I have 2 servers (Windows 2008) each representing a different forest forest. On one of the servers I installed SharePoint 2010 server and I created a web application on the second server I set up ADFS 2.0. The objective is to ensure that users of my domain where adfs accesses the application thanks to SSO authentication. I followed this tutorial: http://social.technet.microsoft.com/wiki/contents/articles/10452.sharepoint-2010-how-to-install-and-configure-adfs-2-0-on-windows-server-2008-r2-for-sharepoint-2010.aspx.ADFS 2.0 in my identify is https:// heb/_trust infact my problem is that when I try to access my application I get an error message DNS_PROBE_FINISHED_NXDOMAIN.by cons when I change the URL of my application in https:// he I get to the login page but after authentication DNS_PROBE_FINISHED_NXDOMAIN it tells me when I arrive at the URL https://heb/ _trust . why I have a message "DNS_PROBE_FINISHED_NXDOMAIN when I use the URL https: // heb to access my application?
Related
I'm writing a small tool that accesses data in a SharePoint 2019.
That SharePoint 2019 is configured to use "Windows Claims Based Authentication"; this means that from Windows machines part of the correct domain, users simply open the SharePoint site from Edge and the simply have access, without being prompted for credentials.
QUESTION: how could I authenticate the HTTP request to the SharePoint REST API that my tool does ?
I tried going in "private browsing"; there I was prompted for credentials, but I could not see any authentication header in the HTTP requests, so I don't know exactly how does the process look (so that I can "reproduce" it in my tool...).
IIS on Windows Server 2012 setup with 2 projects:
example.com: ASP.NET Core MVC project with VueJS as javascript framework.
api.example.com: ASP.NET Core Web API project whichs feeds the UI project.
The example.com is setup using Windows Authentication, the api.example.com is setup with both Anonymous and Windows Authentication.
Both projects have a seperated Application Pool.
Everything is working fine except when I go to the example.com website, I get a prompt to input my AD credentials for example.com, after that I get another one for api.example.com.
So the user needs to enter his credentials twice. Is there a way to reduce this to one and send the credentials to both websites?
I am using Google Chrome as browser to use the website.
Ok reduced the login to zero. Disabled the Windows authentication on the example.com because all authentication is done on the API project so no need to apply it here. Then added the api.example.com under Internet Explorer > Settings > Security > Intranet sites and kow the client can work directly without applying credentials when working inside the domain.
We are trying to federate our application, so that our customers can gain to our application using their respective corporate identities (Ping Identity or their ADFS server).
The web application is non-claims aware and we are trying to find out a solution to federate it without changing the code.
I built an ADFS 3.0 environment with windows server 2012 R2 simulating a future scenario, following my lab environment:
Our side:
1 Active Directory server (domainB)
1 IIS8 web server with our non-claims aware applications (Windows Integrated Authentication supported by Kerberos mechanism) joined on domainB
1 ADFS 3.0 server (service provider) joined on domainB
1 WAP server joined on domainB
Customer side:
1 Active Directory (domainA)
1 ADFS 3.0 server (identity provider) joined on domainA
Application users:
domainB\user1
domainA\user2
I followed these steps to build my lab environment:
Installation and configuration of ADFS 3.0 on domainB
Installation and configuration of WAP server on domainB
Publish ADFS 3.0 on WAP server on domainB
Create a Non-claims aware Relying party Trust pointing the application on ADFS 3.0 on domainB
Publish the Non-claims aware to WAP on domainB
Installation and configuration of ADFS 3.0 on domainA
Trust ADFS 3.0 on domainB with ADFS 3.0 on domainB
Edit claim rules on each federate server
The “domainB\user1” has no problem to access to the application, in my WAP server there are the following events:
Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.
Web Application Proxy received an HTTP request with a valid edge token.
The “domainA\user2” cannot access and appears a server error on the screen and in the WAP Event Viewer there are the following errors:
Warning: EventID 13019
Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The user name or password is incorrect.
(0x8007052e).
Error: EventID 12027
Web Application Proxy encountered an unexpected error while processing the request.
Error: The user name or password is incorrect.
(0x8007052e).
Seems to be an issue with the Kerberos authentication but the domainB\user1 has no problem to access to the application.
Need to understand:
Where is the issue?
Accessing to the non-claims aware applications are supported by only the users members of the same domain of the web application server
I’m spending many days to find out the cause.
Appreciate any direction here.
Thanks
Given that "non claims-aware" apps make WAP+ADFS use WIA, and WIA requires Kerberos, you need to issue a Kerberos token on WAP-B for "domainA\user2", this in turn requires setting domain/forest trusts between domainA and domainB (domainB should trust domainA, at least). I don't see domain-level trusts present, only ADFS-level, therefore Kerberos domain domainB says "unknown user domainA\user2". Check if enabling trusts between domainA and domainB would resolve the issue.
You need Kerberos shadow principals in domain B for users in domain A who will be accessing the application. It is a similar situation to azure B2B guest users accessing an application through azure application proxy. This is a walkthrough for setting that up with sync from Azure (https://learn.microsoft.com/en-us/azure/active-directory/b2b/hybrid-cloud-to-on-premises). It would be similar for your case, except you'd need to replicate the users from their directory.
I've managed to setup two virtual machines in my local windows 7 laptop. Both of them are Windows server 2008 R2. One acts as Active Directory Domain controller and also as Active Directory Federation Services, and one other as the web app server. This second one is where I've set up my claims aware asp.net mvc web application and I also plan to setup ThinkTecture Identity Server later as my way to authenticate against custom username and password outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include :
Configure first server as Domain Controller and add domain account store (add user as testing -> this user belongs to Domain Users Group).
Configure first server also as active directory federation services.
configure relying party trust identifier from federation metadata generated from FedUtil.exe in second server.
Configure group claim mapping and assign Domain Users to this group.
Configure web apps server to be claims aware agent.
The one that's always troubled me is that every time I access my apps, it successfully prompts login dialog box. Once I enter My AD account and password, it always gives me the following error message : "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work?? Any suggestion and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see an list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?
My MVC 4 application (https://testapp.com) with WIF and windows authentication is on Domain A and my ADFS and users are on domain B.
Requirement: Users in Domain B will browse my application https://testapp.com which is hosted in Domain A and my application should use their local windows user creds and redirect to the ADFS in Domain B.
I believe I dont require a AD cross Domain trust between A and B and that is what ADFS and SAML authentication is meant for.
I dont see such much materials for reference in such scenarios also. Kindly help understand how to configure such an MVC application in Domain A.
You need to establish a trust between your MVC4 application and your ADFS. In ADFS lingo this is called "Relying Party". You will need to have an endpoint in your application that accepts a HTTP POST message and processes the payload generated by ADFS.
I had to recreate these a long time ago but you can spare the pain. There are more options available -
http://saml2.codeplex.com/ (open source)
http://www.componentspace.com/Products/SMLv20.aspx
Configuring ADFS can be tricky but there are lot of guides out there.