adfs windows authentication - adfs2.0

I have tried searching for this and can't find anything.
I want users to have a true SSO experience. Meaning they log in to their computer and when they hit a web app that we have set up trust with in ADFS they are taken straight to that website. Right now no matter what they are taken to the ADFS forms login page. We only want the forms login page to appear if the user is not already connected to the network. Otherwise, ADFS should recognize that the user is on the network and use the Windows authentication.
What do I have to change in ADFS to make this happen?

In ADFS web.config, what order do you have for:
<localAuthenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
</localAuthenticationTypes>
Is Forms on top?
Are these users on the internet or intranet?
Do you use an ADFS proxy?

One option is to add a handler for the RedirectingToIdentityProvider event by placing the code just below this paragraph in your global.asax. This gives you a chance to jump in before the browser is redirected to ADFS and modify what the request (query string) looks like. You can do this to specify authentication types, or home realms (if you have multiple federations and want to skip HRD), and probably a lot of other stuff I don't know about.
using Microsoft.IdentityModel.Protocols.WSFederation; // WIF 3.5 namespaces (ADFS 2.0 era); on .NET 4.5 both types live in System.IdentityModel.Services
using Microsoft.IdentityModel.Web;
void Application_Init()
{
    // Subscribe before the module redirects, so the sign-in request can be changed on its way out.
    FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider +=
        new EventHandler<RedirectingToIdentityProviderEventArgs>(WSFederationAuthentication_RedirectingToIdentityProvider);
}
Then you would add code to your handler that might look something like this:
void WSFederationAuthentication_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
    WSFederationAuthenticationModule instance = FederatedAuthentication.WSFederationAuthenticationModule;
    // Build a new sign-in request: wtrealm comes from the module's configured realm; the unique id and return URL go into wctx.
    SignInRequestMessage request = instance.CreateSignInRequest(Guid.NewGuid().ToString(), instance.Realm, true);
    // wauth: ask ADFS for Windows integrated authentication instead of whatever local handler it would pick by default.
    request.AuthenticationType = "urn:federation:authentication:windows";
    // Redirect the browser ourselves and stop the module from issuing its own, unmodified redirect.
    e.Cancel = true;
    Response.Redirect(request.WriteQueryString());
}
When you set the request.AuthenticationType to that value, you're telling ADFS that you want to do windows (integrated) authentication. This was all that was required for me to get it to work. I didn't have to bother with switching the order of the authentication types in the web.config as nzpcmad suggested.
Also, for this to work, IIS and your web browser are working some magic outside of AD FS and your relying party, so in IE your users have to go to tools > Internet Options > Security and add the site to your Local Intranet sites. There's probably a way to push this out with group policies or something, but that's another question. Anyway, now that I think of it, this may be the only step you're missing.

Related

Sitecore with LDAP - authenticate programmatically

I am creating an app inside Sitecore and I only want it available to the users via a direct URL. I want the authentication to occur against LDAP. I tried going directly to the app, letting it redirect to the auto-login page and then back to the app, but it didn't do it. Instead it took me to the Sitecore login page.
I'm wondering if it is possible for me to write some code to auto authenticate a LDAP user and redirect to the app page. I want the user to never see the login page or Sitecore desktop or any of the Sitecore screens other than that one app.
Thanks
We accomplished something similar by combining the AD module with some custom code in the Global.asax. Below are a few lines that might be helpful. You'll likely need a bunch of logic to check if the user is already logged in, and whether they are accessing a path you want to auto-login for.
NOTE: Make sure windows authentication is enabled in IIS.
protected void Session_Start(object sender, EventArgs e)
{
    // The account IIS authenticated with Windows Authentication, as DOMAIN\user (empty when the request came in anonymously)
    var user = Context.Request.ServerVariables["LOGON_USER"];
    if (string.IsNullOrEmpty(user))
    {
        return; // nobody to log in; your "already logged in" and path checks belong here too
    }
    // Log the user in; persistent=false keeps the login to this session
    bool success = Sitecore.Security.Authentication.AuthenticationManager.Provider.Login(user, false);
}
You'll note that the sample I provided goes directly to the provider. You can also call Login at the AuthenticationManager class, and this will also do some other work with cache. In my case, I was trying to bypass that.
UPDATE (2017-06-29):
In newer versions of Sitecore it is not recommended to make changes to the Global.asax. Unfortunately, there is no equivalent pipeline in Sitecore. You can attempt to use httpRequestBegin (where the UserResolver processor is) or httpRequestProcessed, but these will fire on every single request.
One alternative (credit to @Mark Cassidy on SlackChat) is to use the Initialize pipeline and in that processor register to the session start event.
It is possible, yes; a quick Google search turned up these:
http://www.nehemiahj.com/2013/01/how-to-enable-single-sign-on-in-sitecore.html
based on the AD Module from Sitecore
http://sdn.sitecore.net/SDN5/Products/AD/AD11/Documentation.aspx
That should give you a good place to start from.

ADFS 2.0 Default Home Realm

What is the best way to customize ADFS to use a specific, configurable home realm if one was not provided?
My current method is to perform an HTTP redirect from the ADFS WebForms aspx file, but that seems a bit hackish.
I don't want my Relying Parties to be concerned with the home realms.
I think that a good approach would be to add a few lines within the ADFS HomeRealmDiscovery page in order to read the "DefaultHomeRealm" setting from the ADFS web.config file.
Steps
Go to C:\inetpub\adfs\ls
Open the HomeRealmDiscovery.aspx.cs
In the Page_Init method, add something like:
// Page_Init in HomeRealmDiscovery.aspx.cs (needs using System.Configuration;)
if (ConfigurationManager.AppSettings["DefaultHomeRealm"] != null)
{
    // Skip the HRD page and go straight to the configured claims provider
    SelectHomeRealm(ConfigurationManager.AppSettings["DefaultHomeRealm"]);
}
Open the web.config file
On the appSettings section, add:
<add key="DefaultHomeRealm" value="Default ADFS Federation Service Identifier" />
Do not forget to replace the value with the service URI you want to be the default.
For more information you can check:
SelectHomeRealm method
ADFS pages customization
I have successfully used this approach.
I hope it helps :)
Seba
Have a look at:
Windows Identity Foundation (WIF): How to Utilize the WS-Federation WHR Parameter to Bypass Home Realm Discovery (HRD).
The WS-Federation passive WHR parameter is used to bypass home realm discovery (HRD)
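The wauth parameter set by the global.asax handler in the first thread and the whr parameter referred to just above are both plain query-string parameters of the WS-Federation passive sign-in request. The following is an added Python example, not code from any answer here and not part of ADFS or WIF: it builds the sign-in URL the way the WIF module does (so it can be run without an STS), parses one back with the checks an STS front end should make, and summarises what ADFS 2.0 does with the result. The sts.example.com and app.example.com URLs, and the partner realm in the usage, are made up for the example.

```python
"""
WS-Federation passive sign-in request: building and checking the query string.

Added example for the ADFS threads above; not code from any answer or from ADFS/WIF.
Issuer and realm URLs are hypothetical.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Authentication-type URIs from the WS-Federation / SAML specifications; ADFS 2.0
# honours them in wauth (windows = integrated authentication, password = forms).
WAUTH_WINDOWS = "urn:federation:authentication:windows"
WAUTH_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"

# Hypothetical endpoints (assumption, not from the page).
ADFS_ISSUER = "https://sts.example.com/adfs/ls/"
RP_REALM = "https://app.example.com/"


def build_signin_url(issuer, realm, wctx=None, wauth=None, whr=None, wfresh=None, wreply=None):
    """Return the sign-in URL a WS-Federation passive client redirects the browser to.

    wauth  - requested authentication type (what the global.asax handler sets)
    whr    - home realm identifier; ADFS skips Home Realm Discovery when it is present
    wfresh - maximum age of an existing logon in minutes; 0 forces re-authentication
    """
    params = [("wa", "wsignin1.0"), ("wtrealm", realm)]
    if wreply is not None:
        params.append(("wreply", wreply))
    if wctx is not None:
        params.append(("wctx", wctx))
    if wauth is not None:
        params.append(("wauth", wauth))
    if whr is not None:
        params.append(("whr", whr))
    if wfresh is not None:
        if isinstance(wfresh, bool) or not isinstance(wfresh, int) or wfresh < 0:
            raise ValueError("wfresh must be a non-negative number of minutes")
        params.append(("wfresh", str(wfresh)))
    return issuer + "?" + urlencode(params)


def parse_signin_url(url):
    """Parse a sign-in URL with the sanity checks an STS front end should make.

    Rejects repeated parameters (first-vs-last ambiguity is a classic parameter
    pollution trick), a missing or wrong wa, a missing wtrealm, and a wfresh
    that is not a whole number of minutes.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    dupes = sorted(k for k, v in qs.items() if len(v) > 1)
    if dupes:
        raise ValueError("duplicate parameters: " + ", ".join(dupes))
    msg = {k: v[0] for k, v in qs.items()}
    if msg.get("wa") != "wsignin1.0":
        raise ValueError("not a wsignin1.0 request")
    if not msg.get("wtrealm"):
        raise ValueError("wtrealm is required")
    if "wfresh" in msg and not msg["wfresh"].isdigit():
        raise ValueError("wfresh must be an integer number of minutes")
    return msg


def sts_behaviour(msg):
    """Summarise what ADFS 2.0 does with a parsed request: which local authentication
    handler it is asked for ("default" means the first entry in localAuthenticationTypes
    in the ADFS web.config), whether HRD is skipped, and whether an SSO session may be reused."""
    wauth = msg.get("wauth")
    if wauth == WAUTH_WINDOWS:
        auth = "windows"
    elif wauth == WAUTH_PASSWORD:
        auth = "forms"
    else:
        auth = "default"
    return {
        "auth": auth,
        "hrd_skipped": "whr" in msg,
        "force_reauth": msg.get("wfresh") == "0",
    }


if __name__ == "__main__":
    # Integrated authentication requested, as the global.asax handler does.
    url = build_signin_url(ADFS_ISSUER, RP_REALM, wctx="rm=0&id=passive", wauth=WAUTH_WINDOWS)
    print(url)
    print(sts_behaviour(parse_signin_url(url)))
    # Partner realm supplied up front, so the HRD page is skipped (hypothetical partner).
    url = build_signin_url(ADFS_ISSUER, RP_REALM, whr="http://partner.example.org/adfs/services/trust")
    print(sts_behaviour(parse_signin_url(url)))
```

The parse step is the part worth keeping in mind on the STS side: wauth, whr and wfresh are all attacker-controllable input from the browser, so an STS that reads them should reject repeats and malformed values rather than take the first or last one it finds.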

wfresh parameter causing ADFS login to fail

I am using ADFS to do federated logins with a number of different RPs, including our own custom web app, Office 365 and some other third-party services. I have run into a problem where logins silently fail when wfresh=0 is specified in the URL. It just keeps asking for my password over and over again. When I click the "Login" button, it doesn't log you in and redirect you back to the RP, nor does it fail and give you an error message. Instead, it redirects you back to the STS login page, so it looks to the user like it's silently failing.
I found this question: wfresh not working with WS-Federation via ADFS, which seems to be on the right track. However, while I am definitely seeing issues with integrated logins, I am getting similar issues with Forms logins as well. The outward symptoms are different, but the behavior seems to be the same: If you specify wfresh=0, it sends you directly to /adfs/ls.
Is there any way to configure ADFS to treat wfresh correctly, or at least to ignore it?
Update: Cross-posted to MSDN Geneva Forums: http://social.msdn.microsoft.com/Forums/vstudio/en-US/7acbbd11-cd69-466b-8faa-f129f24fe1fe/wfresh-parameter-causing-adfs-login-to-fail
Update: Microsoft today released their hotfix for this: http://support.microsoft.com/kb/2896713. It is not a public hotfix, so you will need to contact Microsoft support to get the update.
Previous: I spoke with an Escalation Engineer in Global Escalation Services for Microsoft. The EE said they are aware of this issue, tracking impacted customers, and working on a solution. Anyone who is experiencing this same problem should contact Microsoft support and open a support case so they are notified when the solution is available. Microsoft support is tracking this issue internally under solution id number 2879919.
I am seeing the same thing as of lately. We have connections with some RPs and also use Office 365. If I leave my machine logged into portal.microsoftonline.com it will eventually show "page cannot be displayed" with the URL showing the long string and "wfresh=0" at the end.
Externally, if I leave my browser logged into the portal it will take me back to the form but never accept my new credentials. If I change the value of "wfresh=0" to "1" it allows me back in, external and internal. I'm trying to review event logs to see anything but have not found any clues. Still looking.
Would it be a good or bad solution (if possible) to use MS IIS URL rewrite to replace or remove wfresh=0 from the URL when hitting the IIS?
Best would of course be if the default installation of ADFS worked with wfresh=0 in the first place :-)
IIS URL Rewrite
Update:
My problem was that only internal clients experienced the error while external clients (using the ADFS proxy servers) did not.
URL Rewrite on the internal ADFS 2.1 servers with the following rule in /adfs/ls/web.config works:
<system.webServer>
  <rewrite>
    <rules>
      <rule name="wfresh0to1" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{QUERY_STRING}" pattern="(.*)wfresh=0(.*)" />
        </conditions>
        <action type="Rewrite" url="{R:0}?{C:1}wfresh=1{C:2}" appendQueryString="false" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
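To see what that rule does to a request before copying it, here is an added Python model of it; it is not code from the answer, nor anything shipped with IIS URL Rewrite or ADFS. It applies the rule's own match and condition patterns (greedy `(.*)` behaves the same in Python and .NET) and reports the wfresh requirement before and after the rewrite. Two points the model makes visible: wfresh=0 is the RP saying "prompt again even if an SSO session exists", so rewriting it to 1 means a user with a logon under a minute old is not re-prompted, which matters if an RP sends wfresh=0 deliberately for step-up before something sensitive; and because the first `(.*)` is greedy, a query string carrying the parameter twice only has its last occurrence rewritten. The sample query strings are constructed.

```python
"""
Model of the IIS URL Rewrite rule "wfresh0to1" from the answer above.

Added example; not code from the answer, from IIS URL Rewrite or from ADFS.
The two regular expressions are the rule's own; Python's greedy (.*) behaves
like .NET's here, so the rewrite can be checked offline on sample query strings.
"""
import re
from urllib.parse import parse_qs

# <match url="(.*)" />
MATCH_URL = re.compile(r"(.*)")
# <add input="{QUERY_STRING}" pattern="(.*)wfresh=0(.*)" />
COND_QUERY = re.compile(r"(.*)wfresh=0(.*)")


def rewrite_wfresh0to1(path, query):
    """Apply the rule to one request and return the resulting 'path?query'.

    The action is url="{R:0}?{C:1}wfresh=1{C:2}" with appendQueryString="false":
    {R:0} is the whole matched path and the query string is rebuilt from the
    condition's two capture groups, so only what those groups contain survives.
    When the condition does not match, IIS leaves the request alone.
    """
    r = MATCH_URL.match(path)
    c = COND_QUERY.match(query)
    if r is None or c is None:
        return path + ("?" + query if query else "")
    return "{}?{}wfresh=1{}".format(r.group(0), c.group(1), c.group(2))


def wfresh_requirement(query):
    """What the relying party asked for, read from the raw query string:
    None  - no wfresh; any existing ADFS logon may be reused
    0     - force re-authentication even if an SSO cookie exists
    n > 0 - a logon up to n minutes old is acceptable
    If the parameter is repeated, the last occurrence is reported, because that
    is the one the greedy condition pattern rewrites."""
    values = parse_qs(query, keep_blank_values=True).get("wfresh")
    if not values:
        return None
    return int(values[-1])


if __name__ == "__main__":
    # Constructed sample: an RP forcing re-authentication.
    sample = "wa=wsignin1.0&wtrealm=https%3A%2F%2Fapp.example.com%2F&wfresh=0&wctx=rm%3D0"
    rewritten = rewrite_wfresh0to1("adfs/ls/", sample)
    print(rewritten)
    print("before:", wfresh_requirement(sample),
          "after:", wfresh_requirement(rewritten.split("?", 1)[1]))
```

If the rule is kept as a workaround, it is worth scoping it (for example to the RPs known to send wfresh=0 unintentionally, via a further condition on wtrealm) and removing it once the hotfix is applied, so that RPs which rely on forced re-authentication get it back.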

Impersonate a User from Code Behind via Forms Authentication

Is it possible to Impersonate a user when using Forms Authentication?
The thing is that I want an external login for users and an internal site that just uses integrated windows security and the users need to be impersonated.
I've looked around and found that John's answer here is really good, but I don't quite get how I can mix it up with my Forms authentication.
Suggestions?
Edit
I want to have an <asp:Login /> control and this control will authenticate against an Active Directory which has the same set of users as the Windows Machine that I want to use impersonation on.
My problem is that I don't get how I can impersonate with the same username and password that is provided to the <asp:Login /> control.
In order for that solution to work, you'll need access to the user's id and password. I don't believe that you can get this using the Login user control; you'll need to create your own login form and handle the login actions yourself. Keep the user's id and password, preferably in a secure string, in the session once you've authenticated and when you need to access the internal site on their behalf, use the Impersonator class from the referenced example to impersonate them using the credentials.
using (var context = Impersonator.LogOn(username, password))
{
    try
    {
        ....
    }
    finally
    {
        context.Undo();
    }
}

Intranet Active Directory Auth with VB.NET

I'm developing an intranet web app and I'm learning how to hook VB into the Active Directory. We're going to be doing some location specific permissions, and my boss wants (if possible) me to hook into the Active Directory to get the users location.
I think that all I need to do is get the user name, but I'm not sure what is the best way to do that. We're a Microsoft-only shop, so IE and IIS are the order of the day. To access the intranet you have to log on to the computer using our domain, so that's one level of security, but then I need to authenticate and make sure that user has permissions to make the changes. I'm thinking we'll either have a modifier (if there's not one already) in the AD info, or keep a permissions table in a database, but the former is probably preferred.
I know that IIS has a feature that allows/requires authentication but I'm not exactly sure how that's supposed to work.
So what's the best/easiest/somewhat (most?) secure way to get the user's credentials? I could always do a login page but it would be much nicer if I could just get their AD credentials in the background.
Thanks!
You need to disable anonymous authentication for your IIS site and enable Windows authentication instead.
now go to your web.config and change the following
<authentication mode="Windows">
...
</authentication>
see http://msdn.microsoft.com/en-au/library/532aee0e(v=VS.80).aspx
&
if necessary
<identity impersonate="true" />
see http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx
now you should be able to get the current user with
HttpContext.Current.User.Identity.Name
to check if the user is in a specific group you can use
HttpContext.Current.User.IsInRole("YourActiveDirectoryGroup")
IIS can be configured to use Integrated Authentication which will give you access to the samaccountname (pre-Windows 2000 logon) of the user. With that you can do an LDAP query against AD and check group membership. If the user is a member of the CanModifyStuffGroup (that you have created within AD and added users to) then let them make changes, otherwise give them the read-only version - or whatever.