I have set up a Mediawiki for our small local domain (abc.local) on a linux VM (just for internal use). Our local domain controller is a Win Server 2008 R2. I've setup the Mediawiki LDAP Authentication extensions so that i can restrict editing of our Wiki to only domain Users. I've configured the Mediawiki LDAP configuration to use the domain Administrator credentials for this authentication.
Is there a way to create another account that can do this user authentication but can't change anything? Sort of like a "read-only" Administrator account?
thanks,
russ
An account can't be "read-only" and also "Administrator". It's one or the other.
"Authentication" can only ever be done with the user's own credentials. There is no special kind of account that lets you authenticate other accounts. All it needs credentials for is to look up accounts on the domain. So you only need a read-only account, which is basically any account that can authenticate on your domain.
So just create an account specifically for Mediawiki and use that.
Related
When a user logs in to a SSO (Single Sign on) application, IIS makes a request to LDAP (Lightweight Directory Access Protocol) to get some user information for authentication. I am trying to find where the communication between LDAP and IIS happens (I am assuming that IIS sends a request to LDAP in order to get some user information). I have looked in the IIS Manager in windows and could not find the communication between IIS and LDAP. Does anyone know where I would be able to find the communication between LDAP and IIS?
If you're talking about Windows Authentication, then no, IIS doesn't use LDAP. It will use either Kerberos (preferably) or NTLM.
The mechanism is different for each, but basically, the user is already logged in on the client computer and sends their already-existing ticket to the server. The server just verifies the ticket with the domain controller. This means that the server must be joined to the same domain (or a trusted domain) as the user logging in.
For seamless SSO (where the user does not need to type in their username/password), the user must be logged into the client computer with the credentials they want to use on the website. If not, they will be prompted for credentials and the actual logging in will happen from the server.
If you cannot use Windows Authentication because the server is not joined to the same (or trusted) domain as the user, then you would have to implement LDAP authentication yourself. You would use Forms Authentication, ask for the user's username and password, and validate the credentials like this for example.
I've been reading the docs for Identity Server 4 (here) and it supports Windows Authentication and Active Directory.
Does it support multiple Active Directories?
Does it need to be configured somehow or Windows take care of it?
Thanks
That article is talking about running your application behind IIS. It's actually IIS performing the Windows Authentication, then passing the credentials to your application.
The answer to your question is "it depends". The server has to be able to authenticate your credentials. It can be from a different domain, but only if the domain your server is joined to trusts the domain the user account is on.
So if your server is joined to DOMAIN1, which is in an AD forest that has three domains: DOMAIN1, DOMAIN2, and DOMAIN3, then anyone with accounts on DOMAIN1, DOMAIN2, or DOMAIN3 can authenticate to your application.
Or if your server is joined to DOMAIN1, and DOMAIN1 has an explicit trust with DOMAIN4 (in a different AD forest), then users from DOMAIN4 can log in.
I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.
Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.
When trying to access
https://login.microsoftonline.com/{mydomain}.net/oauth2/token
using the following (yes, I know that grant_type is not recommended, but that's not the point)
grant_type: password
username: {user}#{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}
I get:
AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password
If I use an administrator like admin#{mydomain}.onmicrosoft.com it works fine.
In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.
It says in the management portal:
"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."
Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?
In the azure portal I have tried changing the primary domain from
{mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a
difference.
I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.
Does that apply when using the graph api as well? Do I have to setup
federation on my local network or is there another way around?
Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.
You can also see more details about Azure AD Connect user sign-in options in this official document.
Hope it helps!
I have windows server running ADFS server. I want to Connect to ldap server on it. My questions are
Does running ADFS Server already have LDAP Server running or need to do anything for that? I believe it is running already because I could see open port 389 and 636.
Assuming LDAP server is running, I was trying to connect to it using Google App Directory Sync to get list of users However I was not able to authorize. Is there any default credentials to connect? Or steps to get credentials for LDAP server?
Thanks
An ADFS server is not an Active Directory server - ADFS only extends Active Directory's infrastructure. Ports 389 and 636 are available because ADFS supports the LDAP and LDAPS protocols for communication, and as such, ADFS can retrieve user attributes from Active Directory, and it can also authenticate users against Active Directory. If you already have a directory server running, you need to add it to ADFS as an account store.
