We are currently testing azure web-app functionality for our own apache application. The application works with non security, but the application itself needs direct active directory access via ldap.
Example settings inside the application:
<ldap>
<connectionUrl>wehavenoidea:389</connectionUrl>
<roleBase>OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</roleBase>
<userPattern>{0},OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</userPattern>
<roleSearch>member={0}</roleSearch>
<useIndirectLookup>1</useIndirectLookup>
<indirectAdminDN>CN=AdminUser,OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</indirectAdminDN>
<indirectAdminPassword>ourpassword</indirectAdminPassword>
<indirectUserBase>DC=ourdomain,DC=onmicrosoft,DC=com</indirectUserBase>
<indirectSearchFilter>sAMAccountName={0}</indirectSearchFilter>
<rolemap>
<role target="Admin">Admin</role>
<role target="Accounting">Accounting</role>
</rolemap>
</ldap>
I have set up the app registration inside azure active directory with the required permissions. I can't find the connection url for the AD though.
Does anybody here know how to set this up?
Kind regards
Related
I have created a custom identity provider in adb2c for my openid connect server but getting error while running it through User Flow -
Setps I did :
Created a new openId Connectprovider.
Created a new user flow for open-id connect provider :
I am not sure how to debug this through adb2c as that's a quite generic error and if I am missing any steps.
This issue may cause if your client ID is incorrect in the web.config file for the app
Try to Open Web.config file for the app
In Web.config file,try to find the app key ida:ClientId.
The client ID provided in the portal for your app should be used as the value of the app key.
The file's modified section looks like
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
Credits to MsDoc
I am using Azure Active Directory B2C in an application(Xamarin.forms). When i try to call the azure login page (which is a sign-in-policy), i am prompted with the following error:
"We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: xxxxxxx-xxxxxx-xxxxxx-xxxxxxx
Timestamp: 2021-01-28 17:08:40Z
AADB2C90011: The client id 'xxxxxxx-xxxxxx-xxxxxx-xxxxxxx' provided in the request does not match client id 'xxxxxxx-xxxxxx-xxxxxx-xxxxxxx' registered in policy"
i dont know what is going on, application id seems correct.
How do i fix it?
The client ID may be missing or incorrect in the Web.config file for the app.
You could have a try with follow these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
I have already implemented this: https://github.com/Azure-Samples/active-directory-b2c-xamarin-native sample into an external app, but i got errors while login with an openid identity provider.
To reproduce this problem I checked out the latest master of the sample, tried to reproduce this error within the solution and it also occurs there.
I just changed the B2CConstants file values and everything is working for local accounts.
In my Azure B2C I have created 2 identity providers for different AD's in my signin/signup policy.
For Android and iOS everything works fine as expected, also the login with the identity provider.
If I log in with the UWP App via the identity provider i get the following error:
"We can't connect to the service you need right now. Check your network connection or try this again later."
This message shows up in the external Popup Window after Login (normally it should redirect back to the App without error)
In my external app, sometimes its possible to login via the identity provider if I first login with local account ⇒ logout and login again with identity provider credentials. But its not really a workaround because the error comes again on the next login.
I configured the identity provider with following documentation:
https://learn.microsoft.com/de-de/azure/active-directory-b2c/tutorial-add-identity-providers
I tried following things:
add Capabilities:
<Capabilities>
<Capability Name="internetClient" />
<uap:Capability Name="enterpriseAuthentication"/>
<Capability Name="privateNetworkClientServer"/>
<uap:Capability Name="sharedUserCertificates"/>
<uap:Capability Name="userAccountInformation"/>
<Capability Name="internetClientServer"/>
</Capabilities>
found it here:
https://github.com/Azure-Samples/active-directory-b2c-xamarin-native/issues/137
And tried also setting the registry and redirect url which is created from the app during execution:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/UWP-specifics#properties-of-platformparameter-specific-to-winrt-and-uwp-corporate-network
some additional information, I developed the identity provider login with a signIn/signUp (default) policy, that was working at the beginning, the error occurs only sometimes.
After I changed to a only signin (default) policy, the error occurs nearly every time (only works with the workaround which i described already).
Im not quite sure what im missing or doing wrong, hope someone can help me.
Thank you!
We have web application deploy on Azure App Service. Our database is also on Azure which is configured to use AAD authentication (We have assigned AAD Admin).
We are using below connection string in web app to connect to this server and database using below connections string.
Data Source=xxxxxxx.database.windows.net;Initial
Catalog=xxxxxxx;Persist Security Info=False;Authentication=Active
Directory Integrated
Please note: This connection string is working fine when using thru local system. But getting below error when we use this conn string in Azure App Service:
Failed to authenticate the user NT Authority\Anonymous Logon in Active
Directory (Authentication=ActiveDirectoryIntegrated). Error code
0x4BC; state 10 The format of the specified domain name is invalid
According to your description, I found you used the Active Directory integrated authentication.
To use integrated Windows authentication, your domain’s Active Directory must be federated with Azure Active Directory. Your client application (or a service) connecting to the database must be running on a domain-joined machine under a user’s domain credentials
If you published the web app to Azure, Azure's web app server will not be in your domain’s Active Directory. So the SQL server will not pass the auth.
I suggest you could try to use Active Directory password authentication instead of the Active Directory integrated authentication.
Replace the connection string as below use azure AD user name and password. It will work well.
