MVC Application endpoint Authentication Required for subdomain - asp.net-mvc-3

I have a c#.net MVC3 application running on Windows Server 2008 R2 Datacenter.
If I deploy the application as an application under the main site (i.e. www.mysite.com/crm) it works perfectly.
If I deploy the application as a sub-domain to the main site (i.e. crm.mysite.com) it appears to work as expected, with the exception of one endpoint (crm.mysite.com/reports/view). That path returns the following authentication notice:
Authentication Required
The server http://crm.mysite.com:80 requires a username and password.
I am not aware of anything special for that endpoint and, as I mentioned, it works without issues when deployed under the main site.
What would cause this? How do I remove/prevent it?
I don't even know what code to provide to help diagnose the problem. Please let me know if you want to see parts of the code for any section related to this issue.
UPDATE:
I don't move the path to the application files for either situation and they both use the same application pool. The only difference is how a user access the files via IIS.
UPDATE2:
If I authenticate a user, I get this error:
Server Error in '/Reports' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Why would it think the resource doesn't exist when clearly it does?

If you have authentication on the main site, it won't automatically carry authentication across to the sub-domain. You would have to develop a mechanism to handle that such as SSO (single sign on).
Another potential issue is permissions for the directory/application (eg. c:\inetpub\wwwroot\crm.mysite.com)

Related

cross application (authentication) issue using react.js, spring, tomcat 8

My team is rewriting an existing web application that has a react.js front-end and springboot backend. In addition, The original (legacy) app is written in java (tomcat 8 & struts) and that will continue to be used for some parts of the site until a later date when we will complete the rewrite. All 3 endpoints are on the same domain in the following format: react.js (mysite.mydomain.com), spring (mysiteapp.mydomain.com), and legacy (mysite.mydomain.com/old). All 3 apps are hosted on the same server, but the application urls all route through our F5, so nothing is pointing to localhost. We did this to use the same SSL certificate across the three apps. The new and legacy apps use the same database. We are trying to make cross app calls between the new and old app. When we make the cross app calls, we want the user session to be maintained between them without them having to log in twice. We have not been able to get this to work. In our latest attempt to authenticate the user to both apps simultaneously, we are using ajax to sign the user into legacy with the same credentials. We are getting the following error back from the legacy tomcat application: HTTP Status 403 Invalid CSRF token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. The server understood the request but refuses to authorize it. We are stumped at this point and out of ideas. Code can be provided on request, but we are looking for the best approach to how to implement this and not as much locked on this path described above.

Google OAuth2 integration Error 400: redirect_uri_mismatch

I'm getting this error Error 400: redirect_uri_mismatch even after giving the proper redirect uri. You can check the images below for the reference. It works for my localhost but it shows this error for my server. My domain looks like https://xxx.topLevelDomain.com. I'm not able to find the possible cause of this issue after surfing most of the issues related to this error. Although, I guess the issue maybe because I'm using a subdomain here, but still not sure if its the issue.
Application info:
frontend is in react hosted on https://someTopLevelDomain.com
backend is in spring boot hosted on https://someSubdomain.someTopLevelDomain.com
Your application is sending from as http to a .com domain
In google developer console you have only one http domain listed and that is localhost
The redirect uri you are sending from must exactly match one that you have added in google cloud console.
To understand how to set up your redirect uri properly check Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications.
where is the redirect uri comming from
Depending upon the programing language, the ide and the client library you may be using will define what redirect uri your application is calling from.
For example i know that visual studio likes to add random ports with C#. I cant tell you what is generating your redirect uri i can only tell you that
The following needs to be added to your google cloud console.
http://________.com/login/oauth2/code/Google
or you need to figuer out what is setting the host on your requests and set it to use https so that you can use the one that you have there now
https://________.com/login/oauth2/code/Google

401 Unauthorized accessing Web API withing Javascript

I have web api that uses windows authentication. I've created my own Active Directory Server and a separate IIS Server. I have registered the IIS server to the domain but for some reason I'm getting a 401 issue when I use the API URL in my Javascript.
But works when using it directly from web browser
Please note that this is the same code (javascript, SQL Server, and ASP.NET Web Api) I'm developing at work. The only difference are the url for LDAP and domain. I have tried everything from changing Windows Authentication Providers. I'm just curious if I need to add my machine as a trusted to the Active Directory which I'm not sure how. I have added the Active Directory User to the IIS with Full Control but still no luck.

Oracle ADF Application and OpenAM

Using OpenAM i am trying to protect an ADF application, i have installed the weblogic policy agent as documented.
i get prompted to login with the OpenAM screens however once logged in and redirected back to the application i get the following error
Error 403 -- Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Is there any logs or anything i can look at to find the exact reasoning?
the only thing i can think of is its something to do with the ADF security.
By default the Agent is running in 'ALL' mode, which means it's also enforcing authorizations for URL (urlPolicy). So you have to create URL policies as well.
However URL policies often do not make sense for Web Apps, so you could change the agent to run in 'SSO_ONLY' or 'J2EE' mode.
BTW the agent debug log (log level set to 'message' in agent profile) will tell you why it's denying access.

AJAX Call to MVC Controller that Calls a WebService

We are working on an internal MVC3 app that purely uses Windows Authentication. There's a view that does an AJAX call to a controller action that does some processing before calling a web service. The problem we are running into is that if Anonymous access is turned off (as in Windows Authentication is on), calling the service from the controller actions results in a 401: Unauthorized error.
We have run into a problem of the double hop issue where credentials aren't passed correctly from server to server when calling a service within a service. I'm wondering if the AJAX call is somewhat mimicing the same behavior and not transmitting the correct Windows credentials to the controller which then doesn't pass the correct credentials to the web service.
I've seen some posts that shows how to pass a username and password along with the jQuery call but nothing mentions, an effective way, to bring along Windows Authentication with it.
Has anyone run into a similar issue? We would rather not leave Anonymous access on the web service as it is somewhat sensitive data that we would like to control access to.
Do you have identity impersonation turned on as described in this question:
How to get Windows user name when identity impersonate="true" in asp.net?
A colleague did some research over the weekend and determined it may have something to do with Kerberos authentication setup on the server as well as the jQuery call. In order to get around it, we just refactored the web service into a library that the application just references. We made it a web service initially as we thought in the future this data would need to be accessed from other applications. Running into this issue, we will most likely make it into a NuGet package.
Thanks for the comments.

Resources