We're working on a development of a JBoss portal. As part of the functionality, we need to integrate it with Alfresco, using a portlet. Both (portal and Alfresco) will connect to the same LDAP directory to get the users, to guarantee that the same users can access to both systems. Right now that part of the implementation is not completed, so we have created the same users/password on both.
To present the content of Alfresco, we're using a Flexspaces portlet. When the page containing the portlet is loaded, a window appears requesting the login/password on Alfresco. After the login, the browser keeps track of the session.
Then, when the users logs out from the portal, we're experiencing problems, as the portlet is having some problems, like asking login (not on Flex, but on old-fashion javascript way), but not accepting it, and showing errors of "invalid Ticket"
As the portal knows the user that needs to be logged (and when it logs out) on the Alfresco system, what would it be the easiest way to make this integration? How can we communicate to the Flex to make login and logout from the portal?
Also, we're interested in knowing how to communicate from the portal to the flex, not just for this problem, but for further development.
I started a topic on the FlexSpaces forum on the alfresco forge to help you with this:
http://forge.alfresco.com/forum/forum.php?thread_id=1202&forum_id=534
Related
I've tried this with several MS accounts that have Azure/AAD accounts in place and have attempted using both Visual Studio 2015 as well as 2017 and am getting the exact same bug/error.
Using the default ASP.NET MVC template with AAD integration out of the box (no code changes at all). The App is registered in my AAD account, and I see the tenantId and other GUIDs are in the Web.Config as they should be. I also traced the call stack as far as I could and the tenantId is initialized properly yet I still get this error:
Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID.
This happens after the permissions acceptance screen.
Here is a screenshot as well:
As requested, here is the Web.Config:
So the resolution was very simple. But this is not documented anywhere, not even in Vittorio Bertocci's book on the subject - which leads you to believe that you can log in as the Azure subscription owner after creating the Visual Studio project without any additional setup in Azure.
Since the new portal is in preview the UX is not really all that obvious. Here are the steps to take after creating a new ASP.NET project with Active Directory integration:
You have to log into Azure (in the new portal)
Click on Active Directory.
Go to your "App Registrations"
You will see your new application there. click on it.
Inside of the "Essentials" panel at the top of the app registration blade you will see a link with the header "Managed application in local directory" and the link will have the same name as the blade you are already in (This is the confusing part). Click on that link...
You are now one blade deeper and are able to see how many users this application has. It will likely be 0. - This is the issue!
Click on "Users and Groups" in the menu on the left side and you can start adding users.
Please note that the above steps may change as AAD comes out of preview in the new portal.
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
While using Windows Organizational authentication in the ASP.net MVC project, I am unable to access the /Manager portion of PirahnaCMS. Whenever I attempt to login, it just redirects back to the login page. Is there a solution to this problem, or a workaround?
Someone asked this question, but no one posted a solution: How to get to Dashboard
Best Regards,
Saad
The Piranha CMS manager uses forms authentication. If you've configured another form of authentication in your main web.config the manager login won't work. In the upcoming version (2.3.0) the authentication mechanism will be replaceable, but in the current version the manager needs forms authentication.
You have two possible solutions:
1) Try configure the manager area to use Forms authentication by adding a separate web.config to this area.
2) Set the "front-application" to run in passive mode, i.e. disable the manager. Add a different web without the front-end and just the manager pointing to the same database.
Regards
HÃ¥kan
I am working on a project of developing a web UI. The project requires .NET implementation. I currently published the website on Windows server 2008 with IIS 7.5 for testing. The project asks for and login/out page as the entrance to the main UI. The login/out page should asks for username and password with some security questions. And it also enables user to change and save the password. The authentication technique has to be implemented using digested authentication.
I have already tested the digest authentication after enabling it in IIS. It works good with popping up a window asking for the username and password.However, I have a doubt whether the digest authentication allows for customized login/out page and ability of changing and saving the password (which will most likely be realized with form authentication to the best of my knowledge). I believe there might be (or not?) some ways of doing it, anyone can guide me to some references or sample codes?
Try this article: http://www.eggheadcafe.com/articles/20030701.asp
And maybe this one: http://msdn.microsoft.com/en-us/library/Ee817643%28pandp.10%29.aspx
I have been Googling a problem that I have with trying to integrate the web application that I am working on with SharePoint 2010.
The web application is a wiki style tool that allows users to log in via forms authentication or WIA against Active Directory and create content for themselves and others.
What we would like to do is to allow a user have a page with the content they have created in our web application mixed in with content that they have living on the SharePoint server. For example, they may want to see a list of documents that they have on the SharePoint server mixed in with some of their content.
To accomplish this, we would like to take the credentials the user has logged into our web application with (for example MYDOMAIN\jsmith) and be able to query SharePoint for the documents of that same user (MYDOMAIN\jsmith) WITHOUT the user being prompted to re-enter their credentials to access the SharePoint server (we are trying to avoid the double-hop problem)
We have come up with some options for how we want to do this, but we are unsure of what the best approach is.
For example, we could
- Have a global user, shared by all users to get information we need from SharePoint. The downside is that we cannot filter SharePoint content to a particular user
- We could store the users credentials when they log in, but that would only work for users authenticating via forms auth and would be a security issue that some users/clients would not like
- Writing a SharePoint extension using WCF to allow us to access the information we need, however we'd still have the issue of figuring out how to impersonate the user we want.
Neither of these options are ideal and in our investigation we came across the Claims Authentication/STS option which seems like it is trying to solve the problem we are having.
So my question is, based on what I have written, is Claims/STS the best approach for us? We have not been able to find much direction on how to use this method to call into SharePoint from a Web Application and pass along the existing credentials.
Does anyone have any experience with any of these issues?
It sounds like you may be overcomplicating the problem. The reason that the user gets asked for credentials twice is that the two parts of the system are on different servers. The easiest solution is probably to implement your custom web app as custom pages/web parts within SharePoint.
If that isn't an option, a smaller amount of code on the SharePoint server (maybe a custom web service) should give you a few more options for impersonating a particular user.