Authenticate the "same user" using either NTLM or FBA - sharepoint

SharePoint 2010: authenticate the same user using either NTLM or FBA
I have been struggling for weeks now trying to achieve the following:
1. Authenticate user Foo using NTLM (Windows authentication) on a SharePoint 2010 web site.
2. Authenticate the same user Foo using FBA and a custom membership provider.
The problem I am facing is that when user Foo is authenticated through NTLM he gets one profile with some permissions, and when logging in through FBA, he gets another profile with different permissions.
Is there a way to have my user Foo seen as one single user, even though he is authenticated by different authentication mechanisms (NTLM or FBA)?
The business need is the following: I want user Foo to be able to log in automatically through NTLM when he connects using IE. The same user should be able to log in through FBA if he is using an iPad, for example (we detect the device and redirect the user to the FBA login page instead of NTLM).
Thanks in advance for your help.
Laurent

I think you can follow some steps like below:
Create a User Profile service application.
Create a custom column to indicate permissions.
When a user logs in, just check the permission in the User Profile service application.
You can import other user properties from NTLM or FBA into the User Profile application.

Related

Azure Active Directory and Federated Authentication

We're using Azure Active Directory with Federated Authentication. This is working without a problem - but we need the ability to have users sign in with credentials other than their logged in Windows credentials.
What happens right now is
User navigates to our web app and the Azure ADAL for JavaScript attempts to log in
The user is redirected to https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxx&redirect_uri=xxxx&client-request-id=xxxx&x-client-SKU=Js&x-client-Ver=1.0.2&nonce=xxxx
The user is presented with a username and password box.
Upon entering the username (even if it is someone else's username), as soon as focus leaves the username textbox, the page shows:
It looks like this email is used with more than one account from Microsoft. Which one do you want to use? Work or school account Work or school account Assigned by your work or school
Upon clicking "Work or school account", the user is presented with
Redirecting We're taking you to your organization's sign-in page.
The page redirects to the url
https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
The user is automatically logged in using their active Windows credentials (even if they entered a different username on the previous page).
If I navigate to the URL https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1 using a Windows session with a non-domain (local) account, I get a standard Integrated Authentication prompt
So - it seems like our ADFS server is using Integrated Windows Authentication on an IIS Website.
My question is: how can I allow the user to log in as a different domain user for the web app? Is there a special ADFS login URL I can use? And if so, how do I tell the Azure app to use that URL? Or is there a way to disable Integrated Authentication in some other way, on demand?
Thank you.
UPDATE:
I see that if I point the ADFS URL to the basic auth endpoint
https://ds1.mydomain.com/adfs/ls/auth/basic/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
I am prompted for basic authentication (exactly what I want)...so how do I tell my Azure AD or Azure AD App what login URL to use? And how can I control it conditionally?
You would need to either remove AD FS from the Local Intranet zone on the relevant machines so they prompt, or better, look in to the User Agent based targeting in AD FS and configure those machines to send a User Agent that triggers Forms Based AuthN.
Have a look at https://technet.microsoft.com/en-us/library/dn727110.aspx for more info on this.
Answer is actually pretty simple (with some help from Fiddler):
Add &prompt=login to the query string generated by the ADAL JavaScript when redirecting to login.microsoftonline.com. This causes the MS portal to redirect to the ADFS Forms Auth URL instead of the one using integrated security.
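As an added example (not code from the original thread), here is how the `&prompt=login` switch from the answer above can be applied conditionally on the client side, so that only a deliberate "sign in as someone else" action bypasses the integrated AD FS sign-in; the endpoint and parameter names follow the authorize URL quoted in the question, while the client id, redirect URI, nonce and the `switchUser` flag are assumed placeholders:

```javascript
// Added example, not from the original thread or from ADAL.js itself.
// Builds the login.microsoftonline.com authorize URL and adds prompt=login
// only when the user explicitly asked to sign in with different credentials.
const AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize";

// Assumed app-side rule: a "Sign in as a different user" action sets switchUser.
// Without the flag the normal flow runs and a domain-joined browser is signed in
// silently through the AD FS integrated endpoint.
function wantsFreshLogin(opts) {
  return Boolean(opts && opts.switchUser);
}

// Build the authorize URL the way the ADAL-generated one in the question looks.
// prompt=login tells the Microsoft sign-in page to require interactive
// credentials, which routes the user to the AD FS forms endpoint instead.
function buildAuthorizeUrl(cfg, opts) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("response_type", "id_token");
  url.searchParams.set("client_id", cfg.clientId);      // constructed placeholder
  url.searchParams.set("redirect_uri", cfg.redirectUri); // constructed placeholder
  url.searchParams.set("nonce", cfg.nonce);              // constructed placeholder
  if (wantsFreshLogin(opts)) {
    url.searchParams.set("prompt", "login");
  }
  return url.toString();
}

// For the case where a library already produced the URL string: append
// prompt=login if it is missing and leave every other parameter untouched.
function ensurePromptLogin(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.get("prompt") !== "login") {
    url.searchParams.set("prompt", "login");
  }
  return url.toString();
}

// Quick check used before redirecting: will this URL force an interactive login?
function forcesLogin(urlString) {
  return new URL(urlString).searchParams.get("prompt") === "login";
}
```

ADAL.js can also send the same parameter through its `extraQueryParameter` configuration setting instead of rewriting the URL after the fact.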

IIS shows me an alert box of Login credential username and password

I am trying to authorize my GET calls in Web API. It is working fine (when the project runs in the browser, the token authenticates properly), but when I published the same project to IIS, every time I get an alert box asking for a user name and password. How can I disable this alert box, and what credentials is it asking for to authenticate? I gave it all the registered user names and passwords from my database. I am confused, help me.
Check what type of authentication has been enabled for the site in IIS. I believe you are using the Basic authentication type. By default, Basic authentication requires the Windows user account to have local logon rights at the Web server. If you want to disable it, select the particular website and change the authentication type to Anonymous.

Issue with Sign In As Different User in Claim Based SharePoint 2010 Site with ADFS 2.0

We have a SharePoint 2010 Web Site with Claim based Authentication configured with ADFS 2.0.
We have customized the SignOut option in Welcome.ascx to point the SignOut link to the ADFS SignOut URL,
i.e. https://myadfsserver/adfs/ls/?wa=wsignoutcleanup1.0, which takes care of signing the user out from all relying parties. But if for some reason a complete sign out was not done, and the user tries to browse a site he does not have access to, the user is redirected to SharePoint's OOB AccessDenied.aspx page.
This page provides a link for the user to sign in as a different user, but for some reason clicking on this link does not take the user to the ADFS sign-in page; instead it takes the user back to the same AccessDenied page. Can somebody tell me how I get this "sign in as different user" functionality working?
SharePoint creates a cookie that is stored on the local disk and you have to force it to use a session based cookie.
http://www.shailensukul.com/2010/05/adfs-2-sharepoint-2010-signout.html

Sharepoint user profiles with forms authentication

I've imported a bunch of users into my Active Directory with some custom fields. Then I did a profile import from Active Directory to Sharepoint with all the custom fields and regular fields. After this, I needed each user to be in a site collection with a MySite set up for them. I did that by writing some code that ensured the user existed and then checked the profile attribute "personalspace" to see if a MySite had been created. Everything worked great until some of the users needed to login from outside the network.
I'd like to get rid of the windows authentication pop-up that a user would get if they hit from outside the network (or haven't added the site to their trusted zone in IE). I've extended my web application to create an internet zone. Then I edited the web.config of the internet site to do active directory forms authentication, along with editing the Central Administrator's web.config so that it can see the data source. This is all well and good, the user can login through a nice interface. The only problem is that now the user is detached from their user profile. Essentially Sharepoint views a windows authentication user and a forms authenticated user as two separate users.
Is there a way to link the profiles? Do I have to write a custom membership provider to log a user in and then link them up to their windows account? Is there a way to log a user in from the internet web app and then spoof their windows credentials and pass it to the intranet? Do I need to recreate all the user profiles based on the forms authentication data source?
Is this what are you looking for .. http://grounding.co.za/blogs/brett/archive/2008/01/09/setting-up-dual-authentication-on-windows-sharepoint-services-3-0-forms-and-ntlm.aspx ?
See ya
I've been trying to accomplish the same thing, with exactly the same problem: the "forms-authenticated me" is not the same as the "windows-authenticated me" to SharePoint, and I can't see how to map the two.
After a lot of frustrating efforts, I think I've finally realized it's not possible. In retrospect, this isn't too surprising.
Here's an excerpt from http://msdn.microsoft.com/en-us/library/bb975136.aspx (my emphasis added)...
Deciding to Use Forms Authentication
Some organizations want to use Windows users and groups in SharePoint Products and Technologies, but enter credentials via forms authentication. Before using forms authentication, determine why to use forms authentication in the first place: What is the business driver? If user accounts are stored in a location other than an Active Directory domain controller, or if Active Directory is not available in a particular environment, using forms authentication with a membership provider is a good choice. But if you want to force logon only via forms authentication, but still use Windows and all of the integrated features it provides, you should consider an alternative such as publishing the SharePoint site with Microsoft Internet Security and Acceleration (ISA) Server 2006. ISA Server 2006 allows users to log on by using a forms authentication Web form, but treats them like Windows users after authentication. This implementation provides a more consistent and compelling experience for end users.
You can set up the Forms Authentication to use the Active Directory Forms Authentication provider. You'll get the best of both worlds.
The login prompt will be the Forms Authentication prompt that you want, but the profile and login info will come from Active Directory.
Follow these instructions to configure the provider:
How To: Use Forms Authentication with Active Directory

WSS and OpenID

I have configured WSS with OpenID to enable FBA authentication. I have added a custom login page. I'm able to authenticate using the OpenID account, however when I return back to the default.aspx page I get the 'Access Denied' page.
The Question is how can i tell WSS to allow OpenID authentication into the web application?
I have used the DotNetOpenId library.
I haven't integrated with WSS myself, but assuming you have it in FormsAuthentication mode, then the only other thing I think that could be blocking you would be that while you are logging the user in (with SetAuthCookie or RedirectFromLoginPage) you need to pass in the roles the user belongs to. If WSS is rigged to only invite users in the "WebUser" role, for example, be sure to pass that into the login methods.
You can find out what roles are required and what your Authentication mode is from inspecting your WSS site's web.config file.
If you are using FBA you can add the OpenID account as an FBA account. You can easily do this by using a custom login page. Here is a sample: http://blog.xsolon.net/Posts/sharepointopenid.aspx