?

#322545
May 23, 2024 6:27
Vote:
 

Can you access the Internal API and Internal Service? Either the code or configuration.

Either way, I still think this should be doable using Kerberos since Windows Auth is Kerberos. The ADFS server simply provide SAML support with everything that follows. If you can access and configure the services you could probably get this to work. https://plugins.miniorange.com/steps-setup-kerberos-windows-authentication

#322547
Edited, May 23, 2024 7:26
Vote:
 

I wish I could access those, but sadly I can only make adjustments to the frontend and the Optimizely CDA. Does that mean I´m stuck?

I tried node-expose-sspi, and although this library seems nice it does not seem very well maintained (solo developer) and after getting it up and running I still seem stuck with needing a password for making the request to the Optimizely CDA with the correct user context.

There is the WindowsIdentity(string upn) constructor but this would require additional rights for the service account running the Optimizely CDA app pool for impersonate to work from what I understand.

#322727
May 27, 2024 13:08
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.