Umbraco Active Directory integration - umbraco

I'm new to Umbraco and I configured it to use Active Directory for login following the official documentation (https://github.com/umbraco/UmbracoDocs/blob/master/Reference/Security/index.md#authenticating-with-active-directory-credentials). The behavior is a bit odd.
Before I configured the AD integration, I was able to log in to Umbraco with the email/password defined upon installation. After the integration, I could log in with the same email but with my AD password, so I guess that the integration kind of works...
However, now I'd like some other people to log in to the site via their AD credentials, but I have no idea how to achieve that. If I invite a user, it creates an account with his email, but he has to define a password, so it's not AD integrated. The same thing occurs if I try to create a new user.
So at the end of the day, I have no idea how to reliably integrate AD with Umbraco. Has anyone already achieved this and can give me pointers?
I'm running Umbraco 7.10.2.

You need to first create a User account in Umbraco so that you can assign the necessary permissions etc. This is a standard Umbraco User and needs to correspond to the AD username. I'm not sure, though, that the Umbraco User needs a designated password; it's possible you can just let Umbraco auto-generate the password and they will be able to log in with the AD credentials.
To fully integrate Umbraco with AD in the way you're expecting would require some extra code on your part to query AD and pull in the users, auto-generate and link them to a corresponding Umbraco User with an auto-generated password. It's doable, just will take some creative coding on your part.
Update:
If you look in the Umbraco Log after attempting to log in as an Active Directory user without a corresponding Umbraco User, you will most probably find an error with the following message:
The user <UserName> does not exist locally and currently the ActiveDirectoryBackOfficeUserPasswordChecker doesn't support auto-linking, see http://issues.umbraco.org/issue/U4-10181
The referenced Issue has more details available: http://issues.umbraco.org/issue/U4-10181

"Error 403: access_denied" when using Google OAuth

I am trying to understand the basic logic for receiving Gmail emails with Google OAuth. I see this document: Authorizing Your App with Gmail.
Now I follow the instructions in Setting Up POP3 Importing with OAuth via Google to setup POP3 with Google OAuth.
I log in to one Google account (Account1) and then, in Google Cloud, create the Google App and OAuth Client ID.
Then I start connecting to a Gmail account (Account2) with the web application (WHMCS). When connecting, it asks me to choose an account that created the app, so I choose Account1. But I get the following error:
Error 403: access_denied
The developer hasn’t given you access to this app.
Thus I am a bit confused. Since Account1 is used to create the app and OAuth Client ID, it should be able to access the app when I choose Account1, but the app will not be able to access the data in Account2. Or does the "app" in the error message mean Gmail, not the app I created in Google Cloud?
Should I use Account2 to create the app for receiving emails in Account2? If yes, then for each Gmail account, should I create a separate app accordingly?
Update
Now I try to do as follows:
Use Account3(The admin of Google Workspace) to create the Cloud Project, Consent Window, Client ID, etc.
Then when connecting from WHMCS on our domain datanumen.com, it asks me to choose the account, I choose Account3, and then see a new window as below:
I then select "Allow" button, but then see the following error:
Connection unsuccessful. Please close this window and try again.
Update
I tried several times, and found the first time was successful. I had forgotten to enable POP3 in my Gmail account. After enabling it, everything is fine.
I am a bit confused as to what you are trying to do here.
You created a project on Google cloud console and created client id and client secret for the authorization of your project.
All this does is create a project that will be allowed to use OAuth2 to request authorization of a user to access their data.
If I understand what WHMCS is trying to do, it's going to let you use your client id and client secret to request access of a user to access their data.
So when it asks you to authorize a user, this is the user whose data you want access to. That user must be added as a test user over on Google cloud console for the project that you created.
The project you create on Google cloud console is still in the testing phase. Each user you want to allow to test your application must be added as a test user. Otherwise only the owner of the project can test the application.
Fixing this issue was, for me, this simple:
Go to https://console.developers.google.com/
Open the project in question.
Click "OAuth consent screen" on the left.
Under "Test users" there is a button called "+ ADD USERS".
Type the email of the account you will be testing with, press enter, then click save.
It should work now.
It seems like they updated this recently because last year I did not have to do this.
Workspace
The issue you may be having is that if you created this project on a workspace account then I suspect only workspace domain users are going to be able to authorize it. It can't be authorized by someone on the standard Google domain. So try with a workspace domain user. The same may go the other way; I have never tried tbh. I tend to keep workspace within its domain.

Error when attempting to upgrade access level of VSTS user

I have a team set up in VSTS and I am trying to upgrade certain team members who need access to the test suite functionality. I have procured several paid enterprise level accounts that show as available. However, when I attempt to change someone's access level from basic to enterprise I get the following error:
vs1720077: Subscription could not be validated.
I have the top level account so I am not sure why I am not able to upgrade these users.
Just as Daniel commented, you must link your work ID. For troubleshooting:
Make sure in the https://msdn.microsoft.com portal you have actually linked your work ID. You still need to explicitly do this even if your MSA and Work ID use the same email address, e.g. user@domain.com. Using the same email address for both IDs can get confusing, so I would recommend considering setting up your MSA email addresses to not clash with your work ID.
When you login to VSO MAKE SURE YOU USE THE WORK ID LOGIN LINK (LHS OF DIALOG UNDER VSO LOGO) TO LOGIN WITH A WORK ID AND NOT THE MAIN LIVEID FIELDS. I can't stress this enough, especially if you use the same email address for both the MSA and work account.
If you still get issues with picking up the MSDN subscription:
- In VSO the admin should set the user to be a basic user.
- In https://msdn.microsoft.com the user should make sure they did not make any typos when linking the work account ID.
- The user should sign out of VSO and back in using their work ID, MAKE SURE THEY USE THE CORRECT WORK ID LOGIN DIALOG. They should see the features available to a basic user.
- The VSO admin should change the role assignment in VSO to be MSDN eligible and it should flip over without a problem. There seems to be no need to log out and back in again.
Source Link: Why can't I assign a VSO user as having 'eligible MSDN' using an AAD work account?
Also take a look at this similar issue: Lost capability when msdn.microsoft.com was forced to my.visualstudio.com link and VSTS Validation

MVC 5 Windows Authentication logic

I am trying to understand how to create an MVC5 website with Active Directory authentication. I also want to manage users. So for this I created a simple project in VS2013 and selected "Windows Authentication". When I run the application I get an authentication popup to enter AD username and password. After that it says on the top right "Hello AD/UserName!".
But I am not seeing the logic where it actually calls for authentication. I also want to save a few AD users to a database and allow only them to log in to the website. How can I do this? Also, how will my other web pages know whether the user is already authenticated? Thank You.
One approach:
Instead of selecting 'Windows Authentication', you choose 'Anonymous' (I don't remember the exact word here).
Implement logic to authenticate the user against Active Directory. Once the user is authenticated, store that user object in the 'User' property of the current context, so that you can access it and authorise the user in subsequent requests.
As you are aware, AD can only authenticate a user against it. Providing access to a few of them is the authorisation part, which we need to handle as part of our application. Since you want to enable access to the website for a few people in AD, what you can do is add those users to your application's database and allow authorisation to those only.
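The split the answer describes, worked through as an added example (not the answer's own code and not tied to any ASP.NET API): the directory step only establishes who the caller is, and a separate allow-list table owned by the application decides whether that identity may use the site. The example also handles an edge the answer does not spell out: the same AD user can arrive as DOMAIN\user, as a UPN (user@suffix) or as a bare name, so identities are normalised to one canonical form before the allow-list lookup, and a UPN suffix the application does not trust is rejected rather than guessed at. The domain names, accounts, passwords and the in-memory directory stub are all constructed so the example runs offline.

```python
"""Authentication vs. authorisation for an AD-backed site (added example, not the
answer's own code). The directory only proves who the caller is; the application
then checks its own allow-list to decide whether that identity may use the site.
Identity names are normalised first, because the same AD user can arrive as
DOMAIN\\user, user@upn.suffix or a bare username, and a raw string comparison
would miss (or loosely match) an allow-list entry. Domain names, accounts and
passwords below are constructed sample data; the directory is a stub so the
example runs offline."""
import sqlite3
from typing import Optional, Tuple

# Constructed: which UPN suffixes this application trusts, and their NetBIOS names.
UPN_TO_NETBIOS = {"corp.example": "CORP"}
DEFAULT_DOMAIN = "CORP"

# Constructed stand-in for the directory. In the real site this step is the
# Windows authentication handshake (or an LDAP bind), not a password dictionary.
FAKE_DIRECTORY = {
    "corp\\alice": "constructed-pw-1",
    "corp\\bob": "constructed-pw-2",
    "corp\\carol": "constructed-pw-3",
}


def normalise(identity: str) -> str:
    """Canonical form 'domain\\samaccountname' in lower case.

    Raises ValueError for a UPN suffix the application does not trust, so an
    identity from an unknown realm is rejected instead of guessed at.
    """
    identity = identity.strip()
    if "\\" in identity:
        domain, _, user = identity.partition("\\")
    elif "@" in identity:
        user, _, suffix = identity.partition("@")
        try:
            domain = UPN_TO_NETBIOS[suffix.lower()]
        except KeyError:
            raise ValueError(f"untrusted UPN suffix: {suffix}") from None
    else:
        domain, user = DEFAULT_DOMAIN, identity
    if not user:
        raise ValueError("empty account name")
    return f"{domain}\\{user}".lower()


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication step: returns the canonical identity, or None on failure."""
    try:
        canon = normalise(username)
    except ValueError:
        return None
    if FAKE_DIRECTORY.get(canon) == password:
        return canon
    return None


def build_allowlist() -> sqlite3.Connection:
    """The application's own table of permitted AD users (in-memory for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE allowed_users (identity TEXT PRIMARY KEY, role TEXT NOT NULL)"
    )
    entries = [("CORP\\Alice", "admin"), ("bob@corp.example", "user")]  # constructed
    conn.executemany(
        "INSERT INTO allowed_users VALUES (?, ?)",
        [(normalise(who), role) for who, role in entries],
    )
    conn.commit()
    return conn


def authorise(conn: sqlite3.Connection, identity: str) -> Optional[str]:
    """Authorisation step: look the canonical identity up in the allow-list."""
    row = conn.execute(
        "SELECT role FROM allowed_users WHERE identity = ?", (identity,)
    ).fetchone()
    return row[0] if row else None


def handle_request(conn: sqlite3.Connection, username: str,
                   password: str) -> Tuple[int, Optional[str]]:
    """Per-request pipeline: authenticate, keep the principal, then authorise."""
    principal = authenticate(username, password)
    if principal is None:
        return 401, None            # directory rejected the credentials
    role = authorise(conn, principal)
    if role is None:
        return 403, principal       # valid AD account, but not an application user
    return 200, principal


if __name__ == "__main__":
    db = build_allowlist()
    for user, pw in [("CORP\\alice", "constructed-pw-1"),
                     ("bob@corp.example", "constructed-pw-2"),
                     ("carol", "constructed-pw-3"),
                     ("bob@evil.example", "constructed-pw-2")]:
        print(user, "->", handle_request(db, user, pw))
```

Note the 403 case: carol authenticates successfully against the (stub) directory but is not in the application's table, which is exactly the "authenticated but not authorised" distinction the answer draws.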

Identity 2.0 Linking Multiple Login Providers

I have finally managed to implement Facebook as an external login provider on my MVC website, which seems to be working fine, but I am wondering what is the correct / secure way to allow multiple external login providers to be linked to a single account.
Let's say I log in with my Facebook ID, no existing account is found with the same email address, and my website persists a new account with their email address and their Facebook token etc. associated.
The next day I log in with my Google account. If I check my database for an account which already has a matching email address, what should I do?
1) Link this Google account with the existing account automatically and log them in?
2) Ask the user if they wish to link their Google account to the already existing account we found?
3) Something else?
Thank You.
It is really up to you. But the default provided in the VS2013 template assumes a one-to-many relationship between your internal user and any external logins. If you retrieve a user with UserManager, you will see an IList for each external provider the user has logged in with.
As they log in with the new provider, you would normally not automatically know the user is associated with another provider's login. When you log in, it looks up a user via the external ProviderKey, so initially it would not find any relation to an internal user. At that point you could search users by name, email (with a customized user store) and so on to link as needed.
Assuming primary emails registered on Facebook and Google, for example, are verified by them (which they usually are), I don't see any issues with linking them together.
I think the main problem is linking an internal account with an email that was not verified to be from a specific user. If I create an account with the email of another user and that email is not verified, when the other user creates an account it associates the data of the first user together, and that way both users are using the same account.
Can anyone identify and explain potential flaws in my first claim please?
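The linking decision discussed in this thread, as an added example (not code from the original posts and not the ASP.NET Identity API): the provider key is the only identifier that is authoritative on its own, an e-mail match is a hint, and the flaw raised in the last comment is avoided by linking on e-mail only when both the incoming assertion and the stored account carry a verified address. Option 1 and option 2 from the question are the same code path; they differ only in whether the user is asked to confirm. Provider names, keys and addresses are constructed, and the user store is an in-memory stand-in.

```python
"""Linking a second external login to an existing account (added example, not code
from the original thread or from ASP.NET Identity). An e-mail match is only a hint;
linking on it is safe only when both the incoming assertion and the stored account
carry a verified address. Otherwise someone who pre-registers an account with
another person's unverified address would inherit that person's logins when they
later sign in. Provider names, keys and addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class ExternalLogin:
    provider: str          # e.g. "Facebook", "Google" (constructed)
    provider_key: str      # the provider's stable user id, never the e-mail
    email: str
    email_verified: bool   # whether the provider asserts the address is verified


@dataclass
class Account:
    user_id: int
    email: str
    email_verified: bool
    logins: Set[Tuple[str, str]] = field(default_factory=set)


class UserStore:
    """In-memory stand-in for the user store; lookups mirror the two paths in the answer."""

    def __init__(self) -> None:
        self._accounts: Dict[int, Account] = {}
        self._by_login: Dict[Tuple[str, str], int] = {}
        self._next_id = 1

    def create(self, login: ExternalLogin) -> Account:
        acct = Account(self._next_id, login.email.lower(), login.email_verified)
        self._next_id += 1
        self._accounts[acct.user_id] = acct
        self.add_login(acct, login)
        return acct

    def add_login(self, acct: Account, login: ExternalLogin) -> None:
        key = (login.provider, login.provider_key)
        acct.logins.add(key)
        self._by_login[key] = acct.user_id

    def find_by_login(self, login: ExternalLogin) -> Optional[Account]:
        uid = self._by_login.get((login.provider, login.provider_key))
        return None if uid is None else self._accounts[uid]

    def find_verified_by_email(self, email: str) -> Optional[Account]:
        """Only accounts whose address was verified are candidates for linking."""
        email = email.lower()
        for acct in self._accounts.values():
            if acct.email_verified and acct.email == email:
                return acct
        return None


def decide(store: UserStore, login: ExternalLogin) -> Tuple[str, Optional[Account]]:
    """Return (action, account): 'signin', 'prompt_link' or 'create'."""
    acct = store.find_by_login(login)
    if acct is not None:
        return "signin", acct                 # provider key already linked
    if login.email_verified:
        match = store.find_verified_by_email(login.email)
        if match is not None:
            return "prompt_link", match       # option 2: ask before linking
    return "create", None                     # no trustworthy match: new account


def handle_external_login(store: UserStore, login: ExternalLogin,
                          user_confirms_link: bool = False) -> Tuple[str, Optional[Account]]:
    """Apply the decision. Option 1 (automatic linking) is this same flow with
    user_confirms_link forced to True; the verified-on-both-sides rule is unchanged."""
    action, acct = decide(store, login)
    if action == "signin":
        return action, acct
    if action == "prompt_link":
        if user_confirms_link:
            store.add_login(acct, login)
            return "linked", acct
        return "declined", None               # user must choose what to do next
    return "created", store.create(login)
```

The attack in the last comment maps onto the third scenario in the test: a local account registered with an unverified victim@example.com is never returned by find_verified_by_email, so the real owner's later Google sign-in gets a fresh account instead of being merged into the attacker's.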

MyOpenId not sharing email address

I'm trying to use MyOpenID for my sign-in, but it doesn't seem to be sharing the email address.
If I use Google or others I do seem to get the email address, though. I thought that this was a standard field to return.
I even see some documentation here that seems to suggest they would share email:
https://rpxnow.com/docs/providers
(I'm using Ruby on Rails and Janrain for this project)
One interesting thing is that if I set up an identity page on MyOpenId, then the email IS shared with my application. I thought that there was supposed to be a way when logging in with MyOpenID to specify what data is shared during "SimpleRegistration"?
The problem was that I was testing with my own MyOpenId account and the very first time I logged in to my development server I had not paid enough attention.
When logging in the first time it said something along the lines of "blah site is asking you to share information with it. Click here to use an existing persona or to create a new one." I didn't select one and it defaulted to "don't ask again".
I was able to fix this by going in to MyOpenId and revoking permission for my site. Then the next time I logged in it asked me again and it worked.