There are no default credentials - just use an administrative account that exists in your Active Directory store, as mentioned in point one.
To clarify on terminology for ADFS:
Account Store in ADFS: This is the account store that ADFS authenticates the user against with some form of credential (e.g. Username/password). By default ADFS connects to the Active Directory Domain Services and adds it as a special account store that cannot be deleted. So, any users in this active directory forest or in it's trusted subsystem can authenticate to ADFS. So far, ADFS only supported Active Directory as an account store and nothing else. With Windows Server 2016, it now supports connecting any LDAP v3 compliant directory as an account store. ADFS does not open LDAP ports as it is not an LDAP server. If ADFS were collocated with a domain controller, you would see LDAP ports open.
Attribute Store in ADFS: This a store where you can augment additional information about the user AFTER the user authenticates. By default ADFS has a default attribute store for ADDS that is setup by virtue of the install. Beyond this, it has in-built adapters that can be instantiated to connect to SQL or ADLDS (lightweight directory service). It also has an extensible API to connect to any other attribute store of your choice via .NET. People connect to Oracle/SAP data base, FIM metaverse etc.
#Srikanth: You will use the ADFS claims language or the UI to query for additional data using the attribute store model. In the UI, you would see it when you configure the issuance authorization rules or the issuance claims rules.
Hope that helps
Sam (#MrADFS)
I'm having a very confusing error between SharePoint and SQL Server 2k5.
My SQL Server acting as backend to my MOSS farm has several logins in it which correspond to the web front end servers in my farm, with the pattern: {my-domain}{my-machine}$
Now, those accounts do not exist in AD anywhere, despite the login name syntax, and were generated somehow (assume by MOSS, but can't confirm). One (and only one) of the servers is throwing login failures every 2 minutes; that server was the first in the farm and holds most of the services, just not search and indexing.
I did a number of traces in SQL Profiler, and all I can tell is that the failure is a type 16 error on 'master'; so the login exists but doesn't have rights to 'master'.
Having found that, I went back in and gave it progressively greater rights on Master, including db_owner, and eventually making it a sysadmin. Still no joy, same error.
Diggin further w/ tracing, I found that the actual failure was due to the SSO db not existing; probably b/c it wasn't configured in MOSS. When I tried configuring the error, I got a "Sorry, you're not authorized to do that" error in Central Admin, even though I was logged in as the farm admin, who's also a forest-level admin w/ rights to everything I can think of.
Turning off SSO as a windows service worked, but I'm concerned about my inability to configure it in MOSS, so I dont' want to leave that as a solution.
I'm out of ideas, anyone else have thoughts or experience on this?
Thanks
The {my-domain}{my-machine}$ account is an alias for the NETWORK SERVICE built-in local machine account. NETWORK SERVICE is a low privilege predefined account that was introduced in Windows 2003. It has network credentials and can therefore connect to remote databases (as long as they're within the same domain).
It sounds like you've created your SharePoint web applications with the default application pool identity. This will create the logins named {my-domain}{my-machine}$ in SQL Server. So yes, SharePoint created the SQL logins, but they're based on the built-in NETWORK SERVICE machine accounts on the servers in your farm.
I'd check that the account you're using to configure SSO has the rights to create the SSO database. Have a look at the table in Plan for single sign-on. It lists all the privileges required for all the different types of SSO accounts. For the configuration account, the document lists:
SSO configuration account:
Must be a user domain account. Cannot be a group account.
The user account must be a server farm administrator.
Must be a member of the Administrators group on the
encryption-key server computer.
Must be a member of the following SQL Server security roles on the
computer running SQL Server:
Dbcreator
Securityadmin
Must be either the same as the SSO administrator account, or be a member
of the group account that is the SSO
administrator account.
If that doesn't help, follow Alex Angas' advice and post this question to serverfault.com.
Try and follow this to configure SSO:
http://technet.microsoft.com/en-us/library/cc262932.aspx
We had this same problem - the source of your "Not authorized to do that" message when you configure SSO is that you need to be logged into Sharepoint Central Admin as the SSO user (in our case, it was DOMAIN\SSO_Proxy). This allowed us to make the changes we needed.
Good luck!