IIS on Windows Server 2012 setup with 2 projects:
example.com: ASP.NET Core MVC project with VueJS as javascript framework.
api.example.com: ASP.NET Core Web API project whichs feeds the UI project.
The example.com is setup using Windows Authentication, the api.example.com is setup with both Anonymous and Windows Authentication.
Both projects have a seperated Application Pool.
Everything is working fine except when I go to the example.com website, I get a prompt to input my AD credentials for example.com, after that I get another one for api.example.com.
So the user needs to enter his credentials twice. Is there a way to reduce this to one and send the credentials to both websites?
I am using Google Chrome as browser to use the website.
Ok reduced the login to zero. Disabled the Windows authentication on the example.com because all authentication is done on the API project so no need to apply it here. Then added the api.example.com under Internet Explorer > Settings > Security > Intranet sites and kow the client can work directly without applying credentials when working inside the domain.
Related
If I create an ASP.NET Core + Angular project and enable Windows Authentication (following these instructions link) and debug it using IIS Express, why does the Angular app load if I open the browser with a local user (runas /user:MY-PC\local-user Chrome.exe) which is not in AD? Shouldn't IIS Express ask me for credentials?
If I publish to Local IIS (with Windows Authentication enabled and Windows Hosting Bundle installed) using Web Deploy I get the same result, Angular app loads and Local IIS does not ask for credentials. I tried splitting the project with ASP.NET Core API + Angular, but I got the same result. I had to implement an endpoint with some logic to return 401 (not network user), 403 (network user but not in my AD Group) and a Guard in Angular to avoid loading the Component and 401 and 403 pages.
However, when I did publish to IIS on the server (manually, I created the website and copied the files, and installed Windows Hosting Bundle), I realized the behavior is different, the Angular app is not loaded and IIS always asks for credentials. If I put wrong credentials or click on Cancel, IIS shows 401. With the correct credentials I can access and browser will remember them, but if I close and open the browser again, I need to re-enter my credentials, which is a bit annoying.
IIS Express and Local IIS never ask me for credentials when I open a normal browser (using my AD account).
Why does 'IIS on the server' behave differently than 'Local IIS' and 'IIS Express'?
I've inherited an old asp.net application which runs on IIS v10, but I've run into a problem trying to remove the authentication. The application runs under the Default Web Site. It was originally set to Windows Authentication and worked, but now I need to remove the login that occurs on load of the website.
The Default Web Site (app parent) authentication is set to Anonymous. When I disable all authentication at the application level, I get a 401 - Unauthorized User error in the browser. When I enable Anonymous authentication, the site loads very slow, but only the HTML with none of the CSS styling. I'm not sure why this is.
How should the authentication be configured to remove a login?
You need to choose the application which under the Default Web Site and click the Authentication module.
In addition to disabling windows authentication, also enable anonymous authentication.
If you want to disable windows authentication for a file in the application, first select the content view to view the files inside the application, then select the file and right-click the switch to features view.
I have an Azure Mobile App service that I use with my (Cordova and Xamarin) mobile apps. The URL for the Mobile App service is https://gonzo.azurewebsites.net/ (not the real URL). I want to create a website (ASP.NET Core 2.0 Web App) that connects to my Azure Mobile App service, just like my apps do. I tried publishing it to the gonzo URL but that overwrote my mobile app service and thus I had to restore it. I’d love to know if there is a way to actually make that work.
My next step was to create the website and use a different URL https://kermit.azurewebsites.net/. I use social authentication for my app mobile service. When I debug it locally against localhost, everything works perfectly. The problem that I’m running into is that when I try to login from the published website, regardless of the auth provider (facebook, Microsoft, google), instead of getting to the login UI supplied by the login provider, I get a 403 with the URL looking something like this: https://gonzo.azurewebsites.net/.auth/login/facebook/callback?code=long-code.
I thought this can be fixed by allowing the kermit origin in my Azure Mobile App service in CORS. I even tried setting CORS to allow all hosts (*) but that didn’t make a difference. Any idea how to make this work?
I want to create a website (ASP.NET Core 2.0 Web App) that connects to my Azure Mobile App service, just like my apps do. I tried publishing it to the gonzo URL but that overwrote my mobile app service and thus I had to restore it. I’d love to know if there is a way to actually make that work.
Based on your requirement, I assumed that you could deploy your NET Core 2.0 Web App along with your mobile app, at this point your two applications could share the authentication. For Detailed tutorial, you could follow Deploying multiple virtual directories to a single Azure Website.
The problem that I’m running into is that when I try to login from the published website, regardless of the auth provider (facebook, Microsoft, google), instead of getting to the login UI supplied by the login provider, I get a 403 with the URL looking something like this: https://gonzo.azurewebsites.net/.auth/login/facebook/callback?code=long-code.
