I have a Rails website that allows an authenticated client to post XML to a specific URL. In this particular instance, the post request is coming from a BizTalk 2009 server. Rails keeps responding with 401 Unauthorized and I'm not sure why.
The authentication on the Rails side is handled by Restful Authentication via HTTP basic auth. I have tested posting XML to the production site using curl and the credentials of the client in question and it appears to work fine. The owner of the BizTalk server and I have verified the credentials and the URL.
Is there something particular about the way BizTalk handles its basic authentication? Or is there something weird with Rails or Restful Auth? Any ideas? The web server on the Rails side is Nginx with Passenger 3.
What credentials are you using to authenticate? It would need to be that of the BizTalk service account that is sending the request. What adapter are you using?
Unfortunately, the problem went away undetected. I had to modify the auth code to deal with authentication problems in Internet Explorer (see http://rails_security.lighthouseapp.com/projects/15332/tickets/5-using-http-basic-authentication-with-ie-not-working). It's possible that BizTalk would have the same problem, but I can't verify.
It's also possible that the owner of the BizTalk server updated the credentials used to contact our service, but again I can't verify.
As we have bigger fish to fry, it's not worth it to us to track down the exact issue since all is working fine now. Of course that could change and I'll dig deeper and perhaps update this thread.
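A Rack-level diagnostic for the situation in this thread, added here as an example (it is not Restful Authentication's code and not the poster's): it decodes HTTP Basic the way a server sees it and returns a reason symbol for every rejection, so the curl request and the BizTalk request can be compared in the log instead of both just showing "401". Assumptions: users are a plain `{username => password}` Hash, and the env keys searched are the four that Rails' `ActionController::HttpAuthentication::Basic` inspects (proxied setups sometimes deliver the header under the `X-`/`REDIRECT_` variants). The `BasicAuthDiag` names are invented for this example.

```ruby
require 'base64'

# Rack-level HTTP Basic check that reports *why* a request was rejected.
# Example code for this thread, not Restful Authentication's implementation.
module BasicAuthDiag
  # Env keys Rails' HttpAuthentication::Basic looks at, in order.
  AUTH_KEYS = %w[HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION
                 X_HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION].freeze

  # What `curl -u user:pass` sends: "Basic " + base64("user:pass"), no line breaks.
  def self.header_for(user, password)
    "Basic " + Base64.strict_encode64("#{user}:#{password}")
  end

  # Returns [ok, reason, user]; `reason` is a symbol you can log and diff between clients.
  def self.check(env, users)
    key = AUTH_KEYS.find { |k| env[k].is_a?(String) && !env[k].strip.empty? }
    return [false, :no_authorization_header, nil] unless key
    scheme, _sep, param = env[key].strip.partition(/\s+/)
    return [false, :wrong_scheme, nil] unless scheme.downcase == "basic"
    decoded = begin
      # strict: embedded line breaks or bad padding surface as :bad_base64 instead of being ignored
      Base64.strict_decode64(param).force_encoding(Encoding::UTF_8)
    rescue ArgumentError
      return [false, :bad_base64, nil]
    end
    user, colon, password = decoded.partition(":")   # split on the FIRST colon; passwords may contain ':'
    return [false, :no_colon, nil] if colon.empty?
    expected = users[user]
    return [false, :unknown_user, user] unless expected
    return [false, :bad_password, user] unless secure_equal(expected, password)
    [true, :ok, user]
  end

  # Constant-time comparison so response timing does not leak how much of the password matched.
  def self.secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Rack middleware: on failure, write reason and User-Agent to rack.errors and answer 401.
  class Middleware
    def initialize(app, users, realm: "api")
      @app, @users, @realm = app, users, realm
    end

    def call(env)
      ok, reason, user = BasicAuthDiag.check(env, @users)
      if ok
        env["basic_auth.user"] = user
        return @app.call(env)
      end
      (env["rack.errors"] || $stderr).puts(
        "basic auth rejected: #{reason} user=#{user.inspect} ua=#{env['HTTP_USER_AGENT'].inspect}"
      )
      [401, { "Content-Type" => "text/plain", "WWW-Authenticate" => %(Basic realm="#{@realm}") },
       ["Unauthorized\n"]]
    end
  end
end
```

Run the BizTalk request through this in front of the real authenticator: a `:bad_base64` or `:wrong_scheme` reason points at the client's header construction, `:no_authorization_header` at a proxy or a client that never sends credentials preemptively, and `:bad_password` at the credentials themselves.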
I've been beating my head for hours on this request.
I have an on-premise installation of an Azure MultiFactor Authentication Server. I'm building a new ASP.Net MVC 5 application that will do an LDAP lookup for users in Active Directory (also on-premise) with no ADFS configured.
I've gone through the sdk for MFA Server and can easily enable SMS requests to be sent. I get the otp code from calling pf_auth.pf_authenticate(authParams, out otp, out callStatus, out errorId);
This works for test. But I need to direct this request to my on-site MFA Server. I can't find anything that tells me where I can set this value.
I know that if I login to a machine on that domain it automatically sends the SMS text to my phone and I can enter it into the next screen to complete a login (the default user portals set up with MFA). I would assume that this would possibly work when I call ValidateCredentials on my application's newly created PrincipalContext. But how do I submit the SMS code without some sort of RequestId to sync up the communication?
I'm sorry if this doesn't make much sense. It's just all the examples I can find are for using MFA with a local ADFS. I only have Active Directory which is causing me to do the custom LDAP lookup.
Any help or direction is greatly appreciated.
OK, sorry for the delay in responding to this post. After getting no responses I moved on but have recently noticed that there have been 45+ views since my post and thought I should update for others who might be experiencing a similar issue.
Turns out that when using MFA on premise you can point multiple applications to a single MFA server, like Remote Access, VPN, etc.
However if you are attempting to setup a Web Application hosted on IIS you need to install a copy of the MFA server on the IIS server hosting the application.
When installing you can point to the existing MFA setup so that both machines are in the same configuration. This local install also adds a custom IIS Plugin that does the request interception and directs it through the MFA pipeline. If everything looks good the request is then forwarded to your web application like normal.
This is really pretty straightforward but the documentation for MFA setup was sorely lacking. Hopefully in the future there will be a decent sample app provided by Microsoft that demos this process using local MFA and not just the Azure hosted solution.
Is it possible to use OpenID login using only client side technologies?
Basically I want to implement OpenID for Steam login. I have found very few examples online, mostly in PHP using pre-existing libraries.
My goal is to create a client side only solution using only Javascript and HTML. The understanding I have of OpenID is very limited so any resources to better help me understand would also be very welcome.
Any help is appreciated.
I have looked over http://openid.net/developers/libraries/ and found http://kjur.github.io/jsjws/ but I am unsure if it will work outside of a server environment.
You could do that, yes. But then your server will not have any way to verify the data the client sends you.
If you really trust the client, this might be fine. But the normal OpenID process only trusts your own server and the remote OpenID server, but not the client - which is why your server calls back to the OpenID server after the client told your server the login.
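The server-side round trip the answer refers to, as an added Ruby example (not code from the question, the answer, or any OpenID library): the positive assertion arrives at the relying party's own server, which checks the fields OpenID 2.0 requires it to check (sections 11.1 to 11.4: endpoint matches discovery, return_to matches, the right fields are signed, the nonce is fresh) and then confirms the signature with the OP through a direct `check_authentication` request. A browser-only client could not do this: nothing stops the client from handing the server whatever "logged-in" identity it likes. The endpoint and return_to URLs and the assertion in the test are constructed, and `poster` is injectable so the flow runs offline; the `OpenIdRp` names are invented here.

```ruby
require 'uri'
require 'net/http'

# Relying-party verification of an OpenID 2.0 positive assertion.
# Example code for this thread; not from the question or any library.
module OpenIdRp
  # Fields the RP must find in openid.signed (plus claimed_id/identity when present).
  REQUIRED_SIGNED = %w[op_endpoint return_to response_nonce assoc_handle].freeze

  # Direct request body: every openid.* field from the assertion, with mode
  # switched to check_authentication, form-encoded for a POST to the OP.
  def self.check_authentication_body(params)
    copy = params.select { |k, _| k.start_with?("openid.") }
    copy["openid.mode"] = "check_authentication"
    URI.encode_www_form(copy)
  end

  # Direct responses are "key:value" lines.
  def self.parse_kv(body)
    body.each_line.map { |l| l.chomp.split(":", 2) }.select { |kv| kv.size == 2 }.to_h
  end

  # Real transport: POST to the OP endpoint and return the response body.
  DEFAULT_POSTER = lambda do |endpoint, body|
    Net::HTTP.post(URI(endpoint), body, "Content-Type" => "application/x-www-form-urlencoded").body
  end

  # params: the query string of the indirect response, as a String => String Hash.
  # Returns [true, claimed_id] on success or [false, reason] otherwise.
  # seen_nonces: any store with #include? and #<< (Set, Array, a DB-backed object).
  def self.verify(params, expected_endpoint:, expected_return_to:, seen_nonces:, poster: DEFAULT_POSTER)
    return [false, :not_id_res] unless params["openid.mode"] == "id_res"
    # The asserted endpoint must be the one discovered for the claimed identifier.
    return [false, :wrong_endpoint] unless params["openid.op_endpoint"] == expected_endpoint
    # The spec allows extra query keys on the current URL; exact match is the stricter choice here.
    return [false, :wrong_return_to] unless params["openid.return_to"] == expected_return_to
    signed = params["openid.signed"].to_s.split(",")
    required = REQUIRED_SIGNED + %w[claimed_id identity].select { |f| params.key?("openid.#{f}") }
    return [false, :unsigned_fields] unless (required - signed).empty?
    nonce = params["openid.response_nonce"].to_s
    return [false, :replayed_nonce] if nonce.empty? || seen_nonces.include?(nonce)
    # Only now talk to the OP: it re-checks the signature with the association it issued.
    reply = parse_kv(poster.call(expected_endpoint, check_authentication_body(params)))
    return [false, :op_rejected] unless reply["is_valid"] == "true"
    seen_nonces << nonce   # recorded after success; a confirmed assertion is usable exactly once
    [true, params["openid.claimed_id"]]
  end
end
```

With Steam the claimed identifier the OP returns is what you would map to a local account; everything before that mapping has to run on your server, which is the answer's point.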
So I am trying to secure an ASP.NET Web API Service so that an iOS (iPhone 4/5) application can access it RESTfully using their Windows user name and password (don't ask :) ), and I have followed this article here, and for the most part it works. I just modified it a little to use Active Directory Services to validate the user name and password, but I am wondering if there are better ways to secure an ASP.NET Web API that will be used from non-browser clients as well as browsers possibly?
This is hosted with IIS7, so should I just let IIS control the authentication?
Need a little guidance... Thanks
It's a bit unclear specifically what you are looking for. In my experience, assuming I'm authenticating against a server, the keys were:
Put access to the APIs behind https
Send the request via POST.
If you're also coding the iOS side, make sure you are implementing authentication challenging properly. Here's an article on the iOS side: http://mobiledevelopertips.com/networking/handling-url-authentication-challenges-accessing-password-protected-servers.html
We have Windows Server 2003 with MOSS 2007. We get the Windows login prompt when opening an Office 2010 doc. I removed the HTTP handler verbs from web.config but still the site prompts for the credentials. It is a forms auth site with anonymous access enabled. Weird part is removing the verbs worked in development but in production it seems removing the verb has no effect. I checked if client integration was enabled in the auth provider. We have the SP service pack installed in development, not in production. But I am not sure what is going on. I will appreciate any clues.
One solid recommendation is to use a product like Fiddler on the client to see what kinds of things are being requested on the client side. In many cases, the office clients try to reach back to SharePoint to check things like versions, authors, check in/out status, etc. This kind of thing can cause the client to prompt for authentication.
I believe that we can allow Firefox to send NTLM data to SharePoint sites to do automatic authentication, and I think that this is doable with IIS.
I'd like to do the same thing with an internal Rails site.
Does anyone know of way that I could authenticate NTLM type user information through a Apache/mongrel setup (provided of course that it's already running on a Windows box inside of an Active Directory domain)?
I created a tutorial on how to install the patched mod_ntlm module for Apache on Linux, how to pass the NTLM authenticated username to Rails and how to create a Rails session from that. So as a result you do not need a Windows server for running the Rails application.
There you can find also how to enable automatic NTLM authentication in Firefox — enter "about:config" in location field and then search for "network.automatic-ntlm-auth.trusted-uris". There you can enter servers for which you would like to use automatic NTLM authentication.
Bit of extra info in case anyone stumbles across this.
I wanted to do something which I thought should be pretty simple - extract the user's Windows username using NTLM from a Rails app running on Mongrel/Windows (InstantRails actually). Having written the basic code to manage the various handshaking operations (using the great NTLMRuby library at http://rubyforge.org/projects/rubyntlm/) and having got it to work wonderfully in Firefox I was somewhat frustrated to find IE not working.
Mongrel doesn't support keep-alives during the type1/2/3 message exchange (at least natively, I believe there's a hack/fix for it), which IE demands and Firefox gets by without.
So authenticating a Rails server running on Windows against a remote NTLM service (e.g. SharePoint or another web site) is reasonably straightforward, but authenticating an IE browser against a Rails server running on Windows not so much with Mongrel. IIS would be an option, as might be basic Apache with FastCGI. The former feels a bit clunky and the latter won't be as fast as Mongrel.
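The Type 1/2/3 exchange and the keep-alive problem described in the post above, as an added Ruby example (not the poster's code and not the NTLMRuby library): it frames the three NTLMSSP messages (signature, message type, little-endian security buffers) and models the server side as a state machine that lives per TCP connection, because NTLM authenticates the connection rather than each request. That is exactly why a server that closes the connection after sending the Type 2 challenge breaks IE: the Type 3 arrives on a fresh connection whose state is `:initial` and is rejected. Assumptions: a fixed 8-byte challenge and the target name "EXAMPLE" are used for reproducibility, and the NT response is neither computed nor verified (that needs the account's password hash, e.g. via SSPI or rubyntlm); the `verifier` hook is a stand-in for that step. All `NtlmHttp` names are invented here.

```ruby
require 'base64'

# NTLM message framing plus the per-connection HTTP handshake from the post above.
# Example code; not from the thread or any library. The NT response is NOT
# computed or verified here (see `verifier` below).
module NtlmHttp
  SIGNATURE         = "NTLMSSP\0".b
  NEGOTIATE_UNICODE = 0x00000001   # flag values per MS-NLMP
  NEGOTIATE_OEM     = 0x00000002
  REQUEST_TARGET    = 0x00000004
  NEGOTIATE_NTLM    = 0x00000200

  # Security buffer: length(u16) maxlength(u16) offset(u32), all little-endian.
  def self.sec_buf(len, offset)
    [len, len, offset].pack("vvV")
  end

  def self.utf16(s)
    s.encode("UTF-16LE").b
  end

  def self.from_utf16(b)
    b.force_encoding("UTF-16LE").encode("UTF-8")
  end

  # Type 1 (negotiate): 32-byte header, empty domain/workstation buffers.
  def self.build_type1(flags = NEGOTIATE_UNICODE | NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM)
    SIGNATURE + [1, flags].pack("VV") + sec_buf(0, 32) + sec_buf(0, 32)
  end

  # Type 2 (challenge): target-name buffer, flags, 8-byte challenge, 8 reserved bytes,
  # target-info buffer (left empty here); 48 fixed bytes, then the target name.
  def self.build_type2(challenge, target_name, flags)
    name = utf16(target_name)
    SIGNATURE + [2].pack("V") + sec_buf(name.bytesize, 48) + [flags].pack("V") +
      challenge.b + ("\0" * 8).b + sec_buf(0, 48 + name.bytesize) + name
  end

  # What a client (or a debugging proxy) pulls out of the challenge.
  def self.parse_type2(msg)
    raise ArgumentError, "not NTLMSSP" unless msg.byteslice(0, 8) == SIGNATURE
    raise ArgumentError, "not Type 2" unless msg.byteslice(8, 4).unpack1("V") == 2
    name_len, _max, name_off = msg.byteslice(12, 8).unpack("vvV")
    { flags: msg.byteslice(20, 4).unpack1("V"),
      challenge: msg.byteslice(24, 8),
      target_name: from_utf16(msg.byteslice(name_off, name_len)) }
  end

  # Type 3 (authenticate): LM, NT, domain, user, workstation, session-key buffers, flags;
  # 64 fixed bytes, then the payloads. nt_response is a placeholder in this example.
  def self.build_type3(user:, domain:, workstation:, nt_response: "".b)
    payloads = ["".b, nt_response.b, utf16(domain), utf16(user), utf16(workstation), "".b]
    offset = 64
    bufs = payloads.map { |p| b = sec_buf(p.bytesize, offset); offset += p.bytesize; b }
    SIGNATURE + [3].pack("V") + bufs.join + [NEGOTIATE_UNICODE | NEGOTIATE_NTLM].pack("V") + payloads.join
  end

  def self.parse_type3(msg)
    raise ArgumentError, "not Type 3" unless msg.byteslice(0, 8) == SIGNATURE && msg.byteslice(8, 4).unpack1("V") == 3
    field = lambda do |at|
      len, _max, off = msg.byteslice(at, 8).unpack("vvV")
      msg.byteslice(off, len)
    end
    { nt_response: field.call(20), domain: from_utf16(field.call(28)), user: from_utf16(field.call(36)) }
  end

  # Server-side state for ONE TCP connection. Drop the connection after Type 2 and
  # the client's Type 3 lands on a new Connection in :initial state -> 401 again.
  class Connection
    attr_reader :state, :user

    # verifier: (parsed Type 3, challenge) -> boolean. Stand-in: real code must check
    # nt_response against the account's hash (SSPI on Windows, rubyntlm elsewhere).
    def initialize(target: "EXAMPLE",
                   challenge_source: -> { "\x01\x23\x45\x67\x89\xab\xcd\xef".b },
                   verifier: ->(_t3, _challenge) { true })
      @state, @target, @challenge_source, @verifier, @user = :initial, target, challenge_source, verifier, nil
    end

    # authorization: the request's Authorization header or nil. Returns [status, headers].
    def handle(authorization)
      # Once authenticated, later requests on the same connection carry no header and still pass.
      return [200, { "X-Authenticated-User" => @user }] if @state == :authenticated && authorization.nil?
      return reset unless authorization.to_s.start_with?("NTLM ")
      msg = Base64.decode64(authorization[5..-1])
      type = msg.bytesize >= 12 && msg.byteslice(0, 8) == SIGNATURE ? msg.byteslice(8, 4).unpack1("V") : nil
      if type == 1                                   # negotiate: (re)start the handshake
        @challenge = @challenge_source.call
        @state = :challenged
        t2 = NtlmHttp.build_type2(@challenge, @target, NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
        [401, { "WWW-Authenticate" => "NTLM " + Base64.strict_encode64(t2) }]
      elsif @state == :challenged && type == 3       # authenticate on the SAME connection
        t3 = NtlmHttp.parse_type3(msg)
        return reset unless @verifier.call(t3, @challenge)
        @state, @user = :authenticated, "#{t3[:domain]}\\#{t3[:user]}"
        [200, { "X-Authenticated-User" => @user }]
      else
        reset
      end
    end

    private

    def reset
      @state, @user = :initial, nil
      [401, { "WWW-Authenticate" => "NTLM" }]
    end
  end
end
```

The last case in the test is the Mongrel symptom: a correct Type 3 presented on a new `Connection` gets 401, which is what IE sees when the server does not keep the connection open across the three legs.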
I'm assuming you've already worked out which HTTP headers you need to send in order to get firefox and IE to send back the NTLM authentication stuff, and are just needing to handle that on the server side?
You could use some of ruby's win32 libraries to access the underlying windows authentication functions which handle the NTLM.
I'd suggest the path of least resistance might be to see if there is a COM component which can do the authentication for you, and if so, to use it using the Win32OLE ruby library.
If there's no COM component, you might be able to find something in one of those other libraries which can invoke the native win32 methods for you.
If you can't find that, you'd have to write a ruby C extension. I've done this on linux, and extending ruby is pretty easy, but you may find the microsoft authentication APIs a bit painful.
Hope that gets you started on the right track :-)
You could also use the Apache ntlm module, which should pass a header onwards to your application with the username of the authenticated user. That module looks a bit old, but suggests some other modules that may suit your needs.
Old question I know but I came across this looking for a similar answer.
You could use the methods described here (http://blog.rayapps.com/2008/12/02/ntlm-windows-domain-authentication-for-rails-application/). However, mod_ntlm is for Windows authentication on a UNIX/Linux machine. mod_auth_sspi is what you'll need for WinNT authentication from Apache under Windows.
This particular project looks promising and is looking for contributors:
Rack middleware for transparent authentication with NTLM.
I haven't yet tried this out. For the moment I plan on implementing Raimonds' solution as it appears to have a lot of success.
Check out Waffle. It provides SSO on Windows to Java servers using the Win32 API. There are a number of implemented filters (servlet, tomcat valve, spring-security).