We have created a dns for external and internal employees to visit an application website. They can both reach the website hosted in iis. they can both download the application that has been deployed using clickonce.
Issue is we want to password protect for external employees.. Internally its ok because we use windows authentication and have a group of users for specific applications.
we created an ad account and password. when i setup windows auth and restrict to this one ad account. i enter in username and password when going to the external dns. thats fine.. i click on the application to install.. and when its trying to install i get + The remote server returned an error: (401) Unauthorized.i'm getting a security error even after i put in the credentials , it somehow still fails when going to install.. what can i do to better password protect applications that will be accessed from the outside using clickonce.. or fix this issue thanks
Related
i having a problem when i tried to use a domain user as a specified user name in basic settings-> connect as. I want to access a shared folder that located in another server.
The web server always says if the username or password isn't correct and always throw 500.19 error when I started to browse the application.
Error Capture
However when I explore the app from IIS, it can be opened. I even tried a remote login to the server using the same username and password and it's just fine.
Image 2
The server I am using for running the web server is a Workgroup computer and in a DMZ. Is that a reason why IIS can't authecticate domain user?
Sorry for my terrible english here, because i'm in panic situation right now. I hope you can understand what i'm asking about and hope somebody has an answer. Thanks
You're right, if your computer is not joined to the Active Directory domain, you won't be able to authenticate using a Domain account.
Should the site be publicly accessible? If so, you would want to set your authentication to Anonymous and then configure the authentication settings to authenticate either as a built in user (NETWORK SERVICE, AppPoolIdentity) or a local machine user created specifically for the application.
I have implemented AAD authentication in one of my webapp, using OWIN. everything is working as expected on dev environment but it is not working on PROD. At login it goes to AAD page, it authenticate users and it redirects back to my registered page, but register page is not opening at all. In title it show working only. I am completely lost, how to resolve this, Please help me to resolve the same.
Thanks in advance!
I got the solution for this. The issue was - to store the Tokens the Owin context created a local db (AzureTokenCache.mdf and .ldf files) in App_Data folder. This uses SQL express. Now we all know that using PaaS we cannot use any Software. Hence my authentication failed every time saying that error connecting to database. I moved everything to SQL Azure and it worked for me.
I am currently trying to sync my on-premise Active Directory (hosted on Windows Server 2012 R2) with Azure's AD using the AD sync tool. However, I cannot get past the "Windows Azure Active Directory Credentials" step.
I have two accounts (for the sake of this post, let's call them A and B), both of which are global administrators on Azure. When I enter the credentials for account A, the sync tool insists that "The user name or password is incorrect" even though I can log onto the Azure portal with those exact credentials on my browser. It may be worth noting that account A does not require additional verification to sign on.
Account B has additional security verification and thus I created an app password for the sync tool (this feature is not present on account A since it does not require verification). Whenever I use the generated app password, I am greeted with the configuration error: "Unable to establish a connection to the authentication service. Contact Technical Support." Anything else in the password field will return "The user name or password is incorrect", leaving me to assume that the app password is valid, but my request is just not going through.
Each log-in attempt with account B and the app password has generated the following errors in my Server Manager logs:
System.Management.Automation.CmdletInvocationException: Unable to establish a connection to the authentication service. Contact Technical Support. ---> Microsoft.Online.DirSync.Common.DirectorySyncConfigurationException: Unable to establish a connection to the authentication service. Contact Technical Support.
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at Microsoft.Online.DirSync.PowerShellAdapter.PowerShellCommand.ExecuteCommand(Command command, Boolean refreshPath)
Unable to establish a connection to the authentication service. Contact Technical Support.
Unable to establish a connection to the authentication service. Contact Technical Support. AuthIdentityToService() failed for adminwebservice.microsoftonline.com site with MBI_SSL policy. HResult:-2147186590. Contact Technical Support. (0x80048862)
So far, I have tried:
restarting my server
re-installing the sync tool
clearing my DNS cache
restarting the Azure sync service
disabling all firewalls
If anyone could help me interpret the errors or even provide me with a possible solution, I would greatly appreciate it!
The endpoint used by Azure AD Sync (and DirSync) does not allow the use of app passwords. Only a username/password combination can be accepted and it has to be a global administrator. If you follow our guidance to create a strong password for "account B", you have essentially created the same thing as an app password.
/Andreas Kjellman
Senior Program Manager, Microsoft, Identity and Access Management, sync services
I am stuck at the moment on trying to configure the Windows authentication on a web site.
The site is configured (in IIS 7.5) as follows:
Windows authentication and ASP.NET Impersonation - Enabled.
The 'Enable Kernel-mode authentication' is checked.
Providers section contain all 3 possible: Negotiate, NTLM, Negotiate:Kerberos.
The site connects to a SQL Server using Windows authentication as well.
The Web server is marked as trusted for delegation for the SQL server.
When I browse the site locally from the web server everything works; when I browse it from a client computer I get the well known error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
I read I should set some SPNs - but in my case - to what\whom ?...
The access to the SQL Server is done individually to users (also, the Web server, SQL server and the users accessing the site are in the same domain; the application pool also uses a domain account)
An advice would be much appreciated ...
I think you're getting "Anonymous Logon" because you have anonymous logon enabled.
Try enabling only Windows authentication and ASP.NET Impersonation and disabling the rest
Also might help to check the internet explorer security settings for the 'zone' you're in from the client computer (i'm guessing internet) at the very end set internet explorer to prompt for user name and password
I have a server which is part of a domain. When I publish a web application from Visual Studio with a domain user everything is ok. But when I try to publish with a local machine user (not part of a domain) I get ERROR_USER_NOT_ADMIN. Both users are in Administrators group. I tried specifying user as username, .\username and machinename\username but it's not working. Is there anything else I should do to be able to publish with a local machine user?
I received this error when I published with an incorrect password.
Not the best answer in the world but I post this to point out that an incorrect password does indeed return this exact error though you would never know it when you read the error message.
This error can also be received when deploying ASP.NET Core application with Visual Studio 2015. In order to fix the problem in this case, add the following lines in the .pubxml file:
<ADUsesOwinOrOpenIdConnect>False</ADUsesOwinOrOpenIdConnect>
<AuthType>NTLM</AuthType>
You can't do that, server you aim to publish in to needs an authorized domain account to allow access to your Visual Studio publishing service. Local accounts are specific to your local machine regardless whether they are administrator logins. They are just local admin login not domain admin logins.
Get your administrator to set up a domain user (don't use domain admin accounts this is a security risk) for publishing purposes or use your current domain user account