Ad hoc Apple App distribution IIS7 Windows Authentication IOS 5? - authentication

We have a Add hoc distribution for enterprice apps by a secure website. Since version 5 we have a problem with authentication in combination with IIS7. The user logs in with a windows username and password and clicks download. Then a "itms-services://?action=download-manifest&url=domain" action is been started.
Before IOS 5:
The user goes to url, types the username and password. The user press download and again the user need to type the username and password. The application is been installed.
After installing IOS 5:
The user goes to url, types the username and password. The user press download and get a domain "...." not found. There is no popup again, with the credentials, like before version of IOS 5..
This solution was working for a half year, but since IOS5 it doesnt work anymore...
IIS Log
When going to the website and clicking on the action=download that contains the Plist file the IIS shows 401 errors (not authenticated). But when I access the .plist or ipa file directly by url in safari I do get a POPUP to authenticate.
It look like there is a bug in IOS 5 "itms-services://?action=download-manifest&url=domain" actions does not support to authenticate....

Check your plist file if it points to an existing ipa file. If you're using .htaccess to authenticate with a ldap directory you'll need to authenticate once for the plist access and once for the ipa access.

This sounds like a variation of the double-hop problem in which the originally supplied credentials are not being appropriately passed to the second step in your download routine (or web service call, etc.). http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx
The fact that you previously had to enter the user name and password twice would seem to support this suggestion. The error that you're receiving that domain '...' does not exist could indicate that the credential being passed to step two is a local machine account that IIS is running under.
If you can get some logging on this process I would want to determine what the authentication/credentials are that get passed at each step. It's possible that something in IOS 5 changed the way that impersonation is handled but I think that's likely just a symptom of how either IIS is set up or the final request is being passed.

Related

Rally customized app - can't authenticate

I'm trying to develop a rally app using the app builder. When I load App-debug.html in my browser, I am prompted to enter my user credentials in the form provided. I enter them, but the form re-appears over and over again.
I did notice that the login attempts to authenticate via https://rally1.rallydev.com:443. If I go to this in another window and enter my account details I am able to get in. However, when I do log in, there is a corporate redirect that takes place (for SSO) and I ultimately end up on us1.rallydev.com.
How would I get my app to authenticate through us1.rallydev.com. Changing urls in App.js and config.json only causes errors when trying to load javascript for APIs.
The app should always just piggyback on your existing session. Changing the serverin config.json and re-running rab build should cause all traffic to go to that server- if that's not happening then that's a bug.
You won't be able to authenticate from scratch using SSO from an app, but it should have no problem re-using an existing session.
Another option is to use an API Key to develop: https://help.rallydev.com/apps/2.0/doc/#!/guide/embedding_apps

OneDrive Authentication & Shared URL access

Couple of questions:
I implemented the authentication process with OneDrive. My desktop application is designed for end-users. Every time the application is launched the little browser window pops up asking the user to confirm access...and if more than 1 hour passed user needs to provide username and password. Is there any way that end-user with SOME SORT of saved credentials (or user Code +user Secret, or API code + API secret) will be able to invoke the application and not be prompted by browser form (that currently requires login - if access token expired - or confirmation)?
The goal of my application is file sharing - that is, one end user may send URL (to the file that he uploaded to OneDrive) to another user and the latter should be able to download the file by clicking on the link (without any prompts, exactly like in manual process of sharing link to the file in OneDrive). Is it possible? If yes, how to achieve that? That is, how do I get that URL? Redandent to say that I am looking for a programmatic way to obtain a URL that will achieve the above described)
The OneDrive authentication process uses Microsoft account, which supports OAuth 2.0. You should be able to point the user to:
https://login.live.com/oauth20_authorize.srf?client_id=CLIENT_ID&scope=SCOPE&response_type=code&redirect_uri=REDIRECT_URI
Once the user authenticated and authorizes your app, the user will be taken to REDIRECT_URI/?code=CODE, where your app can exchange that code for an access token at:
https://login.live.com/oauth20_token.srf?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI.
There are more details at http://onedrive.github.io/auth/msa_oauth.htm.

