we got to work MFA on Windows Server 2016, with NPS, IIS, MFA, Azure etc. and the verification via phone call works great. Now we have problem with Mobile phone authentication.
When I log in to the appropriate web site with my domain\login and password (which is synchronized to Azure), I authenticate via phone call and in the next step I click on "Activate Mobile App" and then "Generate authentication code". I get a QR code, which I scan with MFA mobile application. After few seconds I get an error message "Unable to add the account" - Unexpected error. Please contact your local IT administrator to resolve the problem."
In the MultiFactorAuthSvc log is this message:
WMI error: -2147217394
Couldn't read credential identified by 'PfSmtp'. Element not found.
The time in log is 1 hour late. I don't know if this could be the problem.
We used this tutorial to install MFA:
https://learn.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice
Thank you for any advice.
Ok, after many hours of trying, here is the solution:
As next troubleshooting made sure the Mobile App Web Service site host name on the MFA server resolves to internal MFA server IP.
And here is the link to the article:
https://s4erka.wordpress.com/2018/01/24/mobile-app-authentication-with-azure-multi-factor-authentication-server-error-calling-the-local-authentication-service-troubleshooting/
Related
I am getting an Authorization Error from OAuth 2.0 Playground when trying to Authorize APIs. I have checked the permissions on the app multiple times (as I am the OWNER), I have fixed security issues(google asking questions), tried multiple browsers and multiple email accounts(under new projects). Below is the error message:
Error 403: access_denied
The developer hasn’t given you access to this app. It’s currently being tested and it hasn’t been verified by Google. If you think you should have access, contact the developer (recipe.tracker.app#gmail.com).
Learn more
Request Details
access_type=offline
response_type=code
redirect_uri=https://developers.google.com/oauthplayground
prompt=consent
client_id=765247627523-mhvqb7sc2or6rittk8dp0ti7b1ba8eel.apps.googleusercontent.com
scope=https://mail.google.com
Daniyal dehleh's original answer that solved my problem
Solution to my OAuth 2.0 Playground error:
Go to your developer console.
Go to OAuth consent screen.
Go to +Add users, under test users.
Add the users for the test (even the owner email address if not working without it)
I had the same issue.
Solution for me was to
https://www.google.com/settings/security/lesssecureapps Enable less secure apps
https://accounts.google.com/b/0/displayunlockcaptcha Enable this functionality
add the Email to Test users while app is in development mode
enter image description here
So I'm working on a project to redeploy an application that was previously hosted as an Azure Mobile Service as an Azure Mobile App. Said application has a frontend (hosted as a Web App in Azure) and backend API (this is the Mobile App) that is called directly from the frontend's javascript. The upgrade had been going well up until I started working on the Microsoft Account Authentication piece. Following the instructions at...
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-net-upgrading-from-mobile-services
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-microsoft-authentication
...got things mostly rolling. My application has been registered in the Microsoft Account Developer Center, I specified a Redirect URI following the 'https://{{my_backend_mobile_app_name}}.azurewebsites.net/.auth/login/microsoftaccount/callback' format, I configured the Microsoft Authentication/Authorization in the appropriate blade of my mobile app in Azure using the ClientId/Secret from the Microsoft Account Developer Center. Things go mostly well when I test it out: I can go to the frontend of my application and click on the 'Sign In' button, a new window opens with Microsoft's Login.Live site where I am prompted to login with a Microsoft account, I do so successfully and am redirected to the Redirect URL specified in the Microsoft Account Developer Center and it has Code and State values appended in the query string.
However, the page that is shown when I get redirected there is a 'You do not have permission to view this directory or page'. If I copy the URL, open a new tab, paste it in and hit enter it takes me to a 'You have successfully signed in' page. But neither way takes me back to the frontend of my application where it would log me in and continue into the site as everything is still happening in the new window that was opened for signing in. If I close that window, the authentication process sees that as a 'Cancelling' of the login and requires me to login again (which just repeats the above process). If I leave the window open and go back to the window with my frontend site, it is still waiting for a response from the login process.
So this leads me to my main question: How do I get the Microsoft Account Authentication process to actually return the login response to my frontend site rather than to the login window?
Side note, I've updated the SDK's for both the frontend and backend from the Mobile Service ones to the Mobile App's ones. In doing so I had to add in an OWIN middleware (per the instructions in link #1 above, under the 'Updating the server project' header) to my backend app. My current hypothesis is that this OWIN middleware isn't configured correctly for authentication and is getting in the way blocking the callback from working properly; thus, I am messing around with the app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions()); piece.
