Authenticating my web site with MSA in Debug mode - oauth-2.0

Issue: On Launching the Web application in debug mode, Authentication is getting failed.
Detailed steps that i have implemented in debug mode:
1.Registered my application in Microsoft developer center
2.Modified my project URL to the same domain name, that i have used to register.
3.Used the Client ID and Secret key, from the registered application in web application.
4.Launched the sample application with the registered URL, in visual studio.
5.On clicking on Microsoft button, to authenticate- i am getting landed in error page.
6.Error URL: https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.
+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.
Queries:
1.Is it possible to verify the MSA Authentication in local environment in debug mode?
2.Does Microsoft authentication page re-directs to my localhost (at any case).

Your problem lies in your step 2. "2.Modified my project URL to the same domain name, that i have used to register."
To whatever URL you are using to register your app you have to append /signin-microsoft, i.e., if the URL for your app is, for example https://localhost:44300, then when you register your app with Microsoft the Redirect URI has to be https://localhost:44300/signin-microsoft. Therefore:
1.Is it possible to verify the MSA Authentication in local environment in debug mode?
Yes, follow my steps above (it has nothing to do with debug mode)
2.Does Microsoft authentication page re-directs to my localhost (at any case)
Yes, if you append /signin-microsoft to your app URL when registering it

Related

When browse from web server, Windows authentication not working

I have two servers,
WEB01_Server
APP01_Server
So my ASP.NET MVC application has two Projects
Sample_Web
Sample_Service
So my application architecture like following
so both these projects I hosted in APP01_Server So I enable the windows authentication(using IIS) for Sample_Web project and once I browse this web project in App server URL windows login prompt coming and successfully able to log in.
Once I browse with WEB01_Server URL, it also windows AD login prompt coming and but cannot log in.
Additionally, I enabled Windows authentication in WEB01_Server this application IIS web site instance and result is same.
Configuration wise What else I need to configure ?

HTTP 403 Error when deploying ASP.NET App to Azure Web App

I am trying build up a Staging Environment for an ASP.NET MVC Web App, but am stumbling from problem to problem, the last one having been this one: HTTP 500.79 Error / System.UriFormatException when deploying ASP.NET App to Azure Web App
Currently I am getting a HTTP 403 - Forbidden, "You do not have permission to view this directory or page." error when trying to access the page.
Authentication-wise the App uses Azure Active Directory as Authentication Provider, which is working fine in local testing (using a Test-AAD) and in production. The local and productive apps are not using Azure Web Apps. I noticed on the Azure App Service page that there is a possibility to specify authentication right within Azure, but I don't really want / need to use that, as everything is specified within the app resp. configured in the web.config (ClientID, ClientSecret and Tenant). Anyway, when I tried filling in the Authentication on Azure directly it did not work either, so I removed it again.
What happens now is that the redirect to the Login page on login.microsoftonline.com works, and according to the AAD Admin the login attempt is being successful, or at least shows no pecularities. However, when being redirected back to my page, I get a generic 403, without any additional information that could help pin the problem down.
I did check all sorts of logs for further details, and the only pecularity I found is that for some very odd reason, all requests are made to a completely gibberish URL:
Requested URL / specified Reply URL: https:\\skillmanagementtest.azurewebsites.net
Actually requested URL according to logs: https:\\Skillmanagementtest:80
I have absolutely no clue where this URL originates from, however, "Skillmanagementtest" with that capitalization seems to be the name I specified for the Azure Web App:
Screenshot resource group items
The web.config is being transformed properly during the CI/CD pipeline and I double-checked the auth settings there (tenant, clientID, clientSecret), and I am really out of ideas what may be causing this problem.
One hint I found on other problems was to check the IIS logs, but when I attempted accessing the directory these logs were said to be placed in I was rejected access, even though I have owner permissions on the App Service...
UPDATE
After a long and weary process of trying stuff out and discussing we finally got the App up and running. Some observations we made which may be interesting for others with this or similar problems:
The role-based authorization did not work because we forgot to specify the App Roles in the App registration's manifest file, and then link the security groups to the application roles. Check here for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
We had one API which is only visible within our company's domain. As an Azure Web App runs outside that domain, trying to access that API resulted in an internal server error. We still have to find a solution for this.
We had a situation where requests to the reply URL after authorization would be redirected from HTTPS to HTTP. We have solved this, but as five people were trying out stuff consecutively we don't know currently what the fix actually was. We may create another Azure Web App which may then reveal this part of the solution.
Check to ensure that what you have in your web.config and app settings matches what you have in the reply URLs for your app registration in the portal. There may be some reference somewhere where the reply URL does not match.
Are you using the openid sample? https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect
Also ensure that you are logging in with a user who has the right permissions under the tenant and to the app itself. My colleague and I made a short video that includes the right configurations that may be helpful for this use case. https://www.youtube.com/watch?v=MohaxN6fsDs
After a long and weary process of trying stuff out and discussing we finally got the App up and running. Some observations we made which may be interesting for others with this or similar problems:
The role-based authorization did not work because we forgot to specify the App Roles in the App registration's manifest file, and then link the security groups to the application roles. Check here for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
We had one API which is only visible within our company's domain. As an Azure Web App runs outside that domain, trying to access that API resulted in an internal server error. We still have to find a solution for this.
We had a situation where requests to the reply URL after authorization would be redirected from HTTPS to HTTP. We have solved this, but as five people were trying out stuff consecutively we don't know currently what the fix actually was. We may create another Azure Web App which may then reveal this part of the solution.

