Windows Authentication uses the following dialog window for users who are not authenticated through NTLM:
Users without the right permissions get the same login dialog, which prompts them to provide other credentials.
Is there a way to append a custom message to the dialog via the controller context or AuthorizeAttribute?
It is a browser-native dialog prompt, so you cannot change it. One solution is to implement Forms authentication, create your own login dialog, and in the backend check the credentials against Active Directory.
I've built a .NET Core 7 web application.
It implements Windows authentication, and works nicely on premise.
using Microsoft.AspNetCore.Authentication.Negotiate; // namespace that defines NegotiateDefaults and AddNegotiate()

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
I've deployed it to an Azure App Service, and I got this error when I browsed to the application:
InvalidOperationException: The Negotiate Authentication handler cannot
be used on a server that directly supports Windows Authentication.
Enable Windows Authentication for the server and the Negotiate
Authentication handler will defer to it.
So I added a Microsoft Azure AD identity provider, which created a new app registration for me. Now I can browse to the application and enter my credentials, but once I do, I get another dialog saying "Approval required, enter justification". After I submit my approval request, I get an email saying my request was received. I don't know who gets the approval request, or why a request is being generated. We could have hundreds of employees using the application, and will eventually have dozens of applications, so an approval request might not be manageable. Can it be turned off, or am I implementing the authentication wrong in the first place?
If you have the right permissions, you might be able to grant consent on behalf of all users yourself. This ensures that end users will not be required to consent when using the application. To do this, navigate to your App Registration Overview and click on 'Go to Enterprise applications'. From there, click on Permissions in the left menu. On this page you can grant admin consent for all users.
These global settings can be changed, but only by an administrator. How to do that is described in this article: https://intercom.help/eventtemple/en/articles/5152672-need-admin-approval-approval-required-when-connecting-outlook-office365
We have configured our enterprise web application to be protected by Azure AD SSO. It works great. The first time the user navigates to the enterprise web application page, they are redirected to the https://login.microsoft.com login page and prompted to enter their username#company.com, and then they are authenticated using their Windows credentials through Kerberos (or at least I think it's Kerberos; it doesn't require a password). They are then signed into our enterprise web application.
Now the user closes their browser, which closes the session with our enterprise application, then opens it again.
They go back to the enterprise web application page. It redirects to https://login.microsoft.com, and this time it remembers who they are, because it has the username#company.com in the "Choose an account" dialog. But it doesn't automatically sign them in, making for a very unfriendly user experience.
The user now has to click on their account on the "Choose an account" screen, and there is always only the one account there. It still doesn't require a password, but it still breaks the seamless flow of things.
How can we set up Azure AD SAML SSO so that it automatically logs in the user without having to click the account in the "Choose an account" dialog?
I wasn't getting a response here, so I cross-posted on MSDN (sorry). I got a prompt response there: https://social.msdn.microsoft.com/Forums/azure/en-US/f9e7c013-fbdc-4bbb-9e9c-22bf187f6c79/bypass-the-azure-ad-sso-8220choose-an-account8221-prompt-and-automatically-login-cookie-stored?forum=WindowsAzureAD
You have to pass the domain hint in order to achieve this. This is happening primarily because of realm discovery, and the domain hint will help you skip this.
Ref:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal
We have a web application implemented in Java/JSP, and Azure AD single sign-on authentication has been implemented using the OpenID Connect protocol. The sign-in approach is working as expected, but the major issue is with sign-out. While signing out the user we are following the approach below.
1) User clicks the sign-out button.
2) He is redirected to the application sign-out page.
3) The application session is cleared in the sign-out page.
4) The user is then redirected to the Azure AD logout page, see the URL below...
https://login.microsoftonline.com/common/oauth2/v2.0/logout?
post_logout_redirect_uri=our_application_sign_out_success_page
The above approach is working as expected, but the problem is that if the user copies and pastes the above URL into a browser tab while they have a valid session in another browser tab, their AD session gets cleared.
But the expected behavior is that the logout should happen only when the user clicks the sign-out button.
This is expected behavior: the server is not able to detect whether the request was sent by clicking or by pasting into the address bar and navigating manually. And the server shouldn't care where the request is from; it only does the job you told it to.
And if you have other applications also using Azure AD as the identity provider, the sign-out request will not affect the other applications when you sign out from your web application. Also, if you want to implement single sign-out, you have to implement a LogoutUrl in the web application and register it on the Azure portal (refer here).
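The two Azure AD URLs discussed in the domain-hint thread above and in this sign-out thread, as an added Python example that is not code from either poster: it builds the v2.0 authorize request with domain_hint, builds the logout URL only for a registered post_logout_redirect_uri, and guards the application's own sign-out endpoint so that only a POST carrying the session's anti-forgery token clears the session. The tenant, client id and app.example.com URIs are constructed placeholders.

```python
import hmac
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
# Constructed sample registration, not a real tenant or app registration.
TENANT = "common"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
ALLOWED_POST_LOGOUT_URIS = {"https://app.example.com/signout-success"}


def authorize_url(redirect_uri, state, nonce, domain_hint=None):
    """OIDC authorize request. domain_hint lets Azure AD skip realm
    discovery and the 'Choose an account' prompt (the MSDN answer above)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,   # echoed back; the app checks it against the session
        "nonce": nonce,   # bound into the id_token to prevent replay
    }
    if domain_hint:
        params["domain_hint"] = domain_hint
    return f"{AUTHORITY}/{TENANT}/oauth2/v2.0/authorize?{urlencode(params)}"


def logout_url(post_logout_redirect_uri):
    """End-session request. Only a redirect target the app registered is
    accepted, so the app never emits a logout link to an unknown host."""
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not registered")
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{AUTHORITY}/{TENANT}/oauth2/v2.0/logout?{query}"


def handle_signout(method, form_token, session):
    """App-side sign-out endpoint (steps 2-4 of the question). The session is
    cleared and the Azure AD logout URL returned only for a POST carrying the
    anti-forgery token issued to this session; a pasted GET link returns None.
    The Azure AD logout URL itself cannot be guarded this way, as the answer
    notes: any browser holding the AD session that navigates to it is logged out."""
    expected = session.get("csrf")
    if method != "POST" or not expected or not form_token:
        return None
    if not hmac.compare_digest(form_token, expected):
        return None
    session.clear()
    return logout_url("https://app.example.com/signout-success")
```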
After submitting our app to the Windows Store, it was rejected with the following message.
"We were unable to launch your app from the 'My Apps' launcher. When we launch your app from the My Apps launcher, during an authenticated O365 session, we are prompted to re-authenticate to your app."
What we did is: once the user logs into our app with O365 credentials, our app gets added to the user's O365 My Apps dashboard. When the user clicks on our app in the O365 launcher, it launches the login page of our app instead of logging in automatically.
Step-by-step:
1) User visits our web page "http://portal.myedutor.com/users/sign_in"
2) User clicks on "Login with Microsoft credentials"
3) User signs in using O365 account
4) Now user has an active session with our application
5) User visits "http://portal.office.com" and signs in using same credentials
6) Within a couple of minutes user sees the "IGNITOR" app in "O365 My Apps dashboard"
7) Clicking on the app, user is taken to the homepage of our application
Now the problem we are facing is that once the user clicks on our app in step 7 he is asked to log in again; we are not able to send any session information on the app click. We are using the OpenID protocol for SSO.
Kindly guide us how to maintain session in such scenario. Thanks a lot in advance.
One thing that might have been missed here is that when you registered your app with Active Directory, you used the main login page as the SIGN-ON URL, aka http://portal.myedutor.com/users/sign_in.
However, in order to be redirected directly to the Office 365 login page, you should use the Office 365 redirect URL in this case.
For example, when I was testing it locally, I made sure I used localhost:xxxx/account/singin for my SIGN-ON URL, like below,
I am trying to authorize my GET calls in Web API. It works fine (when the project runs in the browser the token authenticates properly), but when I published the same project to IIS, every time I get an alert box asking for user name and password. How can I disable this alert box? What credentials is it asking for to authenticate? I gave all the registered user names and passwords from my database. I am confused, help me.
Check what type of authentication has been enabled for the site in IIS. I believe you are using the Basic authentication type. By default, Basic authentication requires the Windows user account to have local logon rights at the web server. If you want to disable it, select the particular website and change the authentication type to Anonymous.