Credential provider in win8

I want to login to my user account automatically using code.
I am using Windows 8.
I tried to use Credential Provider sample. I compiled the sample in the SDK and add the dll to the registry as described in the readme.
when I lock my computer I can see the regular user account tile.
only when I press on Esc I see the 2 new tiles that were added in the sample.
then if I press on one of them, and try any kind of password, I just get back to the previous page where I had only the regular tile. and cannot login.
Is this the expected behavior?
No, this is not the expected behavior.
If, when you type your password, you are immediately redirected to the tile selection without an error message, then your credential provider crashed.
I suggest remote debugging in order to find the source of your problem. If that's not an option for you, you can always write logs.
In case you don't know, you can start windows in safe mode to be able to login even when your credential provider crashes.

Apache Tomcat - Two factor authentication

I am trying to integrate a two factor authentication solution with a mail server that is hosted on Apache Tomcat. Right now the app is using form based authentication and the user enters his user name and password and is authenticated against openLDAP as back end.
What we want is the following -
1). User enters his Un and PWD
2). The request is "intercepted" and put on "hold"
3). A one time pwd (OTP) is generated and sent as SMS to the user.
4). The user sees a new page with a box to enter that OTP.
5). The user enters his/her OTP sent as SMS
6). The OTP is verified and if true the "held" request in step "2" is forwarded for further authentication
The trouble is that I have no access to source code of the mail server app.
I can achieve something very similar in IIS(Microsoft) using an ISAPI filter, but need to know how to achieve this in Apache?
I am looking on the lines of Valve/Filter and SAML, but have no clue how and where to progress.
I contacted the logintc guys for their 2-factor credential and resolved my 2-factor using their apps. Check them out.
https://cloud.logintc.com
The LoginTC platform services are free for under 1,000 users. So that's great.
I followed the instructions from this URL: https://cloud.logintc.com/help/developers
Basically, I created an admin account for my domain in the logintc cloud control panel. Then I used the Server-Side Authentication instructions to enable my Apache website with the logintc button, and added the code snippet in my authentication page.
My users download the logintc app from Appstore, Android or Blackberry marketplaces, I issue them a Confirmation Code and they create their credential token in the app with a PIN (same as ATM cards)
The whole thing takes less than 1 hour to configure. My users get an out-of-band notification to unlock their credential with the PIN, and bingo, they achieve 2FA.
You must check them out
I would suggest using OpenAM former OpenSSO from Sun
It has a filter/agent that can be deployed on apache And it has very good support for multi-factor authentication including SMS authentication module.

Mac - Launch desktop application from browser passing parameters

I have written a click-once deployed application in .Net that runs on windows machines. I had a requirement to launch the application from a browser so that I can pass information to the application based on the current browser session (the HTTPHeadercontains a single-sign-on id that needs to be passed to the application so it can call secured web services).
So the click-once application is provided as a link on a jsp, and the required id is passed as a querystring parameter in the link, which the click once application can read).
Now I need to make similar functionality available for Mac users. Is there any way to do this that doesn't require Java? I would like to write in Objective C, but then the question of how to trigger the launch of the application from the browser, passing the necessarily information remains.
The flow is:
User hits link to our site
User is routed to single sign-on authentication form
User submits form and is redirected to our site (with id embedded in HTTPHeader)
Server builds page with a link to Click Once application with id appended as a querystring parameter
User clicks link, click once deployed app is downloaded and executed with full trust on the users computer (the app is signed with a code signing cert).
Application runs locally on users computer and calls RESTful web services on server passing the single-sign-on ID as a cookie along with the web request which allows the request to make it through.
I would appreciate any ideas that point me down the right path, as I am primarily a windows developer.
Thanks!
I just saw your request to my original post on this topic.
The need for this was put on the back burner for a time, but the solution that we will probably pursue is to have a server-side process that modifies the delivered Zip or DMG file on-the-fly. The additional information would be inserted into the application's Info.plist file. This will not invalidate the cryptographic signature, and does not require anything additional to be downloaded.