User- and page-specific Permissions in Python/Flask Azure Web App - permissions

I have an Azure Web App that uses Python & Flask to run various reports. The directory is structured as follows:
https://my-site.azurewebsites.net/
https://my-site.azurewebsites.net/report-1
https://my-site.azurewebsites.net/report-2
I would like the permissions to work as follows:
https://my-site.azurewebsites.net/ - anyone with Microsoft Authentication in my domain can access (this is done)
https://my-site.azurewebsites.net/report-1 - specific people with Microsoft Authentication in my domain can access
https://my-site.azurewebsites.net/report-2 - other specific people with Microsoft Authentication in my domain can access
If someone without access to https://my-site.azurewebsites.net/report-1 tries to access that URL, it should redirect to an error page (/permissions-error or something) with a link to the primary domain.
What is the best way to configure the Authentication/Authorization/Permissions?
So far, I have been able to set up the authentication for the primary domain but can't figure out how to do the configuration for the report pages.
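One way to do the per-report check in the Flask app itself, as an added example that is not part of the question or of any Azure/Flask documentation: the app keeps an allow-list per report route and a decorator that redirects unlisted users to `/permissions-error`. It assumes App Service Authentication ("Easy Auth") is already enabled for the site (which is how the primary domain is protected), so every request reaching Flask is signed in and carries the caller's identity in the `X-MS-CLIENT-PRINCIPAL-NAME` header that App Service injects after stripping any client-supplied copy; the user names and route names in the allow-list are constructed sample values. The policy functions are kept framework-independent so they can be exercised without Flask.

```python
"""Per-route authorization for a Flask app behind Azure App Service auth.

Assumptions (added example, not from the original question):
- App Service Authentication is on, so requests reaching Flask are already
  signed in and carry the caller's identity in X-MS-CLIENT-PRINCIPAL-NAME.
  App Service removes any client-supplied copy of that header, which is the
  only reason the app may trust it; without that front door in place the
  header must not be used for authorization.
- The allow-lists below are constructed sample data.
"""
from functools import wraps

PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL-NAME"

# Report route -> set of user principal names permitted (constructed data).
REPORT_ACCESS = {
    "/report-1": {"alice@example.com", "bob@example.com"},
    "/report-2": {"carol@example.com"},
}


def principal_from_headers(headers):
    """Return the signed-in user's principal name, lower-cased, or None."""
    name = headers.get(PRINCIPAL_HEADER)
    if not name:
        return None
    return name.strip().lower()


def is_allowed(report, principal):
    """Deny by default: an unknown report or an unlisted user is refused."""
    if principal is None:
        return False
    allowed = REPORT_ACCESS.get(report)
    if allowed is None:
        return False
    return principal in {user.lower() for user in allowed}


def decide(report, headers):
    """Return ('allow', principal) or ('redirect', '/permissions-error')."""
    principal = principal_from_headers(headers)
    if is_allowed(report, principal):
        return ("allow", principal)
    return ("redirect", "/permissions-error")


def create_app():
    """Wire the policy into Flask (imported lazily so the policy above
    can be used and tested without Flask installed)."""
    from flask import Flask, redirect, request

    app = Flask(__name__)

    def requires_report(report):
        """Decorator: run the view only if the caller is listed for `report`."""
        def decorator(view):
            @wraps(view)
            def wrapper(*args, **kwargs):
                verdict, target = decide(report, request.headers)
                if verdict != "allow":
                    return redirect(target)
                return view(*args, **kwargs)
            return wrapper
        return decorator

    @app.route("/")
    def home():
        # Reached only by signed-in users; App Service enforces that.
        return "Welcome, %s" % (principal_from_headers(request.headers) or "unknown")

    @app.route("/report-1")
    @requires_report("/report-1")
    def report_1():
        return "report 1"

    @app.route("/report-2")
    @requires_report("/report-2")
    def report_2():
        return "report 2"

    @app.route("/permissions-error")
    def permissions_error():
        body = ('<p>You do not have access to this report.</p>'
                '<a href="/">Back to the home page</a>')
        return body, 403

    return app


if __name__ == "__main__":
    create_app().run()
```

Keeping the allow-list in code is the simplest form; the same `is_allowed` check works unchanged if the sets are later loaded from app settings or looked up from group claims instead.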

Related

icCube - Web App unable to get resources from icCube server before external login

Follow-up question to this.
I am currently trying to set up a Web Application to display reports on an intranet site, using the intranet login to authenticate users, passing the authorization process to icCube. I'm trying to get it to work with a local install of xampp apache using basic auth and a local install of icCube. My scripts are based on icCube's live demo.
When I start my Web App with an empty Cache & Cookies, the App is unable to load, throwing me a lot of errors similar to these:
(screenshot: WebApp errors)
The reason for these errors is the fact that the GET-requests for the resources are answered with code 401, which is a text/html. This means that my WebApp is not authorized to fetch the .css and similar resources from the icCube-server.
Logging into my icCube interface solves the errors, as that authorizes my browser session to get data from my icCube server.
Is there any workaround for this problem? As far as I know, the resource URIs are generated from the ic3root and ic3rootLocal passed to the ic3Start-function on the html-page, which means that I can not just pack all the .css-files into my apache folder and link them.
Is it possible to authorize my WebApp to get these resources based on the same authorization process used to get my report selection (proxy configuration)?
It looks like Apache does not "secure" the icCube URLs with its Basic Auth configuration and lets non-authenticated requests reach the icCube server.
Note 1: You can access "public" HTML resources (i.e., with no authentication required). For that you can use the icCube.xml property (see doc. in the file).
Note 2: You can deploy the icCube Web Reporting application with your Web App HTML files in "Apache" and configure the Web Reporting for accessing the icCube server elsewhere (worth a different question).

Cross Domain Session Communication

I have two domains pointing to the same server. What I am trying to do is: when I log in to the application using domainOne.com, the session is maintained for that domain; if I try to access the application from the other domain, domainTwo.com, the session is not there.
I want the same session values in both domains.
I have a PHP application [Yii Framework Application], and the requirement is that a third-party application wants part of my application content, which needs to be authenticated. I authenticate the content using SSO (Single Sign-On [JWT]) and pointed their domain to my content (which needs to be shared). This way, I am able to log in using their (the third party's) domain, but when I access the same section using my original domain the session is not there (no session when using my domain).
What I want is: when I log in using their domain and access the content from my domain, it should show me as a logged-in user.
Conditions:
domainTwo.com/someContent - logged in using this
domainOne.com/someContent - session is not here
and vice versa
P.S. someContent is on my server only.
Can anyone please help?
Thanks in advance!
Edit: The requirement is that the client doesn't want iframes; please suggest methods which don't use iframes.

Cannot connect to SharePoint 2010 Web Site whilst on the server locally - Access denied

I am getting the error below while getting the Search Crawlers to work:
The start address sts4://mysites/contentdbid={3d198865-7f27-4633-bd71-902795032d78} cannot be crawled.
*Context: Application 'Search_index_file_on_the_search_server', Catalog 'Search'*
Details:
Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has "Full Read" permissions on the SharePoint Web Application being crawled. (0x80041205)
I have checked all permissions and they appear to be in order.
While investigating this problem I discovered that when I RDP to the SharePoint server and connect to the sites whilst on the server (locally to the server) I get access denied.
The Central Administration works just fine, but all the other Web Applications (intranet & mysites) will not allow me to login. I get prompted to enter username and password (like I do when connecting to CA) but it never accepts the login. These sites work without any problems when accessed from client workstations.
When I check the site log file it is reporting a http 401 Unauthorised error.
Note: The sites are not using Claims Authentication
Any ideas on how to fix this?
Thanks,
Andrew
You're probably having the loopback check issue. Follow the instructions in this KB article: http://support.microsoft.com/kb/896861

How to access an internal asp.net web application from the internet?

I have an asp.net web application in an internal windows domain which calls a wcf-service. In the wcf-service I use the SecurityContext.Identity.Name, so it needs impersonation.
Our task is that the web application can be accessed from anywhere.
The first step was that the administrators published the web application through ISA Server 2006. The main problem with this solution is that the browser doesn't save the user's login name and password in the ISA authentication form. In addition, the users want to access the web app from a Nokia mobile with Opera Mini.
What can I do, in a simple way, so that the browser saves the login name/password and the user can use the application without re-entering the login data every 30/60 minutes?
Any best practice?
The standard is to store the username/password in a cookie and have the login page pull the login info from the cookie to auto-login. You can have this cookie expire in a month if you want to.
Here are some examples using different languages to add a "remember me" type functionality to save username and password in a cookie.
Cookies
php example
asp.net example
asp example
Response to creator's comments:
In order to modify the ISA login page, look at this article. You should be able to add the code to handle cookies by editing the login page file located in the directory C:\Program Files\Microsoft ISA Server\CookieAuthTemplates\ISA\HTML (assuming you installed ISA to that location).
I do not think there is an out of the box configuration that allows you to set this up, but I did see some configuration for setting trust level (#18 from the article) that you might want to play with.

Integrated Authentication on Webserver - Security?

We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be set up for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Are there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate a user with a script that looks up the user in LDAP. You need to know that the user is who they claim to be, and the only way to do that is to let NTLM/Kerberos authenticate the user (i.e. establish proof that the user knows a secret stored in the AD, the password).
Add the URL of the web site to the set of sites considered to be in the local intranet zone for IE browsers running on the internal network. By default, sites considered local intranet will be sent the currently logged-on user's credentials when challenged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.