I'm trying to use Azure AD as a standin for production level ADFS systems during development of an application. Up until today, everything worked fine. I don't know what I touched to break everything, but now I'm getting the following error:
AADSTS700016: Application with identifier 'https://foo.bar.localhost:44300/' was not found in the directory '[[GUID]]'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
I don't know what's changed, or why this worked last week and not today. I've been trying to change any number of settings - even deleted the app and re-created it, and nothing seems to help. Most of the other articles online keep referring to old versions of the Azure portal, so the clicks/links/menus that they are referring to no longer apply. There's a little popup on my sign in screen that says that I can enable "Advanced Diagnostics", but I don't know where those results show up so that I can see it.
Some things that I've checked:
- Under "App Registrations", the Endpoints for "Federation metadata document" and "WS-Federation sign-on endpoint" match what my application is using (so I'm going to the right place).
- When I click my application, under "Authentication", the Redirect URIs contains "https://foo.bar.localhost:44300/". I've tried with or without the trailing slash (and, sometimes, both).
Those are the biggest two places that other articles imply there may be an issue. Does anyone have any other ideas? Are there specific user-level things that I should be doing? Has something changed (very recently) that would be affecting my ability to use this feature? How are Enterprise Applications related (they're a Premium feature, and my Subscription is not)? I need to get my log-ins working again so that I can get my development process back underway. Thanks!!
Finally found the right setting. Turns out, many of my old applications were created when I was a "personal" user. I've since become a domain/work user, and it puts some things in place differently than before. In this case, I had to change the Application ID URI listed under "Expose an API" for my application. Setting this (where it wasn't set to anything before) allowed my application to be found and my login to succeed.
Related
I know this looks like a dumb question, but I just found out that, last month, something terrible happened to my GitLab instance: someone signed up on it and became admin himself, without my invitation, as I was the only administrator. So he wiped off every internal and/or private project inside of it, groups too (and I don't even know whether he had stolen all of them before erasing or not, I'm worried because they were proprietary code). How did it happen? Does this have anything to do with, since the version was CE-13.3.0? If so, would version upgrading be enough to be safer, or should I make some particular configurations, such as disabling sign up page?
It is best to follow "GitLab instance: security best practices", which does include indeed:
Ensure open sign-up is disabled on your instance.
Open registration is disabled by default on self-managed instances with GitLab 13.6 and above installed.
If new sign-up is enabled and your instance is open to the internet, anyone can sign up and access data.
Administrators who would like to further restrict access on their instance can follow our documentation on how to configure user access.
Regarding the CVE mentioned, follow also "Action needed by self-managed customers in response to CVE-2021-22205", in your case: "CVE-2021-22205: How to determine if a self-managed instance has been impacted" (unless the log events have been wiped out as well).
We created an application with SCIM support over two year ago now and it always worked fine. However recently we have been getting reports from customers that users were no longer deleted/disabled from the target enterprise application.
I already saw there was another question like this one a few years back but that seems resolved and this seems like another issue.
We did a little research on our own and noticed that azure is not sending any requests at all when we remove a user from the assigned user list. We checked the incoming logs from our application and IIS logging and both do not show any requests are sent our way. (we do get logs from POST/GET/PUT of other provisioning related tasks, like creating a user).
In azure audit logs we do see the following:
Remove app role assignment from user
Add a deletion-marked app role assignment grant to user as part of link removal
Which seems to me that azure is doing something, it's just not sending it to the targeted application
Current situation:
We have user A that was created in azure ad and is assigned to our application. Provisioning configuration was done by means of SCIM in azure. And the user is also created in our application, so the connection seems fine.
When I remove the user from the assigned user list in our enterprise application, I expected that counts as a softdelete, causing Azure to sent a PATCH or a PUT to set the active property of the user to false. In case I would delete them entirely from AD I expected them to be removed with the DELETE. I read that it takes up to 30 days which is no problem, but the problem is that user that are no longer assigned are still active in the target application, which is no good.
I have some basic properties mapped on the user and the one thing that might be involved with this issue would be the Not([IsSoftDeleted]) mapping which is mapped to our active property. I don't see how that is wrong, but that's all I can think of at this point.
Anyone that can has any idea what is going here?
