I have CC.net (v. 1.8.3) and CCTray (also v. 1.8.3) installed and LDAP security set up. However, when I add my build server to CCTray and select WinLogin authentication, no builds show up, and I get a login failed notification in the CCNet logs.
If I change the authentication to username/password, it works as I'd expect, however, when closing and restarting CCTray, builds show up as unknown status until I go into configuration to give things a kick. I'd also like to get the AD authentication working without manually specifying username and password because we have a custom build dashboard already using AD auth and I could secure everything through configuration as I should be able to.
Anyone have any ideas or can anyone confirm that they've been able to get AD authentication to work through CCTray or through the CCNet APIs?
WinLogin authentication is broken in CCTray. I'm only able to authenticate (not without problems), if the service is executed as a console application (ccnet.exe). I've never had success with the ccnet windows service (ccservice.exe). I've tried both 'via dashboard' and '.NET remoting' options - no difference.
Related
We are developing a cross-platform mobile app using Xamarin.Forms that uses Azure Active Directory Authentication. For that case we use Microsoft.IdentityModel.Clients.ActiveDirectory nuget. It works fine with any case other than this one:
UWP user is trying to login with a corporate account while being connected to a network that hosts the ADFS - after typing user#domain the adal page tries to redirect to organization login page and fails with message - We can't connect to the service you need right now. Check your network connection or try this later.
The problem does not appear when we are running the app from Visual Studio. It only appears when the app is installed through .appx.
The problem does not appear when user is connected to other network - I have tried to log in while being connected to a HotSpot set on my Android phone and I successfully logged in.
The problem does not appear when user is connected to the corporate network, but logs in with account that is not in our ADFS.
The method we use to log in:
AuthenticationContext.AcquireTokenAsync(resource, clientId, RedirectUri, platformParameters)
We set parameter useCorporateNetwork for platformParameters to true, in project properties -> Package Manifest -> Capabilities, we set flags like Private Networks (Client & Server)
When trying to login without setting RedirectUri, then the corporate login page will appear and you will be able to type your password/login and have them validated, but it will be useless for us as we need to Redirect the login to our API - when logging in like that you will have error that specified redirectUri is other than configured for used clientId.
I have been trying different approaches like using native WebAuthenticationCoreManager, but it doesnt support RedirectUri (if it does and will work please write how!), setting Loopback Exempts for our app and AuthHost.exe (nothing changed).
I am happy to use anything that will work, it can be native UWP approach as we can use platform dependency.
EDIT
When I am trying to connect through VPN then when logging in I get the message - We can't connect to the service you need right now. Check your network connection or try this later. - even when I am running the app from visual studio.
As for trying to find the cause of the problem with Fiddler I was stunned - when I monitor the authhost.exe process with fiddler (I select the authentication popup window as target process) - then the authentication finishes successfully. The moment I stop monitoring with fiddler - it fails again.
Interesting that you got it working with Fiddler attached to AuthHost. In your troubleshooting have you tried the following options?
Enable capabilities in AppPackage manifest
privateNetworkClientServer
enterpriseAuthentication
sharedUserCertificate
Add loopback exemptions
CheckNetIsolation.exe LoopbackExempt -a -n=<YourPackageFamilyName>
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.a_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.a.p_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.sso_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.sso.p_8wekyb3d8bbwe
Enable private network for AuthHost
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe" /v EnablePrivateNetwork /t REG_DWORD /d 1 /f
Not sure if it related but I was experiencing the same issue with a UWP app that was connecting to an azure mobile app back-end. In my case it involved corporate authentication (ADAL) along with a network proxy that was sitting in the middle. Besides the manifest permissions specified above; I also had to update the web.config on the server side to enable proxy authentication pass through. See the following link for more information.
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>`
Fix it so that .NET apps can access HTTP thru authenticating proxy server by default
We have created a dns for external and internal employees to visit an application website. They can both reach the website hosted in iis. they can both download the application that has been deployed using clickonce.
