In my SAML implementation, I am able to send a request to the ADFS server (<server_name>/adfs/ls). It should redirect to the authentication sign-in page (<server_name>/adfs/ls/auth/integrated), but it's not taking me to the Single Sign-On page.
I have checked the web.config file; Windows authentication is moved to the top.
<microsoft.identityServer.web>
  <localAuthenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
  </localAuthenticationTypes>
  <commonDomainCookie writer="" reader="" />
  <context hidden="true" />
  <error page="Error.aspx" />
  <acceptedFederationProtocols saml="true" wsFederation="true" />
  <homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
  <persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />
  <singleSignOn enabled="true" />
</microsoft.identityServer.web>
I am not sure what I have missed here. I am invoking the SAML request from an SP running a ColdFusion app to ADFS.
We are running a classic ASP app, and the upgrade to IIS 8.5 caused our Request.Server variables to be blank:
AUTH_USER
LOGON_USER
Windows Auth is the default authentication type, and the server admin has verified that all other options, like Anonymous Authentication, are disabled.
Anything else we should be trying?
I saw this in another forum, but not sure how to use:
Response.Write(User.Identity.Name.ToString())
...the above line with User.Identity breaks our ASP page.
Tried both:
<% WindowsIdentity.GetCurrent().Name %>
<% HttpContext.Current.User.Identity.Name %>
...and it breaks the page.
The web.config file is:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <tracing>
      <traceFailedRequests>
        <remove path="*.asp" />
        <add path="*.asp">
          <traceAreas>
            <add provider="ASP" verbosity="Verbose" />
            <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
            <add provider="ISAPI Extension" verbosity="Verbose" />
            <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions timeTaken="00:00:00" statusCodes="500" />
        </add>
      </traceFailedRequests>
    </tracing>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>
So as part of the payment process in my site, I have to visit an ExternalURL to validate certain fields and as a result of the Validation completion, I will be getting a POST back to my Action Method with some response variables. The problem that I am facing is that the cookies fail to persist even though I have tried out the following Steps.
Have already explicitly assigned the SameSite Flag for the cookie to be Lax.
Have already made some changes to the Web.config that I will be including below.
Part of the Web.config that I modified.
<system.web>
  <authentication mode="None">
    <forms cookieSameSite="Lax" requireSSL="false" />
  </authentication>
  <compilation debug="true" targetFramework="4.7.2" />
  <httpRuntime targetFramework="4.7.2" executionTimeout="500" />
  <!-- Added this line for restoring Cookie values after the redirect to an external URI. -->
  <httpCookies requireSSL="true" />
  <sessionState cookieSameSite="None" cookieless="false" timeout="360" />
</system.web>
<system.web.extensions>
  <scripting>
    <webServices>
      <jsonSerialization maxJsonLength="2147483647" />
    </webServices>
    <scriptResourceHandler enableCaching="false" enableCompression="false" />
  </scripting>
</system.web.extensions>
<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
  </modules>
  <!--<rewrite>
    <outboundRules>
      <clear />
      <rule name="Add SameSite" preCondition="No SameSite">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; SameSite=lax" />
      </rule>
      <preConditions>
        <preCondition name="No SameSite">
          <add input="{RESPONSE_Set_Cookie}" pattern="." />
          <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=lax" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>-->
</system.webServer>
The method from where we call the External URL has this piece of code.
// Cookie that should carry the transaction id across the hop to the external URL and back.
HttpCookie ckpaymentTRID = new HttpCookie("PaResTransactionID");
ckpaymentTRID.Value = resultPaymentObj.TransactionID.ToString();
ckpaymentTRID.SameSite = System.Web.SameSiteMode.Lax;
ckpaymentTRID.Secure = true;
HttpContext.Response.Cookies.Add(ckpaymentTRID);
The method where I receive the POST from the External URL consists of this
var SomeCookiee = HttpContext.Request.Cookies["PaResTransactionID"];
Also, I have browsed through this article here and am aware of the changes pre and post the .NET framework update.
Thanks in advance for the help!!!
Turns out all the web.config setting changes were inconsequential, as the remaining ones were actually enough to make the cut. Here is how I got a hint about how to solve this issue:
As I was being redirected from my application to the External-URL in Google Chrome, under dev tools you get to see the cookies that have been passed. I was always getting a warning saying that "since your cookie is not a secure cookie, chrome by default changes the SameSite setting from None to Lax and so your cookie doesn't persist throughout the request at all", which then prompted me to change the web application settings to run as https://localhost rather than http://localhost in VS2019. Once I did that, I saw that I no longer needed the explicit HttpCookie or sessionState settings to be modified, or in fact placed at all, in the web.config, and the cookie value persisted in spite of the External Domain Re-Direction.
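The answer above hinges on two browser rules: a cookie without a SameSite attribute is treated as Lax, and a SameSite=None cookie that is not also Secure is dropped. The following Python model, added here as an illustration and not code from the question or answer, encodes those rules together with the standard send-time rule that a Lax cookie is only attached to cross-site top-level navigations that use a safe method (so whether it arrives on a gateway's POST back depends on how that return leg is made) and Chrome's two-minute "Lax+POST" allowance for cookies that carry no explicit SameSite attribute. The `Cookie` class, the `secure_context` flag and the function names are assumptions of this example.

```python
"""Model of the browser cookie rules behind the SameSite fix above (constructed example)."""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Chrome sends default-Lax cookies on cross-site top-level POSTs for this long after they are set.
LAX_POST_GRACE_SECONDS = 120


@dataclass
class Cookie:
    name: str
    same_site: Optional[str] = None   # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False


def accept_set_cookie(cookie: Cookie, secure_context: bool):
    """Set-time checks. Returns (accepted, reason)."""
    if cookie.secure and not secure_context:
        return False, "Secure cookie written from a non-secure context is rejected"
    if cookie.same_site == "None" and not cookie.secure:
        return False, "SameSite=None requires Secure; the browser drops the cookie"
    return True, "accepted"


def cookie_sent(cookie: Cookie, same_site_request: bool, top_level_navigation: bool,
                method: str, age_seconds: int = 0) -> bool:
    """Send-time check for a cookie that was accepted at set time."""
    if same_site_request:
        return True
    effective = cookie.same_site or "Lax"          # a missing attribute defaults to Lax
    if effective == "Strict":
        return False
    if effective == "None":
        return True                                  # None (and therefore Secure): always sent
    if not top_level_navigation:
        return False                                 # Lax: never on subresource/XHR cross-site
    if method.upper() in SAFE_METHODS:
        return True                                  # Lax: cross-site top-level GET is fine
    # Unsafe top-level navigation such as a form POST from another site: only the
    # default-Lax grace period for freshly set, attribute-less cookies lets it through.
    return cookie.same_site is None and age_seconds < LAX_POST_GRACE_SECONDS


def cross_site_callback_outcome(cookie: Cookie, secure_context: bool, age_seconds: int = 0) -> str:
    """Walk the page's scenario: set the cookie, leave the site, an external site POSTs back."""
    accepted, reason = accept_set_cookie(cookie, secure_context)
    if not accepted:
        return "dropped at set time: " + reason
    if cookie_sent(cookie, same_site_request=False, top_level_navigation=True,
                   method="POST", age_seconds=age_seconds):
        return "present on callback"
    return "absent on callback (not sent on a cross-site POST)"


if __name__ == "__main__":
    for label, c, ctx in [("None, not Secure, http", Cookie("PaResTransactionID", "None"), False),
                          ("None + Secure, https", Cookie("PaResTransactionID", "None", True), True),
                          ("Lax + Secure, https", Cookie("PaResTransactionID", "Lax", True), True)]:
        print(f"{label:28} -> {cross_site_callback_outcome(c, ctx)}")
```

The practical reading for a payment-style round trip is the last branch of `cookie_sent`: if the external side really returns with a cross-site POST, only a `SameSite=None; Secure` cookie is guaranteed to come back, and that in turn forces the application to run over HTTPS, which is the change the answer landed on.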
I have an ASP.NET webpage that reads a user's CAC card. When publishing to a test server, it works fine; however, in my local development environment with IIS Express I get empty strings when using Request.ServerVariables("CERT_SUBJECT"). I AM able to retrieve the "LOGON_USER" variable, but the "CERT_*" are all empty strings.
Currently my project settings contain
Anonymous Authentication = false
Windows Authentication = true
SSL Enabled = true // Created the default IIS express cert. Have also tried false with no luck
In addition, I have also attempted to modify the applicationhost.config like so
<security>
  <access sslFlags="SslRequireCert" /> <!-- originally none -->
</security>
<authentication>
  <anonymousAuthentication enabled="false" userName="" /> <!-- originally true -->
  <basicAuthentication enabled="false" />
  <clientCertificateMappingAuthentication enabled="false" />
  <digestAuthentication enabled="false" />
  <iisClientCertificateMappingAuthentication enabled="true"> <!-- originally false -->
  </iisClientCertificateMappingAuthentication>
  <windowsAuthentication enabled="true"> <!-- originally false -->
    <providers>
      <add value="Negotiate" />
      <add value="NTLM" />
    </providers>
  </windowsAuthentication>
</authentication>
Any thoughts on further configurations I need to make to allow my development environment to see these variables during debugging? Thanks.
The following settings turned out to be correct. The project properties should be set to
Anonymous Authentication = false
Windows Authentication = true
SSL Enabled = true
and the applicationhost.config like so
<access sslFlags="Ssl,SslNegotiateCert,SslRequireCert" /> <!-- originally none -->
<anonymousAuthentication enabled="false" userName="" /> <!-- originally true -->
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="true"> <!-- originally false -->
</iisClientCertificateMappingAuthentication>
<windowsAuthentication enabled="true"> <!-- originally false -->
  <providers>
    <add value="Negotiate" />
    <add value="NTLM" />
  </providers>
</windowsAuthentication>
In addition, in the project settings under the web tab, click the Create Virtual Directory button.
Finally, look at the project properties. There is a setting called SSL URL. Copy that. When debugging, unless you have your project set to start up in SSL mode, it will start up with a regular http address and render an access forbidden error. Paste the SSL URL in the browser and hit enter. The page will now prompt you for your CAC password and you'll be able to view the CERT server variables using Request.ServerVariables.
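The difference between the question's configuration and the working one above is the `sslFlags` value: the client is only asked for a certificate when `Ssl` and `SslNegotiateCert`/`SslRequireCert` are all set, and until then the `CERT_*` server variables stay empty. Here is a small Python audit, added here as an example rather than anything from the question or answer, that parses an applicationhost.config fragment and reports deviations from that working setup. The two XML fragments are constructed to mirror the before and after states on this page, and the function name is an assumption of the example.

```python
"""Audit an IIS / IIS Express applicationhost.config fragment for the client-certificate
settings that produce populated CERT_* server variables (constructed example)."""
import xml.etree.ElementTree as ET

NEGOTIATION_FLAGS = {"SslNegotiateCert", "SslRequireCert"}


def parse_ssl_flags(value: str) -> set:
    """sslFlags is a comma-separated list such as 'Ssl,SslNegotiateCert,SslRequireCert'."""
    return {f.strip() for f in value.split(",") if f.strip()}


def audit_client_cert_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means the fragment matches the working setup."""
    root = ET.fromstring(xml_text)
    findings = []

    access = root.find(".//security/access")
    flags = parse_ssl_flags(access.get("sslFlags", "")) if access is not None else set()
    if "Ssl" not in flags:
        findings.append("access/sslFlags lacks Ssl: TLS is not required for the site, "
                        "unlike the working configuration")
    if not flags & NEGOTIATION_FLAGS:
        findings.append("access/sslFlags lacks SslNegotiateCert/SslRequireCert: the client is "
                        "never asked for a certificate, so CERT_* stay empty")
    if "SslRequireCert" not in flags:
        findings.append("access/sslFlags lacks SslRequireCert: a client without a certificate "
                        "is still let in")

    def enabled(tag: str, default: str) -> bool:
        el = root.find(".//authentication/" + tag)
        return (el.get("enabled", default) if el is not None else default).lower() == "true"

    if enabled("anonymousAuthentication", default="true"):
        findings.append("anonymousAuthentication is enabled: requests are served without "
                        "identifying the caller")
    if not enabled("windowsAuthentication", default="false"):
        findings.append("windowsAuthentication is disabled: LOGON_USER will be empty")
    if not enabled("iisClientCertificateMappingAuthentication", default="false"):
        findings.append("iisClientCertificateMappingAuthentication is disabled "
                        "(the working setup has it enabled)")
    return findings


# Constructed fragments modelled on the question (BEFORE) and the answer (AFTER).
BEFORE = """<configuration><system.webServer><security>
  <access sslFlags="SslRequireCert" />
  <authentication>
    <anonymousAuthentication enabled="false" userName="" />
    <basicAuthentication enabled="false" />
    <clientCertificateMappingAuthentication enabled="false" />
    <digestAuthentication enabled="false" />
    <iisClientCertificateMappingAuthentication enabled="true" />
    <windowsAuthentication enabled="true" />
  </authentication>
</security></system.webServer></configuration>"""

AFTER = BEFORE.replace('sslFlags="SslRequireCert"',
                       'sslFlags="Ssl,SslNegotiateCert,SslRequireCert"')

if __name__ == "__main__":
    for label, fragment in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_client_cert_config(fragment) or ["no findings"])
```

Run against a real file, the same function can be pointed at the `<location path="...">` block for the site in question, since the XPath lookups only depend on the `security/access` and `authentication` elements being present somewhere below the node handed in.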
Are there any special considerations that need to be made when upgrading websites from
Windows 2008 R2 / IIS 7.5
to
Windows 2012 / IIS 8.0 ?
Some information that might be pertinent, I don't know, but in my sites, I use Negotiate:Kerberos as my Windows Authentication Provider and that is combined with an SPN inside my Service Endpoint Identity.
Here's my error:
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Now, the error is complaining about this line under the <system.webServer> config section:
<windowsAuthentication enabled="true" authPersistNonNTLM="true" useKernelMode="false">
Here is a condensed version of the <system.webServer> config section:
<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="false" />
      <basicAuthentication enabled="false" />
      <clientCertificateMappingAuthentication enabled="false" />
      <digestAuthentication enabled="false" />
      <iisClientCertificateMappingAuthentication enabled="false" />
      <windowsAuthentication enabled="true"
                             authPersistNonNTLM="true"
                             useKernelMode="false">
        <extendedProtection tokenChecking="None" />
        <providers>
          <clear />
          <add value="Negotiate:Kerberos" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
  <!-- required for impersonation -->
  <validation validateIntegratedModeConfiguration="false" />
</system.webServer>
Here is a condensed version of the <system.serviceModel> config section:
<system.serviceModel>
  <services>
    <service name="Deploy.Web.Services.Service"
             behaviorConfiguration="DeployServiceBehavior">
      <endpoint binding="basicHttpBinding"
                bindingConfiguration="DeployBasicHttpBinding"
                behaviorConfiguration="DeployEndpointBehavior"
                contract="Deploy.Web.Services.IService">
        <identity>
          <dns value="" />
          <servicePrincipalName value="HTTP/SERVERNAME" />
        </identity>
      </endpoint>
    </service>
  </services>
</system.serviceModel>
We figured it out!
Inside of IIS 8.0 > Server Parent Node > Features View > Management Section > Feature Delegation :
Authentication - Windows was set to Read Only instead of Read/Write. Once we changed it to Read/Write, the sites started working again.
So lesson learned, that's one more area you need to check when upgrading!
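Feature Delegation is a UI over the two locking mechanisms the error message names: the `overrideModeDefault` on the `<section>` declaration in `<configSections>`, and an explicit `<location path="" overrideMode="...">` entry in applicationHost.config that takes precedence over it (the legacy `allowOverride="false"` form locks as well). The Python below, added here as an illustration and not taken from the question or answer, resolves which one wins for a given section so the locked state can be checked from the file rather than the Feature Delegation screen. The `APPHOST` fragment is constructed for the example and the function names are its own.

```python
"""Decide whether a site-level web.config may override a section, from applicationHost.config
(constructed example covering the mechanisms the 'section is locked' error names)."""
import xml.etree.ElementTree as ET


def _section_default(root: ET.Element, section_path: str):
    """Follow <configSections> sectionGroups down to the <section> and read overrideModeDefault."""
    node = root.find("configSections")
    parts = section_path.split("/")
    for name in parts[:-1]:
        node = node.find(f"sectionGroup[@name='{name}']") if node is not None else None
    section = node.find(f"section[@name='{parts[-1]}']") if node is not None else None
    if section is None:
        return None
    return section.get("overrideModeDefault", "Allow")


def effective_override_mode(xml_text: str, section_path: str, site: str = "") -> tuple:
    """Return (mode, reason). A <location> that carries the section beats the section default;
    a site-specific location (path=site) beats the global one (path="")."""
    root = ET.fromstring(xml_text)
    leaf = section_path.rsplit("/", 1)[-1]
    mode = _section_default(root, section_path)
    reason = f"overrideModeDefault on <section name='{leaf}'>"
    if mode is None:
        mode, reason = "Allow", "section not declared in <configSections>"

    paths = [""] + ([site] if site else [])
    for path in paths:                       # later (more specific) paths override earlier ones
        for loc in root.findall("location"):
            if loc.get("path", "") != path or loc.find(section_path) is None:
                continue
            if loc.get("allowOverride", "true").lower() == "false":
                mode, reason = "Deny", f"<location path='{path}' allowOverride='false'>"
            elif loc.get("overrideMode"):
                mode = loc.get("overrideMode")
                reason = f"<location path='{path}' overrideMode='{mode}'>"
    return mode, reason


def is_locked(xml_text: str, section_path: str, site: str = "") -> bool:
    return effective_override_mode(xml_text, section_path, site)[0].lower() == "deny"


# Constructed applicationHost.config: windowsAuthentication locked by default (Read Only in
# Feature Delegation terms), anonymousAuthentication unlocked through a location entry.
APPHOST = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# What switching "Authentication - Windows" to Read/Write leaves behind: the section is added
# to the global overrideMode="Allow" location.
UNLOCKED = APPHOST.replace('<anonymousAuthentication enabled="true" />',
                           '<anonymousAuthentication enabled="true" />\n'
                           '          <windowsAuthentication enabled="false" />')

WINAUTH = "system.webServer/security/authentication/windowsAuthentication"

if __name__ == "__main__":
    print("before:", effective_override_mode(APPHOST, WINAUTH))
    print("after: ", effective_override_mode(UNLOCKED, WINAUTH))
```

The same lookup can be fed the real `%windir%\System32\inetsrv\config\applicationHost.config`; a section that resolves to Deny is exactly the one that makes a site web.config fail with the message quoted above.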
I have a website which has been running on IIS7 for about 2 months. We have the default documents set up to load a default.asp page when users go to the domain with no page. Suddenly this morning, I am getting errors and the default document will not load. If I type the default.asp, the file loads just fine.
Error Info:
Module: DefaultDocumentModule
Notification: ExecuteRequestHandler
Handler: StaticFile
Error Code: 0x80070002
here is a section from my applicationhost.config:
<system.webServer>
  <asp>
    <cache diskTemplateCacheDirectory="%SystemDrive%\inetpub\temp\ASP Compiled Templates" />
  </asp>
  <defaultDocument enabled="true">
    <files>
      <clear />
      <add value="Default.asp" />
      <add value="Default.htm" />
      <add value="index.htm" />
      <add value="index.html" />
      <add value="iisstart.htm" />
    </files>
  </defaultDocument>
  <directoryBrowse enabled="false" />
  <globalModules>
    <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
    <add name="FileCacheModule" image="%windir%\System32\inetsrv\cachfile.dll" />
    <add name="TokenCacheModule" image="%windir%\System32\inetsrv\cachtokn.dll" />
    <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
    <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
    <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
    <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
    <add name="ProtocolSupportModule" image="%windir%\System32\inetsrv\protsup.dll" />
    <add name="HttpRedirectionModule" image="%windir%\System32\inetsrv\redirect.dll" />
    <add name="ServerSideIncludeModule" image="%windir%\System32\inetsrv\iis_ssi.dll" />
    <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
    <add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />
    <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
    <add name="CustomErrorModule" image="%windir%\System32\inetsrv\custerr.dll" />
    <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
    <add name="RequestMonitorModule" image="%windir%\System32\inetsrv\iisreqs.dll" />
    <add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />
    <add name="IsapiFilterModule" image="%windir%\System32\inetsrv\filter.dll" />
    <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
    <add name="FastCgiModule" image="%windir%\System32\inetsrv\iisfcgi.dll" />
    <add name="ManagedEngine" image="%windir%\Microsoft.NET\Framework\v2.0.50727\webengine.dll" preCondition="integratedMode,runtimeVersionv2.0,bitness32" />
    <add name="ConfigurationValidationModule" image="%windir%\System32\inetsrv\validcfg.dll" />
    <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v2.0.50727\webengine.dll" preCondition="integratedMode,runtimeVersionv2.0,bitness64" />
    <add name="RewriteModule" image="%SystemRoot%\system32\inetsrv\rewrite.dll" />
    <add name="ManagedEngineV4.0_32bit" image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness32" />
    <add name="ManagedEngineV4.0_64bit" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
    <add name="WebDAVModule" image="%SystemRoot%\system32\inetsrv\webdav.dll" />
    <add name="WindowsAuthenticationModule" image="%windir%\System32\inetsrv\authsspi.dll" />
  </globalModules>
</system.webServer>
I have also verified that the modules physically exist on disk. I am not aware of any changes on this server, and the default document has definitely been working up till yesterday. Server is Windows Server 2008 x64 with IIS 7.0.
I've recycled the app pool, rebooted the server, and removed and re-entered the default documents. The error looks like it can't find the default document module.
What else can I try?
My coworker and I have been chasing this all morning and someone on IRC pointed us to the resolution. Turns out that IIS was having trouble with the default document because the website root folder had gotten marked as Hidden. Apparently, when the folder is Hidden, the default document module cannot find it and you get the ERROR_FILE_NOT_FOUND shown above.
We verified this behavior on a Dev server by setting the web root folder to Hidden and sure enough got the same error for the default document. Removed the Hidden attribute and the default document loads correctly.
I have seen a lot of questions about this today, and no one has posted an answer that fit our problem. I want to say thanks to whoever that was on IRC! And hopefully posting it here will help others.
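The answer above is a good reminder that 0x80070002 (ERROR_FILE_NOT_FOUND) from DefaultDocumentModule can come from the directory rather than from any of the configured files. The Python below, added here as an example and not code from the question or answer, walks the `<defaultDocument>` collection the way IIS merges it (`<clear/>`, `<add/>`, `<remove/>` in order), matches file names case-insensitively as IIS does, and checks the web root for the Hidden attribute before looking for a file. The `<defaultDocument>` fragment is copied from the post; the `demo` helper, its throwaway directory and the function names are assumptions of this example, and the Hidden check only has effect on Windows, where `os.stat` exposes `st_file_attributes`.

```python
"""Resolve an IIS default document and flag a Hidden web root (constructed example)."""
import os
import stat
import xml.etree.ElementTree as ET

# The <defaultDocument> section from the post above.
DEFAULT_DOCUMENT_XML = """<defaultDocument enabled="true">
  <files>
    <clear />
    <add value="Default.asp" />
    <add value="Default.htm" />
    <add value="index.htm" />
    <add value="index.html" />
    <add value="iisstart.htm" />
  </files>
</defaultDocument>"""


def default_document_list(xml_text: str) -> list:
    """Apply <clear/>, <add/> and <remove/> in document order, as the collection is merged."""
    root = ET.fromstring(xml_text)
    if root.get("enabled", "true").lower() != "true":
        return []
    names = []
    for el in root.find("files"):
        if el.tag == "clear":
            names = []
        elif el.tag == "add":
            names.append(el.get("value"))
        elif el.tag == "remove":
            names = [n for n in names if n.lower() != el.get("value", "").lower()]
    return names


def is_hidden(path: str) -> bool:
    """Windows Hidden attribute; always False where st_file_attributes is unavailable."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def resolve_default_document(webroot: str, xml_text: str) -> tuple:
    """Return (matched file name or None, diagnosis)."""
    if not os.path.isdir(webroot):
        return None, "web root missing"
    if is_hidden(webroot):
        return None, "web root has the Hidden attribute: DefaultDocumentModule reports 0x80070002"
    present = {n.lower(): n for n in os.listdir(webroot)}   # IIS matches names case-insensitively
    for candidate in default_document_list(xml_text):
        actual = present.get(candidate.lower())
        if actual and os.path.isfile(os.path.join(webroot, actual)):
            return actual, "ok"
    return None, "no configured default document exists in the web root"


def demo() -> tuple:
    """Build a throwaway web root that contains only default.htm and resolve against it."""
    import tempfile
    webroot = tempfile.mkdtemp()
    open(os.path.join(webroot, "default.htm"), "w").close()
    return resolve_default_document(webroot, DEFAULT_DOCUMENT_XML)


if __name__ == "__main__":
    print(demo())
```

On a Windows box, pointing `resolve_default_document` at the real site root reproduces the answer's finding directly: the Hidden branch fires before any file is even looked for.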