Cannot verify AD user unless refresh application pool - iis

I have a .NET website using AD user credentials. The website is deployed on IIS 8. The users are frequently unable to log in as the AD server cannot authenticate the user. Username/password are correct. However, if I recycle the application pool then the users are able to log in again. This happens almost every day, or sometimes even every couple of hours.
    ' Tries every configured MembershipProvider (System.Web.Security), e.g. an
    ' ActiveDirectoryMembershipProvider, and accepts the first one that validates
    ' the credentials. EAuthenticationResult is the site's own enum.
    Dim result As EAuthenticationResult = EAuthenticationResult.NotAthorised
    Try
        For Each provider As MembershipProvider In Membership.Providers
            If provider.ValidateUser(userName, password) Then
                result = EAuthenticationResult.OK
                Exit For
            End If
        Next
        'result = EAuthenticationResult.OK ' REMOVE --BRIJESH(Bypass authentication)
        If result <> EAuthenticationResult.OK Then
            ModelState.AddModelError("_FORM", "The username or password provided is incorrect.")
        End If
    Catch ex As Exception
        ' Any provider exception (for example a failed LDAP connection) lands here;
        ' ex itself is never logged, so the generic message hides the root cause.
        ModelState.AddModelError("_FORM", "Failed authenticate the user against AD.")
        result = EAuthenticationResult.Failed
    End Try
    Return result
The server is load-balanced and currently the issue is occurring on one of the servers. It returns "Failed authenticate the user against AD." but I am not able to see the details. In the application pool log the following error keeps occurring on the server where the issue is happening. Not sure if it is related.
> Event code: 4005
> Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
> Event time: 20/05/2019 9:15:23 AM
> Event time (UTC): 19/05/2019 11:15:23 PM
> Event ID: 14857b08bdfe4bf996c34404b09c936b
> Event sequence: 523
> Event occurrence: 25
> Event detail code: 50202
> Application information:
> Application domain: /LM/W3SVC/1/ROOT/StudentSupportServices-1-132027582820585785
> Trust level: Full
> Application Virtual Path: /StudentSupportServices
> Application Path: D:\Inetpub\legacyprivate\eduweb.StudentSupportServices\wwwroot\
> Machine name: PRWWWFN03
> Process information:
> Process ID: 6704
> Process name: w3wp.exe
> Account name: *****
> Request information:
> Request URL: ****
> Request path: ***
> User host address: *****
> User:
> Is authenticated: False
> Authentication Type:
> Thread account name: ****
> Name to authenticate:
> Custom event details:

Related

Azure Mobile App with MSAL JWT validation failed IDX10500

I am trying to authenticate a Xamarin.Forms app against my Azure Mobile App backend (which has been set up to use Azure AD authentication) using the Microsoft Authentication Library (MSAL). This is so that the app can access tables, API controllers etc., but I am having issues authenticating fully.
In the app (client side) it kind of seems like I am able to log in successfully, because I get the Azure AD login screen in the Safari web browser, but straight after entering my credentials I get redirected to the app and am presented with the following error from MSAL:
You do not have permission to view this directory or page.
I did some digging and attached a debugger to my Mobile App backend and that revealed the following:
Microsoft.Azure.AppService.Middleware Verbose: 0 : Received request:
POST https://myapp.azurewebsites.net/.auth/login/aad
Exception thrown:
'System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException'
in Microsoft.Azure.AppService.Middleware.Modules.dll
Microsoft.Azure.AppService.Middleware Warning: 0 : JWT validation
failed: IDX10500: Signature validation failed. Unable to resolve
SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ',
RawData: eyJ0eXAiOiJ......
token:
'{"typ":"JWT","alg":"RS256","kid":"-sxMJMLCIDWMTPvZyJ6tx-CDxw0"}.{"aud":"d03a8a86-2d38-4017-a8e6-d1813c7a8b99","iss":"https://login.microsoftonline.com/03afca2b-f47f-4d0b-9a25-d464aff5d399/v2.0","iat":1550228705,"nbf":1550228705,"exp":1550232605,"aio":"ATQAy/8KAAAAJ5N6SdnFdK7rYxWxvwbUKLAjZesFNkwaj2jR7tQg+E10FU5giL0DQM7SWbfwwYNG","name":"GFSSD TEST","oid":"ea10e59f-4466-451c-b7df-e9727ae5b899","preferred_username":"gfssd#mycompany.com","sub":"aPg-fkuZz4lwGIPSGbQ-nOoj7BPwT4_bBsb9UvATAdI","tid":"03afca2b-f47f-4d0b-9a25-d464aff5d399","uti":"tpY2tvyphUib1O2N4wIQAA","ver":"2.0"}
Microsoft.Azure.AppService.Middleware Information: 0 : Sending response: 401.83 Unauthorized
Any ideas why it doesn't seem to authorize properly?
EDIT:
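As an added illustration, not code from the question or from the App Service middleware, this Python reproduces the step at which IDX10500 is raised: it builds a token from the header and claims in the trace above (with a placeholder signature), reads `kid` and `iss`, derives the OIDC discovery URL from the issuer, and looks the `kid` up in a constructed JWKS. The JWKS contents, the timestamp and the `resolve_signing_key` helper are assumptions.

```python
import base64
import json

# Constructed token built from the header and claims shown in the trace; the signature
# segment is a placeholder because only the key-resolution step is modelled here.
HEADER = {"typ": "JWT", "alg": "RS256", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0"}
CLAIMS = {"aud": "d03a8a86-2d38-4017-a8e6-d1813c7a8b99",
          "iss": "https://login.microsoftonline.com/03afca2b-f47f-4d0b-9a25-d464aff5d399/v2.0",
          "iat": 1550228705, "nbf": 1550228705, "exp": 1550232605, "ver": "2.0"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

SAMPLE_TOKEN = ".".join(b64url(part) for part in (json.dumps(HEADER).encode(),
                        json.dumps(CLAIMS).encode(), b"placeholder-signature"))

# Constructed JWKS: the key set the validator holds does not contain the token's kid,
# which is exactly the condition IDX10500 reports.
STALE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "constructed-other-kid"}]}

def split_token(token: str):
    header, claims, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(claims))

def discovery_url(issuer: str) -> str:
    # The validator learns the jwks_uri from the issuer's OIDC discovery document.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def resolve_signing_key(token: str, jwks: dict, expected_aud: str, now: int) -> dict:
    """Run the checks that precede signature verification and record why validation stops."""
    header, claims = split_token(token)
    report = {"kid": header.get("kid"), "issuer": claims.get("iss"),
              "discovery": discovery_url(claims["iss"]), "key": None, "errors": []}
    if claims.get("aud") != expected_aud:
        report["errors"].append("audience mismatch")
    if now >= claims.get("exp", 0):
        report["errors"].append("token expired")
    # Signature checking needs the key whose kid matches the header; without it there is
    # nothing to verify against, so a validator cannot proceed.
    report["key"] = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if report["key"] is None:
        report["errors"].append("IDX10500: kid not found in JWKS")
    return report
```

A real validator then verifies the RS256 signature with the resolved key; when the `kid` is absent from the key set it fetched, comparing the `jwks_uri` in the issuer's discovery document with the one the validator is configured to use is the first diagnostic step.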

Trying O365 Authentication in Xamarin forms app

We are new to O365 authentication and are trying to authenticate the user.
Here I am getting this error while trying to log in with Office 365.
Created the app in Active Directory, added the app ID and return URLs in the app, and this is the document I followed: https://blog.xamarin.com/put-adal-xamarin-forms/
Here is the error we are getting:
AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'
Trace ID: e580114e-2dd9-4cc4-b903-6cef743a2900
Correlation ID: 6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597
Timestamp: 2018-12-05 12:51:23Z
{System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized). ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'\r\nTrace ID: e580114e-2dd9-4cc4-b903-6cef743a2900\r\nCorrelation ID: 6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597\r\nTimestamp: 2018-12-05 12:51:23Z","error_codes":[70002],"timestamp":"2018-12-05 12:51:23Z","trace_id":"e580114e-2dd9-4cc4-b903-6cef743a2900","correlation_id":"6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597"}: Unknown error
--- End of inner exception stack trace ---}
Ok, maybe you have registered your app as a confidential client (web app or web API).
You cannot authenticate with username and password when the app is a confidential client. Only public clients, sometimes known as native clients, can do U/P authentication.
Trying to change to a native client.
Refer to this link to try:

How to export Azure Database using Active Directory authentication and guest account

I have an Azure subscription with a Default Directory, with my company's account (myname#mycompany.com) as a guest.
I log in to the Azure portal with this company account.
In the SQL Server, I have set the Active Directory admin to an AAD group and I'm a member of the group.
When I click Export (database) in the Azure Portal, I select Active Directory authentication and type my username/password:
However I'm getting:
Failed to export the database: MyDatabase. ErrorCode: 400
ErrorMessage: There was an error that occurred during this operation : 'Error encountered during the service operation. ; Exception Microsoft.SqlServer.Management.Dac.Services.ServiceException:Unable to authenticate request; Inner exception System.Data.SqlClient.SqlException:Failed to authenticate the user username#mycompany.com in Active Directory (Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003; state 10; MSIS7068: Access denied.; '
Failed to authenticate the user username#mycompany.com in Active Directory (Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003; state 10; MSIS7068: Access denied
According to the error information, it indicates that the user password is not correct.
Based on my test, it works correctly if you set the Active Directory admin to an AAD group and if you are a member of the group.

CRM 2011 Error: Sandbox Host - Access Denied

I keep getting this error popping up on my CRM back end server (this back end server is assigned the async and sandbox roles while the front end server has all the other roles):
Sandbox Host - Access Denied.
Host: CRMAP01
User: DEV\CrmAsyncService
I don't know why this is happening to the Async Service account (I have the sandbox service logged in as the sandbox service account).
I have tried following the instructions outlined in this blog post but it's still occurring: http://crminpractice.blogspot.com.au/2011/05/crm-2011-error-sandbox-host-access.html

Windows service permissions

I have an NServiceBus 3.0 publisher which runs under a domain service account. The publisher has no external dependencies and locally the only dependencies are the input queue and RavenDB.
I have granted the service account full control over the input queue.
When I add the service account to the local admin group the service starts fine. If I remove the service account from local admins I get an error in the system log on start-up:
The BlahBlahBlah service failed to start due to the following error:
Access is denied.
If I look in the security log the following 4 entries are written:
Entry 1:
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: MYSERVER$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon GUID: {a224c91b-adce-3a5b-ca32-32265f073d2b}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x1ec
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
Entry 2:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: MYSERVER$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Logon GUID: {a224c91b-adce-3a5b-ca32-32265f073d2b}
Process Information:
Process ID: 0x1ec
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: MYSERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Entry 3:
Special privileges assigned to new logon.
Subject:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Privileges: SeImpersonatePrivilege
Entry 4:
An account was logged off.
Subject:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Logon Type: 5
All entries are recorded during the service startup.
My question is what explicit permissions do I need to set to start this service without having the service account in the local admins?
This is still unresolved so we had to grant local admins permissions to our service account. Luckily this was just on our integration environment and we didn't encounter this issue in production.
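As an added example, not code from the question, this Python parses security log entries in the "Field: Value" layout shown above and correlates them by Logon ID, so that for the service account's session you can read off its logon type, the special privileges it was granted and whether it was logged off again. The sample text is a constructed, trimmed copy of entries 2 to 4, and the two helper functions are assumptions.

```python
import re
# Constructed excerpt in the same "Field: Value" layout as the four entries above,
# trimmed to the fields the correlation uses; the values are the ones the question shows.
SAMPLE_LOG = """Entry 2:
An account was successfully logged on.
Subject:
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: MYDOMAIN\\svc_AppPrototype
Logon ID: 0x9c6bfc2
Entry 3:
Special privileges assigned to new logon.
Subject:
Logon ID: 0x9c6bfc2
Privileges: SeImpersonatePrivilege
Entry 4:
An account was logged off.
Subject:
Logon ID: 0x9c6bfc2
Logon Type: 5
"""

def parse_entries(text):
    entries, section = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if re.fullmatch(r"Entry \d+:", line):
            entries.append({"message": ""}); section = ""
        elif not entries[-1]["message"]:
            entries[-1]["message"] = line            # first line after "Entry N:" is the event text
        elif line.endswith(":"):
            section = line[:-1]                      # block header such as "Subject:" or "New Logon:"
        else:
            field, _, value = line.partition(": ")
            entries[-1][f"{section}.{field}"] = value  # e.g. "New Logon.Logon ID"
    return entries

def correlate_by_logon_id(entries):
    sessions = {}                                    # one record per new logon session
    for e in entries:
        msg, lid = e["message"], e.get("Subject.Logon ID")
        if msg.startswith("An account was successfully logged on"):
            sessions[e["New Logon.Logon ID"]] = {"account": e["New Logon.Security ID"],
                "logon_type": e.get("Subject.Logon Type"), "privileges": [], "logged_off": False}
        elif msg.startswith("Special privileges assigned") and lid in sessions:
            sessions[lid]["privileges"].extend(e["Subject.Privileges"].split())
        elif msg.startswith("An account was logged off") and lid in sessions:
            sessions[lid]["logged_off"] = True
    return sessions
```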