How to resolve issue of Error decoding incoming SAML message? - windows-server-2008-r2

I am getting the error "Error decoding incoming SAML message" for a SAML request.
I have configured ADFS 2.0 on Windows Server 2008 with SAML 2.0, and SSO is working well using SAML 2.0.
Now my client needs Windows Server 2012; they have configured it and restored the old server's config into the new server, but SAML authentication is giving me the errors below.
Error in SAML : Error decoding incoming SAML message
org.springframework.security.authentication.AuthenticationServiceException: Error decoding incoming SAML message
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:91)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:108)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:323)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:170)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:822)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:719)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1013)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Could not decode artifact response message.
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:123)
at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
... 44 more
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Error when sending request to artifact resolution service.
at org.springframework.security.saml.websso.ArtifactResolutionProfileImpl.getArtifactResponse(ArtifactResolutionProfileImpl.java:109)
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:98)
... 50 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.write(BufferedOutputStream.java:104)
at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:109)
at org.opensaml.ws.transport.http.httpclient.OutputStreamRequestEntity.writeRequest(OutputStreamRequestEntity.java:46)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
at org.springframework.security.saml.websso.ArtifactResolutionProfileImpl.getArtifactResponse(ArtifactResolutionProfileImpl.java:96)
... 51 more
The issue is on the ADFS server configuration side, but I haven't found the solution.
Any suggestion regarding ADFS 2.0 configuration or anything else would be a great help to me.
It gives me the error "Error when sending request to artifact resolution service", but I don't know how to start the artifact resolution service.

Spring SAML seems to have trouble connecting to the endpoint specified in the ADFS IDP metadata which you have imported. You can see the endpoint URL in the metadata in the element ArtifactResolutionService. Make sure it is possible to connect to this URL from the Spring SAML instance.
As another option, you can use a different binding which doesn't require direct backend connectivity to ADFS. You can instruct the IDP to use HTTP-POST when sending messages back to the SP by removing the Artifact assertion consumer service from your SP metadata and uploading the new version to the IDP.
It is also possible to control which binding should be used by the IDP when sending responses to the SP using WebSSOProfileOptions and the property assertionConsumerIndex, as you can see in the manual, chapter 9.2.1.
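As an added example (not code from the original answer), this script pulls the ArtifactResolutionService location out of the imported IdP metadata and tries a TCP connect followed by a TLS handshake to it from the SP host, which is the check the answer asks for; the metadata and the host adfs.example.test are constructed.

```python
"""
Diagnostic for "Error when sending request to artifact resolution service":
read the ArtifactResolutionService endpoint(s) from the IdP metadata the SP
imported, then attempt a TCP connect and TLS handshake to each one from the
host running Spring SAML.  Added example, not code from the original answer;
the metadata below is a constructed sample with a made-up host.
"""
import socket
import ssl
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: the slice of IdP metadata Spring SAML consults.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://adfs.example.test/adfs/services/trust/artifactresolution" index="0"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def artifact_resolution_endpoints(metadata_xml: str) -> List[Dict]:
    """Every ArtifactResolutionService in the IdP metadata, lowest index first."""
    root = ET.fromstring(metadata_xml)
    found = []
    for el in root.iterfind(".//md:IDPSSODescriptor/md:ArtifactResolutionService", NS):
        found.append({
            "index": int(el.get("index", "0")),
            "binding": el.get("Binding"),
            "location": el.get("Location"),
        })
    return sorted(found, key=lambda e: e["index"])


def check_tls_reachability(url: str, timeout: float = 5.0) -> Dict:
    """TCP connect, then TLS handshake, to the endpoint's host and port.

    Separates the failure classes hidden behind the Java "Connection reset"
    trace: no TCP path (DNS, firewall, closed port), a reset or protocol
    error during the handshake, and a server certificate the client rejects.
    """
    parsed = urlparse(url)
    host = parsed.hostname
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    result = {"host": host, "port": port, "tcp": False, "tls": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            if parsed.scheme != "https":
                return result
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                result["protocol"] = tls.version()
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate not trusted: " + str(exc.verify_message)
    except ConnectionResetError:
        result["error"] = "connection reset during TLS handshake"
    except (OSError, ssl.SSLError) as exc:
        result["error"] = type(exc).__name__ + ": " + str(exc)
    return result


if __name__ == "__main__":
    for ep in artifact_resolution_endpoints(SAMPLE_IDP_METADATA):
        print(ep["location"], check_tls_reachability(ep["location"]))
```

Run it on the SP host with the real FederationMetadata.xml in place of the sample; a result with tcp true but tls false points at the handshake (certificate or protocol) rather than the network path.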

Changed the default binding to POST in the SP metadata and saved the file as my_sp.xml under the folder
"C:\glassfish3\glassfish\domains\domain1\applications\SunflowerSET\WEB-INF\classes\resources\security" on the server.
Downloaded the metadata from the new ADFS server (ADFS101) and stored it as FederationMetadata.xml under the folder C:\glassfish3\glassfish\domains\domain1\applications\SunflowerSET\WEB-INF\classes\resources\security on the server.
Deleted the relying party trust rule from ADFS.
Configured a new relying party trust rule on ADFS101 using the new my_sp.xml metadata.

Related

IdP initiated SSO with Okta IdP and Azure B2C SP via SAML

We have a partner we are integrating with. We want to add a link to their system so they can click on it, automatically get logged into our Azure B2C and redirected to a specific page on our site. We have the requirement that they use SAML to connect.
These are the steps I have followed. I am not sure if I am missing something or if I need to try another path, like building a .NET bridge SP to connect to the Okta IdP and then redirect the user.
Set up an Okta IdP
Written a C# web app
Connected the web app directly to the Okta IdP, just to test
Posted the web app to Azure
Created custom policies for the Okta service provider in Azure B2C
Created a user journey in Azure B2C
In Azure Application Insights I keep getting "Exception" with no detail.
If I look at the SAML request in the browser I end up getting this 404:
https://XXX.b2clogin.com/XXX.onmicrosoft.com/B2C_1A_signup_signin_saml/client/perftrace?tx=b7024f56-034f-4edb-9d60-386514c037f3&p=null
Claims provider (screenshot), user journey (screenshot), metadata URL:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkat2zx10HirumDC696">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIID...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://XXX.okta.com/app/XXX_testsamlbridge_1/exkat2zx10HirumDC696/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://XXX.okta.com/app/XXX_testsamlbridge_1/exkat2zx10HirumDC696/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
B2C_1A_OktaSecret
{
"metadata":{
"updatedUtc":"12/10/2021 4:57:15 AM",
"tenantID":"XXX.onmicrosoft.com",
"storageKeyId":"B2C_1A_OktaSecret"
},
"keys":[
{
"kid":"30D7ACFD91E97D5733BB4388C0C45350120A2092",
"exp":1952890376,
"nbf":1637357516,
"x5c":[
"MIIDqDCCApCgAwIBAgIGAX06HeGMMA0GCSqGSIb..."
],
"x5t":"MNes_ZHpfVczu0OIwMRTUBIKIJI",
"kty":"RSA",
"e":"AQAB",
"n":"q1XSJo0UyHeCIIO2NfnIU5VC5leYRZvtITk..."
}
]
}
I went through all three methods and found my error in one.
Method 1, Exceptions: found, but didn't tell me anything new.
Method 2, Trace: didn't find any traces, which was weird.
Method 3, Trace export: well, there were no traces, so I still couldn't find it.
I added screenshots below.
Screenshots: Error message, Exception log, Trace log, Search Transactions.

SonarQube OAuth Gitlab Redirection Glitch

I ran into a strange glitch with SonarQube (9.1.0.47736 Developer Edition) + GitLab (14.4.2-ee) authentication.
Both services are running on self-hosted servers and have self-signed certificates.
On the server which runs GitLab (user facing) there is an nginx reverse proxy to provide an HTTPS endpoint to the users. (The base URL in the SonarQube settings is set accordingly.)
The glitch is that when a user authenticates with their GitLab credentials, they get redirected to the GitLab landing page, and not to SonarQube.
In GitLab the Callback URL is set to https://IP:PORT/oauth2/callback/gitlab as described in the docs.
If one then manually re-visits the SonarQube address, the user is logged in, so the authentication actually worked.
Before landing on the GitLab page, there is a brief flash of this page:
And in the SonarQube web.logs there is this warning:
WARN web[AX0pVQ771Ww8x0fzAAGu][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: {"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.generateError(OAuth2AccessTokenJsonExtractor.java:72)
at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:40)
at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:18)
at com.github.scribejava.core.oauth.OAuth20Service.sendAccessTokenRequestSync(OAuth20Service.java:53)
at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:97)
at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:92)
at org.sonar.auth.gitlab.GitLabIdentityProvider.onCallback(GitLabIdentityProvider.java:115)
at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:102)
at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:92)
at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:75)
at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:68)
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
at org.sonar.server.authentication.DefaultAdminCredentialsVerifierFilter.doFilter(DefaultAdminCredentialsVerifierFilter.java:89)
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
at org.sonar.server.plugins.PluginsRiskConsentFilter.doFilter(PluginsRiskConsentFilter.java:77)
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
at jdk.internal.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:81)
at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:68)
at jdk.internal.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
The self-signed certificate of the GitLab service is imported into SonarQube's truststore, as authentication and repository access are working without problems.
Any ideas?

How can I overwrite Google service account credentials in spark config?

The application already has a service account set up in core-site.xml.
I'm trying to overwrite it during application execution by setting Google service account credentials, but it's failing with this error.
Sample code:
spark.conf.set("fs.defaultFS", "gs://<bucket Name>")
spark.conf.set("fs.gs.auth.service.account.private.key.id", "<private key id>")
spark.conf.set("fs.gs.auth.service.account.email", "<service account email>")
spark.conf.set("fs.gs.auth.service.account.private.key", "<private key>")
val df = spark.read.csv("gs://test/test.csv")
Error:
java.lang.IllegalArgumentException: A JSON key file may not be specified at the same time as credentials via configuration.
at com.google.cloud.hadoop.repackaged.gcs.com.google.common.base.Preconditions.checkArgument(Preconditions.java:141)
at com.google.cloud.hadoop.repackaged.gcs.com.google.cloud.hadoop.util.CredentialConfiguration.getCredential(CredentialConfiguration.java:106)
at com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystemBase.getCredential(GoogleHadoopFileSystemBase.java:1613)
at com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystemBase.createGcsFs(GoogleHadoopFileSystemBase.java:1699)
at com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystemBase.configure(GoogleHadoopFileSystemBase.java:1658)
at com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystemBase.initialize(GoogleHadoopFileSystemBase.java:683)
at com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystemBase.initialize(GoogleHadoopFileSystemBase.java:646)
at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:2796)
at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:99)
at org.apache.hadoop.fs.FileSystem$Cache.getInternal(FileSystem.java:2830)
at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2812)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:390)
at org.apache.hadoop.fs.Path.getFileSystem(Path.java:295)
at org.apache.spark.sql.execution.datasources.DataSource$.org$apache$spark$sql$execution$datasources$DataSource$$checkAndGlobPathIfNecessary(DataSource.scala:705)
at org.apache.spark.sql.execution.datasources.DataSource$$anonfun$15.apply(DataSource.scala:389)
at org.apache.spark.sql.execution.datasources.DataSource$$anonfun$15.apply(DataSource.scala:389)
at scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:241)
at scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:241)
at scala.collection.immutable.List.foreach(List.scala:381)
at scala.collection.TraversableLike$class.flatMap(TraversableLike.scala:241)
at scala.collection.immutable.List.flatMap(List.scala:344)
at org.apache.spark.sql.execution.datasources.DataSource.resolveRelation(DataSource.scala:388)
at org.apache.spark.sql.DataFrameReader.loadV1Source(DataFrameReader.scala:239)
at org.apache.spark.sql.DataFrameReader.load(DataFrameReader.scala:227)
at org.apache.spark.sql.DataFrameReader.csv(DataFrameReader.scala:596)
How can this be fixed?
This can be done using the unset method on hadoopConfiguration:
sc.hadoopConfiguration.unset("fs.gs.auth.service.account.json.keyfile")
Any service account key set via conf in spark-submit or in core-site.xml can only be unset with hadoopConfiguration.unset.

opensaml::BindingException when logging out of a Shibboleth Service Provider with Azure ActiveDirectory as IdP

When users click logout, I'm redirecting them to "/Shibboleth.sso/Logout"
This successfully brings them to the Microsoft logout page, then they get redirected back to the SP.
However, as they return to the SP they get a SOAP error message.
opensaml::BindingException
The system encountered an error at Wed Sep 30 19:13:08 2020
To report this problem, please contact the site administrator at help#example.com.
Please include the following message in any email:
opensaml::BindingException at (https://app/Shibboleth.sso/SLO/SOAP)
Invalid content type for SOAP message.
When configuring the SP on Azure, I uploaded the metadata as-is.
This populated the fields on Azure, and things mostly worked.
However, it pulled the logout url as the first entry from the metadata:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://app/Shibboleth.sso/SLO/SOAP"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app/Shibboleth.sso/SLO/Redirect"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app/Shibboleth.sso/SLO/POST"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://app/Shibboleth.sso/SLO/Artifact"/>
Rather than using the SOAP URL, Azure should be using the "https://app/Shibboleth.sso/SLO/Redirect" location.
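For both this post and the Spring SAML answer above, one way to have the SP metadata itself lead the IdP to the right binding, by reordering or pruning the endpoints before upload (added example, not code from either post; the entityID and hosts are constructed):

```python
"""
Reorder or prune the endpoints an SP publishes so an IdP that takes the
first (or only) entry lands on the binding you want.  Serves both cases
on this page: dropping the HTTP-Artifact AssertionConsumerService so the
IdP answers over HTTP-POST (Spring SAML / ADFS), and moving HTTP-Redirect
ahead of SOAP for SingleLogoutService (Shibboleth / Azure AD).  Added
example, not code from either post; the metadata is a constructed sample.
"""
import xml.etree.ElementTree as ET
from typing import List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
POST, REDIRECT, ARTIFACT, SOAP = B + "HTTP-POST", B + "HTTP-Redirect", B + "HTTP-Artifact", B + "SOAP"
ET.register_namespace("md", MD)  # keep the md: prefix when serialising

# Constructed sample mirroring the SLO order that tripped up Azure AD and an
# SP that still advertises an Artifact ACS as its default.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://app.example.test/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{SOAP}" Location="https://app.example.test/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://app.example.test/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="{POST}" Location="https://app.example.test/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="{ARTIFACT}" Location="https://app.example.test/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="{ARTIFACT}" Location="https://app.example.test/saml/SSO/artifact" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="{POST}" Location="https://app.example.test/saml/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def prefer_bindings(metadata_xml: str, service: str, order: List[str], keep_others: bool = True) -> str:
    """Reorder the <md:{service}> endpoints so bindings in `order` come first.

    Unlisted bindings follow in their original order (keep_others=True) or
    are removed.  Indexed endpoints are renumbered from 0 and only the first
    carries isDefault="true", so the IdP's default pick matches the new order.
    """
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    tag = f"{{{MD}}}{service}"
    endpoints = [el for el in sp if el.tag == tag]
    if not endpoints:
        return metadata_xml
    rank = {binding: i for i, binding in enumerate(order)}
    chosen = [el for el in endpoints if keep_others or el.get("Binding") in rank]
    chosen.sort(key=lambda el: rank.get(el.get("Binding"), len(order)))  # stable sort
    pos = list(sp).index(endpoints[0])  # keep the group where it was in the descriptor
    for el in endpoints:
        sp.remove(el)
    for offset, el in enumerate(chosen):
        if "index" in el.attrib:
            el.set("index", str(offset))
            el.attrib.pop("isDefault", None)
            if offset == 0:
                el.set("isDefault", "true")
        sp.insert(pos + offset, el)
    return ET.tostring(root, encoding="unicode")


def bindings_of(metadata_xml: str, service: str) -> List[str]:
    """Binding attribute of each <md:{service}> in document order (for checks)."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Binding") for el in root.iterfind(f".//md:SPSSODescriptor/md:{service}", NS)]
```

Note that a signed metadata document must be re-signed after editing, since moving or removing elements invalidates the existing signature.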

Trying to get AAD and Azure SQL Authentication Working

I'm trying to get integrated authentication working between my app and Azure SQL. The app is running on IIS on a VM that is joined to an Azure AD domain (Domain Services).
I have followed this official MS document on setting up auth:
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure (Note - we are not using managed instances for SQL).
1) The admin group has been added via the portal
2) The contained database user (also part of the admin group) has been created, per the doc.
3) The IIS application pool is running as the same user as well.
Attempts to connect to the site return this error:
[AdalException: Integrated Windows authentication supported only in federation flow.]
ADALNativeWrapper.ADALGetAccessToken(String username, IntPtr password, String stsURL, String servicePrincipalName, ValueType correlationId, String clientId, Boolean* fWindowsIntegrated, Int64& fileTime) +829
System.Data.SqlClient.<>c__DisplayClass2_0.<AcquireTokenAsync>b__0() +132
System.Threading.Tasks.Task`1.InnerInvoke() +121
System.Threading.Tasks.Task.Execute() +47
[AggregateException: One or more errors occurred.]
System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions) +4323177
System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) +12865803
System.Threading.Tasks.Task`1.get_Result() +33
System.Data.SqlClient.<>c__DisplayClass134_1.<GetFedAuthToken>b__0() +39
System.Threading.Tasks.Task`1.InnerInvoke() +121
System.Threading.Tasks.Task.Execute() +47
[AggregateException: One or more errors occurred.]
Our web.config is using this as a connection string:
name="LocalSqlServer" connectionString="Server=tcp:XXXXX;Initial Catalog=XXXXX;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Authentication='Active Directory Integrated';" />
We're hoping to be able to remove any mention of plain-text passwords within our web.config, and azure authentication should be able to provide that.
Any help would be appreciated!
EDIT:
In an attempt to start fresh, I migrated the application to another fresh Azure VM. This time, the process initially led to this error:
Unable to load adalsql.dll (Authentication=ActiveDirectoryPassword). Error code: 0x2.
After installing the .dll, it then leads me to the same error I posted above. Not sure if this initial error could shed some light on the underlying problem.
The error message is "Integrated Windows authentication supported only in federation flow"
From the portal, if you select "Azure Active Directory" and then select "Custom Domain names":
Do you have a single line in the list with "Primary" selected?
If that is the case, you could try adding a new custom domain, mark that as federated and then use a user from that domain for the integrated authentication.
Recheck whether the VM is on-premises or in the cloud, because if your machine is on-prem and is AD-joined, you should see it as a device in Azure Active Directory. Otherwise, when the machine is not integrated with ADFS, you will end up with the exception message "Integrated Windows authentication supported only in federation flow".
There are two possible solutions:
- Integrate the machine into ADFS
- Use Active Directory Password with a valid account on Azure Active Directory.
In my scenario, I couldn't move the machine, so I used an AD account.