I am trying to figure out how to set the default domain in IIS when choosing basic authentication. I have an LDAP string but I'm quite clueless as to how to extract the information I need from it for setting the default domain setting.
When I programatically connect to an Active directory I use the string:
DirectoryEntry _entry = new DirectoryEntry ("LDAP://xx.xx.xx.xx/CN=Users,DC=dc1,DC=dc2,DC=dc3", "user", "password");
What information do I need to pull from this string for the default domain setting in IIS?
Any help would be appreciated. Thanks.
Guessing from the (sanitized) LDAP string you gave, your Windows Active Directory domain would be like dc1.dc2.dc3--say if dc1 is "site", dc2 is "company", and dc3 is "net" then the domain is "site.company.net".
Or on a command prompt you could type echo %USERDNSDOMAIN% and see the same thing.
Related
When I try to create a local account w/ a username of "test#mydomain.com" I get:
http://localhost:4343/#error=server_error&error_description=AADB2C90161:+A+self-asserted+send+response+has+failed+with+reason+'Internal+Server+Error'.
Correlation+ID:+cb299c64-219b-4870-9b4e-7c85fbbd2ae3
Timestamp:+2018-02-20+21:05:54Z
&state=9ac8534f-ad75-46c1-94a8-514a71acc6bb
I've wired up App Insights and I can see the "Internal Servier Error" but there is so much noise I can't pinpoint the problem.
Why can't I register w/ a username like that?
How do I interrupt the app insight log to track down my issue?
Note: I'm using custom policies if that matters.
Answer for the first question is that a sign-in name of type "userName" can't contain the '#' character in the value property.
i.e. You can't set it to an email address.
How can I build connection string for connecting to Azure SQL Database using Azure AD account?
Currently, I am using the following but it does not seem to be correct. It does not use Authentication Type: Active Directory Password.
Part of PowerShell script I am using:
server=$Server.database.windows.net;initial catalog=$Databasename;Authentication=Active Directory Password;Integrated Security=False;uid=$Username;password=$Password
I really appreciate your help.
I managed to resolve the issue; It was actually the order of properties.
The following connection string worked
Data Source=$Server.database.windows.net;initial catalog=Master;User ID=$Username;password=$Password;authentication=Active Directory Password
However, this does not work
Data Source=$Server.database.windows.net;initial catalog=Master;authentication=Active Directory Password;User ID=$Username;password=$Password
The only difference is the order of "Authentication" tag.
I never thought order of properties matter in ConnectionString.
In the example, they use this format:
Data Source=n9lxnyuzhv.database.windows.net;
Authentication=Active Directory Password;
Initial Catalog=testdb;
UID=bob#contoso.onmicrosoft.com;
PWD=MyPassWord!";
So try to use PWD instead of Password.
I have been playing around with the Azure SFTP connector for API Apps and Logic Apps (under the new preview site (portal.azure.com)) but have not had much luck getting it to work.
The Connector requires the following package settings to be set: ServerAddress, ServerPort, SSH Server HostKey, Root Folder, Accept Any SSH Server HostKey (bool), and Encrypt Cipher. It does not ask for a user name, and after activating the API app and attempting to use it I get the expected response of HTTP 400 with:
[
"User Name Value cannot be null, empty, or cannot contain only white-space characters."
]
The Swagger api definition does not define any way to pass in the username and I cannot see anyway to define it in the connector settings, does anyone know how to set the username?
You can configure the user and pass at the security component in your App API panel, select it an then you can set the user and password.
Check this url for more info: http://azure.microsoft.com/en-gb/documentation/articles/app-service-logic-connector-sftp/
I am new to openAM. I am trying to use openAM (954) to secure my web service using J2EE agent 3.0. I have deployed my webservice (using CXF) on Glass fish 3.1.x.
I have created necessary configuration given in URL http://docs.oracle.com/cd/E19575-01/820-4803/ghuqg/index.html
I want to authenticate using user id and password. I am passing this information (userid/password) using SOAP header. But when I try to access my web service in browser it gives access forbidden message.
Are there any additional configurations required? Please let me know, I am not able to find any other information on this anywhere.
Following is the request we are sending. I am not sure about UsernameToken wsu:Id whether it is correct? How do we get this value from OpenAM dynamically at each time when we send the request.
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-27777511" xmlns:wsu="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>amadmin</wsse:Username>
<wsse:Password Type="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Amit4001</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<demo:greetPerson>
<!--Optional:-->
<arg0>Ashish</arg0>
</demo:greetPerson>
Please help me solve this issue.
I want to authenticate using user id and password. I am passing this information (userid/password) using SOAP header. But when I try to access my web service in browser it gives access forbidden message.
I'm currently struggling to learn OpenAM as well and I think your specific problem is that you have not yet set up a policy (not a policy agent) after users have successfully authenticated.
