I've implemented a site using Umbraco 7.1.3 and configured the CMS to use Active Directory for the login. I've followed this official post (https://our.umbraco.org/wiki/how-tos/membership-providers/active-directory-membership-provider) and everything works perfectly.
My problem is when I try to create a new user using a user which has successfully logged in using It's AD credentials. Obviously the user I'm using is an Administrator of the CMS.
When I try to create this second user I get an error which points that
login name already exists
I can't find or understand what is doing Umbraco when it's configured to use AD as DefaultBackofficeProvider.
Does it try to create an user in Active Directory?
As I thought, the CMS will use the AD as the store of users, but it doesn't create new AD users for you (effectively you can only use the users section in the CMS to assign permission to users who have logged in).
If you wanted the Users section to create AD users for you, you might be able to code something custom yourself?
Related
I am building a native iOS application and want to use AADB2C as identity provider where users login, signup, reset their passwords etc.
I cannot figure out a way to let users signup with AADB2C (or regular AAD for that matter) without redirecting them to a (customizable, but still) microsoft website. To be perfectly clear: I want to let customers create user accounts on AAD from a native iOS form without redirecting them to a website, preferably via REST request. (Like here under "Create consumer user accounts": https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
Can you create users from an iOS app?
Yes, using the Graph API as per the article you showed. You can only create local accounts at this time though.
However you need to be very careful about how you do it given that currently, the ability to create users requires Directory.ReadWrite.All permission, which also allows all other sorts of operations. You should NOT put the client ID and client secret for an app with these permissions in your iOS app. Rather, you would need to create a backend service that exposes an API for your iOS app to call for user creation.
However, more importantly, what you WON'T be able to do is SIGN IN the users without a redirect (which is what the B2C sign up policy does). In order to do this from your own UI without redirects, you would need Azure AD B2C to support Resource Owner Password Credentials Flow so that you can, after creating the user, use this flow to sign them in and get a token.
Note: You would also need to disable Email Verification so that you can leverage the user account right after user creation. You can set this in the Sign-up policy or Sign-up/Sign-in policy via Page UI customization > Local account sign-up page > Email Address > Require Verification > No
Lastly, as an FYI, there's a feature in the works in Azure AD B2C: Customer Owned Domains, which, paired up with UI customization, would allow you to have sign-up/sign-in pages that you can look like your own and have a URL of your own, with no trace of Microsoft for your end users to see.
I installed a Kentico 9.0 website and everything worked fine. Then I tried to configure Windows Active Directory authentication using this documentation: https://docs.kentico.com/display/K8/Configuring+Windows+AD+authentication. However, when I open the URL, the login popped up, I used my working login credentials and the login pops up back constantly.
I changed back the web.config and saw the event log, and there was nothing logged about my numourous login attemps.
The documentation was straight forward, so I am guessing there is a permission issue in my environment. There is one little warning in the documentation but it doesn't say how to do it:
Prerequisite
For Windows authentication to work, the application must be able to access the following attributes of user objects in Active Directory (i.e. the attributes cannot be protected or confidential):
memberof
userAccountControl
My application is in a virtual server in a domain. And the Active Directory service is in different server in the domain. Does it mean I need to do something for my application's permission to AD? I am using NetworkServices application pool identity.
Thanks.
You (your laptop) have to be in company intranet and logged in to your laptop with your AD credentials. If you meet those conditions IE or Chrome should not even prompt you for credentials as they are already known, so browser just passes your AD account information to Kentico.
Once you see the prompt continuously there is something wrong with your setup. Make sure
you configured everything according to documentation (Kentico + IIS)
server/host is in domain
you're in intranet and logged in with AD creds
Usually how Active Directory authentication works is you need to pass it a AD Username and password that has access to read the users. I would check that user's permissions.
I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that) and my question is actually if it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it however possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like that is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (when possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To leave my question not too open, I maybe better just start with that custom login page. When I understand it well, the normal flow when using ADFS to authenticate your users against is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enter his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is ok, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense? I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD but do they just have their own databases?)
Normally if you want a custom login page you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an Identity Manager e.g. PingFederate, OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any API's that explicitly do this.
If you are using ADFS 3.0, these is no ISS so you are pretty much out of luck.
It's not really an answer to my question here, but if someone is interested in what I eventually did: you can read it (very briefly) here.
I'm struggling with my MVC5 webapp that is hosted on Azure. I need to secure it (of course) but I don't want to let the users create yet another account, with another password they can forget.
So I've looked into Azure Access Control (ACS). It looks nice, but the Identity Providers provided are very limited. I'm missing LinkedIn as an IP for example. Therefore a lot of users will have to create a new account with a company emailaddress. Facebook user typically use their private emailaddress.
So Azure Active Directory looks fine. You can federate with a local Active Directory. But after diving into it, it seems that you cannot create a tenant from you code. So the user must first do thing in the Azure portal, and that is confusing and I want to make things as easy as possible.
What do I need:
authentications of users without storing their password myself
creation of new users by code
be able to federate to a customer's Active Directory (on premise or Azure Active Directory)
user must be able to use whatever emailaddress they're using
Do you have good suggestions to accomplish this?
You can manage users in AAD using the Graph API.
Using DirSync or AADSync, you can propagate your on-premise users to AAD.
User will have to logon on-premise and again in the cloud but using the same credentials. (Same Sign On).
Adding ADFS to the mix gives you SSO. (Single Sign On).
Typically, only the corporate domain can be used for email address.
For other applications, look at: Azure Active Directory applications.
I am using active directory to authenticate users on my DNN portal. It's been working fine but recently it does not allow some of the users into the site. It brings the server error (404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.)
The funny thing is that not all the users are having this problem, only a few does. I checked in my Users table and these users exists and they have both the Registered Users and Subscribers roles.
I am running on DNN 4.7.0.
Your help will be highly appreciated.
can use please check that user belongs to all portals or portal have different user
in dnn if you create a user in one portal than it is not accessible outside of that portal