According to your description, I assumed that you are using the JavaScript client library for Azure Mobile Apps. I checked this issue on my local side and found I could encounter the same issue as you mentioned as follows:
Then I tried to deploy it to azure web app (https://brucechen-mobile.azurewebsites.net/login.html), I found it could work as follows:
After searched the web I found a similar issue and refer to this blog about Fix the Ripple Issues. I log onto azure portal and choose my mobile app, then click "All Settings > CORS", add the URL for my local web application as follows:
Then, click "SETTINGS > Authentication / Authorization", add the ALLOWED EXTERNAL REDIRECT URLS as follows:
Based on the above settings, it could work as expected on my local side as follows:
I am currently trying to sync my on-premise Active Directory (hosted on Windows Server 2012 R2) with Azure's AD using the AD sync tool. However, I cannot get past the "Windows Azure Active Directory Credentials" step.
I have two accounts (for the sake of this post, let's call them A and B), both of which are global administrators on Azure. When I enter the credentials for account A, the sync tool insists that "The user name or password is incorrect" even though I can log onto the Azure portal with those exact credentials on my browser. It may be worth noting that account A does not require additional verification to sign on.
Account B has additional security verification and thus I created an app password for the sync tool (this feature is not present on account A since it does not require verification). Whenever I use the generated app password, I am greeted with the configuration error: "Unable to establish a connection to the authentication service. Contact Technical Support." Anything else in the password field will return "The user name or password is incorrect", leaving me to assume that the app password is valid, but my request is just not going through.
Each log-in attempt with account B and the app password has generated the following errors in my Server Manager logs:
System.Management.Automation.CmdletInvocationException: Unable to establish a connection to the authentication service. Contact Technical Support. ---> Microsoft.Online.DirSync.Common.DirectorySyncConfigurationException: Unable to establish a connection to the authentication service. Contact Technical Support.
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at Microsoft.Online.DirSync.PowerShellAdapter.PowerShellCommand.ExecuteCommand(Command command, Boolean refreshPath)
Unable to establish a connection to the authentication service. Contact Technical Support.
Unable to establish a connection to the authentication service. Contact Technical Support. AuthIdentityToService() failed for adminwebservice.microsoftonline.com site with MBI_SSL policy. HResult:-2147186590. Contact Technical Support. (0x80048862)
So far, I have tried:
restarting my server
re-installing the sync tool
clearing my DNS cache
restarting the Azure sync service
disabling all firewalls
If anyone could help me interpret the errors or even provide me with a possible solution, I would greatly appreciate it!
The endpoint used by Azure AD Sync (and DirSync) does not allow the use of app passwords. Only a username/password combination can be accepted and it has to be a global administrator. If you follow our guidance to create a strong password for "account B", you have essentially created the same thing as an app password.
/Andreas Kjellman
Senior Program Manager, Microsoft, Identity and Access Management, sync services
We have created a dns for external and internal employees to visit an application website. They can both reach the website hosted in iis. they can both download the application that has been deployed using clickonce.
Issue is we want to password protect for external employees.. Internally its ok because we use windows authentication and have a group of users for specific applications.
we created an ad account and password. when i setup windows auth and restrict to this one ad account. i enter in username and password when going to the external dns. thats fine.. i click on the application to install.. and when its trying to install i get + The remote server returned an error: (401) Unauthorized.i'm getting a security error even after i put in the credentials , it somehow still fails when going to install.. what can i do to better password protect applications that will be accessed from the outside using clickonce.. or fix this issue thanks
I am stuck at the moment on trying to configure the Windows authentication on a web site.
The site is configured (in IIS 7.5) as follows:
Windows authentication and ASP.NET Impersonation - Enabled.
The 'Enable Kernel-mode authentication' is checked.
Providers section contain all 3 possible: Negotiate, NTLM, Negotiate:Kerberos.
The site connects to a SQL Server using Windows authentication as well.
The Web server is marked as trusted for delegation for the SQL server.
When I browse the site locally from the web server everything works; when I browse it from a client computer I get the well known error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
I read I should set some SPNs - but in my case - to what\whom ?...
The access to the SQL Server is done individually to users (also, the Web server, SQL server and the users accessing the site are in the same domain; the application pool also uses a domain account)
An advice would be much appreciated ...
I think you're getting "Anonymous Logon" because you have anonymous logon enabled.
Try enabling only Windows authentication and ASP.NET Impersonation and disabling the rest
Also might help to check the internet explorer security settings for the 'zone' you're in from the client computer (i'm guessing internet) at the very end set internet explorer to prompt for user name and password