I have a peculiar problem with an MVC5 web app. It uses a pretty standard implementation of OWIN an the Thinktecture ResourceAuthorizationManager.
It is configured to work with ADFS.
The problem that I am facing is that after the app has been deployed and has been running on the server (IIS in server 2012R2) for some time, when you try to login you get stuck in an authentication loop. I have added a trace and it shows that IsAuthenticated is false, even after successful postback from ADFS.
If I recycle the app pool it all starts working as expected for a short while.
I am in great need of some pointers of where to look.
Edit:
Found the solution elsewhere. Answer can be found here: Intermittent redirection loops during ADFS authentication
In your global.asax.cs add an empty Session_Start event.
protected void Session_Start()
{
//Needed for Thinktecture to write AspCoookie
//https://github.com/IdentityServer/Thinktecture.IdentityServer3/issues/1003
}
Related
I have a Java Web App which is integrated with Azure AD. Now when I run the app locally, everything works fine.
But When I deploy the WAR file to the Azure App Service, the authentication redirection seems to be going in an infinite loop.
The application is running in loop between login.microsoftonline.com and mysite.azurewebsites.net.
I have read in blog posts that this happens with OWIN cooke in .Net , but not sure if this is case with Java as well.
All the traffic is through HTTPS only, but still the issue exists.
Is there any setting in Azure Portal to overcome this ?
Owin middleware is only available for .NET, so yes, we cannot fault that.
The redirect would be triggering from the portion of your code that evaluates a condition like 401 Unauthorized and constructs an authentication Url and redirects the user to that.
I'd suggest you enable as much diagnostics as possible and look into logs to..
Azure AD is sending the tokens in response as expected and not an error
The code acceptig/parsing these tokens is working correctly
I have created a NET Core web app for my company utilizing single-tenant Azure AD authentication. The app is an administrative tool for setting variables used by other (legacy) applications. The root url is like "https://mycompanyadmintool.azurewebsites.net". It works very well.
Now I have been asked to add what we can call "legacy authentication" to the app. This is a temporary solution and will hopefully be discarded soon. Basically this means that when the application is called with a url like this: "https://mycompanyadmintool.azurewebsites.net/<some Guid or string or number or whatever>", the Azure AD login should be bypassed. Then the last part of the URL will be verified and the authentication succeeds or not.
No matter what I try, I can not bypass the Azure AD authentication (except from disabling it totally!) and make this work without a lot of hacks and cheap tricks (lots of bad code).
I am fairly new to .NET Core and middleware +++ and need some guidance here. I have tried to look into the MVC routing, have a feeling that a part of the solution might have something to do with routing.
Does anybody have a suggestion on how to do it the "right" way? Grateful for any help or advice.
you could try to open a separate branch in the request pipeline with a separate authentication. This should work using the app.Map or app.MapWhen methods: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/middleware
app.Map("/subpath", sub_app=> {
sub_app.UseWhateverAuth(); // <= custom auth
// ...
sub_app.UseWhateverMiddleware();
sub_app.UseMvc();
});
I would like to secure my Azure WebApi with 3rd party providers (FB, G+... I basically just need a valid email). Was looking at Auth0 and seems like it will do the thing paired with Jwt middleware in web api project, but I was wondering if the same can be done using Azure only.
Azure Web App authentication confused me a bit - it does not seem to give anything to my Asp.Net web app. I still have to configure all the middleware in Startup.cs and the app still works fine if I completely turn authentication off.
I could do the same thing Auth0 does - issue my own Jwt tokens based on access tokens from FB or G+ - but would like to avoid that.
Could you please point me to the right direction?
You have a couple options:
App Service Authentication
Configure the authentication via middle ware
App Service Authentication
The App Service Authentication does not require any code inside your application because your App Service has a gateway that inspects request for authorization. Depending on the setting you can either secure the entire site or secure individual resources (by using the [Authorize] attribute on the endpoint in MVC/WebAPI).
With the latest release you can control authorization on a site by site basis including manually triggering the sign in by navigating the user to the <yoursiteurl>/.auth/login/<provider>. By defualt the token store is enabled so you can make a request to <yoursiteurl>/.auth/me and get back information from the provider.
Middleware Authentication
This is the default way authorization happens in the Single Page ASP.NET Template. The middleware authentication uses OAuth/OpenId to secure the resources. This option does it at the application layer instead of at the gateway. If you are using ASP.NET Identity (from the single page project template) the email from the persons log in will automatically be stored in the Users table. The tutorial in the link above gives lots of details on how to get it working.
Make sure you use the [Authorize] attribute to trigger the Authorization in either case.
Hope that helps you get started in the right direction.
I am have been fighting this error in IIS 7.5 for sometime now, and no solution I find seems to help. As I understand it, a 401.2 error means that the browser and the site in IIS are using two different types of authentication.
I have two Web Services hosted in IIS 7.5. Web Service A makes a call to Web Service B. This is where the 401.2 error happens. Both Web Services have Windows Authentication Enabled with 401 Challenge. The only enabled provider on each is NTLM. The Web.Config for both services is set up to have
<authentication mode="Windows" />
Here is what the call from Web Service A to WebService B looks like:
WebServiceB.Credentials = new System.Net.NetworkCredential("ValidUser", "ValidPW", "ValidDomain");
var output = WebServiceB.DoSomething(input); //Throws 401 WebException
As far as I can tell, both the Web Services and IIS sites should be using Windows Authentication, and nothing but Windows Authentication, yet I continue to get these 401.2 errors. Why?
I guess it is related to double-hop issue. Pleae try with delegation of creditential to second call.
May be the following link help you. Please have a look at it.
How can I fix the Kerberos double-hop issue?
this turned out to be an issue with the way the user was configured with a third party software. Thank you for all of your responses.
My ASP.NET MVC application is using Forms authentication with [System.Web.Mvc.Authorize] . I would like to use [System.Web.Http.Authorize] attribute to protect my Web API controller and because i'm calling it with HttpClient from my MVC controller I've have implemented a custom delegating handler like the one in the following post:
ASP.NET MVC 4 Web API Authentication with Membership Provider
When debugging i can see that the principal is set and the user has right roles but still I'm being redirected to the login page?
So basically when i log in and visit the WebAPI action with browser everything works (as would if i use AJAX from my views), but when i use HttpClient inside my controller (which i know is a new request with different context) with Basic authentication and set the principal i always get redirected.
I've tried so many solutions/workarounds and i'm always redirected to login page.
Anyone has an idea.
Here's an explanation:
System-web-http-authorize x System-web-mvc-authorize
Another interesting point is you use your custom authorization. I did it and it worked. Following example:
Customized authorization Mvc 4
Good Luck