I have an AAD/AD Federated tenant setup. Obviously AAD in Azure, local AD is lab setup with VMs. I've gone through a few permutations of the AADConnect setup, but I always end up with this same error. Looking it up, it seems usually associated with SQLServer, but I don't think that applies here. I'm simply trying to use IWA to authenticate to this AAD federated app but cannot escape this exception.
Local AD
Domain: vandelay.local
ADDS,ADFS,DNS: WIN-H9QGD6BJ2IN.vandelay.local
ADFS DNS: adfs.ad.vandelay.local
Alternate UPN: vandelay.firstresponse911.net
AAD Connect setup with Federation and Password Hash Sync
AAD
AADConnect setup appears to be happy (see screenshot)
App added with globally granted admin consent for app (does not require user interaction to grant permission)
Users synced with AADConnect appear in portal with permission for App.
Code
// Signed into machine as steve.doe#vandelay.firstresponse911.net
static void Main(string[] args)
{
app = PublicClientApplicationBuilder.Create(CLIENT_ID)
.WithAuthority(AzureCloudInstance.AzurePublic, TENANT_ID, false)
.Build();
while (true)
{
var result = _retry.Execute((ctx) => GetToken2().GetAwaiter().GetResult(), new Context("acquireToken", new Dictionary<string, object>() { { "userId", "paul.seabury#vandelay.local" }, { "password", "AGF11nfn" } }));
Console.WriteLine($"IdTok: {ComputeSha256Hash(result.IdToken)}, Exp: {result.ExpiresOn}");
Thread.Sleep(1000 * 60 * 2);
}
}
private static Task<AuthenticationResult> GetToken2()
{
var upn = System.DirectoryServices.AccountManagement.UserPrincipal.Current;
var cachedResult = app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(upn.UserPrincipalName).ExecuteAsync().GetAwaiter().GetResult();
return Task.FromResult(cachedResult);
}
}
Exception
Microsoft.Identity.Client.MsalClientException: 'The target principal name is incorrect.'
This is accompanied on the same client machine by an EventLog Entry:
The Kerberos client received a
KRB_AP_ERR_MODIFIED error from the server fsgma$. The target name used
was HTTP/win-h9qgd6bj2in.vandelay.local. This indicates that the
target server failed to decrypt the ticket provided by the client.
This can occur when the target server principal name (SPN) is
registered on an account other than the account the target service is
using. Ensure that the target SPN is only registered on the account
used by the server. This error can also happen if the target service
account password is different than what is configured on the Kerberos
Key Distribution Center for that target service. Ensure that the
service on the server and the KDC are both configured to use the same
password. If the server name is not fully qualified, and the target
domain (VANDELAY.LOCAL) is different from the client domain
(VANDELAY.LOCAL), check if there are identically named server accounts
in these two domains, or use the fully-qualified name to identify the
server.
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
<EventID Qualifiers="16384">4</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-10-30T15:24:32.660502800Z" />
<EventRecordID>3393</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>DESKTOP-BJ6P4H4.vandelay.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="Server">fsgma$</Data>
<Data Name="TargetRealm">VANDELAY.LOCAL</Data>
<Data Name="Targetname">HTTP/win-h9qgd6bj2in.vandelay.local</Data>
<Data Name="ClientRealm">VANDELAY.LOCAL</Data>
<Binary />
</EventData>
</Event>
Http Traffic
It looks like the MSAL code successfully asks AAD to Authenticate for this app, which via discovery sends the response back to talk to the locally federated ADFS server. After getting the local metadata, the MSAL code attempts 3 times to get a token from the windowstransport endpoint. The first attempt with no Authorization header, the 2nd and 3rd attempt have differing Authorization(Negotiate) headers with encoded data, but they all fail with 401.
The posted request looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
<wsa:messageID>urn:uuid:42420a0c-3505-455f-914d-639c5685b43d</wsa:messageID>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To s:mustUnderstand="1">https://adfs.ad.vandelay.local/adfs/services/trust/2005/windowstransport</wsa:To>
</s:Header>
<s:Body>
<wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference>
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
and the sequence looks like this:
It looks like you are using a CNAME in DNS to resolve the adfs farm name -->you should use an Host A Record
Kerberos Clients will first resolve the name of the web service to the A Record before requesting the Kerberos Service Ticket
This would explain the kerberos error you see
"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server fsgma$. The target name used was HTTP/win-h9qgd6bj2in.vandelay.local. "
Related
I have been unsuccessful in getting my CAS to use username/password of my Azure AD
Here is a snippet from cas.properties
cas.authn.attribute-repository.azure-active-directory[0].client-id= <id of the app>
cas.authn.attribute-repository.azure-active-directory[0].client-secret=<secret key>
cas.authn.attribute-repository.azure-active-directory[0].tenant= <id>
cas.authn.attribute-repository.azure-active-directory[0].domain=<domaine name>
whenever i try to enter username and password (azure) in cas login i get the message
[Invalid credentials: clientId is null or empty]
Am I missing another setting that's needed in my cas.properties?
My SNOWFLAKE database is SSO login enabled and the SSO connectivity works perfectly fine when I connect through my chrome browser.
When I try to connect to SNOWFLAKE database using DBeaver (external browser) I get the below error .
NOTE : I can confirm that I am able to see the identity verification (through explorer browser) page and the identity has also been verified. I feel the issue happens when the explorer browser confirms the identity verification back to DBeaver.
Can anyone please help ?
The above error is a generic message and could be seen due to misconfigurations either at the identity provider end or at the service provider end.
It is recommended to verify the configurations for your identity provider and make sure all the steps are performed correctly.
Below could be the common reasons for this error, However, there might be other improper configs as well which could lead to a similar error message.
a. Mismatch in user configuration details at Idp(Identity provider) and Snowflake.
b. SSO certificates are incorrect.
