ADFS web authentication loop in IE - asp.net-mvc-4

I have a mvc4 web app that sits behind ADFS 2.0 authentication, it's configured using the web.config file. The application can be visited by going directly to a URL or as an iframe inside of CRM 2013.
The application works in all (tested) browsers when visiting the URL directly, both redirection to login form and handing the user back to the web app with the proper information in the ClaimsIdentity.
However, when visiting the app as an iframe inside CRM2013, internet explorer goes into a continous login loop. You are asked to provide the credentials (which are the same as for logging in to CRM) and when you click ok you get redirected back to the same login page again, to my knowledge the app never receives the hand off.
In Safari, Chrome, Firefox, and Opera the users are able to log into the application inside of CRM as well as outside without any problems (I'd even go as far as saying that it works better than expected for these browsers).
Does anyone have any idea of what I can try or what the problem could be for IE?
EDIT 1
I'm thinking it has to do with some security setting and am playing around with the settings in IE. Unchecking this box stops the login form from showing in IE at all and I get an empty page instead.

Is the iFrame on the same (sub)domain as the site inside? You can use Fiddler to view your redirect flow, are the cookies added as expected?
I've seen cookies that are overridden by the iFrame host, in that case you lose the auth cookie. Browsers react differently on same domain cookies.
Another problem might be X-Frame-Options, do you see any warning in the F12 console of IE?

Related

Universal Login in Office Add-in (Excel), exchange not happening - Auth 0

I trying to use Auth0 in a office add-in (React SPA), specifically Excel.
I am using the popup to login instead of the redirect because the redirect doesn’t load in the iframe.
(The error for the iframe is "Refused to frame because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’” ").
The issue I’m having is once I login successfully, the pop just goes white and gets stuck on the login/callback.
I’ve checked the logs, it says a successful log but it doesn’t say anything about an exchange (success or failure).
I’ve tested the pop up on a different application (react web app) and it works perfectly fine.
The login we are using is the Universal Login (the new one, not the classic)
I’m interested in any and all approaches for using the Universal Login in this context.
Thanks

Authentication Popup Happening Inside network

I am working on some browser tests in selenium on Chrome. I have a script which ran on my personal machine can connect to a site and has no issues. However when the script is ran on a machine inside our network, it pops an authentication pop up. When I click cancel on the authentication box, it continues to a user login page which allows regular authentication. I have disabled IWA for the browser but it is still popping up.
I tried passing username#password:url but that did not work. Our test account is not connected to the domain and this website will try to use your Windows account but outside the network it defaults to the login page where we do have regular userid/pw for certain people (like our test account they created for us). We do not control the server so I cannot change that behavior.
I would normally close the alert in this case however selenium is not recognizing the authentication popup as an alert so the script just hangs. So step 2 would be the userid/password sent in the URL but that doesn't work either. I would prefer not to go the route of installing any other tools (like AutoIt) and try to solve this with settings.
Is there a way to skip the authentication popup in chrome? In the header the response is its using "Negotiate" for auth. I do not get that when testing on my local machine outside the network.

Login to Windows Authentication automatically

We have a program that runs in IIS with Windows authentication, and which is available to the outside world.
Right now, we provide to every interested party a link to the program, along with guest credentials they then have to type.
Is there a possibility to do away with the credentials? Our internal people should be able to login as usual, but we want to provide a link to get into the guest account without typing any login credentials.
I have tried to add the credentials into the clickable url, but Internet Explorer and Edge browser do not support this, and Mobile Safari throws phishing warnings.
Can this be done universally, that the authentication is done invisibly in the background in all browsers, using some kind of redirect or XHR call with arguments or something like that?

google oauth not redirect properly

I am working on site where I have used google OAuth 2.0. when I click on login link on my index page, it takes me to the login page of the google ( all required credentials with clien_id, key, redirect url has been passed with the link) and after entering credentials, it ask for granting access to the app. when I click on grant access instead of redirecting to my redirect page it shows me following error.
You've reached this page because we have detected that Javascript is disabled in your browser. The page you attempted to load cannot display properly if scripts are disabled.
Please enable scripts and retry the operation or go back in your browser.
but in my all browsers javascript is enabled and working fine. what should I do now ?
I can probably help you figure it out. If the "granting access" page loads and doesn't give you the JS error, but you get it after submitting the form on the page, then there is something strange with your browser and it's not submitting the form correctly.
Can you tell me what browser you can reproduce this on? And if possible can you give the headers and post body of your request after you submit the form?
Getting that error when the gstatic.com domain isn't enabled in the noscript addon for firefox.

Google Chrome 16 issues with ASP.NET forms authentication cookie

I have a problem with Google Chrome 16 on one of the sites I'm supporting that I can't fix couple a days now.
The site is using forms authentication. There is a hyperlink that when clicked is calling a web handler, that is supposed to go fetch a PDF file. Everything is working great in all browsers except in Google Chrome.
When I click that link in Chrome it gives me 401 - Unauthorized: Access is denied due to invalid credentials.. I've checked the request headers and the only difference I can see is that the authentication cookie is not present in the request made by Chrome 16. The strange thing is that everything is working great on the local machine, but once uploaded to the production server chrome is not sending that cookie.
I've implemented IReadOnlySessionState interface in the web handler, as suggested here and there in forums, but this didn't solve the issue.
Does any of you have an idea why chrome is acting like that?
To check your cookie acceptance:
Click the wrench icon (Top Right)
Click "Options"
Click "Under the Hood"
Click "Content Settings"
Make sure that "Block third-party cookies from being set" isn't
checked.
That was what fixed the issue on the site I was on. You can also see a special icon in the address bar on the right when it blocks a cookie.
For more precision there is a "Manage Exceptions" button under cookies in the Content Settings. You can use that to specifically allow the site in question.