Azure AD/ADFS SSO Across ASP.NET MVC Applications

I have read through a ton of articles from MS on authentication through Azure AD. There are so many options and nothing I've read seems to solve my issue.
Here's the situation:
I have 3 different web applications (all ASP.NET MVC 5). They are all hosted internally in our network on the same server/IIS and use windows integrated authentication against our internal AD.
Let's call these applications App_A, App_B, and App_C.
App_A is located at appA.mydomain.com within our DNS
App_B is located at appB.mydomain.com within our DNS
App_C is located at appC.mydomain.com within our DNS
The use case is as such:
A user navigates to App_A does some work and is eventually redirected to App_B
The user does some work in App_B and is eventually redirected to App_C
The user does some work in App_C
When the user is on a domain-joined PC, they are never prompted to log in. Windows takes care of that for them through the integrated authentication.
Now, this is what happens when a user wants to do the same work on a non-domain device (such as an iPad) whether on VPN or connected to the internal WiFi:
When the user loads App_A they are prompted to log in and do so with their windows credentials
When they get to App_B, they are prompted again (different sub-domain)
And when they get to App_C, they are prompted again (different sub-domain)
Having to log in multiple times with the same Windows credentials is not the experience we want for our mobile users.
What we would like to have happen is have the mobile user log in one time when they hit App_A and not have to log in again when they hit App_B or App_C. As well, we would still like the users on domain-joined PCs not to have to log in at all as they are already authenticated to their machines.
Just for your information, we are also syncing our AD to Azure AD, so we have that to authenticate against if the solution requires it. I am looking for what I need to do to setup my MVC apps to allow this sort of authentication.
Any help you can provide with this would be GREATLY appreciated.
The scenario you describe should work by getting all apps to use Azure AD as shown in https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet and by ensuring that they all skip the home realm discovery and go straight to your domain, as shown in http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/

