WCF secured with Azure AD - winforms

I have a WCF service hosted by Azure and secured by Azure AD. When I use the web to access the service I am prompted with the Azure login; after a successful login, I reach the data. I am trying to access the data from WinForms: I reach the OAuth2 login screen, I successfully log in and get the token. I add the token to the context headers, but still receive this message:
InnerException = "You do not have permission to view this directory or page."
Any help on how to access a WCF service secured with Azure AD from WinForms?

There could be multiple reasons for this error and it's hard to guess.
But here are a few things to check.
1) Your client application (WinForms) is registered with Azure AD and has permission to access your web app. Make sure desktop/mobile apps are registered with Azure AD as native apps.
2) Your Audience is set correctly in Azure AD. I have seen many people struggle if they don't have it set properly.
If your WCF is hosted in App Services then turn on the real-time logging. Go to App Services and turn on the "Diagnostic logs". Under "Diagnostic logs" set the "application log" to verbose. After this go to "Log Stream" in App Service to view the real-time app logging. Now if you hit your web app with your client you should be able to see why you are getting 401 Unauthorized.
Hope that helps!
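The audience check from point 2 is the one most often behind a 401 after a successful login: the client acquired a token for some other resource, so the `aud` claim does not match the App ID URI of the WCF app. The following added example (not from the question or answer) decodes the payload of an access token and reports mismatched audience, wrong tenant or expiry; the tenant ID and App ID URI are constructed placeholders, and it deliberately skips signature verification because it is a client-side diagnostic, not server-side validation.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking the signature.
    This is a client-side diagnostic for a 401, not server-side validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_app(token, expected_audiences, tenant_id, now=None):
    """Return human-readable problems; an empty list means the token at least
    targets the right app and tenant and has not expired."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & set(expected_audiences):
        problems.append(f"aud {sorted(auds)} does not match {sorted(expected_audiences)}: "
                        "token was requested for the wrong resource / App ID URI")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} is not tenant {tenant_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed token so the check runs offline. Real Azure AD tokens are
    RS256-signed; the signature segment here is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"
```

Paste the real access token from the WinForms client into `check_token_for_app` together with the App ID URI (and client ID) configured for the web app; an `aud` mismatch means the token request used the wrong resource, not that the headers were attached incorrectly.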

Related

Using Power Automate I need to perform a HTTP request on a site that is protected by Azure AD

I need to perform an HTTP request to a site that is hosted in an Azure App Service. This site has Azure AD authentication enabled. The HTTP request will be performed by an MS Flow. I have attempted to use basic authentication, but this fails. I am now looking at an Azure app registration to get access to the site, however I'm having issues with this too. Does anyone have any suggestions on the best approach?
Cheers
After some tests, I reproduced your issue. When you enable authentication on your App Service, you need to click "Azure Active Directory" under "Authentication Providers" and register an app in your Azure AD (if you do not do any other operation, the name of the app registered in AD should be the same as your App Service, as shown in the screenshot below).
Then you can use "Active Directory OAuth" as the Authentication type in your "HTTP" action.
You can go to your Azure AD and click "App registrations", and find the app name in it. There you can find the "Tenant ID" and "Client ID". You also need to create a new client secret, as in the screenshot below.
The Audience in "HTTP" action also comes from your registration app, the Audience is "Application ID URI" in the page below:

How can I authenticate against Azure AD from a browser in a non-interactive workflow?

I have a website hosted as Azure App Service with Azure Active Directory authentication enabled. Users can sign in from their browser using the interactive workflow.
The website must run as a dashboard on a big screen 24/7. It is not possible to use the interactive workflow for authentication there, since there is no user to enter credentials.
How can I achieve this?
Is it possible to use a service principal with a client certificate? If so: How?
You can use the client credential flow to obtain a token to call the Web API hosted in your App Service on your behalf (not on behalf of the user). This solution is useful for non-interactive daemon applications that perform tasks without logged in users.
Since you have enabled Azure AD authentication in the App Service, you only need to register the daemon app in the Azure portal. When you use the client credential flow to request the application hosted by the App Service, just replace the resource with the Application ID URI of the app hosted by the App Service.
Please see here.

Desktop app opening a server-side Blazor page protected by AD auth

I have a server-side Blazor app running on Azure AppService protected by AAD auth. Authorized AD users (admins) are able to access and use the app.
What I want to achieve is to allow other users to access only a specific page of the Blazor app. Users would access the app from a WPF app, themselves not necessarily being AD users, but an AD application user (daemon app). The WPF app gets the token (v2.0) and opens the page in a browser with the Authorization header (bearer token); however, Blazor doesn't interpret the auth header in the request and treats the user as unauthenticated.
App registrations should have been set up properly, as I'm able to access the API when using this approach.
Is this scenario possible? If so, any ideas what I could be doing wrong?
This scenario sounds like it is going quite a lot against general recommendations.
You really should not be doing "daemon app" authentication from a WPF app, as it is not a confidential client application (nor a daemon app). It runs on a user device, exposing the application's credential to any user.
Authentication flows that use secrets should never be used from a user device.
Secondly, a Blazor application is not generally one that can accept requests from an application.
Your WPF application should be calling an API, not a UI application.
What you should instead have is:
1) WPF app authenticates the user and acquires a token on their behalf to your API
2) WPF app calls the API with the access token
3) API validates the access token, authorizes access for the user and app, returns data
The Blazor app could be using this same API in its front-end code in a similar manner.
But I don't think you are going to be able to put it in the middle of your client app and the API.

Accessing Office Graph apis with Sharepoint Online login?

We've been running an Angular app in a custom masterpage during the last year, using the Sharepoint REST api to retrieve user properties, data from lists etc., which has been working fine. As the application is hosted on Sharepoint Online, accessing the page requires a login thus making the request digest available so further authentication is not necessary.
Now however, we want to start using some of the functionality in the Microsoft Graph API. From what I can gather this requires OAuth2 authentication against the Azure Active Directory, involving among other things a redirect to the AAD login page.
Does this mean I have to:
1) Login via the organizations (standard Microsoft) login page to access the Sharepoint Online site.
2) Redirect to the Azure AD login page and back again?
Or can I leverage the login that the user already did when logging into Sharepoint Online?
Sorry if the question is a bit vague, we are all still very new to this.
When registering your application on Azure AD you will give the app access to the Files/SharePoint REST API and the Microsoft Graph API. See this picture: the app has access to several APIs (Exchange, Graph and AD); you must add the SharePoint APIs in your case.
Regarding the authentication, I am afraid that the SharePoint model does not provide a token that will enable you to request the Graph API, see this. You will have two authentications, one to access the SharePoint site, as you said, and the other "within" the SharePoint iframed add-in to log into your AAD-registered app. This will be an OAuth process through login.microsoft.com. Have a look at my Outlook add-in Keluro Mail Team on the Office store; I think it is similar to what you want to achieve.
You can use the same token from graph.microsoft.com. I have a sample using ASP.NET Core 1.0 and the .NET ADAL, but the same authentication flow is used when using ASP.NET 4.6. Just make your auth request against MS Graph on startup, then acquire an access token to auth against SharePoint.
https://github.com/edrohler/com.ericrohler
Hope this helps.

Security model - SharePoint 2010 Silverlight web part calling WCF service

I have an interesting situation that I haven't been able to crack. Here is the environment that my Silverlight application runs in.
We have a SharePoint 2010 intranet that is the main host for the application. On a web part page, we have a Silverlight web part that contains the application. We use the Client Object Model to deduce who the logged in SharePoint user is. The users of this application access the SharePoint site OUTSIDE of the AD domain that they use to login; meaning they have an AD account, but their computers are part of various domains. The Silverlight application makes calls to a WCF service over https via SOAP protocol.
The question is, how do I secure the services so that the only valid requestor is the Silverlight application when being called from inside the context of a logged in SharePoint user?
Each end-user has an AD account that is created for them. The SharePoint site is an extranet that requires each user to login using their AD credentials. However, no end-user is accessing a site from a computer that is part of the domain.
I've attempted using Windows Authentication, but we have a requirement that the user must not be prompted to login (to the web services) after they have already logged into SharePoint. I've attempted using the Client Object Model to "pass" authentication/credentials to the service, but no luck there.
We have to disable Anonymous Authentication before we go to live, so I've got to figure out a way to secure the services but not make the users login a 2nd time inside the application.
Out of the box you can't: Silverlight can't delegate to any external service, for security reasons. What you can do is to secure your WCF channel via some other method (certificate-based, for example) and send through the current username manually. On the SharePoint end you can then impersonate the user.
It will be quite a fiddly thing to get going though :)