If you haven't try the following steps:
Navigate to Access Control -> YourRealm -> Policies -> New Policy
Name: yourpolicyname
Rules (click new):
Name: URLPolicy
Resource Name: http:// your-webservice-url/*
Check allow get and post
Name: GetUrlPolicy
Resource Name: http:// your-webservice-url /* ? *
Check allow get and post
Subjects (click new)
Type = OpenAM Identity Subject
Name: UserAccess
Add users you want to be able to authenticate
You have to add in the * ? * if you have any GET parameters in your web page.
Hope that helps, I know the documentation around is terrible.
For your agent policy, in the Global tab: General section > Agent Filter Mode, remove ALL and add SSO_ONLY (leave Map Key blank and Map Value as SSO_ONLY). Note that this configuration isn't hot-swappable, so OpenAM has to be restarted to apply.
Here is a procedure for installing the agent on the server you want to protect:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/jee-install-guide/index/chap-glassfish.html
Here is a good procedure for configuring the agent policy centrally on the OpenAM server:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index/chap-agents.html#create-agent-profiles
You might want to also control which URIs (webapps) to protect instead of the entire website. To do that, in the agent policy:
Application tab: Not Enforced URI Processing section > add the URI to protect, for example: /application1/*
Application tab: Not Enforced URI Processing section > check the "Invert Not Enforced URIs" checkbox so that it will actually enforce the "Not Enforced URI" values
i want to validate a set of credentials against the domain controller. e.g.:
Username: joel
Password: splotchy
Domain: STACKOVERFLOW
In .NET 3.5 and newer you can use PrincipalContext.ValidateCredentials(username, password).
Otherwise you're in trouble.
Following the code in the Microsoft Knowledge Base article How to validate user credentials on Microsoft operating systems, i get to the point where you call AcceptSecurityContext:
ss = AcceptSecurityContext(
#pAS._hcred, //[in]CredHandle structure
phContext, //[in,out]CtxtHandle structure
#InBuffDesc, //[in]SecBufferDesc structure
0, //[in]context requirement flags
SECURITY_NATIVE_DREP, //[in]target data representation
#pAS._hctxt, //[in,out]CtxtHandle strcture
#OutBuffDesc, //[in,out]SecBufferDesc structure
ContextAttributes, //[out]Context attribute flags
#Lifetime); //[out]Timestamp struture
except that the function fails with:
SEC_E_NO_AUTHENTICATING_AUTHORITY (0x80090311)
The function failed. No authority could be contacted for authentication. This could be due to the following conditions:
The domain name of the authenticating party is incorrect.
The domain is unavailable.
The trust relationship has failed.
This would be a useful error, except that i can validate the same credentials from .NET 3.5 using:
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, domain))
{
valid = context.ValidateCredentials(username, password);
}
What could be happening that allows .NET to validate a set of credentials, while native code cannot?
Update: LogonUser also fails:
LogonUser("joel#stackoverflow.com", null, "splotchy",
LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, out token);
with
1311 - There are currently no logon servers available to service the logon request
Update Two: i've tried both the preferred Negotiate provider, as well as the Windows NT4 legacy "NTLM" provider
String package = "Negotiate"; //"NTLM"
QuerySecurityPackageInfo(package, [out] packageInfo);
...
AcquireCredentialsHandle(
null, //[in] principle
package, //[in] package
SECPKG_CRED_OUTBOUND, //[in] credential use
null, //[in] LogonID
pAuthIdentity, //[in] authData
null, //[in] GetKeyFn, not used and should be null
null, //[in] GetKeyArgument, not used and should be null
credHandle, //[out] CredHandle structure
expires); //[out] expiration TimeStamp structure
I presume that this is to solve the same problem as another question that you posted.
I kind of understand what you are trying to do now. Let me recap what you wrote on another post.
Username Password Domain Machine on domain? Validate as
======== ======== ================= ================== ==============
iboyd pass1 . No Local account
iboyd pass1 (empty) No Local account
iboyd pass1 stackoverflow.com No Domain account
iboyd pass1 . Yes Local account
iboyd pass1 (empty) Yes Domain account
iboyd pass1 stackoverflow.com Yes Domain account
You want to
Authenticate a user from a domain that your machine doesn't trust
Authenticate a user from a domain that your machine trusted
Authenticate a local user
You can achieve the first two cases by doing proper SSPI handshaking with the domain controller. The KB article that you are referring to in another question is doing loop back SSPI handshaking. It's not going to work in case number one because the client machine does not trust the domain that you are authenticating to. That should be why you are seeing SEC_E_NO_AUTHENTICATING_AUTHORITY.
To cut it short, if you want to do exactly the same thing as
PrincipalContext.ValidateCredentials(username, password);
you need to handle the local user differently from the domain user. For domain user, you need to call ldap_bind_s to bind to the domain controller using the given credentials. For local user, you need to use ADsOpenObject to bind to the WinnT://YourComputerName using the given credentials. This is what PrincipalContext.ValidateCredentials doing from what I read in the Reflector.
I don't see there is any equivalent one single native API doing the same thing for you.