Solution
a. Username configured at the Identity provider end should match with the login_name at snowflake end for that user. For instance, If the SAML response shows NameID as abc#xyz.com. Then login_name configured at Snowflake end should be same as abc#xyz.com
SAML response snippet:
abc#xyz.com
Set the login_name same as the NameID configured at the identity provider side.
alter user set login_name='abc#xyz.com';
b. SSO certificate configured at Snowflake end should match with the certificate configured at the identity provider end.
Note:
The certificate value contains a number of new lines. Remove the new lines, forming a certificate value with a single line.
If the above suggestions did not help then please check the error codes for the failed login attempt in Snowflake Information Schema using the below query. And check the reason for that error code here. The below query retrieve up to 100 login events of every user your current role is allowed to monitor in the last hour and you can modify it appropriately.
select * from table(information_schema.login_history(dateadd('hours',-1,current_timestamp()),current_timestamp())) order by event_time
lets say I have two on-premise domains (DomainA.org, domainB.org) and one tenant (domainA.onmicrosoft.com). Both domains are sync thanks to Azure AD Connect, so user from domainA can log to office.com, there is no problem. Hoever user from domainB getting this "Error validating credentials due to invalid username or password.", and when I changed password from portal.office.com for this user from domainB. I can log with this new password, but only to office365 services, its not sync to On-prem.
And another wierd thing is, that I cant change password for users from domainA.
Do You know where the problem is?
Thanks
I understand you have synced your 2 domains to Azure AD through Azure AD connect . Initially you have registered both the domain in Azure AD and verified both. Kindly check what kind of authentication you were using for Domain A since you were not able to change the password from Azure End. If you have federated that domain it is not possible to change from the cloud. If you were using password hash synchronization then the authentication will happen if cloud and you can change for managed domain.
I request you to go through this article about password writeback . When you are getting an error message while logging before resetting the password kindly note the correlation ID and time stamp and need to get a support ticket since it will be due to multiple reasons.
I have service provider application http://sp.example.com/sp and when user accesses it through a browser, user is redirected from my SP application to IdP server which is configured on PingFederate server with an SP connection(http://sp.example.com/sp) as entity id. User is redirected through SAML protocol with SAML AuthnRequest to IdP. But on Ping server I keep getting this error which says
unable to lookup idp connection metadata for entityid='http://sp.example.com/sp'
Does anyone have face similar error before with Ping? This is SP-initiated SSO.
Request I am sending to PingFederate
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://sp.example.com/sp" Destination="https://idp.com/sp/ACS.saml2" ForceAuthn="false" ID="_93313f7882ff7b3274da46502c4cf072" IsPassive="false" IssueInstant="2014-04-29T15:15:04.666Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Version="2.0"><samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/sp</samlp:Issuer><saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" SPNameQualifier="https://sp.example.com/sp"/><saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml2p:RequestedAuthnContext></samlp:AuthnRequest>
You can find possible solutions to your problem in Ping's support center:
https://www.pingidentity.com/support/solutions/index.cfm/SSO-fails-with-Unable-to-lookup-sp-or-idp-connection-metadata-for-entityid
In the server.log, the error "Unable to lookup sp connection metadata
for entityid" is seen. This is usually an indication that there is a
mismatch between the Partner Entity ID (Connection ID) configured in
the IDP-side PingFederate SP Connection and the actual entity ID of
the partner, and therefore PF cannot determine which SP Connection to
use when a SAML AuthnRequest comes in from the SP in the SP-initiated
SSO use case.
https://www.pingidentity.com/support/solutions/index.cfm/Unable-to-lookup-sp-connection-metadata-for-entityid
Since Entity ID is case sensitive, if there is a mismatch between the
value entered for the Partner's Entity ID (Connection ID) field in the
PingFederate Administrative Console and what the partner is sending in
the SAML protocol message, then the SSO attempt will fail with the
"Unable to lookup sp (or idp) connection" error message.
The solution is to verify the Partner's Entity ID (Connection ID)
setting matches exactly what is sent by the partner in the SAML
messages.
I have a WCF web service that should always use a specific AD account, which has been granted access to the database, to execute SQL transactions. I read a couple of articles, but I'm obviously doing/understanding something wrong because I'm not getting it to work the way I want.
I figured that that web service should impersonate the AD user, so I enabled impersonation in the web service web.config:
<identity userName="dmn\wsusr" password="p#55w0rd" impersonate="true"/>
Then, since I'm technically using a Windows user to connect to SQL, I set the connection string as follows ("Integrated security=true;" for Windows authentication, right?):
Data Source=SQLSVR\INSTNC; Failover Partner=SQLSVR\INSTNC2; Initial Catalog=DB; Integrated Security=true;
For testing the connection I insert some values into a table. One of the columns of the table I'm inserting to has the following definition:
[LogUser] VARCHAR(75) NOT NULL DEFAULT USER
So, theoretically, the AD username of the user who opened the connection will automatically be inserted into the column. Unfortunately, however, the column contains my own AD username every time.
I'm testing the web service via a web site that uses Windows authentication, so I'm assuming that this plays a role in the cause of the problem. But the website authentication should be disregarded since this will be an externally accessible web service and SQL transactions should never rely on authentication between the client and the web service.
Thanks!
EDIT
I also tried:
Adding Trusted_connection to the connection string, but it yielded the same result as above.
Using User ID and Password in the connection string, but since the connection string only accepts SQL users, this resulted in a Login failure error
EDIT2
I suggested to my superiors that we should try the approach where you create a separate application pool for the service, set it up to run as the AD user, and allow the AD user to log on as a service (something I read somewhere) but they're not keen on that and reckon it should be a "last resort"