C# ASP.NET web page that has requirement to MFA to Azure SQL Database.
I have working in development environment.
When I deploy to web server error is received of...
"Showing a modal dial box or form when the application is not running."
I understand why it doesn't work, but how do I get a redirect to work against Azure SQL Database to get a token for the SQL Connection ?
Best answer was:
Acquire AAD token using ASP.Net web forms
What am I missing to make MFA to Azure SQL work in asp.net?
result = await authContext.AcquireTokenAsync(
parameters.Resource, // "https://database.windows.net/"
_clientId,
_redirectUri,
new AD.PlatformParameters(AD.PromptBehavior.Auto),
new AD.UserIdentifier(
parameters.UserId,
AD.UserIdentifierType.RequiredDisplayableId));
Follow up, I have the basics of this worked out.
Enable HTTPS (this was an on-prem, internal use web app, was not https, it is now).
Ensure .net 4.7.2
Ensure URI()'s match azure application registration (was missing this)
The redirect and URI back are causing me to change the design and flow of the web page, but that's a side effect of the MFA requirement.
Will post some follow up code example once i have it working the way it should, but a quick test has it working, much easier in windows application as opposed to a web app.
Related
I have this legacy intranet app using an AngularJS SPA consuming an an ASP.NET Web API (on .NET 4.6.1) and I can't manage to get the user authenticated on the domain inside the API, when calls are made by AngularJs.
Inside the API I have situations where I need to get the domain authenticated user. I have tried several combinations inside IIS to set both the AngularJS app and the API with Windows authentication, Impersonation, Authorization Rules. I've read several questions in Stackoverflow and other forums and also searched through several articles but I can't manage to find a solution, I'm feeling helpless in this one.
When I make a direct call to the API using a tool like Postman or through Swagger, System.Web.HttpContext.Current.Request.LogonUserIdentity.Name shows the correct authenticated user.
When I make the very same call to the API but through the client, like loading a page that requests data from the API, the user shown in LogonUserIdentity, is the one set on the app pool.
The authentication between the client and the API uses bearer token.
Here's my current scenario:
IIS:
Windows authentication enabled for both the client and the API, Impersonation enabled for both the client and the API
Authorization rules for ASP.NET and IIS set with allow all users for both Client and API
Session state in-proc, using cookies and with UseHostingIdentity set to false on both Client and API
Both the client and the API are using the same AppPool, with integrated Pipeline, .NET CLR v4.0,
If there's more info to supply please let me know, I'll update the question with the required info.
I have an ASP.NET MVC app, running as Azure Web App.
I use pre-authentication/EasyAuth, and for 5 deployment slots it works fine. Each of them has their own Azure AD App Registration.
But the production site (not a deployment slot, root of the app) throws an error when after logging in, at the /.auth/login/aad/callback path:
I have compared Azure AD App manifest with one that works, and the only difference is the names, description and URLs - as expected.
Using Kudu to view an error, it seems to come from the EasyAuthModule:
So, basically this was an issue with the App Registration used, were created from another deployment slot.
Even though Authentication / Authroization for the web app was set up as Express, the correct App Registration was selected - it turns out it did not get the Client Secret transferred from App Registration to the Web App (in my case, it had the wrong key):
To fix it, you can switch to advanced as shown above, open the associated App Registration and create a new key:
The key is not shown until you save, and is only shown once. Copy it, and insert it into the Client Secret input of the Web App.
After saving all the blades, it is possible to switch back to Express auth. setup and the key will remain.
As I cannot comment I'll add my case as an answer in a bit more detail than I would have to a comment.
I had the exact same error messages From Easyauth in an ASP.NET MVC app running as Azure App Service Web App.
The initial error message was just "The page cannot be displayed because an internal server error has occurred." And via FTP and/or Visual Studio Server Explorer and/or Cloud Explorer I could check the real error page after setting the detailed error messages on from App Service Logs. Those errors were the same as with MartinHN got using Kudu.
So in the more detailed error the predominantly shown 500.74 error originally pointed me to the wrong direction (MFA). But Request Url (.auth/login/aad/callback ) where the error message indicated the internal server error was occurring in, led me to this SO question.
In my case though I had the Advanced Configuration already selected in App Services Active Directory Authentication. And the client secret key was not just wrong. It turned out that the client secret had expired. But it wasn’t obvious to me as I don’t have access to the AAD. I had to contact a separate AD team to check the secrets.
So expired client secret (keys) can also cause this very same error.
Scenario:
I have an website developed in angular js and integrated with STS, while logging in I am presented with the STS login and after logging in with valid credentials - I am redirected to the main website. this far it is working cool.
To mention here, I have web api and wcf services which are hosted from within my website only, thus when the authentication is done at login - there is no issue in accessing the services as well (which are also protected by STS)
Finally we need to open SSRS reports from within the application using a report viewer control.
Challenge
The challenge we face here is that - due to the double hop
from STS authenticated Web app -> SSRS(windows authenticated) -> back to Services(STS authenticated)
SSRS fails to access the services. Locally we have made it work by creating a separate web api project which exposes the service links and is without any authentication.
However we need to ensure that the reports can be accessed only by users who carry a valid claim generated by the identity provider.
Is there a way the SSRS can be made to be a RP with a trusted relationship with the STS?
Any help will be highly appreciated :).
I'm trying to consume a Java Web Service from third party, so i dont have any control over it. I have a pfx file which is password protected, and i installed it in my development box.
This is the code i'm using:
var proxy = new MyServiceReference.WsaaServerBeanService();
var result = proxy.login("test");
I'm getting System.Net.Sockets.SocketError.TimedOut exception when invoking the login web method. The first thing that come to my mind is an authentication issue. Apart from installing the pfx, do i need to send some other info to the web server to authenticate?
System.Net.Sockets.SocketError.TimedOut
Does not indicate an authentication issue, it indicates that you either are not able to contact the remote web service endpoint, or you are and the service is taking too long to respond. Make sure you can actually hit the endpoint from your machine via telnet, a web browser etc...
Authentication failures will usually return immediately.
I'm very new to ASP.NET and I've been struggling trying to get the username of the client sending requests to a web service script on the server side.
After searching online I found two properties that supposedly gives the server page access to the client username;
User.Identity.Name
and then I got another piece of code from an ex-senior colleague who left before figuring this problem out, his function used UserPrincipal.Current.DisplayName
and for both of these I'm getting a blank string.
I've searched for what my problem could be and I'm suspecting it's because I don't authenticate the user on the server side somehow.
I just accessed those two properties/variables directly (UserPrincipal.Current.DisplayName and User.Identity.Name)
can anyone help shed some light on this issue please? I haven't a clue what I'm doing wrong/ not doing.
Your suspicions are correct; you have to explicitly authenticate the user via a built-in .NET mechanism such as Forms Authentication or Windows Authentication for User.Identity to be populated by the framework.
You didn't specify from where the requests are coming (web, windows app, windows service, etc), but this article provides nice overview of getting Forms Authentication set up with asmx.