I am using a digest like (but not digest) custom authentication scheme where the authentication header field of the http request contains username:encryptedtokendata
I do not have any problems with this scheme on on Windows 7 and Azure emulator. However when I deployed my service to Azure's Windows 2008 Server SP2 my authentication header fails to make it through to my wcf service. It is null.
IIS on Windows 7 & Windows 2008 Server has both anonymous and membership authentications enabled (because i use membership for certain authentications). Every other authentication is disabled.
Any ideas what might be causing this issue for me? I searched stack-overflow and google up and down without any luck.
I would check and make sure your authentication module is getting installed in Azure and that it is listed correctly in IIS there. You should be able to remote into the instance and troubleshoot it just like you would on premise.
Related
I am moving some old web applications from an old Server to a Server 2016. We are using a domain account for the application identity and we need to use windows authentication. I am getting a 401.3 error when I try a test.html page on the server. I am only getting this for static content though as I tried a home.aspx page and that page worked.
Things I have tried/checked
Static Content is installed under the Common HTTP Features
The domain account used for the app pool has full access to the directory containing test.html
Tried NTLM first as provider instead of Negotiate on IIS Windows Authentication Providers
Tried "Enable Kernel-mode authentication" checked and unchecked
Tried all settings of "Extended Protection" under Advanced settings for windows authentication.
Tried ProcMon. All I get when I filter for test.html is 2 QueryOpen operations with result SUCCESS
The solution for this was that we need to have the account that was running the application pool set up in the "Impersonate a client after authentication." Our local group policy had this locked down. I am guessing the default install may have IIS_USRS group in this policy but our server did not.
I need to be able to verify if a new siteminder web agent is already registered on the policy server. Is it possible to do this using Java?. I couldn't find the 12.5 SDK details or sample files.
Any input is welcomed.
The PolicyMgmtAPI in the Java SDK is what you are looking for. I have done this sort of thing with the Perl PolicyMgmtAPI (get trusted host, get agent, etc...)
If you want to do this from the Policy Server it is pretty easy. If you plan on implementing this type of thing in an application server you will need to also create a 4.x agent in order to communicate with the Policy Server for the PolicyMgmtAPI calls.
I have deployed an MVC 3 website on IIS of my Windows Server 2003 edition. I have set the authentication to Basic, Integrated, and Windows in order to enable site to use Windows authentication, and automatically log in into website if the user has launched the site from the same domain. If user access the site from another domain, it should prompt the Windows credentials and should allow user to log in.
However the problem is that, user is presented with Windows login prompt every time (irrespective to same or different domain), and also when user provides valid credentials it doesn't allow user to access the site.
What could be the problem here? Or, can anyone provide me proper guide to configure IIS to use Windows Authentication while deployed on Windows Server 2003?
What is the version of IIS you are using ? Could you try to force NTLM authentication and see whether it will change anything ? Followin technet article will tell you how to change to NTML http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx?mfr=true. Please backup the server/iis configs before attempting any modifications to the metabase
I have a WebApi project that wraps the Dynamics CRM Online web service and provides a REST api. I have a simple controller that gets some contacts from CRM and returns them to the caller.
Everything works fine when I run it in the local emulator. However, when I deploy the project to Azure, I can reach the home page, but the controllers all return http 500 errors. Why would this happen? And how can I troubleshoot to get more details?
UPDATE
The issue is with the absence of Microsoft.IdentityModel.dll on the Server 2012 instance running the web role in Azure. I found this by opening web role instance in RDP, installing Fiddler, and making the request from Fiddler to the local IIS server. It responded with the detailed error.
Now my issue is figuring out how to enable IdentityModel on a Windows Azure Web Role. You're supposed to be able to add it via the Server 2012 Add Roles and Features wizard, but it's totally locked down on the Web Role. You can't check any boxes that aren't already checked. Is this even possible?
The issue is giving the Web Role access to Windows Identity Foundation when it's inherently not there. Marc Schweigert provides clear steps to do this here:
http://blogs.msdn.com/b/devkeydet/archive/2013/01/27/crm-online-amp-windows-azure-configuring-single-sign-on-sso.aspx
Go to the 23:00 mark of the video and you'll see the 4 necessary steps:
Reference Microsoft.IdentityModel.dll (need WIF SDK installed)
a. Set copy local = true
Create RegisterWIFGAC.cmd in your web role project
Create Startup Task in ServiceDefinition.csdef that invokes RegisterWIFGAC.cmd
Add GacUtil to the project (used in the startup task) to put Microsoft.IdentityModel.dll in the GAC every time the web role starts).
Can a computer that is NOT a part of the domain (but is on the network) authenticate against to a web site published by IIS8 where the authentication for that site is "Windows Authentication" only with a single provider of "Negotiate:Kerberos" (and with Kernel-mode authentication disabled)?
I ask because I am trying to do just this, but I cannot get past the authentication to the site (yet alone trying to pass the authentication to the database). I see the "WWW-Authenticate: Negotiate" header on the response to the client, but the client only ever seems to send a "NTLM Type1: Negotiation" (NTLMSSP) in the subsequent (re)requests. Either that or I am interpreting the results from Fiddler2 incorrectly!
I am using Kerberos as most of the clients will be domain computers and I need to pass user credentials from the web application back to the database. I was hoping that I would be able to do the same with non-domain computers and they would simply be prompted for a username/domain/password that would be validated and converted to a Kerberos ticket on the server.
Note that for testing purposes, Windows 8 is both the server and the client. In production, the server will be Windows 2008 Server R2 and the client will be primarily Windows 7 (though there will be some Windows 8 clients).
Kerberos will not work on accounts/computers which are not part of the domain.
You have two options to achive your goal:
Request the user data with Basic auth and pass that to LogonUserEx. See this for answers.
Authenticate the user by other means and use S4U2self (protocol transition).