Server=tcp:brandotest.database.windows.net,1433;Initial Catalog=bradnotestsql;Persist Security Info=False;User ID={your_username};Password={your_password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Password";
Since the accepted answers are a bit dated, if you are out here in 2020 or later, the correct way for setting up integrated authentication is as follows:
(excerpted from here, the asp.net standard implementation)
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
add the Microsoft.Azure.Services.AppAuthentication nuget package.
modify your web.config by adding: (in configSections)
<section name="SqlAuthenticationProviders" type="System.Data.SqlClient.SqlAuthenticationProviderConfigurationSection, System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
(and then)
<SqlAuthenticationProviders>
<providers>
<add name="Active Directory Interactive" type="Microsoft.Azure.Services.AppAuthentication.SqlAppAuthenticationProvider, Microsoft.Azure.Services.AppAuthentication" />
</providers>
</SqlAuthenticationProviders>
It's important to pay attention to the name you use there. Then... your connection string will look like:
<add name="MyEntities" connectionString="metadata=res://*/Data.MyDB.csdl|res://*/Data.MyDB.ssdl|res://*/Data.MyDB.msl;provider=System.Data.SqlClient;provider connection string="server=tcp:MyDB.database.windows.net;database=MyDB;UID=AnyString;Authentication=Active Directory Interactive;"" providerName="System.Data.EntityClient" />
The important notes are that the name you specify in the SqlAuthenticationProviders section must be the exact same name you use in the connection string for Authentication.
The other important note is that, coming from your old connection strings, you have to change Data Source to be Server, and Initial Catalog to be Database. UID=AnyString is necessary, or an exception is thrown.
Failure to follow these steps exactly will net you a lovely error:
System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ---> System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> AdalException: The format of the specified domain name is invalid.\r\n at ADALNativeWrapper.ADALGetAccessToken(String username, IntPtr password, String stsURL, String servicePrincipalName, ValueType correlationId, String clientId, Boolean* fWindowsIntegrated, Int64& fileTime)\r\n at System.Data.SqlClient.ActiveDirectoryNativeAuthenticationProvider.<>c__DisplayClass2_0.b__0()\r\n at System.Threading.Tasks.Task`1.InnerInvoke()\r\n at System.Threading.Tasks.Task.Execute()\r\n --- End of inner exception stack trace
At the first the error doesn't make sense, but once you see that the parameters were renamed from Data Source to Server, it does make sense.
Maybe all you need to use is token (certificate) authentication as explained on below resource:
https://github.com/Microsoft/sql-server-samples/tree/master/samples/features/security/azure-active-directory-auth/token
Try to register your application with Azure Active Directory as explained on that resource.
Hope this helps.
I am trying to setup a authentification for POST requests on my Node.js server hosted # Azure.
I am using this example:
passport.use(new OIDCStrategy({
callbackURL: config.creds.returnURL,
realm: config.creds.realm,
clientID: config.creds.clientID,
clientSecret: config.creds.clientSecret,
oidcIssuer: config.creds.issuer,
identityMetadata: 'https://login.microsoftonline.com/TenantGuidOrTheWordCOMMON/v2.0/.well-known/openid-configuration',
skipUserProfile: config.creds.skipUserProfile,
responseType: config.creds.responseType,
responseMode: config.creds.responseMode,
(tenant: "Guid from AzureAD-Endpoints-Button"),
(validateIssuer: false/true)
}, (...)
Although my code redirects me to a "https://login.microsoftonline.com" page (which is nice), after entering my email-address it immediately redirects me somewhere else.
There I get an error in the browserUrl: "the client does not exist"...
and it says I should create an application # "https://apps.dev.microsoft.com".
WHY? I have a AppService "MyService", an Azure AD within the same subscription and within the Azure AD an "App registration" for "MyApp".
What is now this cruel apps.dev.microsoft site? Why is there not my registered "MyApp" shown and Vice versa?
What do I have to enter within "oidcIssuer"? the MyApp.ApplicationId? The (apps.dev.microsoft.com)-Application.ApplicationId? The AzureAD-ClientId? The AzureAD-IssuerUrl?
The same question for the clientSecret
Whats the difference between using identityMetadata with an ID instead of "common" + validateIssuer:true against using identityMetadata with "common", validateIssuer:false + tenant:"myTenant(Guid?)"
When I Use "ExpressSettings" within Authentication/Authorization-->AzureAD why can I not find the Application I defined in Azure AD?
Do I have to activate the Graph API (I dont know anything about it yet)
Are there good alternatives protecting my express.post endpoint with authentification in Azure AD? (ADAL seems to be for resources)
I dont get all this settings, properties and portals of Microsoft I am just overhelmed by all this... (not to mention there is also an "OLD" portal)
The next days I will try this Azure Step-By-Step Guide maybe It will help me somehow...
For this example you are using, you don't need to modify the params in OIDCStrategy object. Instead, you need to config your AAD settings in client_config_*.js. files. Just like the document describes at https://github.com/AzureAD/passport-azure-ad/tree/master/examples/login-oidc.
And BTW, we manage our AAD applications on the Classic Portal.
Like my answer to "Has anyone successfully used Azure AD to authenticate users for a Node.js web application?"
I setup my authentification like this instead (without code) in the new Azure Portal:
host my Node.js Server
add an AD to the subscription
Register new application within the AD
Add "https://YourNodeJS.azurewebsites.net/.auth/login/aad/callback" as Reply URL
In AppServices, pick your Node.js Server
In Settings go to Authentication/Authorization
Activate AAD
Use Advanced Mode of AAD
Enter the ClientID (GUID) of the application registered above in AD
As issuerURL enter this link: https://sts.windows.net/YourADGuid/ (you can see the GUID within "Endpoints" if you look back at your application registered in AD above)