I have a web application hosted in IIS and configured with Windows Authentication. It is supposed to be SSO (Single sign-on) and work without prompting users for their credentials. It works in this way if I access it via server name or cname. Example:
https://serverName/applicationName
https://cname/applicationName
However, it asks for user credentials if I access the application via full domain name such as:
https://serverName.domain.com/applicationName
https://cname.domain.com/applicationName
Any ideas what the issue would be?
Related
I have an MVC site running on IIS 10. The IIS server and our users are all on the same domain. My question: is there a way for the MVC website to determine the domain user without having the login prompt appear when accessing the website? I turned on Windows Authentication - this causes the login prompt, but it does give me the domain user. The Allow Anonymous returns the IISUSR account. I'd like to access the domain user, but not have the login prompt appear. Thanks in advance.
We're using Azure Active Directory with Federated Authentication. This is working without a problem - but we need the ability to have users sign in with credentials other than their logged in Windows credentials.
What happens right now is
User navigates to our web app and the Azure ADAL for JavaScript attempts to log in
The user is redirected to https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxx&redirect_uri=xxxx&client-request-id=xxxx&x-client-SKU=Js&x-client-Ver=1.0.2&nonce=xxxx
The user is presented with a username and password box.
Upon entering the username (even if it is someone else's username) (as soon as focus is lost from the username textbox), the page shows
It looks like this email is used with more than one account from
Microsoft. Which one do you want to use? Work or school account Work
or school account Assigned by your work or school
Upon clicking "Work or school account", the user is presented with
Redirecting We're taking you to your organization's sign-in page.
The page redirects to the url
https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
The user is automatically logged in using their active Windows credentials (even if they entered a different username on the previous page).
If I navigate to the URL https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1 using a Windows session with a non-domain (local) account, I get a standard Integrated Authentication prompt
So - it seems like our ADFS server is using Integrated Windows Authentication on an IIS Website.
My question is - how can I allow the user to log in as a different domain user for the web app. Is there a special ADFS login URL I can use? And if so, how do I tell the Azure app to use that URL. Or is there a way to disable Integrated Authentication in some other way, on demand?
Thank you.
UPDATE:
I see that if I point the ADFS URL to the basic auth endpoint
https://ds1.mydomain.com/adfs/ls/auth/basic/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
I am prompted for basic authentication (exactly what I want)...so how do I tell my Azure AD or Azure AD App what login URL to use? And how can I control it conditionally?
You would need to either remove AD FS from the Local Intranet zone on the relevant machines so they prompt, or better, look in to the User Agent based targeting in AD FS and configure those machines to send a User Agent that triggers Forms Based AuthN.
Have a look at https://technet.microsoft.com/en-us/library/dn727110.aspx for more info on this.
Answer is actually pretty simple (with some help from Fiddler):
Add &prompt=login to the query string generated by the ADAL JavaScript when redirecting to login.microsoftonline.com. This causes the MS portal to redirect to the ADFS Forms Auth URL instead of the one using integrated security.
I am trying to authorize my GET calls in web api, it is working fine( when projects runs on the browser token authenticate properly ) where i published same project in IIS, every time I got a alert box of user name and password. How could i disable this alert box. what credential he is asking for authenticate. I gave all the registered user name and password from my database. I am confused , help me
Check what type of authentication has been enabled for the site in IIS.I believe you are using Basic authentication type.By default, Basic authentication requires the Windows user account to have local logon rights at the Web server. If you want to disable select the particular website and change the authentication type to Anonymous.
We have a service account defined for anonymous access which is used for several web sites hosted on the web server. This account has access to several network resources like report server, file servers and so on.
While deploying a new web site, we used the same service account for anonymous access. IIS takes the username/password for the account and then a dialog opens for confirm password.
Accidently, we gave a wrong password in both the text boxes, the new site with wrong password is working fine but all other previously hosted sites which were using the service account, started giving the unautorized access error.
Is it possible that when we entered wrong password for the new web site, the password of the account got reset and all sites stopped functioning?
If this was IIS5.x then yes it's possible that the password update you performed did indeed change the anonymous account password.
If this was IIS6 then there are a number of pre-conditions that must be met before changing the password in IIS manager changes the password for the anonymous account. This MS knowledgebase article covers this is detail:
IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password (MS KB:332167)
In IIS7 this capability was retired.
I have a web application using windows authentication. I also want to authenticate non-domain users against AD. Can I have domain members can enter site directly, and non-members enter their domain username and password.
How can I do this?
It is possible to do this but you probably want to have 2 distinct web applications running accessing a similar set of application code.
Web application 1 is configured to use Windows authentication.
Web application 2 is configured to use Forms authentication. You need to have some additional code in this application which allows a user to authenticate themselves using LDAP against the active directory. This code is placed in an authentication provider if you use ASP.NET.
Assuming your using ASP.NET, you can write a custom provider that first auths against your AD, then a non AD store.
Or you can use multiple providers, ActiveDirectoryMembershipProvider and then for example SqlMembershipProvider.