Issue is we want to password protect for external employees.. Internally its ok because we use windows authentication and have a group of users for specific applications.
we created an ad account and password. when i setup windows auth and restrict to this one ad account. i enter in username and password when going to the external dns. thats fine.. i click on the application to install.. and when its trying to install i get + The remote server returned an error: (401) Unauthorized.i'm getting a security error even after i put in the credentials , it somehow still fails when going to install.. what can i do to better password protect applications that will be accessed from the outside using clickonce.. or fix this issue thanks
I have a server which is part of a domain. When I publish a web application from Visual Studio with a domain user everything is ok. But when I try to publish with a local machine user (not part of a domain) I get ERROR_USER_NOT_ADMIN. Both users are in Administrators group. I tried specifying user as username, .\username and machinename\username but it's not working. Is there anything else I should do to be able to publish with a local machine user?
I received this error when I published with an incorrect password.
Not the best answer in the world but I post this to point out that an incorrect password does indeed return this exact error though you would never know it when you read the error message.
This error can also be received when deploying ASP.NET Core application with Visual Studio 2015. In order to fix the problem in this case, add the following lines in the .pubxml file:
<ADUsesOwinOrOpenIdConnect>False</ADUsesOwinOrOpenIdConnect>
<AuthType>NTLM</AuthType>
You can't do that, server you aim to publish in to needs an authorized domain account to allow access to your Visual Studio publishing service. Local accounts are specific to your local machine regardless whether they are administrator logins. They are just local admin login not domain admin logins.
Get your administrator to set up a domain user (don't use domain admin accounts this is a security risk) for publishing purposes or use your current domain user account
I develop web app, which cooperates with to TFS2012. In my local machine its works fine, but when i deploy on server i get the following exception:
[WebException: The remote server returned an error: (401) Unauthorized.]
System.Net.HttpWebRequest.GetResponse() +6440920
Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.SendRequestAndGetResponse(HttpWebRequest webRequest, WebException& webException) +195
My connect to TFS Code:
_collection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("http://xxx/tfs/TestPrjects/"));
_collection.EnsureAuthenticated();
_store = _collection.GetService<WorkItemStore>();
my web-config:
<system.web>
<customErrors mode="Off"></customErrors>
<authentication mode="Windows"/>
...
<system.web>
in ISS i activate Windows authorization:
Where is my mistake?
The details you are using to access TFS are incorrect.
The reason it works on your local machine is because the webserver is running as you, who has access to TFS. On the IIS server it's running as the app pool user, which won't have access.
Potential Solutions
Run the app pool as a user that has access to TFS (or grant the current user access)
This is ok for read only access, but if you're writing back to items you may want to not go down this route
Enable delegation so the code that connects to TFS is run as the currently authenticated windows user
This is much harder to do and only works in internet explorer out of the box. Firefox users can change a setting and Chrome users need to start chrome with a commandline switch.
wrap a using(WindowsIdentity.GetCurrent().Impersonate()) {} around your code that uses TFS and ensure you are using CredentialCache.DefaultNetworkCredentials to connect to TFS.
Use the TFS Server API
Be naughty and use server instead of the client api. The server API writes directly to the db and doesn't need to impersonate a user. I highly doubt this is a supported path and you won't find much information on it. However it still needs to run as a user with access to the db (like option 1, but supports updates as windows authed users)
I'm working on a web app that uses SharpSVN to checkout from a repo using svn+ssh. I have configured my ssh client correctly in my AppData config file by adding the path to Plink under the [tunnels] section, but checkout requests still give me an error message. The message itself isn't particularly informative (it merely tells me to remove the -q option to better debug SSH connection issues), but I trust it's an authentication issue.
Normally in Tortoise I would just use pageant, but I don't think the IIS user has access to pageant or the keys stored on it.
Two possible solutions come to mind:
Grant IIS user access to the pageant keys
Fix configurations to allow direct storage of user/password inside web.config connectionString
Ideally, I'd like to use the second option, but I have yet to figure out how to get either of these to work. Does anybody have experience with using SVN over ssh in a web application?