Can I use a login method other than the defaults in DC/OS - mesosphere

After I installed DC/OS, it prompts a login dialog to log in with Google/GitHub/Microsoft. Is it possible to log in with a customized user/pass like admin/admin?

Open Source DC/OS does not allow for basic authentication. You can either use OAuth or "NoAuth". You can disable authentication via these instructions: https://dcos.io/docs/1.9/security/managing-authentication/#authentication-opt-out. However, if you go the "NoAuth" route you would not want to leave your cluster wide-open. You should set up a firewall or other means of access control around your DC/OS cluster.

Related

Azure B2C - Can't get a B2C user flow to work with another Azure AD instance as a custom identity provider

I have set up a B2C instance OK and managed to get a basic Blazor (server) app working with it using the Microsoft Identity Platform (using AD groups for permissions - it was a hassle but works).
However, I'm trying to use an external Azure AD as a custom identity provider in the user flow, so that I am not restricted to just email/id/social accounts, but can have guest accounts from other directories use the app without having to manage their sign-ins. To do that I performed a web app registration in the AD tenant that I wanted to use to authenticate those accounts against (as suggested in a couple of tutorials).
The application I registered in the external AD has a Redirect URI in the format "https://{My B2C Directory Name}.b2clogin.com/{My B2C Directory Name}.onmicrosoft.com/oauth2/authresp", which matches the name of my B2C instance, and I have added the client id and secret generated from that app registration and put the details into the custom identity provider I have created for the sign-in flow, as per the instructions here (including the mappings etc.):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
I also found a slightly older tutorial here, which is pretty similar (different mappings) that I've tried to follow (and adapt the bits that are out-of-date).
https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-azure-ad-via-the-b2c-custom-identity-provider-42fbc2832e32
However when I run the user flow I get "AADSTS900971: No reply address provided." - this happens even when I run the flow directly from the User Flows tab in B2C with a 'Reply URL' explicitly set to "http://jwt.ms" (just to capture the token contents).
I'm confused about the reply URL being missing because they exist in both registered apps. Also, it's not saying they're mismatched, just that one isn't set at all (but appears to be).
It feels like I'm missing something simple - does anyone have any idea what that might be?
Ok so I did a couple of things to resolve this:
Re-registered the application in the AD I want to authenticate with (following this tutorial again: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow)
I was careful to ensure that the redirect URI in the format:
https://{B2C Instance Name}.b2clogin.com/{B2C Instance Name}.onmicrosoft.com/oauth2/authresp
was all lower case.
I also had to change from just a 'sign-in' user flow to the 'sign-up, sign-in' one, and then applied the custom identity provider to that flow. Apparently you need that even for users from another AD to be able to complete their invite process (otherwise you just end up with a 'user doesn't exist' error - even if you've invited/added them to the B2C users list).
I also elected to 'Grant admin consent for Default directory' under the API Permissions tab for the application being registered in the external AD (to be used for the custom identity provider).
The flow seems to work now. The only thing that would be useful would be to have an invite only sign-up, sign-in flow so that you could invite specific people without breaking the invite process.
If anyone knows how to do that please do post something.

Microsoft Azure AD - error_description:Due to a configuration change made by your administrator, or because you moved to a new location etc

I am facing an ERROR like the one below when connecting to Microsoft Azure AD after enabling MFA. Before that it connected fine. Today while logging in, it required me to enable this security feature on my phone (Microsoft Authenticator app). Unless this feature is added, I can't access MS Outlook in Microsoft 365.
I am using WSO2 Outlook Connector to make connection with Microsoft Graph API
ERROR:
"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000
Possible solutions:
Use an interactive flow instead.
If you are using an interactive flow and still getting this error, ensure openid is one of the scopes during the interactive sign-in. You might be getting the error after the interactive sign-in, when trying to exchange the authorization code for an access token...
https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize
?client_id=########-####-####-####-############
&response_type=code
&scope=openid groups.read.all
&nonce=1234
&redirect_uri=https://app.contoso.com
Notice "scope=openid groups.read.all" in the request above.
Add the client application to the exception list of the Conditional Access Policy
Add the user to the exception list of the Conditional Access Policy
If not using conditional access policies and the user is directly enabled for MFA, then as a last resort, disable MFA for the user if solutions above (specifically solution #1 and #2) do not work for you.
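The fallback described in solutions #1 and #2 above, as an added example that is not the WSO2 connector's code or Microsoft's: it classifies a token-endpoint error body (constructed here from the AADSTS50076 message quoted in the question) as "needs interactive sign-in", builds that interactive request with openid forced into the scope list, and checks the state parameter on the way back. It uses the v2.0 authorize endpoint, where scopes are a request parameter; the tenant, client id and redirect URI are placeholders.

```python
"""Added example: recover from interaction_required / AADSTS50076 by sending
the user through an interactive sign-in that requests the openid scope.
Hypothetical app; tenant, client id and redirect URI are placeholders."""
import json
import re
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")
AUTHORIZE_BASE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Constructed sample: the error body quoted in the question, as the token
# endpoint returns it (JSON with error / error_description).
SAMPLE_TOKEN_ERROR = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your "
                         "administrator, or because you moved to a new location, you "
                         "must use multi-factor authentication to access "
                         "'00000002-0000-0ff1-ce00-000000000000'.",
})


def parse_token_error(body: str) -> dict:
    """Return the OAuth error and the AADSTS code (if any) from a token-endpoint error body."""
    data = json.loads(body)
    match = AADSTS_RE.search(data.get("error_description", ""))
    return {"error": data.get("error"), "aadsts": match.group(1) if match else None}


def needs_interactive_signin(parsed: dict) -> bool:
    """Non-interactive grants (client credentials, ROPC, silent refresh) cannot
    satisfy an MFA challenge, so interaction_required / AADSTS50076 means
    'put the user in front of a browser'."""
    return parsed["error"] == "interaction_required" or parsed["aadsts"] == "AADSTS50076"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state=None, nonce=None):
    """Build the interactive authorization request. openid is added if missing,
    since the id_token it yields is what the later code exchange relies on."""
    scopes = list(scopes)
    if "openid" not in scopes:
        scopes.insert(0, "openid")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(16),  # CSRF binding, checked on return
        "nonce": nonce or secrets.token_urlsafe(16),  # replay protection for the id_token
        "response_mode": "query",
    }
    return AUTHORIZE_BASE.format(tenant=tenant) + "?" + urlencode(params)


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, refusing it when state
    does not match the value we sent (blocks login-CSRF code injection)."""
    qs = parse_qs(urlsplit(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not our authorization request")
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    return qs["code"][0]


if __name__ == "__main__":
    parsed = parse_token_error(SAMPLE_TOKEN_ERROR)
    if needs_interactive_signin(parsed):
        url = build_authorize_url("contoso.onmicrosoft.com",
                                  "00000000-0000-0000-0000-000000000000",
                                  "https://app.contoso.com/callback",
                                  ["Group.Read.All"])
        print("redirect the user to:", url)
```

The state check matters as much as the openid scope: a client that accepts any code arriving at its redirect URI can be made to log a victim into the attacker's session, so the value sent on the authorize request must be bound to the user's session and compared on return.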

MS Reporting Services does not authenticate on local domain name

I can access my reports through
http://mymachine:808/Reports
or
http://localhost:808/Reports
but not
http://myhost.mydomain.com:808/Reports
even when I have myhost.mydomain.com mapped to 127.0.0.1 in the hosts file. It keeps asking for user name and password, but the same user name and password work fine in the other ways of accessing it.
How to fix this?
Update
It prompts to type in user name and password, but just to pop up again. So there is no way to get into the page with the broken URL.
This is consistent in at least 2 browsers: Firefox 47.0, and Edge 25.10586.0.0
Also, I didn't have Report Manager installed, here is my menu of Reporting services configuration manager:
From the hint in the comments the issue is in the Reporting Services.
I was using the default settings, but MSDN said you can have different authentication types. I checked my reportserver.config file and I was using NTLM. Changing it to use basic authentication solves the problem.
My guess of the reason is that the browser will send a "Host" header for every request, and as this is inconsistent with NTLM's "domain", Reporting Services rejects the authentication. However, when switching to basic authentication, it simply passes the credential to Windows, so now it accepts.
References:
Authentication Types in Reporting Services
How to: Configure Basic Authentication in Reporting Services
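The change the answer describes, as an added example (not the poster's file): the Authentication section of rsreportserver.config with the default Windows types it ships with, followed by the RSWindowsBasic form. Realm and DefaultDomain are placeholders. Two practitioner checks before adopting it: Basic sends the password base64-encoded on every request, so the report server URL must be served over HTTPS only; and repeated credential prompts when a local IIS/SSRS site is reached through a name other than the machine name are commonly caused by the Windows loopback check, whose documented fix (the BackConnectionHostNames registry value from KB 896861) keeps Windows authentication in place.

```xml
<!-- Added example: Authentication section of rsreportserver.config. -->

<!-- Default as installed (what the question was running): Negotiate, Kerberos, NTLM -->
<Authentication>
  <AuthenticationTypes>
    <RSWindowsNegotiate/>
    <RSWindowsKerberos/>
    <RSWindowsNTLM/>
  </AuthenticationTypes>
  <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
  <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>

<!-- Basic authentication, as the answer switched to. LogonMethod 3 is a network
     logon (no interactive session on the server). Realm and DefaultDomain are
     placeholders. Only use this behind HTTPS: the credential is sent in the clear. -->
<Authentication>
  <AuthenticationTypes>
    <RSWindowsBasic>
      <LogonMethod>3</LogonMethod>
      <Realm>ReportServer</Realm>
      <DefaultDomain>MYDOMAIN</DefaultDomain>
    </RSWindowsBasic>
  </AuthenticationTypes>
  <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
  <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>
```

Restart the Report Server service after editing the file so the new Authentication section is read.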
You could try adding a new URL for Report Manager. To do this
Open Reporting Services Configuration Manager
Select Report Manager URL
Click Advanced
Click Add to add details
Here's a screenshot to help.

SharePoint 2013 Unauthorized exception for provider-hosted Apps

I receive "Unauthorized" exception on the host side for a provider-hosted App for SharePoint 2013.
Uri hostWeb = new Uri(Request.QueryString["SPHostUrl"]);
using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity))
{
    clientContext.Load(clientContext.Web, web => web.Title);
    clientContext.ExecuteQuery(); // the "Unauthorized" exception is thrown here
}
Certificates were installed, Anonymous access was disabled. I can't understand the reason for this problem.
I have run into the exact same problem before... I resolved it by implementing OAuth and having it redirect to the app main page with "write" permission.
Response.Redirect(TokenHelper.GetAuthorizationUrl("mysharepoint.com", "Web.Write", "myapp.com/default.aspx"));
Basically what this does is authenticate the logged-in user with your SharePoint site; once authenticated, it'll redirect (with write permission) to your app site.
Here is how to implement OAuth: http://msdn.microsoft.com/en-us/library/office/jj687470(v=office.15).aspx
Looks like this is a High Trust App. If you have exhausted the tips at http://msdn.microsoft.com/en-us/library/fp179932.aspx, then there is an ill-formed SPTrustedSecurityTokenIssuer. You can find all of them using the PS below. Ideally each should be IssuerId#Realm. If there is one which is not, then remove that. But remember not to remove the first one, which is for workflows.
Get-SPTrustedSecurityTokenIssuer | select Name,RegisteredIssuerName
First you have to check the user in 'Request.LogonUserIdentity'. Actually this happens when your user does not have access to your site in IIS.
So to set the correct user in 'Request.LogonUserIdentity' follow the steps below:
open your IIS --> Authentication --> Anonymous Authentication --> Edit --> Specific user [the user which you get in 'Request.LogonUserIdentity'] --> iisreset
Now the user has permission to access your IIS site.

Active Directory authentication in IE

I would like to be automatically logged on to a website using the login and password that are used on my computer when I open an AD session.
Connection must be granted if I'm in the right AD group.
Any advice?
The easiest solution would be to use the built-in ASP.NET Membership and Role system and just use the "Active Directory" membership and role providers.
That way, your user is automatically authenticated, and you can use role-based security in ASP.NET to do something like:
[PrincipalPermission(SecurityAction.Demand, Role = "MyAppRole")]
Put this on your critical or sensitive methods to allow or refuse access to your app.
With the same method, you can also add protected subfolders to your application and protect them by specifying who has access (or not) in your web.config (in that folder).
See a few links for additional details:
http://blogs.msdn.com/gduthie/archive/2005/08/17/452905.aspx
http://slalomdev.blogspot.com/2008/08/active-directory-role-provider.html
http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
Hope this helps a bit.
Marc
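The web.config side of what the answer describes, as an added example (hypothetical file, not from the answer's links): integrated Windows authentication so the browser presents the user's existing AD logon, the built-in Windows token role provider so AD group membership shows up as ASP.NET roles, and per-folder authorization on those groups. Domain and group names are placeholders. One caveat on the answer's provider suggestion: the ActiveDirectoryMembershipProvider validates credentials that the user types into a Forms-authentication login page against LDAP; for the silent sign-on asked about here it is Windows authentication that does the work, and in IIS Manager the site must have Windows Authentication enabled and Anonymous Authentication disabled, otherwise the anonymous identity is used and every role check fails.

```xml
<!-- Added example: hypothetical web.config for silent AD sign-on plus group-based access.
     CONTOSO, MyAppRole and MyAppAdmins are placeholders. -->
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Browser sends the Kerberos/NTLM ticket of the logged-on AD user; no login form -->
    <authentication mode="Windows" />

    <!-- Built-in provider: maps the Windows token's AD groups to ASP.NET roles,
         so [PrincipalPermission(SecurityAction.Demand, Role = "CONTOSO\\MyAppRole")]
         and User.IsInRole() both work -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

    <!-- Whole application: only members of the AD group get in; everyone else gets 401.
         Order matters: the first matching rule wins, so allow comes before deny. -->
    <authorization>
      <allow roles="CONTOSO\MyAppRole" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Subfolder override, the per-folder protection the answer mentions:
       tighten /Admin to a smaller group without touching the rest of the app -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\MyAppAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Check the result with an account outside the group: it should receive 401 for the site root and for /Admin, while a group member reaches the root and, unless also in MyAppAdmins, still gets 401 on /Admin.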
