Siteminder Causing Login Error - asp.net

We are a software dev company with a product that is deployed at our client's site. Recently, we started seeing an issue with our login in conjunction with Siteminder.
They have Siteminder turned on but we are not integrating with it for SSO. They get to our login page just fine. When a user inputs their login credentials our application returns a login error and does not allow them to login.
Upon further investigation, we found that our login process is receiving 2 different requests! One with the correct username and PW and another request is blank username and PW. As soon as we turn Siteminder off, it works correctly.
We are not sure if this is an issue in our code or with Siteminder's setup. We have other instances of the application that work correctly. We did no code changes to integrate with SM when we first deployed and it was working fine before. We sent a code update and then it started not working. It all points to us but we cannot find it in the code. Any help here would be great! We are not sure how SM really works with this.

This probably is not something that Siteminder is causing. Did you trace the JS requests to see if there are two submits being done on the page?

Generally we disable the web agent to remove the Siteminder component from the infrastructure. If the end user is able to access the application without the Siteminder component, then the problem lies on the Siteminder part.
And if the user is facing an issue while accessing the application without the Siteminder components, then there is no issue with the Siteminder components.


Problems logging in using safari and Identity Server 4

Some of our customers are having problems logging onto our site using Safari.
We have 3 sites, Main, Login and API; they are all running .NET Core 2.1.
Login is using Identity Server 4 with OIDC.
For the customer: They log in and then the page turns white.
Looking in the log, it seems to log in, redirect to the main site, the main site redirects back to the login site (because it thinks the user is not authenticated), the login site thinks they are logged in and redirects to the main site, and it gets stuck in a loop.
I have seen that Safari cookie size might be an issue. I changed to MemoryCacheTicketStore to reduce cookie size; it did not help.
One particular customer gets this problem 2-6 tries, then on the next try it works.
We have many customers that use Safari without any problems so it is not a problem for all customers.
I haven't been successful in reproducing the problem either.
Any suggestions on a solution or perhaps how to dig deeper into the problem?
/Jimmy
I have found a topic that explains a reason why IdentityServer has issues in Safari. https://github.com/IdentityServer/IdentityServer4/issues/1278. Unfortunately, haven't found a proper decision yet.

Website does not automatically redirect to adfs log in

I am trying to set up a company website to use an adfs log in system, using the instructions found on https://www.linkedin.com/pulse/how-implement-sso-aspnet-mvc-application-adfs-tuomas-kesti, but my site does not redirect to the adfs page, and instead loads the home page of the site as if nothing happened. Looking at the network page in inspect element shows that the site never calls or redirects to the adfs page.
In my web.config file, the realm and reply values are set up to the main site, with the issuer value being the adfs site and follows the same format of "https://sts.domain.com/adfs/ls/". The adfs site is up and running with and the thumbprint from its certificate is added in the tag. passiveRedirectEnabled is set to true in the tag.
I'm not sure what the problem is, and looking it up online doesn't find me any results. If anyone has an idea on why my site isn't automatically redirecting, that would be appreciated.
Yes, it seems that the code in your tutorial doesn't redirect automatically when no JWT is available. I.e. the last code sample should contain an 'else' that responds with a redirect to the ADFS login page.
Have a look at these samples for Azure AD:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples
I found them very helpful and they can (mostly) be used with a standalone ADFS as well. Most of all, they cover all sorts of solution architectures and framework versions.

ASP.Net redirecting to local host after authentication

I just created a webform that is hosted in my Azure subscription. I set it up with authentication via my work's Azure directory for authenticating users. In debug this works fine and I am able to log in with my work credentials and then view the website via localhost.
I have published this to my Azure and it says it is running and working fine. So when I try to connect to the website it continuously redirects me to the localhost resulting in an error.
I have checked the web config.
Here is the google network chain of events when it occurs.
I am really lost as to what is wrong and what I need to do to fix this so any help would be greatly appreciated. I'm sorry I can't offer more but I don't even know what is wrong to begin with or where to look. Is there some setting in Azure that I need to add the website too?
I have solved this issue. Since it was such a pain I will keep this up as I couldn't find any answers on this. It was actually quite simple.
You have two options. The one I did and which worked was changing the publish profile as below:
Add the domain where the authentication is occurring. So if you have your web app hosted by a different Azure account than that which is authenticating the users, use the one that is authenticating.
This will create two versions of your app on the site, one for localhost and one for the actual site.
The second option (I have not tried this but it should work) is to go to the Azure account where you are authenticating the users and go to applications and then configure. Change the APP URL from localhost to the URL you are trying to get to.
Here is an excellent link that explains how to do this clearly.
Click this link for detailed explanation
I also had this issue and took these steps to resolve:
1) Navigate to the app registration in AAD
2) Open the manifest
3) Change the ReplyUrl to the url of the app (e.g. http://appname.azurewebsites.net)
Then I got the error
Bad Request - Request Too Long HTTP Error 400. The size of the request headers is too long.
Next I cleared all cookies from the browser, and this changed the error to just
Bad Request
So I went back to that ReplyUrl and changed it to https://appname.azurewebsites.net/.auth/login/aad/callback and now it appears to work.
Note I also had to make sure I didn't have the site open in any other tabs before it started working
I had this issue when I switched an app from our company Azure over to a customer's Azure. In my case I'd forgotten to update the ida:ClientId, ida:AADInstance and ida:TenantId, which then meant that the value I'd set for ida:PostLogoutRedirectUri was ignored (I think) and instead my app redirected to localhost.
Once I changed those ida values to the values from the app settings and subscriptions settings on our customer's Azure it all worked as expected.
It took a while to track down all the values in Azure portal as they are all called something different, or aren't named at all:
ClientId can be found at Azure Active Directory > App Registrations > YourAppName. It's called 'Application ID' in Azure
Domain can be found on Azure Active Directory > Overview. It's currently in the top left in the format somename.onmicrosoft.com
TenantId this is the Azure AD instance ID, get that from Azure Active Directory > Properties and then it's called 'Directory ID'
I spent a lot of time trying to work out where the localhost port that was being redirected to was in the code, but it simply isn't there as far as I can see, so I have no idea how Azure was choosing what localhost address to redirect to!
You need to set another parameter in configuration, that is replyUrl, and assign it to your web app; otherwise it takes the URL from which it originated.
I was able to fix this by changing my Startup.Auth.cs file redirectUri from "https://localhost:44316/" to https://myapp.com/
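An added example, not code from any of the posts above: a pre-publish check that parses a web.config and flags the two conditions the answers report, unset `ida:` values and a redirect URI still pointing at localhost. The sample config and all of its values are constructed; only the `ida:` key names come from the posts, and the https requirement is an added assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample web.config; every value is a placeholder.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ida:ClientId" value="00000000-0000-0000-0000-000000000000" />
    <add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
    <add key="ida:TenantId" value="" />
    <add key="ida:PostLogoutRedirectUri" value="https://localhost:44316/" />
  </appSettings>
</configuration>"""

REQUIRED_KEYS = ("ida:ClientId", "ida:AADInstance", "ida:TenantId")
REDIRECT_KEYS = ("ida:PostLogoutRedirectUri",)


def load_app_settings(xml_text):
    """Return the <appSettings> key/value pairs of a web.config as a dict."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): (a.get("value") or "").strip()
            for a in root.findall("./appSettings/add")}


def is_loopback(host):
    """True for localhost names and loopback IP literals (127.0.0.0/8, ::1)."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name


def audit(xml_text):
    """Return (key, problem) findings that should block a production publish."""
    settings = load_app_settings(xml_text)
    findings = [(k, "missing or empty") for k in REQUIRED_KEYS if not settings.get(k)]
    for key in REDIRECT_KEYS:
        uri = urlparse(settings.get(key, ""))
        host = (uri.hostname or "").lower()
        if not host:
            findings.append((key, "missing or not an absolute URI"))
        elif is_loopback(host):
            findings.append((key, "points at a loopback host"))
        elif uri.scheme != "https":
            findings.append((key, "not https"))
    return findings


if __name__ == "__main__":
    for key, problem in audit(SAMPLE_WEB_CONFIG):
        print(f"{key}: {problem}")
```

The same redirect URI also has to be registered on the identity provider side, which this file-level check cannot see.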

IIS hosted website - login works first time. Then fails. No error message

We have an aspnet web application that works fine locally. No issues at all.
When published to IIS 7.5 the site loads up, lets me log in and works perfectly. I can log in using my own and any other account that is registered.
Problem is - when I close the browser down and then reopen and login again it does nothing.
No error message from IIS, no 'invalid attempt' from the login controls. Nothing.
If I attempt to login with a made up username and password I get the error I expect from the login controls - 'Invalid user name and/or password'.
If I restart or simply change any settings for the web site in IIS it works again once - then fails on the next attempt.
I have set 'Rapid-fail protection' to false. I have checked the logs. But I am no nearer to understanding what the problem is.
Can anybody point me in the right direction as I am losing the will to live ! :)
Thanks in advance

Anonymous Authentication in IIS over https does not fire a postback

I recently decided to change from using Windows Authentication for my internal web applications to Forms Authentication. I've not used the latter very much and one site explained you have to enable both Forms and Anonymous for this to work. The idea is to verify user passwords against an active directory then grant them access accordingly. I had this working just fine locally and when publishing to IIS 7.5 it still worked. It was just a basic Visual Studio project that would redirect to our homepage.
The problems arose when I tried accessing this same project securely with https, I included the full domain and it would load the new login page but when I clicked login it would do nothing. Since then I've scoured the web and found numerous mentions of this and that and tried many of them to no avail.
It was only later I created a blank project with a single button and one line of the code on the page to see if a post back had fired. After publishing I only enabled Anonymous Authentication in IIS and browsing to this basic test app using http when you clicked the button, false on the page changed to true - indicating a post back. Yet with https it just remains false. I think this may be why the active directory login wasn't working as it too had Anonymous enabled.
I'm still pretty new at the secure side of things but with the details passing over I have to use a secure connection just for the login then it can redirect to the usual applications we use internally.
I'd appreciate any thoughts you may have regarding this.
Thanks!
We use this configuration (anonymous IIS access, forms authentication, and https) successfully all of the time.
There are three things that you should do to track this issue down:
1) Verify that there are no javascript errors in the page that break the button (i.e. a javascript file not being delivered to the page)
2) Check the windows event logs for exceptions from asp.net/iis.
3) Install and run fiddler, select Fiddler Options... from the Tools menu, click on the HTTPS tab and ensure all of the checkboxes are checked, then run your website and look at the requests and responses, particularly when you press the button.
