We need to access the intranet site called as "http://mysite/myapp".
And with using IE, every domain users can access the site without any prompt.
But, if the user try it with Chrome, the logon prompt shows at first. After entering credential just once, the prompt doesn't appear anymore for the access.
I'm just wondering any way to avoid the first-time logon prompt on Chrome.
And we don't want any chrome browser setting or shortcut for white listing per user. Because we can't handle many users Chrome one by one.
Any help will be appreciated.
Thanks.
Check the details of the Integration Authentication in this Chromium documentation:
http://www.chromium.org/developers/design-documents/http-authentication
With Integrated Authentication, Chrome can authenticate the user to an
Intranet server or proxy without prompting the user for a username or
password. It does this by using cached credentials which are
established when the user initially logs in to the machine that the
Chrome browser is running on. Integrated Authentication is supported
for Negotiate and NTLM challenges only.
Basically, execute Chrome with these switches to specify the auth schemes:
Chrome.exe --auth-server-whitelist="MYIISSERVER.DOMAIN.COM" --auth-negotiate-delegatewhitelist="MYIISSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"
I tried running the command line but it wasn't working. I had to configure the same settings via the Windows Registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthSchemes"="basic,digest,ntlm,negotiate"
"AuthServerWhitelist"="*domain"
"AuthNegotiateDelegateWhitelist"="domain,server.domain.com"
Then I Killed Chrome (cmd line: TaskKill /im chrome.exe) and restarted chrome and tried again and voila. Everything worked as expected.
Related
I am using Trino to connect to PrestoSQL for my organization in the manner below with python. The MFA authentication requires that I click a link to authenticate. The links usually look something like this: https://query.organization.com:6543/oauth2/token/initiate/b74d83f9e395e4c27d18b
Once I click the link, a JuypterLab window (screenshot below) opens, which requires me to enter my username and password. After I do that, it just keeps spinning eternally and never ends up connecting or going through. (I am using Trino jar jdbc-367, if it matters.)
This only happens in the desktop app version of JupyterLab. This does not happen in the web version of JupyterLab, nor does it happen in JupyterNotebook. On the web versions, when I click the link and enter my username/password, it allows me to connect and to proceed with my query. Is there any reason why JupyterLab desktop version cannot go through?
connect = trino.dbapi.connect(
host='query.org.com',
port=6543,
user='hsimpson',
catalog='cloud9',
http_scheme='https',
auth=trino.auth.OAuth2Authentication()
)
https://i.stack.imgur.com/29t8A.png
My app is on Azure AD and I'm using the following code to request authentication on the Auth Service:
HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/Home/Index" }, WsFederationAuthenticationDefaults.AuthenticationType);
What happens is that this works in some browsers (there is no pattern) and sometimes it doesn't work in others.
When the application redirects to /home/index, sometimes the object User.Identity has the user's email but sometimes it has no information.
Why is this happening?
Seamless SSO doesn't work in private browsing mode on Firefox and Microsoft Edge browsers. It also doesn't work on Internet Explorer if the browser is running in Enhanced Protected mode.
For SSO implementation , please consider browser consideration doc published here
As per last update , here is supporting browser list
Mozilla Firefox (all platforms)
Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps:
Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see.
Search for the network.negotiate-auth.trusted-uris preference. This preference lists - - Firefox's trusted sites for Kerberos authentication.
Right-click and select Modify.
Enter https://autologon.microsoftazuread-sso.com in the field.
Select OK and then reopen the browser.
Safari (macOS)
Ensure that the machine running the macOS is joined to AD. Instructions for AD-joining your macOS device is outside the scope of this article.
Google Chrome (all platforms)
If you have overridden the AuthNegotiateDelegateWhitelist or the AuthServerWhitelist policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoftazuread-sso.com) to them as well.
Google Chrome (macOS and other non-Windows platforms)
For Google Chrome on Mac OS and other non-Windows platforms, refer to The Chromium Project Policy List for information on how to whitelist the Azure AD URL for integrated authentication.
The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome on Mac users is outside the scope of this article.
Hope it helps.
So for years I've been logging into my PC using a basic Windows Live account and then using RUNAS.exe to use my AD account when launching Visual Studio and SSMS and everything worked ok. I decided to move to an AD login on my laptop so that I don't need to do the RUNAS.exe for anything I want to use my AD credentials.
Got my user setup fine, and SSMS works without a hitch. The problem is TFS and the Security Device Credential PIN. My org has it set that I have to set a Windows Hello PIN when setting up. If I login to my laptop using that option, I basically can't connect to TFS. If I use my password, I have better luck.
If I use Edge to browse to my TFS server, I'm prompted for a login and by default it asks for my Security Device Credential (PIN). It accepts it, but Edge cannot connect to the site. If I launch and using 'Other Options' and retype my account and password, it works no problem.
This is crazy. Any ideas why this would be this way? I've looked and cannot find any answers on this.
I appreciate any help!
I switched to the iPhone user agent during which time I visited Google, then I changed back to the default Firefox one again. I cleared all of my history, cache and cookies but Google still thinks I am on a mobile device and insists on directing me to the mobile site. I have checked my user agent and it is definitely the correct one and I have removed every single cookie in Firefox.
How is Google remembering this information? Is there some other sort of mechanism apart from cookies that remembers user settings? It doesn't do it in any other browser.
I've seen some issues such as this on Firefox. Which add-on are you using to change the UA?
To be absolutely sure what the UA String you can Check you User Agent String
Also you can check for cookies using the Fire Cookie Add-On
Normally i can fix this issue by Closing the web browser and starting up a new instance of Firefox.
My other issue with Firefox is that it caches HTTP redirection rules from a website, so if i change a HTTP redirection rule on the server Firefox does not immediately pick this up - This problem is also fixed by closing the web browser.
I solved this problem in firefox by resetting my default agent:
Tools->Default User Agent->Default User Agent
and then going to:
Tools->Clear Recent History->Cache
I've created a basic MVC 3 website that's using Windows Azure's Access Control Service (ACS) to perform user authentication against an Active Directory Federated Service (ADFS) endpoint. I followed the "Add STS Reference" wizard and the site runs fine and authenticates users just perfectly in IE. However, when I use Chrome or Firefox it continually prompts for my credentials over and over again.
I found this post on technet that mentions the issue as it pertains to Firefox but there's no fix for Chrome mentioned, nor do I feel like the steps required to fix Firefox are practical in the real world (i.e. I can't expect end users to do this)
http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-continuously-prompted-for-credentials-when-using-firefox-3-6-3.aspx
Has anybody else hit this snag? What am I doing wrong?
With some help from a Microsoft Rep (Adam Conkle) over on TechNet (scroll down to the comments), I finally have an answer to this problem.
Turns out, the ADFS website that performs authentication of users (this website gets setup in IIS during the installation of ADFS v2.0) is by default configured for Integrated Windows Authentication (IWA). IWA is configured in IIS to use Extended Protection for Authentication (EPA) and therein lies the problem. Apparently, most other browsers don't support EPA yet which is why Firefox & Chrome continually prompt for credentials in a loop.
Two options...
Keep using IWA but turn off EPA in IIS for the website (described here)
Turn off IWA in favor of Forms-based Authentication (described here)
I had the same issue, sort of. I had 1 person who was being prompted in Chrome and another that was not. On a hunch, I looked at the trusted sites. The person who was being challenged had the intranet site in their list of trusted sites. I removed it and tried again. This time they were not challenged.
Thought I would put that out there in case anyone else has this issue.