I have an azure web app with nothing but .HTML and .CSS files - there is no code of any kind.
Azure AD authentication is enabled.
I am able to visit the site URL, get redirected for authentication and I get in just fine.
Everyone else gets sent to this page after login:
https://myurl.com/.auth/login/aad/callback
and they get a 401 error on the browser:
You do not have permission to view this directory or page.
Why is it working for me, and not everyone else who authenticates?
Is there somewhere I need to tell Azure Web Apps that I want all the files to be available to any authenticated user?
This issue may caused by that the AD application for your Web App has not been configured correctly. I did a test in my lab and found this solution:
Solution:
Go to Azure Portal > Your Web Application > Authentication/Authorization > Azure Active Directory > Manage Application > Required permissions >
Delete other permissions except Windows Azure Active Directory > Ensure the DELEGRATED PERMISSIONS Sign in and read user profile has been enabled and the REQUIRES ADMIN is NO:
Also, Ensure the App ID URI and the Home page URL are all the URL of the Web app
Additional, if your configuration still cannot work, you can delete the Azure AD application and follow this steps to recreate a new one. It will work perfectly.
Please let me know if it helps!
Found the answer to this, posting here to help others.
When you setup "App Service Authentication" with Azure using the "Express" option, an "App Registration" is created in Azure Active Directory.
When this happens a Client secret is automagically created on the Azure AD Object and then inserted into the Azure App service
It seems that something happened along the way in my website, where this was set correctly initially, but then changed - I'm sure it was my own doing.
The symptoms of this are a bit interesting.
Any account that worked prior to the change of the App Registration continued to work.
Any account that hadn't yet signed in, failed.
This is why one of my accounts worked and the rest did not.
The solution was fairly simple, I clicked on the app service in azure, the on the Azure AD line, then in the "Azure Active Directory Settings" blade, set the "management mode" to "off" hit ok,
and saved in the blade to the left, then refreshed the browser.
Next I went into Azure AD and deleted the app registration for that app, (I did this so I could re-use the app registration name)
Here is a screenshot of that screen, it's under the active directory category, and not part of your web apps settings. find your app registration, click it and then delete.
Next I went back to the Azure App service (web app) and Re-configured Azure AD Auth using the "express" settings.
Hope this helps someone!
Related
I am able to login GitHub account on Web login. But in Windows desktop app,
I am able to publish, fork and clone repository but at the time of initial commit, it is always saying authentication issue.
I have tried all the points given in popup-box as by signing-out and signing-in again, by creating GitHub PAT (Personal access token) token also.
I have checked my account settings, In settings, the main branch is the default branch and SSH is also enabled in app and the repository type is public. Even I am able to see changes and created repositories on web login also.
Usually it'll be a credential problem, but it is not. What should I do?
I have a simple question that I can't solve with the resources about moodle and LTI.
I want my users to login into their App with moodle credentials (as often done with e.g. "login via facebook") - is my app the consumer or the provider?
I first thought the app is the provider but some points make me question that:
No, I do not want to start the app from within moodle.
No, I also do not want to embedd my app content in moodle.
I just want the users registered in moodle login to an app with their moodle username and password
All content I found on LTI provider assumed the opposite of point 1 and 2.
However, I also found that moodle can be a provider itself. It has been shown to be embedded in an external application. But in my understanding, the consumer is responsible for authenticating the login (which is opposite to point 3).
Am I missing something, that makes it so hard to see the soution here?
I found Atomic Jolt's try_oauth repo will do exact what you want. It also has an excellent code along video which explains the workflow really well.
You navigate to the app and it opens up a Canvas authentication page and grabs the users credentials.
https://github.com/atomicjolt/try_oauth
Hope that help.s
There is a plugin for moodle which makes it a oauth2 provider. You could use that to allow authentication in your app with moodle credentials.
https://github.com/projectestac/moodle-local_oauth
Is it possible to achieve Azure Active Directory authentication without going to browser window? I will have username and password via the mobile app login interface.
I need to achieve below scenario:
Use open mobile application (ios/android)
Enter Azure AD username and password to app login screen - e.g. user#tenant.onmicrosoft.com & password
I pass those information to .net web service - which need to call some Azure AD api to validate user credential before proceed to perform other business logic/make database calls
Any recommendation? I DON'T want user to redirect to any login window/page as this will not be good user experience.
I have already checked few different articles but not satisfactory response yet.
Thank you for your time.
I believe below link is helpful.
http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/
I am trying to have Azure federation in one of my MVC application, but ending up having this error
Sorry, but we're having trouble signing you in.
Account 'soandso#microsoft.com' is not configured to sign-in to this application.
Sign-out and sign-in with another account.
Additional technical information:
Trace ID: b94e380f-8234-4221-a59d-6efb5e644c83
Timestamp: 2014-06-25 08:35:00Z
ACS50001: ACS50001: Relying party with identifier 'http://testsmb.azurewebsites.net/testsmb' was not found
Not sure where I am doing wrong. Any help would be highly appreciated. I tried doing googling but nothing helps.
Vinod
Did you try running the browser in in-private mode? It looks like you are signing in automatically to the microsoft.com directory, whereas you want to use a test directory for your development.
Azure AD does not issue a token to an application if the application hasn't been installed in the directory. The installation of the application can happen in two modes: Administrator consent and User only consent. With administrator consent, the application can sign-in any user in the organization, however with user only consent, the application can sign-in only that specific user. This help topic (msdn.microsoft.com/en-us/library/azure/dn151789.aspx) explains how to get consent in the 'Add Sign-Up Capabilities to the Application' section.
I have a apps script that uses bigquery service to fetch data from my bigquery account and builds visualizations/tables etc. I publish the app with following options
Execute App as: User accessing web app
Who has access to this app: Anyone
When I open the link (one ending in exec not dev) in chrome incognito, I expect it to show the web app but it asks for google credentials.
When I entering credentials of my other (different from the one hosting the project) account, I get a permissions error.
I added this other account from my primary one under permissions option of google console - even that wasn't enough.
I had to create a dummy project as this other user to accept the invitation from my primary account. After that the app showed up on this other account.
My question is, how do I publish my app for the consumers (even public) of this info without them having to create dummy project/accept my invite etc?
Thanks
You have two errors:
1) Publish to run as you not the user, and2) make it anonymous access. *
People might consume your daily/per second quotas thou.
(*) anonymous access option might not be present if the google apps administrator disabled anonymous sharing in the console.