Customize Update password page in AD FS 3.0 - iis

I need to add a new textbox field to the update password page in AD FS 3.0; however, I cannot find any solution for how to do it. I found a few articles about the sign-in page. Is it possible to do?
I would appreciate any help.

There's tons of examples here - ADFS : Continuing the Login and Home Realm Discovery (HRD) and Change Password customisation adventure.
Essentially, you do this with onload.js.

Related

Azure Self Service Password Reset - redirect on final step after successful password change

We are hitting a bit of a brick wall with this one – if you go to this article and look at the final screenshot, it includes a message 'To sign in with your new password, click here' and the click here must be configurable:
http://www.rebeladmin.com/2019/02/step-step-guide-using-microsoft-authenticator-app-public-preview-reset-azure-ad-user-password/
Can anyone tell us how to config that link on the success page please? Otherwise, the user will have to manually enter in the URL to login which seems a bit bonk.
Any help appreciated!

That option isn't configurable for SSPR and it's most likely by design for security reasons.
I don't see any legitimate use case for configuring this URL either. When the user clicks the link they should be taken to login.microsoftonline.com and after successfully logging in will be taken to the original site the user was trying to access since it's embedded in all links across the SSPR experience by means of query parameters.

We need a way to redirect user back to our application on successful change password on azure

In our website, we are displaying a change password link which redirects user to "https://account.activedirectory.windowsazure.com/ChangePassword.aspx", where user will be able to change the password.
On successful change password, we need a way to redirect user back to our application. Currently it is redirecting user to "https://account.activedirectory.windowsazure.com/profile/default.aspx".
Any help or hint is appreciated.

This is the default behaviour and currently this is not possible. There is already a similar feature request on feedback.azure.com where you can suggest new features, enhancements or bugs.
If you would love to see this feature you can upvote this feature -> http://feedback.azure.com/forums/169401-azure-active-directory/suggestions/7156218-redirect-new-users-to-application-not-manage-wind
My experience is that they are actively looking at these features and also implement them (when enough users request them).

How to use ASP.NET Identity without a database

I am trying to implement custom authentication using the new ASP.NET Identity in an MVC 5 project.
I have a single username and password that I want to use to restrict which pages of the website the user can see via [Authorize] tags on controllers and views. (Easy)
I am migrating from a FormsAuthentication model whereby this was as simple as putting the credentials in the web.config.
Because I only have a single username and password I don't want to use a database as the UserStore; instead I want ASP.NET Identity to retrieve the username and password from a custom ConfigurationSection in the web.config (don't worry about that part).
After much searching, I can't find a code sample that doesn't rely on a database for ASP.NET Identity authentication.
So I'm looking for a code sample where, at the point of authentication, the user can put in custom code to check the username & password against the credentials in the custom ConfigurationSection of the web.config.
Can someone please point me in the right direction thanks.
Update : I've tried looking at this code sample but it doesn't even compile out of the box.. poor.
http://code.msdn.microsoft.com/Simple-Aspnet-Identiy-Core-7475a961
Update : The reason that I don't want to use FormsAuthentication is that I am writing a NuGet package that will be installed into a web application. One of the things the NuGet package will do is create a custom ConfigurationSection in the web.config that includes (among other things) a single username and password. I thought this would be safer as it wouldn't alter any existing FormsAuthentication settings currently in the target web application.
Update : I think I have got it working. Will post findings soon.
-- Lee

You don't have to migrate to Identity framework, FormsAuthentication still works. And Andrew is correct, using Identity framework makes little sense here, since it is all about managing users.
However, if you insist on using it, you can implement your own UserManager and IUserStore. Some guidance can be found in Scott K. Allen's blog post. See the links at the bottom - samples of implementations - you can take some of these and convert them to your needs.
I would imagine your IUserStore will be simple, because there is only one user and most of the methods don't have to be implemented. And for the ones required (I think you'll need FindUserById and related) you'll need to reach into web.config via ConfigurationManager.

Windows Authentication prompt username field autopopulates and cannot be changed

I have a website that uses Windows Authentication to authenticate its users. Normally when a user accesses the site on an IE browser the username field is populated with the computer's domain name and user name. This is usually incorrect and the user enters the correct username and their password and can access the site.
I have a user now on Windows 7 IE8 (I believe) and the username field in the credential prompt is being autopopulated with domain\userName, except the username is incorrect and we cannot change it. The user is unable to log into the site because of this. Has anyone experienced this before? Does anyone know why the username field cannot be changed? Solutions I have tried:
Clearing cache and stored form data/passwords etc.
Site is in the user's trusted sites. So I had the user change the settings to "Prompt for username and password" but the prompt still comes up with the username autopopulated and does not let her change it.
I have never run into this before. Our users do not have any issue logging in, it's just this one corporate location that was just set up and is running Windows 7 (rest of the company is under Windows XP). If it matters, this is a SharePoint 2010 web application.
Any help on this would be greatly appreciated as I have an entire group of users with this problem. I'm willing to bet this would not be an issue in a different browser but they need to be able to use IE for application compatibility reasons.
Thanks!

I was able to fix it by doing the following:
Go to Start, Control Panel, User Accounts, then click Manage Your Credentials, and look for the credentials to your site; if they are there, Modify and “Remove from vault” (I suppose you could Edit them to the correct credentials but I just removed it and it did not prompt her).
She had the wrong credentials stored there. I'm not sure why clearing the cache and passwords from the internet options didn't work but this did.

I had this problem with a user where the domain stored with the credentials could not be changed. This is the only item online I could find even close to my problem. The user saw "user-pcdomain\localusername" auto entered in the form. He tried to correct it with "workdomain\workusername" but got a message saying "Please enter a user name and password". Eventually we realized that his system was sending "user-pcdomain\workdomain" as his username. I've never seen a login misfire like that.
In his case he did not have his credentials stored but needed to add credentials - "workdomain\workusername" - for all of the domains he needed to access.
The point is - to expand on the answer - that IE or Windows 7 or both will store credentials incorrectly on rare occasions and the solution is to be creative about adding\editing\removing credentials with Manage Your Credentials.

How to login to a webpage in Nessus and perform a SecTest?

I am trying to test a webpage using Nessus. I have tested all the stuff about the Server. But now I want to proceed by logging in to the webpage and testing all possible pages behind the login form. But I couldn't achieve it. I gave all (text, password and hidden fields) the form fields' values including the ticket generated by Central Authentication System. But nothing happens. Either there isn't any security issue behind the login page ( :P ), or I couldn't login to the page (100% possibility :D ). For extra info:
These are login fields. ;)
username=
&password=
&lt=_c0C1F5872-F217-B20F-6D86-AA3AA1C1262E_kC7BEB4F7-5216-53EB-2F9A-7FDDFE01D145
&_eventId=submit
&submit=Login
Is there anyone who has used Nessus and knows how to solve this problem? And is there anyone who knows how to import Cookies to Nessus?
Thanks in advance. ;)

I had similar problems; can't speak for you, but sounds like you have about as much website knowledge as I do (which ain't much!) - no offense intended. In my case I'm not sure I'm understanding the most basic structural elements of the website, such as what URL to point the scan at, and then concatenating that correctly with the login pages in the policy. I'm far better at the network and infrastructure penetration testing :D
I did a search in a search engine for "Nessus HTTP cookie import", and found that Tenable discussed this on their podcast, episode 14:
http://blog.tenablesecurity.com/2009/11/tenable-network-security-podcast---episode-14.html
If you look at the "Stories" note on the above web page, there's a hint to use the "Export Cookies" Firefox add-on. The add-on has some guidance, but essentially:
Install the add-on to your browser (I'm using the OWASP Mantra browser; I urge you to look at it)
Restart your browser
Log into the subject website and authenticate
From the Tools menu, go for "Export Cookies"
Save to file, and point your Nessus scan policy at that file
NOTE: I'm still trying this now, but thought I'd post the possibility anyway in case I forget - I will update this thread with a confirm or deny shortly.
Best of luck!
UPDATE: Well, it didn't work for me on first attempt. I'm confirming I don't have any conflicting or superseding settings in the policy, but if that doesn't work it's on to Tenable Support, I fear...

According to the documentation, besides importing cookies, the other way to do it (currently at 7.0) is:
Create new scan
Web Application Tests
Credentials:
which are filled out like these (taken from documentation):
Username: Login user’s name.
Password: Password of the user specified.
Login page: The absolute path to the login page of the application, e.g., /login.html
Login submission page: The action parameter for the form method. For example, the login form for: <form method="POST" name="auth_form" action="/login.php"> would be: /login.php
Login parameters: Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the Login configurations drop-down menu. This field can be used to provide more than two parameters if required (e.g., a group name or some other piece of information is required for the authentication process).
Check authentication on page: The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., /admin.html.
Regex to verify successful authentication: A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as Authentication successful.
However, looking at the reports, in my case, it couldn't authenticate for some reason.
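
As an added example (not part of the original posts and not Nessus code): a Python check of the "Login parameters" and "Regex to verify successful authentication" fields quoted above, run against a login form before a scan policy is saved. It assumes the `lt` field is issued fresh each time the login form is served, so a value pasted into a policy goes stale; the HTML, the saved policy string, the `lt` values and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed login form; the lt value is a made-up placeholder.
LOGIN_PAGE = """
<form method="POST" name="auth_form" action="/login.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="lt" value="_cFRESH-0001_kFRESH-0002">
  <input type="hidden" name="_eventId" value="submit">
  <input type="submit" name="submit" value="Login">
</form>
"""
# Constructed "Login parameters" string saved earlier, with an old lt value.
SAVED_POLICY = "username=%USER%&password=%PASS%&lt=_cOLD-0001_kOLD-0002&_eventId=submit&submit=Login"

class FormFields(HTMLParser):
    """Collect the form action and every named <input> as name -> (type, value)."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self.action = attr.get("action")
        elif tag == "input" and attr.get("name"):
            self.fields[attr["name"]] = (attr.get("type", "text"), attr.get("value") or "")

def build_login_parameters(html):
    """Return (login submission page, parameter string with %USER%/%PASS%)."""
    parser = FormFields()
    parser.feed(html)
    subst = {"text": "%USER%", "password": "%PASS%"}
    pairs = [(n, subst.get(t, v)) for n, (t, v) in parser.fields.items()]
    return parser.action, urlencode(pairs, safe="%")  # keep placeholders literal

def stale_fields(saved_params, html):
    """Names whose saved value no longer matches the freshly served form."""
    fresh = dict(parse_qsl(build_login_parameters(html)[1], keep_blank_values=True))
    saved = dict(parse_qsl(saved_params, keep_blank_values=True))
    return sorted(k for k, v in fresh.items() if saved.get(k) != v)

def is_authenticated(body, pattern):
    """A 200 status is not enough: look for the success pattern in the body."""
    return re.search(pattern, body) is not None
```

With the constructed inputs, `stale_fields(SAVED_POLICY, LOGIN_PAGE)` reports `lt` as the only field that differs, and `is_authenticated` rejects a response that merely re-serves the login form.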
