I have developed a google app engine application which supports integrated windows authentication using JAAS.
For enabling integrated authentication on Mozilla firefox i have made following configuration
network.negotiate-auth.trusted-uris = domain of the trusted uri
network.negotiate-auth.allow-non-fqdn = false
network.negotiate-auth.allow-proxies = true
network.negotiate-auth.using-native-gsslib = true.
My application doesnt support ntlm so havent made any configuration related to that.
Everything works fine locally. I mean the browser is able to get kerberos service token and send it to my application.
But when I deployed in google app engine. Then browser unable to send kerberos token. I always got NTLM token.
Below is the flow
1. I hit the trusted url from mozilla browser from local network.
2. My application challenges browser for service token with 401 Negotiate challenge
3. Browser tries to get service token.
4. I observed that it sends NTLM token.
I want to know why the browser is sending NTLM token to app engine and how should I handle such scenario ?
Related
Components:
HTML, Bootstrap, AJAX Single Page Application (SPA) --> Deployed on-premise on tomcat 1
Azure Application Proxy 1 fronting SPA with pre-authentication as passthrough
REST API (API) --> Deployed on-premise on tomcat 2
Azure Application Proxy 2 fronting API with pre-authentication as Azure Active Directory
Microsoft MSAL Javascript library: https://github.com/AzureAD/microsoft-authentication-library-for-js
Flow:
User accesses SPA using Application Proxy 1 external URL eg. https://appProxy1.com/spa
The SPA has a sign-in button, when clicked invokes the Microsoft js MSAL library.
The user is presented a pop-up and upon entering credentials, is authenticated against Azure AD and an OAuth token is fetched.
Once authenticated successfully, the user is allowed to perform search on the SPA.
When the user searches, the SPA invokes the REST API using the application proxy 2 url eg. https://appProxy2.com/rest/.search
The REST call is blocked by browser due to CORS. It seems that Application Proxy/Azure AD is not allowing cross origin calls.
Note:
CORS has been enabled in the REST API code and SPA is able to invoke the REST API if Application Proxy 2 pre-authentication mode is set as passthrough.
I have gone through https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-understand-cors-issues. This workaround is possible if HTML application and REST service are deployed on the same application server.
Question:
Is there any option to enable/configure CORS on Application Proxy.
Currently there is no way to configure/enable the CORS on Application Proxy.
There a user voice request for CORS App Proxy. Please feel free to up vote this user voice request.
I'm implementing a Power BI Embedding solution into third party application which uses the same Active Directory as Power BI. However the application has URL with HTTP and not HTTPS.
Now, for getting the authentication token for embedding, I've created Azure AD Web App and I want to add Redirect URI for that application, but it is not allowing me because it is HTTP.
What can be the solution to get authentication token for Azure AD for embedding?
Thank you.
Apps that are registered for Microsoft identity platform has Restrictions on redirect URLs. The redirect URL for web apps and
services must begin with the scheme https, and all redirect URL values must share a single DNS domain. http://localhost is also supported as a redirect URL.
You can create self signed certificates for https domain (for test purpose).If your app runs in Production Environment, it should be signed by a
trusted certificate authority.Check here to know more.
Refer this post for : Trust a self signed cert from IIS
I need to make an app via app engine, I am familiarizing with the [demos] (https://github.com/google/earthengine-api/tree/master/demos). I have successfully deployed all of them except for "export-to-drive". I am able to deploy it, but I get a 500 Internal Server Error. It is the same on the cloud shell, but when I run it locally it run well.
Since the web console shows no error, I checked in the cloud shell console and got those errors:
redirect_uri_mismatch
invalid_grant
I tried to authorize all the redirect domains I could think of, but nothing changes. I know it is not my API key because it is working when I run the code locally.
You need to set up both Service account and OAuth 2.0 Client ID credentials to authorize requests to Earth Engine.
Make sure that client_id and redirect_uri are properly configured as instructed here
Note that the value redirect_uri must match an authorized URI you have set up in API console > Credentials >
Client ID for Web application > Authorized redirect URIs
.
I have MVC application hosted Azure and secured by Azure AD. We use OWIN middle ware cookie authentication and openidconnect approach for authentication by Azure AD. We have below observation which appears to be security flaw.
1) Access application in chrome browser. After Azure AD authentication redirects , application is loaded fine. By now , there will be a authentication cookie created by OWIN with name ".AspNet.Cookies" which is in memory cookie , meaning the cookie will be lost once browser is closed.
2) Now copy the cookie ".AspNet.Cookies" and close the browser. In memory cookie is deleted. However if we initiate a request ( proxy request using fiddler) to application by attaching the cookie , the server accepts the cookie and application is loaded.
What this implying is that , cookie generated from one browser session could be reused with another browser session.
This looks like a security flaw. is there a way to fix the problem. Or we are missing any settings on Azure AD ?
Any inputs are highly appreciated.
Thanks,
Madhu
We have developed a web application using angularjs and web api. The application is deployed in IIS 8.5. Users are in AD domain, our site is added in local intranet zone and also selected automatic login only in intranet zone option.
We are using web api token based authentication using OWIN in our application. So we disabled all IIS authentication methods other than anonymous authentication. The token will be generated at the server side while login to the application and this token will send back to the client side. We are saving this token in sessionStorage and will attach in the http request header like "Authorization : Bearer auth_token".
But in some times, mostly if we wait more than 1 minute, we could see that "Authorization: Negotiate some_token" is sending in our api calls. So the server will respond with a 401 unauthorized error.
Anybody experinced in same?
Thanks in advance
We were able to avoid this issue by applying
document.execCommand('ClearAuthenticationCache', false);
in our app.js file.
By enabling anonumous authntication at the rool level also solves our issue.