Window authentication not working in MVC4

Scenario
User A can access all pages in MVC4 website except one. But user B can access all pages (no restriction).
What I had done so far?
Deployed website on IIS 7.5.
Enabled window authentication and disabled Anonymous authentication for hosted website on IIS.
Testing website.
Testing Results -
(1) When User B is logged on same system (development system) where the website is deployed, he can access the website without prompt dialog.
(2) But when same website is published on server (production system) with same settings, website still asks for credentials with pop up.
** Both of the development system and production system are in same domain (let's name it domain.com).
Question
Why is the same user in same domain is been asked for credentials by website?
As per my research for Window Authentication, I want to conclude following lines (also as reference for me) -
(1) Window Authentication (abbrev. WA) will always show prompt for verifying users if you had configured WA properly.
See anonymous authentication disabled and windows authentication enabled in below snapshot.
(2) Even if one set NTLM as top provider than Kerberos (in IIS), the IIS will still ask for Window credentials. Snapshot show how to do that.
(3) If you want to avoid showing prompt on browser for WA, follow steps-
(a) Open IE browser --> Internet Options --> Security tab.
(b) Add site to Local Intranet zone so that browser will send logged-in username and password to IIS.
Note - The above points universally apply to MVC and ASP.NET.
Answer to my question Why is the same user in same domain is been asked for credentials by website?
Because I had set anonymous authentication enabled along with Window authentication on development system. (Silly mistake).

How can I add localhost:3000 to Facebook App for development

I am working on a Rails 4 app. On my laptop, development is done at localhost:3000. The actual domain of the site is roomidex.com.
How can I set up a Facebook app so it works on production and development?
Here is the current configuration:
App Domains: roomidex.com
Website With Facebook Login:
Site URL: http://www.roomidex.com
When I try to do a Facebook login on localhost:3000, I get this not surprising error:
{
"error": {
"message": "Invalid redirect_uri: Given URL is not allowed by the Application configuration.",
"type": "OAuthException",
"code": 191
}
}
On the Facebook App page, click "edit App" then click "Advanced" in the left-hand navigation. Then for "Valid OAuth redirect URIs" add http://localhost:3000... or whatever you want the accepted redirect to be.
You can create a test app that's connected to your main app. On the Dashboard or Settings page for your main app. scroll down and you'll see "Test Apps" in the menu that runs down the left side of the page. The test app will inherit settings from the main app, but it will permanently be in development mode, and it will have its own ID.
More info on test apps here:
https://developers.facebook.com/docs/apps/test-apps/
The protocol for setting up an app to work on localhost has changed. After you get your test app set up, this explains the steps for setting it up to work on localhost:
https://stackoverflow.com/a/24253054/2803458
Your error is saying
localhost URL is not allowed in the application
I know, FB does not give a s**t about explaining, what do to in those moments, however, as far as I am concerned, I have found workaround.
Basically, you need to "whitelist" locahost url in your app
Here is what you are going to do
Go to the app edit/summary page
In the fourth field App Domains, you should already have roomidex.com, so add another address localhost
The urls mentioned above are only valid, if each one of them is put into tabs, where you set, how you app integrates with Facebook (website with facebook login, App on facebook, Mobile web, …)
I do this: I put my working URL, in your case roomidex.com into Website with facebook login, and my test, localhost URL, either into App on facebook or Page tab
June 2015
Go to My Apps > Settings > Basic
App Domains
localhost
Site Web
URL : http://localhost:8888/
Mobile URL : http://localhost:8888/
It didn't work with port 80 or without any port unfortunately.
Adding localhost to the Valid OAuth redirect URIs in the test app did not work for me but adding 127.0.0.1 did.
Facebook now requires "Valid OAuth redirect URIs" to be https.
To use https locally (localhost:3000), I used [ngrok][1] which allows you to use https by providing a tunnel. To do this:
I went to their website and downloaded their program
I extracted the file for the program
In my console, I went into the directory where ngrok was extracted to and entered 'grok http 3000' on my Windows machine, others may use './grok http 3000'
After entering that, ngrok provided a https address which I put into the Valid OAuth Redirect URIs field in Facebook
Then I started my server and was able to access it using that https address instead of localhost:3000
Just create two applications.
One for testing and one for release. You cannot supply the app with separate URL configurations.
Just edit your hosts file with your domain that pointing to localhost and it should work fine.

Resources