Silverlight app accessing files across web apps -- clientaccesspolicy.xml asks for login - silverlight

In SharePoint 2010, I have a Silverlight app running on WebApp1 which accesses a file on WebApp2.
Every time this happens, I see a login window pop up asking for credentials to access WebApp2. In Fiddler, I'm able to see that this comes after a 401 response to an attempt to access ClientAccessPolicy.xml on WebApp2.
After entering credentials, I no longer see the login window, but as soon as my session expires, I'm prompted for it again.
I'm logged into the box as an administrator and I am a domain administrator on both WebApp1 and WebApp2.
I've checked folder AND item permissions on ClientAccessPolicy.xml and 'Everyone' has Read permissions at least. I've tried giving myself explicit full-control permissions as well.
How can I get it to stop prompting me?
I've played with a ton of IIS security settings (IIS-wide authentication, site-level authentication, IIS Manager Permissions...) in addition to adding both fully-qualified URLs for WebApp1 and WebApp2 to "Trusted Sites" in IE9, where I've set User Authentication to "Automatic logon with current user name and password".

Related

SaaS Application with Azure AD authentication as MS Teams App with App Studio

My company is using the service Aha! Ideas for internal idea-sharing. Everything is set up correctly with Aha!: the site loads and requests the user's email. Once they enter it, the Microsoft credentials from the host machine are used for SSO and they are redirected to the secure page. On machines where the user has not authenticated against our domain on the workstation, they are redirected to the Microsoft login, and after they log in, the user is redirected to the site.
So Great!! that is all working perfectly.
Now, I go into App Studio in Microsoft Teams and set up the site to load as an app in the sidebar. I have added the main URL as a tab, I have set up the Valid Domains and included login.microsoftonline.com, and I have set the AAD App ID to the one used in the SAML2 setup of Aha!.
When I load the app I get the page requesting my email, this is from Aha!, and when I submit it should use SSO from Teams to log me in. I am logged in to Teams using my company Microsoft Account. At a minimum, it should redirect to the login.microsoftonline.com and request my username and password. Instead, I get nothing but a blank page.
Anyone have any ideas as to why it's not working, or what I might have done wrong?
'SSO' in the truest sense with Teams definitely won't work: it requires changes to the app itself, which you don't control. But even aside from that, depending on how the app ends up doing its authentication, this still might not work, as you're seeing. Is there maybe a chance Aha! is working on Teams integration?

Episerver unable to see home page without login

I have an Episerver application, but I am unable to access any page of it, as it redirects me to the /util/login.aspx page all the time and I do not have the login credentials with me right now.
Is there any way to skip that authentication or fake a login using any other technique?
Thanks.
Unless you have an SQL provider for authentication, the username and password will come from the domain or the local computer.
If you are running an epi site locally you typically configure it to use the login credentials (i.e. windows role and membership) from your local computer.
Read more at https://world.episerver.com/documentation/developer-guides/CMS/security/Authentication-and-authorization/
Does the "Everyone" user group have Read permission for the pages?
If you're running the site locally, you can skip authentication altogether by modifying the applicable <location /> element(s) in web.config, allowing you into admin mode to validate permissions.

Kentico website with Windows Active Directory authentication and authorization

I installed a Kentico 9.0 website and everything worked fine. Then I tried to configure Windows Active Directory authentication using this documentation: https://docs.kentico.com/display/K8/Configuring+Windows+AD+authentication. However, when I open the URL, the login prompt pops up; I enter my working login credentials and the login prompt keeps popping up again constantly.
I changed the web.config back and looked at the event log, and there was nothing logged about my numerous login attempts.
The documentation was straightforward, so I am guessing there is a permission issue in my environment. There is one little warning in the documentation, but it doesn't say how to do it:
Prerequisite
For Windows authentication to work, the application must be able to access the following attributes of user objects in Active Directory (i.e. the attributes cannot be protected or confidential):
memberof
userAccountControl
My application is on a virtual server in a domain, and the Active Directory service is on a different server in the domain. Does it mean I need to do something about my application's permissions in AD? I am using the NetworkService application pool identity.
Thanks.
You (your laptop) have to be in the company intranet and logged in to your laptop with your AD credentials. If you meet those conditions, IE or Chrome should not even prompt you for credentials as they are already known, so the browser just passes your AD account information to Kentico.
Once you see the prompt continuously there is something wrong with your setup. Make sure
you configured everything according to documentation (Kentico + IIS)
server/host is in domain
you're in intranet and logged in with AD creds
Usually the way Active Directory authentication works is that you need to pass it an AD username and password that has access to read the users. I would check that user's permissions.

How does the ADFS know that you are logged in?

So we're working to implement SSO. We are using an Active Directory Federation Server to 'tell' our website that a user is logged in via his Windows machine.
So the flow is like this:
1. http://ourwebsite.com --> redirects to:
2. http://adfsURL.local --> will know that I am logged in to my Windows machine and passes me the token for:
3. http://ourwebsite.com --> I'm logged in now
What I fail to understand is how step 2 knows that I am logged in. It is just a URL that I go to, so a webserver catches this and then what? Does it check the IP address of the request and then check if there's a user logged in from that IP? Or do I misunderstand something else completely?
It uses Integrated Windows Authentication - see here and here. (Kerberos).
"Unlike Basic authentication, Integrated Windows authentication does not initially prompt for a user name and password. The current Windows user information on the client is used for Integrated Windows authentication. If the authentication exchange initially fails to authorize the user, Internet Explorer prompts the user for a Windows account user name and password, which it processes using Integrated Windows authentication. Internet Explorer prompts the user for the correct user name and password up to three times.
If, however, the user has logged on to the local computer as a domain user, then no authentication is required when the user accesses a network computer in that domain."
For this to work, the browser has to be configured correctly.
Refer to: Windows Integrated AuthN.
So what I've found is that for URLs that are in the 'local zone' of your PC, browsers will actually support sending over login information to the server of that URL, if the server requests such information.
It's called NTLM, and browsers will use it to login to a server using your Windows 'credentials' (not your username/password but some token).
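The challenge handling described in the answers above (a 401 offering Negotiate/NTLM, silent logon only for local-zone or explicitly trusted hosts, and up to three prompts after a failed exchange) modelled as an added Python example; this is not code from any poster on this page. The zone rules are simplifying assumptions: a dotless hostname counts as the Local intranet zone, and any other host sends credentials silently only if it is in a caller-supplied trusted-sites list with automatic logon enabled.

```python
# Added example: simplified model of a Windows browser's reaction to an HTTP 401
# challenge for Integrated Windows Authentication. Zone rules are assumptions.
from urllib.parse import urlsplit

INTEGRATED_SCHEMES = ("negotiate", "ntlm")
MAX_PROMPTS = 3  # IE prompts for a user name and password up to three times


def parse_www_authenticate(headers):
    """Return the lowercase auth schemes offered across all WWW-Authenticate headers.

    `headers` is a list of (name, value) pairs; a server may send "Negotiate" and
    "NTLM" as separate header lines, and Basic carries a realm parameter.
    """
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        scheme = value.strip().split(None, 1)[0].rstrip(",")
        schemes.append(scheme.lower())
    return schemes


def zone_allows_auto_logon(url, trusted_auto_logon=()):
    """Assumed zone policy: dotless host = intranet; otherwise only listed trusted sites."""
    host = (urlsplit(url).hostname or "").lower()
    if "." not in host:
        return True
    return host in {h.lower() for h in trusted_auto_logon}


def handle_challenge(url, status, headers, trusted_auto_logon=(),
                     silent_tried=False, prompts=0):
    """Return the browser's next action: 'none', 'silent', 'prompt' or 'give_up'."""
    if status != 401:
        return "none"
    schemes = parse_www_authenticate(headers)
    if not any(s in INTEGRATED_SCHEMES for s in schemes):
        # No Windows-integrated scheme: Basic can still be answered by prompting.
        return "prompt" if "basic" in schemes else "give_up"
    if not silent_tried and zone_allows_auto_logon(url, trusted_auto_logon):
        return "silent"  # send the Kerberos/NTLM token for the logged-on user
    return "prompt" if prompts < MAX_PROMPTS else "give_up"


# Constructed sample: the 401 a fully-qualified WebApp2 might return for the policy file.
SAMPLE_401 = [("Content-Length", "0"), ("WWW-Authenticate", "Negotiate"),
              ("WWW-Authenticate", "NTLM")]
FQDN_URL = "http://webapp2.corp.example/ClientAccessPolicy.xml"
SHORT_URL = "http://webapp2/ClientAccessPolicy.xml"
```

Running `handle_challenge(FQDN_URL, 401, SAMPLE_401)` yields "prompt" until the host is added to `trusted_auto_logon`, which matches the behaviour the first question describes for fully-qualified URLs outside the intranet zone.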

Custom domain app requesting permission to access Google Account

I refer here to the page you are redirected to after you log in to a GAE app with your Google account, which asks for your permission to access your Google account.
Put this together with a custom domain and HTTPS and you get my problem.
Sorry for the lengthiness. I searched everywhere. Didn't find anything. Not sure it is an OAuth issue (think not).
My configuration:
developed myapp.appspot.com
configured custom domain myapp.mydomain.com to point to myapp
myapp is making use of GAE login service
need for https posts from custom domain (!), solved as follows:
page is loaded in HTTP from http://myapp.mydomain.com
some submit HTTPS URLs are hardcoded in the page, as https://myapp.appspot.com/someservice
same domain policy resolved server side by means of http headers
GAE login service applies both to http://myapp.mydomain.com handler AND https://myapp.appspot.com/someservice handler
The workflow is:
user not yet authenticated
user browses http://myapp.mydomain.com (not SSL)
user is redirected to the Google account login page
user logs in
user is redirected to the above-mentioned page: myapp is requesting permission to access the user's Google account
user grants his permission
user is in - OK
Now comes the problem:
user submits to https://myapp.appspot.com/someservice (so that data is transmitted over SSL), which is login_required-decorated
login is OK, the user is not redirected to the login page again,
I think this is because the Google login is cross-application (the same should happen if the user was already logged in to Gmail, say)
but now https://myapp.appspot.com/ is again requesting permission to access user's google account - and this is the problem
The user is prompted TWICE to grant permission to myapp to access his account:
once when he browses to http://myapp.mydomain.com
and another time when he submits data to https://myapp.appspot.com/someservice
My user doesn't like it, and neither do I!!!
I suspect this is because the user answer (Allow or No Thanks) is saved server side with respect to the URL of the app
and not with respect to some other unique id of the app.
But I have no idea how to solve it or at least work it around.
Thank you for your patience in reading up to here.
Any help would be appreciated.
The cookie that is issued for the user's session is per-domain and per-protocol. As a result, the same session won't work on the appspot app and on your custom domain. This isn't an App Engine limitation - it's simply how HTTP works.
The best solution, currently, is to put the form itself on HTTPS as well (which is in general a good idea anyway).
