ADFS 2016 IE and Edge prompt - asp.net-mvc

We have an on-site ADFS 2016 server set up to authenticate clients to web applications. This seems to work fine for browsers other than IE or Edge.
When using those browsers the client gets a 401 and gets prompted for their credentials when trying to access the ADFS login page.
This version of ADFS doesn't use IIS, so there is nothing to set there.
We made sure the ADFS DNS entry is an A record.
We tried adding the adfs url to the trusted sites in the client browser with no success.
Is there something else that needs to be setup for this to work?

This issue may relate to your primary authentication setting in ADFS being set to Windows Authentication. This may be a bit different in Windows 2016, but in 2012 R2, if you open your ADFS console, select Authentication Policies in the left-pane and then Edit Global Primary Authentication in the right-pane, you can see the primary authentication settings for Extranet and Intranet users.
If you would like Windows Authn to be your primary authentication, you may then need to enable Windows Integrated Authentication in IE / Edge. There are a couple of steps for this I can provide if this is your case.
UPDATE: It appears that this turned out to be a Kerberos and SPN issue. Your ADFS machine name and ADFS service name should NOT be the same. The core of the issue, I believe, is that the SPN "HOST/AdfsMachineName" is registered with the AD computer object for the ADFS server and the SPN "HOST/AdfsServiceName" is registered with the ADFS service account. If AdfsMachineName and AdfsServiceName are the same, this causes a duplicate SPN scenario.
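A way to verify the duplicate-SPN condition described in that update, as an added example (not part of the original answer). It assumes the ADFS service account is svc_adfs and that the RSAT ActiveDirectory module and setspn.exe are available on a domain-joined host; the federation service name is read from ADFS itself.

```powershell
# Added example: check the HOST/ SPNs that ADFS relies on for Kerberos and look for the
# duplicate-SPN condition (same name on the computer object and the service account).
# Assumptions: service account sAMAccountName 'svc_adfs'; run on the ADFS server with
# RSAT (ActiveDirectory module) and setspn.exe present.

$serviceAccount = 'svc_adfs'                       # assumed ADFS service account
$fsName         = (Get-AdfsProperties).HostName    # federation service name, e.g. adfs.contoso.com

# 1. The federation service name must differ from the server's own FQDN; if they are equal,
#    HOST/<name> is implicitly held by the computer object AND explicitly by the service account.
$machineFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($fsName -ieq $machineFqdn) {
    Write-Warning "Federation service name '$fsName' equals the machine FQDN '$machineFqdn'; expect duplicate HOST/ SPNs."
}

# 2. Which directory objects hold HOST/<federation service name>? More than one is the duplicate case,
#    and Kerberos clients (IE/Edge with WIA) then fall back to a credential prompt or fail outright.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HOST/$fsName)" |
             Select-Object -ExpandProperty DistinguishedName)
"HOST/$fsName is registered on: $($holders -join '; ')"
if ($holders.Count -gt 1) {
    Write-Warning "Duplicate SPN: HOST/$fsName is present on $($holders.Count) objects."
}

# 3. Forest-wide duplicate scan and the service account's full SPN list, for the record.
setspn -X -F
setspn -L $serviceAccount

# 4. Remediation, once the name is unique: register HOST/<fsName> only on the service account.
#    (-S checks for duplicates before adding.)
#    setspn -S HOST/$fsName $serviceAccount
```

If step 2 lists both the computer object and the service account, renaming the federation service (or the server) so the two names differ, then removing the stray SPN, is the fix; reissuing the SSL certificate for the new name follows from that.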

Check the output of the command below.
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUseragents
Should look something like this.
PS C:\Users\admin.contoso> Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUseragents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge
PS C:\Users\admin.contoso>
This controls which user agents (browsers) are allowed to do WIA. I suspect this list only contains non-IE/Edge user agents.
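An added example (not part of the original answer) that tests a browser's User-Agent string against WIASupportedUserAgents and appends an entry with Set-AdfsProperties. Assumption stated here: plain entries are treated as substrings of the User-Agent and entries prefixed "=~" as regular expressions, which is what the "=~Windows\s*NT.*Edge" entry in the output above relies on. The sample User-Agent strings are constructed, and the Chromium entry at the end goes beyond the IE/legacy-Edge case the question asks about.

```powershell
# Added example: evaluate a User-Agent against the ADFS WIA allow-list, then extend the list.
# Assumption: entries starting with "=~" are regexes, all others are substring matches.

function Test-AdfsWiaUserAgent {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [string[]]$Supported = (Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
    )
    foreach ($entry in $Supported) {
        if ($entry.StartsWith('=~')) {
            if ($UserAgent -match $entry.Substring(2)) { return $entry }   # regex entry
        }
        elseif ($UserAgent.Contains($entry)) { return $entry }             # literal entry
    }
    return $null   # no match: ADFS will use forms auth (or a 401 prompt) instead of WIA
}

# Constructed sample User-Agent strings: IE 11 on Windows 10 and legacy (EdgeHTML) Edge.
$ie11 = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
$edge = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063'

foreach ($ua in $ie11, $edge) {
    $hit = Test-AdfsWiaUserAgent -UserAgent $ua
    if ($hit) { "WIA allowed    : matched entry '$hit'" } else { "WIA NOT allowed: $ua" }
}

# Append rather than replace, so the default entries survive. Chromium-based browsers send
# "Chrome/" (and Chromium Edge sends "Edg/", not "Edge/"), so the default regex does not cover them.
$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
$chromium = '=~Windows\s*NT.*Chrome'
if ($current -notcontains $chromium) {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $chromium)
    Restart-Service adfssrv    # the new list is read when the AD FS service starts
}
```

For the question as asked, run the function with the exact User-Agent the failing IE/Edge client sends (visible in the ADFS audit events or a fiddler trace); "Trident/7.0" covers IE 11 and the "=~Windows\s*NT.*Edge" regex covers legacy Edge, so if both are present the 401 is more likely the SPN problem from the other answer than this list.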

Related

How to find out the "current logged on user"?

I have an ASP.NET MVC app. It is hosted on Windows Server 2012 R2 joined to an AD domain.
The operating regime requires an HTTP proxy and credentials. When using a browser, the logged-in credentials of the (human) domain user are applied transparently.
My ASP.NET app uses HttpWebRequest. Although the documentation says it would use the proxy as set in Internet Explorer, it does not appear to be doing so. So I assign the proxy manually and set UseDefaultCredentials to true, which the documentation says will use the credentials of the "currently logged on user". But the response came back with:
The remote server returned an error: (407) Proxy Authentication Required.
Under IIS Authentication settings, I already have enabled ASP.NET Impersonation: <identity impersonate="true" />. (Is this the right thing to do?) How do I find out the identity of the process that is used to make the HttpWebRequest?
Or what must I do to use the credentials of the logged in domain user using my app to access the proxy?
I think you may refer to this answer on another question right here
I think it's exactly related to your question

Auth0 ADFS - Can't Find Federation Metadata URL - Next Steps

This post became much longer than anticipated. TL;DR: Where is my ADFS Federation Metadata located on my server? My overall task is to set up a test ADFS server in order to integrate our current application with ADFS.
Hello, I'm trying to integrate our application with ADFS (it's a WPF application with a NodeJS backend), and I'm testing out Auth0 for this job (but if there are other simple solutions, I would be open to that as well - I've found no good guides so far ): especially as a developer with no AD experience).
Regardless, I think I've set up a single server AD FS environment (locally as server1.local - with AD CS, AD DS and AD FS and that same server is the domain controller/DNS server) and set up an Auth0 relying party using this guide:
https://auth0.com/docs/connections/enterprise/adfs
In the next steps part, it says: try these quickstart guides. So I've downloaded the Angular2 quick start example project to test. But when I go to the enterprise connections and try to set up an ADFS connection, it asks for an ADFS URL
You can either provide the ADFS URL or upload the federation metadata file.
But I can't seem to find my ADFS URL. Not only that, my server is local, so it wouldn't be able to use my URL anyways right? I can just upload the metadata instead?
I've tried going to https://server1.local/federationmetadata/2007-06/federationmetadata.xml and https://127.0.0.1/FederationMetadata/2007-06/FederationMetadata.xml and https://localhost/FederationMetadata/2007-06/FederationMetadata.xml (which, under endpoints, is the one that shows), but IE says:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://server1.local again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
I've enabled TLS 1.0, 1.1 and 1.2 and this still doesn't seem to give me my metadata. I've also tried that URL on Chrome and it gives a generic "This site can't be reached"
How do I get my metadata?
In the ADFS configuration, look for what you configured as your federation service name.
Use this in the URL:
https://<federation service name>/federationmetadata/2007-06/federationmetadata.xml
BTW, the federation service name should not be the FQDN of the server.
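An added example (not part of the original answer) that builds the metadata URL from the federation service name ADFS actually has configured, checks that DNS and the HTTP.SYS TLS binding agree with that name (the usual cause of the "turn on TLS" / "can't be reached" errors in the question), and fetches the document. Run it on the ADFS server; the only assumed value is the lab name adfs.contoso.com used in comments.

```powershell
# Added example: derive and verify the ADFS federation metadata URL.
# Run on the ADFS 2016 server as an administrator.

$props  = Get-AdfsProperties
$fsName = $props.HostName        # federation service name (e.g. adfs.contoso.com), NOT the server FQDN
$url    = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
"Federation service name : $fsName"
"Metadata URL            : $url"

# 1. The name must resolve. In a single-box lab, an A record on the local DNS server
#    (or a hosts-file entry) pointing at the server's own address is enough.
try {
    Resolve-DnsName -Name $fsName -Type A -ErrorAction Stop | Select-Object Name, IPAddress
}
catch {
    Write-Warning "'$fsName' does not resolve; add an A record or hosts entry before testing."
}

# 2. ADFS 2016 terminates TLS in HTTP.SYS (no IIS). The certificate must be bound for
#    <federation service name>:443; requests to 'localhost' or '127.0.0.1' hit no binding,
#    which is why the browser reports a protocol error rather than a 404.
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $fsName -and $_.PortNumber -eq 443 }
if ($binding) { $binding | Select-Object HostName, PortNumber, CertificateHash }
else          { Write-Warning "No 443 SSL binding for '$fsName' (Get-AdfsSslCertificate); fix with Set-AdfsSslCertificate." }

# 3. Fetch the metadata and check that its entityID matches the ADFS identifier.
#    With a self-signed lab certificate, import it into Trusted Root on this machine first,
#    or PowerShell will refuse the TLS handshake.
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing
[xml]$md = $resp.Content
"entityID in metadata    : $($md.EntityDescriptor.entityID)"
"Identifier in ADFS      : $($props.Identifier)"
```

If step 3 succeeds, saving $resp.Content to a file is the "upload the federation metadata file" option in Auth0 for a server that is not reachable from the internet.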

setting up user access to localhost in SSRS 2014

I have an instance of SSRS 2014 running on Windows Server 2012 R2 and cannot seem to properly grant access to the localhost reportserver to myself. I have admin rights to the server. I have logged into the server and run IE as administrator in order to grant my username all site-wide roles (System Administrator, System User) as well as all roles for the Home folder. Yet when I run IE not as administrator and attempt to access the reportserver, I get:
User 'servername\myusername' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
I have tried rebooting the server (just in case) - no help.
What am I missing?
I have answered my own question by following the directions here:
http://www.sqlservercentral.com/blogs/pearlknows/2014/03/06/configuring-native-mode-ssrs-on-local-host/
Specifically I used SQL Reporting Services Configuration to add a Report Manager HTTP URL.

TFS 2010 - Access Denied to Administrator for '/tfs'

I'm trying to set up a TFS2010 (with SP1) server and I keep running into hurdles.
The latest prevents me from doing anything useful as every HTTP request to "https://tfs.myserver.com/tfs" results in a HTTP 401. It doesn't matter if these requests come from the TFS Administration Console or from a web-browser. Every time I'm prompted to authenticate I enter the domain Administrator's fully-qualified username and password and I always get this error message:
Team Foundation Server
TF30063: You are not authorized to access https://tfs.myserver.com/tfs. - The remote server returned an error: (401) Unauthorized.
Only a few settings in the Administration Console work (such as "Change URLs") but others, like "Group Membership" (either on the Application Tier node or on a Team Project Collection) results in the same prompt-then-fail.
The SSL certificate is valid, and the URLs seem consistent. I can't think what I'm missing out on.
EDIT: There is nothing relevant in the usual Event Logs. The Security log does show my Audit Failures, but I don't understand them because I'm entering the usernames and passwords correctly (the very same I use to access the servers over RDP):
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: DOMAIN
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
What's different about the Group Membership & security dialogs is that they go through the client APIs and access via IIS. All others, such as change server URLs, go through the server model straight to the DBs. That means IIS cannot authenticate on your domain for some reason...
From the description, it seems like a domain-joined machine. Does IIS have access to the domain controllers? (Is it connected to the domain network?) The wizards verify you can reach AD, but if you disconnect afterwards... If IIS can't reach AD it will not be able to authenticate. TFS relies on IIS for Windows authentication. It appears it can't do that.
Some other things to try:
On the application tier panel of the admin console, try changing the account (domain account) that the server runs as.
Did you choose Kerberos authentication in the advanced wizard? If you do that with a domain user as the service account, there's a pop-up dialog telling you that you need extra AD administration. If you did that, you can change to NTLM from the admin console.
Try to access it via http://machinename:8080/tfs (instead of the FQDN) both locally and remotely. Try http://machinename:8080/tfs/web from the web browser as well. Make sure you're not having a proxy server issue (routing NTLM through proxy servers can be problematic - if you have "bypass local" in IE settings then an address without dots won't route through the proxy, and that takes it out of the troubleshooting picture). You can also completely disable the proxy in IE just for troubleshooting.
Create another web site manually with a hello world aspx running as the same account with anonymous & basic auth disabled and integrated windows auth enabled. Ensure it works.
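The last suggestion, stood up from PowerShell, as an added example (not from the answer): a minimal site that prints the authenticated identity, with anonymous and basic authentication off and Windows Authentication on, running under the same account as TFS. Assumed names: site TfsAuthTest on port 8081 under C:\inetpub\TfsAuthTest and service account CONTOSO\svc_tfs; requires the IIS WebAdministration module.

```powershell
# Added example: isolate IIS Windows Authentication from TFS with a throwaway site.
# Assumptions: site name/port/path below; app pool runs as the TFS service account (prompted for).

Import-Module WebAdministration

$site = 'TfsAuthTest'; $port = 8081; $root = 'C:\inetpub\TfsAuthTest'
$cred = Get-Credential -UserName 'CONTOSO\svc_tfs' -Message 'TFS service account (assumed name)'

New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path (Join-Path $root 'default.aspx') -Value @'
<%@ Page Language="C#" %>
<html><body>
Authenticated as: <%= User.Identity.Name %> via <%= User.Identity.AuthenticationType %>
</body></html>
'@

# App pool under the same identity TFS uses, so a failure here reproduces the TFS failure.
if (-not (Test-Path "IIS:\AppPools\$site")) { New-WebAppPool -Name $site | Out-Null }
Set-ItemProperty "IIS:\AppPools\$site" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
New-Website -Name $site -Port $port -PhysicalPath $root -ApplicationPool $site -Force | Out-Null

# Authentication exactly as the answer describes: anonymous off, basic off, Windows on.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$auth/basicAuthentication"     -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true

# Call it with the current Windows credentials, by short machine name so no proxy is in the path.
try {
    $r = Invoke-WebRequest -Uri "http://$($env:COMPUTERNAME):$port/default.aspx" -UseDefaultCredentials -UseBasicParsing
    $r.Content
}
catch {
    # A 401 here, paired with 0xC000006D/0xC000006A audit failures for a known-good password,
    # means IIS/AD (secure channel, DC reachability, NTLM via proxy), not TFS, is the problem.
    Write-Warning $_.Exception.Message
}
```

Run the same request from a remote domain-joined client as well; if the local call succeeds and the remote one fails, the proxy or the Kerberos SPN for the service account is the next thing to look at.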
After growing frustrated with trying the helpful suggestions people made but not getting anywhere I decided to start-over and try again. I completely uninstalled TFS, SQL Server, and SharePoint services and reinstalled from scratch.
This time it worked fine - no meddling with security was necessary and the system just worked out-of-the-box.
Looking back, I think the problem was that I set up TFS with the advanced option to use SharePoint, and then I probably fiddled around with settings I wasn't familiar with and ended up making a hash of things.
Note to future self: practice in a VM before deploying in production.

How to configure Windows Authentication / Impersonation + IIS 7 + MVC

I have a Windows 2008 server running IIS 7 and I'm trying to configure Windows Authentication and ASP.NET Impersonation, specifically for an intranet site which uses MVC. When a user hits the site from IE they are automatically logged in to our site using the captured Windows username.
I have everything working in IIS 6 with:
Anonymous access off
Integrated Windows Authentication on, and:
<identity impersonate="true"/> in the web.config.
In IIS 7, I can't seem to get it working, even in classic mode.
Under Authentication for the site in IIS 7, I have Windows Authentication and ASP.NET Impersonation enabled, everything else disabled. When I hit the site locally, it works. From a remote machine (on the same domain, using IE, loading it as an intranet site using the machine name i.e. http://servername/site/) I get challenged for my Windows credentials. Even if I enter in valid Windows credentials it fails, and clicking cancel gives me a HTTP Error 401, "The requested resource requires user authentication".
Toggling ASP.NET Impersonation does not help anything. Any suggestions?
The problem turned out to be that the server had lost connection with the domain. I tried to remote desktop into the machine using my domain user account instead of a local admin, and I got the error:
The trust relationship between this workstation and the primary domain failed.
I removed the machine from the domain and re-added it, and after that both Windows Authentication and ASP.NET Impersonation work correctly.
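As an added example (not from the answer), the check that confirms this diagnosis before any IIS settings are touched, and the repair that avoids a full leave/re-join: Test-ComputerSecureChannel returns $false in exactly the "trust relationship ... failed" state, and -Repair resets the computer account password against a domain controller. CONTOSO is the assumed domain name; run as a local administrator on the web server.

```powershell
# Added example: verify and repair the server's secure channel to the domain.
# Windows Authentication in IIS depends on this channel (NTLM pass-through and Kerberos
# ticket validation both go to a DC), so a broken trust shows up as 401s for valid credentials.

if (Test-ComputerSecureChannel -Verbose) {
    'Secure channel to the domain is healthy; look elsewhere (SPNs, proxy, app pool identity).'
}
else {
    Write-Warning 'Secure channel is broken; repairing (this resets the computer account password).'
    $cred = Get-Credential -Message 'Domain account permitted to reset this computer object'
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        'Repaired. Run iisreset so the worker processes pick up the new channel, then retry the site.'
    }
    else {
        Write-Warning 'Repair failed; fall back to removing the computer from the domain and re-joining.'
    }
}

# Which DC the server is talking to, and whether a DC is reachable at all (nltest ships with Windows).
nltest /sc_query:CONTOSO
nltest /dsgetdc:CONTOSO
```

If nltest cannot find a DC, the 401 is a network/DNS problem rather than a trust problem, and the repair will fail for the same reason.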