According to your description, you are using the App Service Authentication / Authorization. I would recommend you directly access https://<your-mobile-app-name>.azurewebsites.net/.auth/login/<provider-name> via the browser to make sure you have successfully set up the authentication for your mobile app.
If I understand you correctly that you want to create another Azure Web App to hosting your NET Core 2.0 Website, and your website wants to connect with your mobile app. Here are some approaches, you could refer to them:
For accessing mobile app in the front-end of your .Net Core web app
You could leverage the JavaScript SDK for Azure Mobile Apps in your .Net Core web app to access your mobile app. Details you could follow here. Additionally, if your website would also enable the app service authentication, you could just send GET https://<your-netcore-webapp-name>.azurewebsites.net/.auth/me to retrieve the access_token, then use the Client-managed authentication for logging with your mobile app in the front-end of your netcore website.
For accessing mobile app in the back-end of your .Net Core web app
I assume that your .Net Core web app would also need to enable social authentication via using the App Service Authentication / Authorization, and in the backend of your website you could retrieve the access_token for the current logged user, then you could use Client-managed authentication for logging with your mobile app. The logging request would look like this:
POST https://<your-mobile-app-name>.azurewebsites.net/.auth/login/<provider-name>
Payload: {"access_token":"<the-access-token-for-the-specific-social-provider>"}
Moreover, for retrieving the user logged infos (including the access_token,etc.) from App Service Authentication / Authorization (EasyAuth), you could follow this issue.
I am getting window authentication window popup on some of my views in mvc4. It works fine when I host it on local server. But when I upload my code to my hosting server, all the views works fine except some views.
I am using form authentication in my application. And the views which given me such popups their controller class define with [Authorize] attribute. Is it an issue with IIS on hosted server or something else?
This is the popup message:
I suspect that you have Integrated Windows Authentication or Basic Authentication configured in IIS for your website or application (depending on how you are hosting it). Make sure you disable it and enable anonymous access to the website if you want to use Forms Authentication.
Open IIS Manager and navigate to your website or application.
In Features View, double-click Authentication.
On the Authentication page, disable Windows authentication and enable Anonymous authentication.
I have a SharePoint 2010 web site configured for Claims only as the Replying Party to ADFS. I also have an ASP.NET application configured for Claims using WIF + Extension for SAML 2.0 CTP as the Replying Party to the same ADFS server.
If I navigate to SharePoint, I get redirected to the ADFS server (https://.../adfs/ls?...) and presented with a Windows Login prompt. If I then navigate in the same browser instance to my ASP.NET application, the redirect occurs quickly to the same ADFS server, automatically authenticates, and redirects back to the ASP.NET application without a security prompt. As in How to share authentication context between a SharePoint 2010 Site and ASP.NET applications.
The issue occurs when I embed the ASP.NET application within an IFrame in a SharePoint web part. When starting a new browser instance and navigating to SharePoint, I get prompted the windows login prompt. As the page loads up to the IFrame I then get a second Windows Prompt for the same server for the embed ASP.NET application. If I cancel the prompt I get a 401 Unauthorized in the IFrame. If I navigate to the ASP.NET application, I am not prompted and it logs in automatically. Navigating back to the SharePoint application, the page will load including the IFrame content without prompts.
The SharePoint Endpoint is using the WS-Federation Passive Endpoint to https://sharepoint:port/_trust/ with binding POST.
The ASP.NET application Endpoint is using SAML Assertion Consumer Endpoints https://aspnetapp/ with binding POST and Artifact.
The Claims passed from both contain all required for each application.
Does anyone know how to prevent the second login prompt when using an IFrame in SharePoint?
It now works as expected with single sign-on after updating to System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0 from the now built in WIF classes. I'm assuming there was a compatibility issue with the Microsoft.IdentityModel.Web.Saml2AuthenticationModule SAML 2.0 CTP extension that was never finished.
Just a shot in the dark but assuming the custom ASP .NET application and SharePoint are on two separate machines, then there may be some subtleties regarding kerberos given that the ASP .NET page is in an IFRAME - it could be that a kerberos ticket needs to be passed between SharePoint to ASP .NET.
HTH.
This is only a guess but I believe that this is because both sites, the Sharepoint site and the embedded asp.net site from the iframe, start to load in the same time.
As both are not authenticated, they both go to the Adfs. But because you are not authenticated, the Adfs starts the 401 challenge, asking for the authentication. However your web browser does not present both login prompts in the same time. Rather, you get the first login prompt and when you sucesfully login, from the very moment the Adfs will retain the authentication so that any other site coming for claims will get them for free. But the inner site, the asp.net one, has already started the login process! Your browser does not know this and forces you to continue login.
As a conclusion, my idea would be to have a sharepoint page which requires authentication and which then redirects to ANOTHER page which has the asp.net site in an iframe so that your browser will not try to start the login sequence for both sites at the same time.