I have installed the ADFS 2.0 on windows server 8, When I am going to fetch the page (FormsSignIn.aspx) which is under adfs/ls dierctory I am getting below error
There was a problem accessing the site. Try to browse to the site again.
I have checked the logs in event viewer and got the below message
Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.
at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)
I have checked all the possible way but not able to reslove this problem.
Please assist.
If you are wanting to utilize Forms authentication in ADFS, you do not access this page directly, rather you configure the ADFS web.config for forms authn and you claims enable your application / service provider (SP). The methods for claims enabling an application can vary depending on the version of Windows Identity Foundation (WIF) used.
Related
I am using Aacotroneo/Laravel-Saml2 and have successfully setup a login system using ADFS. In another system I am using simpleSAMLphp elsewhere on the same domain successfully with WIA so I know ADFS is setup for that and that everything is setup correctly except the laravel application.
I have installed a browser addon to check the SAML logs for responses and requests. The only thing I can think of is that there is no client request ID sent through from laravel.
&client-request-id=d1ccbbdd-d55e-4828-eb24-0080000000b4
Any suggestions are appreciated. If I have missed a saml2 setting I am more than happy to try them, a lot of them don't seem to work or make any difference whether set to true or false.
Is it possible I need to setup encryption certificates and certain true/false combinations?
Thanks
Check this article
ADFS has non-standard SAML2 Authentication Context Class urn:federation:authentication:windows
By default this class has lower priority than urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
I would suggest making the following changes to AuthNRequest:
<samlp:RequestedAuthnContext Comparison=”minimum”
<samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">
urn:federation:authentication:windows
</samlp:AuthnContextClassRef>
<samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</samlp:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
I currently have an asp.net web api 2 site hosted in IIS secured with windows authentication. A requirement has now come in for us to support client certificate authentication in addition to windows, and I'm struggling to find out:
- if this is possible at all
- if there are any working examples available
I thought might be able to add an additional owin middleware or messagehandler or filter, but can't see any existing ones that do this specifically for windows rather than just relying on IIS. I know thinktecture identitymodel can do client cert, but not sure if the two can be combined?
Example of forms +win that i thought might be similar is here https://techblog.dorogin.com/mixed-windows-forms-authentication-for-ajax-single-page-application-e4aaaac0424a
Right so I managed to figure it out. Thankfully, if a controller returns a 401, IIS automatically adds the negotiate/ntlm headers, so if a user is on a windows browser, it will then automatically authenticate as usual. So with that in mind, to keep windows auth working, I:
updated the site in both IIS and VS to allow anonymous AND windows auth
added the [AuthorizeAttribute] as a global action filter (which causes the 401 to be returned if the user is not authenticated by the time they hit the filter)
To get client certificate auth working, I used the magnificent Thinktecture.IdentityModel library, which allowed me to add only one line to my Startup.cs file (we're using OWIN so this was easy)
app.UseClientCertificateAuthentication();
See https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/master/samples/OWIN/AuthenticationTansformation/KatanaAuthentication/Startup.cs for an example
I'm getting this error when I try and access my website:-
HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers.
Most likely causes:
• No authentication protocol (including anonymous) is selected in IIS.
• Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
• Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
• The Web server is not configured for anonymous access and a required authorization header was not received.
• The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.
Things you can try:
• Verify the authentication setting for the resource and then try requesting the resource using that authentication method.
• Verify that the client browser supports Integrated authentication.
• Verify that the request is not going through a proxy when Integrated authentication is used.
• Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.
• Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Detailed Error Information:
Module UrlAuthorizationModule
Notification AuthorizeRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x80070005
Physical Path D:\Logs
Logon Method Anonymous
Logon User Anonymous
More Information:
This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client.
View more information »
Microsoft Knowledge Base Articles:
• 907273
• 253667
I have to use Anonymous authentication only, can anyone help please?
This unbelievably vague question and answer actually led me to the proper solution for the specific problem of HTTP 401.2 Unauthorized against an Anonymous Authentication resource in IIS. The "Authorization Rules" element within IIS allows a explicit Allow/Deny entries, with an explicit option for "All Anonymous Users." Specifying this solved an access problem I spent the better part of a day trying to resolve, and I thought I'd add the additional detail here.
For me, the solution was to go into IIS Manager, select the website, right-click on Authentication, select Open Feature, and then enable Anonymous Authentication.
This SO question has more possible solutions since it seems that there's a myriad of different reasons:- HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers
Ok, Finally i got solution to my problem.
'Authorization Rules' were not set up on system.
I setup required 'Authorization Rules' and able to browse site successfully.
For a mobile application (Cordova & AngularJS), I use Azure Mobile Services with Web Api.
I am currently experimenting with different OAuth implementations to see which one fits my needs the most.
Tried OAuth from ngCordova, OAuth.io, WAMS server flow and Auth0 with WAMS delegation.
I also came across the option using the "JsonWebToken DelegationHandler for WebAPI". With this approach, I should use the "System.Web.Http.Authorize" attribute. When I debug the JsonWebTokenValidationHandler, everything looks good (IsAuthenticated is true etc.), but at the end, a 401 is being returned.
I guess, WAMS overwrites the user principal. A look at the WAMS log reveals that "The 'Bearer' HTTP authentication scheme is not supported." As soon as there is such an authentication token present it seems to get rejected by Azure Mobile Services.
