Unable to log in via username/password and Microsoft Graph API, resource owner password credentials, Azure AD - azure-active-directory

I got the error below by following the steps below in this example:
Step 1: Clone or download this repository
Step 2: (Optional) Register the sample with your Azure Active Directory tenant
Choose the Azure AD tenant where you want to create your applications
Register the client app (up-console)
Step 3: Configure the sample to use your Azure AD tenant
Run the app:
Enter your username
anyuser@outlook.com
Enter your password (no backspace possible)
*********
Response status code does not indicate success: 406 (NotAcceptable).
Press any key to exit
Enter your username
anyuser@msn.com
Enter your password (no backspace possible)
*********
Response status code does not indicate success: 406 (NotAcceptable).
Press any key to exit
I changed the setting in Supported account types to the one below, but got the same error:
Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)
Enter your username
anyuser@outlook.com
Enter your password (no backspace possible)
*********
Response status code does not indicate success: 406 (NotAcceptable).
Press any key to exit
Any idea?
anyuser@outlook.com has admin permission.

It looks like you may be trying to use a personal Microsoft account. It will not work with this authentication flow.
The password grant (a.k.a. the resource owner password credentials grant flow) only works with users who are Azure AD users, who do not have MFA, and who are not federated. And the password must not have expired.
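The exchange the answer above describes, as an added example that is not part of the original question or answer: the script builds the ROPC request against the Azure AD v2.0 token endpoint and, on failure, reads the AADSTS code out of the JSON error body and maps the handful of well-known codes that correspond to the conditions listed in the answer (MFA enforced, bad password, expired password, disabled or unknown user). The tenant, client ID and credentials are placeholders, and the sample error body is constructed, not a real capture.

```python
"""ROPC token request against Azure AD, with triage of the error response.

Added example (not from the original post). TENANT and CLIENT_ID are
placeholders. No network call happens at import time; request_token() is
the function you would run interactively.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Well-known AADSTS codes behind a failed password grant. These are the
# conditions the answer lists: the flow is refused when any of them applies.
ROPC_FAILURE_CAUSES = {
    50076: "MFA required: ROPC cannot satisfy an MFA / Conditional Access policy",
    50126: "invalid username or password",
    50055: "password expired",
    50057: "user account disabled",
    50034: "user does not exist in this tenant",
}


def build_ropc_request(tenant, client_id, username, password,
                       scope="https://graph.microsoft.com/.default"):
    """Return (url, urlencoded body) for the resource owner password credentials grant.

    The tenant must be the organisation's own tenant (ID or verified domain):
    the flow is not offered to personal Microsoft accounts, so using it for
    an @outlook.com or @msn.com identity fails regardless of app settings.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
    })
    return url, body


def explain_token_error(response_body):
    """Map an Azure AD error response (JSON text) to a human-readable cause."""
    try:
        err = json.loads(response_body)
    except ValueError:
        return f"non-JSON error body: {response_body[:80]!r}"
    for code in err.get("error_codes") or []:
        if code in ROPC_FAILURE_CAUSES:
            return f"AADSTS{code}: {ROPC_FAILURE_CAUSES[code]}"
    return f"{err.get('error', 'unknown')}: {err.get('error_description', '')[:120]}"


def request_token(tenant, client_id, username, password):
    """Perform the grant; raise RuntimeError with the triaged cause on failure."""
    url, body = build_ropc_request(tenant, client_id, username, password)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as e:
        raise RuntimeError(explain_token_error(e.read().decode())) from None


# Constructed sample (not a real capture) of the body Azure AD returns when
# the user is subject to an MFA requirement the password grant cannot meet.
SAMPLE_MFA_ERROR = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by "
                         "your administrator, or because you moved to a new "
                         "location, you must use multi-factor authentication.",
    "error_codes": [50076],
})

if __name__ == "__main__":
    url, body = build_ropc_request("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                                   "alice@contoso.com", "example-only")
    print(url)
    print(explain_token_error(SAMPLE_MFA_ERROR))
```

The point of the triage is that `invalid_grant` alone tells you nothing; the numeric `error_codes` entry is what distinguishes "wrong password" from "this account can never use ROPC", and the latter is the case to treat as a design signal (move to an interactive flow) rather than a retry.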

Related

Pre-validate password complexity .NET AD userPrincipal

We have a C# web app for new customer intake, at the end of which the user enters a password value that we apply to their new Active Directory user object when we invoke the userPrincipal .NET method to create their user object. Our code also creates an account in our Azure AD tenant, with the correct values (ImmutableID) set for Azure AD Connect to import and join both accounts on its next pass (the 30-minute AADC cycle wait time is not acceptable for our requirements). We sync our password hashes from on-premises AD to Azure AD, we have password complexity enabled in AD, and we enabled and added our own vocabulary to the Banned Words (substrings) facility in Azure AD. We are considering installing the MS "Password Protection" service on our DCs, which will also apply Azure Banned Words checking when passwords are updated on-premises.
To keep this question short, we really would like to pre-validate the user-entered passwords against all the password policies, including the banned words list (assume we install that service on all our on-prem DCs), but we can't find a method or service in .NET that will pre-validate that a proposed password passes all the active password policies. Our users tend to use Azure Self-Service Password Reset; on-premises password changes later on are rare. But in the C# programming, it appears you have to actually request an Add of a new AD username to get .NET to evaluate the password value and signal status back from the userPrincipal method in .NET.
Anyone got any tricky ideas on how to get a password pre-validated against AD password policies without the context of adding an actual new user, but assuming that the sAMAccountName that will be submitted does NOT yet exist in Active Directory? We thought about creating a temporary AD user with a hash or base64 of a GUID for unique temporary usernames, getting any password evaluation feedback back from .NET, then deleting the temporary user object, but that's a lot of overhead just to check a password, would trigger replications, and would generate beaucoup Event Viewer and AD-AuditPlus log events and much junk network traffic. Thank you.
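One way to get most of the feedback the question asks for without touching the directory is a local pre-check that mirrors the documented rules, as an added example that is not the poster's code: the default AD complexity rule (minimum length, three of five character categories, no sAMAccountName, no display-name token of three or more characters) plus a substring check against a banned-word list after the lower-casing and common character substitutions that Azure AD Password Protection normalises. It is an approximation: fine-grained password policies, password history, and the fuzzy matching and scoring of the Azure banned-password algorithm are not modelled, so the DC's verdict at account creation remains authoritative. The names, the banned list and the sample passwords are constructed for the example.

```python
"""Local pre-check of a proposed password against the AD default complexity
rule and a banned-word list.

Added example, not the poster's code. Approximates the documented rules;
it does not replace the domain controller's evaluation.
"""
import re

# Subset of the character substitutions Azure AD Password Protection
# normalises before comparing against banned words (documented behaviour).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def _categories(pw):
    """The five AD character categories present in pw."""
    cats = set()
    for ch in pw:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch.isalpha():
            cats.add("other-alpha")   # Unicode letters with no case (e.g. CJK)
        else:
            cats.add("symbol")
    return cats


def _name_tokens(display_name):
    """AD splits the display name on commas, periods, dashes, underscores,
    spaces, pound signs and tabs; tokens shorter than 3 chars are ignored."""
    return [t for t in re.split(r"[,.\-_ #\t]+", display_name or "") if len(t) >= 3]


def check_ad_complexity(password, sam_account_name, display_name, min_length=6):
    """Return a list of problems (empty means the default complexity rule passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(_categories(password)) < 3:
        problems.append("uses fewer than 3 of the 5 character categories")
    low = password.lower()
    if sam_account_name and len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        problems.append("contains the sAMAccountName")
    for tok in _name_tokens(display_name):
        if tok.lower() in low:
            problems.append(f"contains name token {tok!r}")
    return problems


def check_banned_words(password, banned):
    """Banned words found in the password after lower-casing and leet substitution."""
    norm = password.lower().translate(LEET_MAP)
    return [w for w in banned if w.lower() in norm]


def prevalidate(password, sam_account_name, display_name, banned):
    """Combined pre-check; an empty list means 'worth submitting to AD'."""
    problems = check_ad_complexity(password, sam_account_name, display_name)
    problems += [f"contains banned word {w!r}" for w in check_banned_words(password, banned)]
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a fictitious user and a tiny custom banned list.
    banned = ["winter", "contoso", "password"]
    for pw in ["Winter2024!", "jsmith-Pass1", "Pa$$w0rd", "Tq7#vN2pL!"]:
        print(f"{pw:14} -> {prevalidate(pw, 'jsmith', 'John Smith', banned) or 'ok'}")
```

Because the check runs in the intake app, a password that fails here never generates a directory write, replication or audit event; only candidates that pass are submitted to AD, which still applies the policies this check does not model.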

Azure AD SSO Guest user can't login

On guest user login on redirect URI I got an error:
AADSTS1000031: Application {App name} cannot be accessed at this time. Contact your administrator.
I'm using multi-tenant approach. The authorization URL looks good and it redirects me with such an error.
But I can't find any description of the error or configuration in the azure related to this error.
Also, "normal" users can log in without any issues.
I have such configuration in my Azure App:
Could you please advise how can I enable guest accounts support here?
This error can occur if you have not granted admin consent.
Go to Azure Active Directory within the Azure portal.
Go to Application registrations.
Select the Application based on the App-Id.
Go to API Permissions.
Click Grant Admin consent.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
Has this SSO been setup as an Enterprise application?
Or are you just trying to get a guest user logged in to your tenancy as a guest?
If it is the latter, just create a new Guest user within your tenancy; make sure you have the rights to do this first.
Then have the guest user accept the email invitation they receive.
Confirm within Azure they have accepted the invite.
Also make sure they are using the same email address as the invite was sent to and not an alias, which can cause confusion.

Snowflake is giving me the error "SAML response is invalid or matching user is not found. Contact your local system administrator"

I have an Azure Active directory with SSO and provisioning enabled. Users from my company can SSO into snowflake just fine, but when I invite a user from GMail or another domain into our AD they get the SAML error. The Snowflake AD app has provisioned the user to Snowflake correctly from what I can see.
How do I troubleshoot this?
Thanks,
Phil
@suzy_lockwood It was the NameID attribute giving me the problem. I linked it back to the Snowflake application in my Azure AD. The fix was to go to Manage > Single sign-on > User Attributes and Claims. Under Required Claim I opened the claim "Unique User Identifier (Name ID)" and changed the source attribute from UPN to user.mail.
This error is due to being unable to identify the user. Please specify the complete name of the user while authenticating:
snowsql -a mytest.us-east-1 -u xyz@abc.com
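Why the NameID fix above works, as an added example that is not part of the original thread: a B2B guest's userPrincipalname in the inviting tenant has the form alias_domain.com#EXT#@tenant.onmicrosoft.com, while provisioning used the guest's real mail address, so a NameID sourced from the UPN matches no provisioned login name. The script parses a constructed, unsigned, minimal SAML assertion, pulls out the NameID and the email claim, and looks each up against a constructed list of provisioned users the way a service provider matching NameID to login name would. The issuer, tenant and user values are placeholders, and in real code the NameID is only read after the response signature has been verified.

```python
"""Guest-user NameID vs. provisioned login name.

Added example, not from the original thread. The assertion is a constructed,
unsigned sample; never trust a NameID before verifying the response signature.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: NameID sourced from the UPN for a guest (B2B) user.
GUEST_UPN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">phil_gmail.com#EXT#@contoso.onmicrosoft.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>phil@gmail.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of what SCIM provisioning created on the SP side.
PROVISIONED = [
    {"login_name": "ALICE@COMPANY.COM", "email": "alice@company.com"},
    {"login_name": "PHIL@GMAIL.COM", "email": "phil@gmail.com"},
]


def name_id(assertion_xml):
    """NameID text from the assertion's Subject, or None."""
    root = ET.fromstring(assertion_xml)
    el = root.find("saml:Subject/saml:NameID", NS)
    return el.text.strip() if el is not None and el.text else None


def email_claim(assertion_xml):
    """Value of the emailaddress attribute, or None."""
    root = ET.fromstring(assertion_xml)
    el = root.find(f"saml:AttributeStatement/saml:Attribute[@Name='{EMAIL_CLAIM}']"
                   "/saml:AttributeValue", NS)
    return el.text.strip() if el is not None and el.text else None


def is_guest_upn(upn):
    """Azure AD rewrites invited users' UPNs to alias_domain#EXT#@tenant form."""
    return "#EXT#@" in upn


def find_provisioned_user(identifier, provisioned):
    """Case-insensitive match of the asserted identifier against login names."""
    wanted = identifier.casefold()
    return next((u for u in provisioned if u["login_name"].casefold() == wanted), None)


if __name__ == "__main__":
    nid = name_id(GUEST_UPN_ASSERTION)
    print("NameID from UPN:", nid, "(guest)" if is_guest_upn(nid) else "")
    print("  matches:", find_provisioned_user(nid, PROVISIONED))
    mail = email_claim(GUEST_UPN_ASSERTION)
    print("NameID from user.mail would be:", mail)
    print("  matches:", find_provisioned_user(mail, PROVISIONED))
```

Sourcing the NameID from user.mail makes the identifier in the assertion equal to the one provisioning wrote, which is the whole fix; it also means the mail attribute must be populated and unique for every user who will sign in, guests included.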

Azure create servicePrincipal results in Insufficient privileges to complete the operation

I am trying to create a new service principal using the command below using azure cli v2.0.
az ad sp create-for-rbac --name ServicePrincipalName
Changing "ServicePrincipalName" to a valid URI of "http://ServicePrincipalName", which is the required format used for service principal names
Found an existing application instance of "abcd-8f27-47cf-9976-xkkfigif5e1de". We will patch it
Insufficient privileges to complete the operation.
I am not sure what privileges the Azure admin of my tenant should assign to my user so I can create a service principal. Any guidelines or document pointers, please?
First, you have to know what this command will do. The command az ad sp create-for-rbac --name ServicePrincipalName will create an AD App(app registration) along with a service principal in your tenant, the AD App will have an Application ID URI named http://ServicePrincipalName, a Display name named ServicePrincipalName. Then the command will add the service principal to your subscription as a Contributor.
The error you got means there is already an AD App with the Application ID URI equals http://ServicePrincipalName existing in your tenant. And you are not the Owner of the AD App. (Note: in the tenant, the Display name is not unique, but the Application ID URI is.)
To solve the issue and use this command successfully, follow the tips below.
1. Change the ServicePrincipalName to a different one. (Or, if your admin allows you to use the existing AD App mentioned above, just let him add your user account as an Owner of the AD App - not recommended.)
2. If your account's user type is just Member in the tenant, make sure that in the portal -> AAD -> User settings -> "Users can register applications" is Yes. If your account is a Guest, then besides "Users can register applications" needing to be Yes, User settings -> External collaboration settings -> "Guest users permissions are limited" also needs to be No.
3. Your user account should be an Owner of the subscription. Otherwise you can create the service principal successfully, but you cannot add it to the subscription.

Login failed while accessing Active Directory with logon name from WSO2 APIM

I've connected my WSO2 API Manager with an external LDAP, i.e. Microsoft Active Directory.
I have a following user in my Active directory :
Username : WSO2 Admin
User logon Name : WSO2.Admin@india.test.com
NT logon Name : INDIA\WSO2.Admin
When I set the Admin role for my user's Username in the user-mgt.xml file, I'm able to log in to the WSO2 admin console only with the Username, i.e. WSO2 Admin, and I'm also able to see all the users from Active Directory. But if I try to log in to the management console with the actual logon name, i.e. india\WSO2.Admin or WSO2.Admin@india.test.com, it shows me a "login failed" error.
<AdminUser>
<UserName>WSO2 Admin</UserName>
<Password>xxxxx</Password>
</AdminUser>
Can somebody please help me solving this?
In WSO2 Carbon (the base for all WSO2 products, not just APIM), realms and domains have different meanings.
E.g. the domain @india.test.com in the Carbon logon form denotes the tenant (the default tenant is carbon.super). You may try to log in with WSO2.Admin@carbon.super; in theory it should work (I did not try it myself).
As well, the realm (in the form realm\username) hints Carbon to use a secondary user store with the specified realm parameter (I may be wrong about this format; if someone knows for sure, feel welcome to correct me).
I believe the full domain should work with a Kerberos authenticator (used for applications, not for the Carbon management console), but this authenticator has been reworked and improved in current versions, so I don't know the current state.