Thanks!
I have had contact with Microsoft regarding this issue and it seems to be a bug on their end which they are currently correcting. It is part of a larger set of bugfixes all regarding similar issues so they could not give me a specific time when this specific issue was resolved, but they think around the 10th of July (2020).
In any case, as this was a bug due to changes pushed by MS this is no longer an issue to be solved.
Update:
I have received some replies that a few bugs were fixed connected to this issue but not all. I'm currently on vacation so i'm not sure if the main issue is fixed as well. They did promise a fix fast though.
For now all I can give you is a workaround. The issue happens when the only change that is happening is the unassignment of users, it simple won't execute this until at least 1 property from an assigned user is also changed. When anything is changed, it will fix all unassignments and disable them all, even if the unassignment was in a different sync cycle. So until the actual fix is pushed, that might be helpful to know.
I will keep this thread updated if I get more information.
Ps: The Azure team requested that if anyone else also ran into this issue they report it through Azure. Their dev team will see if your problem matches up with my issue or if it's something new. So please do that as well.
I finally decided to give Azure a try and the first thing I do - creating a simple web site - fails with: Creation of web site 'null' failed. Details say: Provisioning failed.
I am simply trying to "quick create" a simple website. Researching the Web, I see other people with the same problem, but no real solution.
I do have an active "Visual Studio Ultimate with MSDN" subscription and $150 of unexpired credits.
I must be missing something very fundamental.
Seems to be known issue:
A number of users have experienced “Provisioning Failed” errors when
attempting to deploy Windows Azure Websites. This is a known issue
with the trial version, and there is an active discussion thread on
the MSDN forums here.
It is expected that this is a temporary problem that will be fixed
soon, in the meantime there are a few things you can try: Ensure
database passwords do not contain special characters like ', ", =,
etc. Try creating a website without a database, database creation may
be causing the error. Try deploying the site in a few hours, it may be
a temporary problem in the data center.
So, to put some closure on this, I contacted Microsoft Support and they suggested trying to login to the portal through an anomymous/incognito browser session. Once I did that, I was able to create a website.
Mind you, having cleared all persistent data (cookies, etc.) in the regular browser, I still cannot do anything in Azure, from several different machines. But at least the incognito session is a workable workaround.
I've been playing around with the new "Websites" feature of Azure (which I believe is still in beta), but I've run into a problem. I've got two subscriptions associated with my account - one for personal use, the other for my company. And of course, I'd like to be able to specify which subscription is used when I create a new website. But when I try to create a website, it always picks my second subscription, and never gives me a chance to specify which one I'd like to use. Nor can I figure out how to move the website to a different subscription after I've created it.
I've walked through this several times now, and I can't spot any place where I can specify which subscription to use. Is this just a beta glitch? Or have I missed something?
I ran into the same thing, called MS support. Switch back to the standard portal to make this change.
To get to the old portal hover over the green "preview" button at the top. This doesn't seem to work in Chrome for me, just IE.
Do take a look at my response on MSDN Forums for a similar question there: http://social.msdn.microsoft.com/Forums/en-US/windowsazurepurchasing/thread/d9624b03-1d6c-484a-9fa8-8548c35a9d4f/. Basically you would need to activate this feature for each subscription separately since it is in preview mode.
Starting today, whenever I try and use security editor on either of two similar roles I get a timeout. If I try again IIS reaches an error threshold of some kind and stops that Application Pool. Then all of our users receive a "Service Unavailable" message from IIS.
I can edit other roles. This error can be recreated.
I assume I have some kind of database corruption, but I can't find an error that helps me in Event Viewer or the Sitecore logs. Where else can I look for more detail?
IIS6, Windows Server 2003, Sitecore 6.2
It sounds to me like you've got a circular reference in your roles.
Are you using the default role provider, ASP.NET membership? If so, try using the default Microsoft security tools (you can get at 'em via Visual Studio). If that doesn't work, you can programmatically modify these roles using the API.
Also, I believe there is a known issue which may be fixed in a 6.2.x update. I would check the change list at SDN. Here: http://sdn.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%206/ReleaseNotes/ChangeLog.aspx
Yep... take a look at the 6.2.0 rev 100701 update list.