My first thought was, that I can probably remove a specific message handler but that doesn't seem to be the case. Does anyone have an idea to get this to work with WAMS?
There is another post with a question very similar to this one:
Azure mobile service using aad "The 'Bearer' HTTP authentication scheme is not supported" error
You can pass the application key in the header like so:
HttpClient.DefaultRequestHeaders.Add("X-ZUMO-APPLICATION", "<YOUR APP KEY>";
In that link, Matthew mentions details about how to user authentication and posts links on how to set it up properly which you may find valuable.
Folks,
I've got an ASP.NET MVC application that I am attempting to secure using the Release Candidate version of ADFS v2.0 (Geneva). I have configured the application as a relying party trust, and I've used Fedutil.exe to modify the application's Web.config so that it has the information about the Geneva server and uses the Geneva server as its claims source.
However, when I try and hit the MVC app, it redirects to Geneva, which then (after warning me about self-signed certs) re-directs me to the MVC app again. After accepting both self-signed cert warnings, the two servers play ping-pong with each other in an infinite redirect loop until finally Geneva spews the following message:
The same client browser session has made '6' requests in the last '1' seconds. There could be a possible bad configuration. Contact your administrator for details.
There are no errors in the event logs on the MVC side or on Geneva except for an event containing the above message. If someone could give me some information on how to try and debug, diagnose, and hopefully fix this problem, I would be eternally grateful.
Again, the Geneva box is the ADFS v2.0 Release Candidate and the ASP.NET MVC site was built using the latest (late '09) version of the Windows Identity Foundation SDK with Web.config modified using FedUtil.exe from the WIF SDK.
So you will all get a kick out of this... I tried this same application from Firefox and ... IT WORKS. I get prompted for my domain credentials, the ADFS v2 server re-directs me ONCE and then I end up on the home page of my application, complete with my account name and personalized greeting.
So now the real issue is this: Why the hell is IE8 getting caught in an infinite redirect loop and Firefox ISN'T ??
After even further testing, I've been able to get this scenario working, out of the box, without modification of any of the default pipeline stuff from ADFS v2 (RC) or from WIF (RTW) on BOTH Safari AND Firefox. IE8 is the ONLY browser to exhibit any problem dealing with this authentication scenario. I've tried everything, including installing and trusting the self-signed certs, adding the sites to my local intranet zone and dropping security to low and even setting first AND third party cookies to always allow.
I had the same issue with ADFS 1.0
And to resolve it, I made sure that the URL had a trailing forward slash "/" that would always work in FireFox as well as IE
eg : https://somedomain.com/Application_2/
Turns out that the host name of the relying party had an underscore in it (khoffman_2). Apparently, the underscore is an illegal DNS character and ONLY IE will reject the information with the underscore in it.
I renamed my machine from khoffman_2 to khoffman2 and the ADFS v2/MVC relying party combination works flawlessly on Firefox, Safari, AND IE.
While this isn't your problem, we have had identical problems to what you described. Our solution was to:
Enabled Basic Authentication in IIS (this solved nothing but was required for the next 2 steps)
Disable Windows Authentication in IIS (this solved the problem for some IE browsers but not all)
Disable Anonymous Access in IIS (this solved the problem for the rest of the IE browsers)
Jaxidian's answer is close.
In my case I only had to:
Windows Authentication -> Disabled
Anonymous Auth -> Enabled
ASP.NET Impersonation -> Disabled
Forms Auth -> Disabled
Windows Auth -> Disabled
This loop can occur when a user is not authorized to access a page.
We had a custom authorization attribute on our MVC controller that checks to see if the user was in a role based on the claims provided if the setting for UseADFS was true in the config files. I thought this setting was set to true and was confounded that I kept getting the adfs loop when accessing the page because I was in the groups that were authorized to access the page.
The key to troubleshooting was to make a web page that displayed my adfs claims without necessarily requiring authentication.
#if (User.Identity.IsAuthenticated)
{
<div>UserName: #User.Identity.Name;</div>
var claimsIdentity = User.Identity as System.Security.Claims.ClaimsIdentity;
<table>
#foreach (var claim in claimsIdentity.Claims)
{
<tr><td>#claim.Type</td><td>#claim.Value</td></tr>
}
</table>
}
I noticed that I was getting logged into ADFS, and my claims were getting set, so ADFS was working. The actual issue was my config file had UserADFS="true" instead of UseADFS="true" which basically caused my custom authorization code to return false on authorization. Therefore, the page kept forwarding me back to adfs to authenticate again.
Anyways, if a user does not have the correct claims to access the page, then this adfs login loop can occur, as well.
Also, if you wrote a custom authorize attribute be sure to check out the following link which describes how to prevent the loop.
Redirect loop with .Net MVC Authorize attribute with ADFS Claims
Custom HandleUnauthorizedRequest handler code for AuthorizeAttribute from that link:
protected override void HandleUnauthorizedRequest System.Web.Mvc.AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.IsAuthenticated)
{
//One Strategy:
//filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
//Another Strategy:
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary(
new
{
controller = "u",
action = "LoginStatus",
errorMessage = "Error occurred during authorization or you do not have sufficient priviliges to view this page."
})
);
}
else
{
base.HandleUnauthorizedRequest(filterContext);
}
}