Some background:
We were accessing our RSA Archer application on IE 11 via SSO, and all has been well. But we are required to move on to Edge browser, and that's where we started having the Windows Security credential prompt coming out, whenever we tried to access the application on Edge browser.
The strange thing is, the application is able to load up on Edge properly, in the logged in state, and then the prompt will appear. We can just click on Cancel to close the prompt and we are able to use the application normally. All end users on their client PCs encountered the same problem.
We want to remove the credentials prompt. The RSA support team has confirmed it is not an issue of their product, since there's no problem over at IE. What we have done on our end on the servers:
Enabled SSL on our load balanced environment
Updated the web.config file of the application with the entry below:
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
Configure IIS settings to allow Anonymous Authentication instead of Windows Authentication for the application pages.
Will greatly appreciate some assistance or suggestions on how to move forward. Thanks!
Addon after investigation:
After finally being able to investigate via the development tool for this, we discovered that apparently, the behavior of some components / javascripts were different on IE / Edge.
On IE, if the components / javascripts took too long to load, it will fail (status 304) and retry again until it succeeded (status 200).
On Edge, instead of failing, it will go into "Pending", and then the credentials prompts pops out, and usually there's more than one prompt. We suspect the number is based on the number of pending components / javascripts that are in "Pending". Clicking on Cancel on the prompt will caused the components to not load (status 304), and no retry will happen like in the case of IE.
Able to advise what's wrong? Is there a timeout in the Edge settings?
Open Edges developer tools and go to the Network tab and see which request (URL) is prompting you for credentials. Then you can see what IIS has configured for its security.
Related
OK so this is a tough one, because googling "set powershell Default Browser" only returns results for setting the system default browser in Powershell. What I want to do is change which browser Powershell uses to open an auth prompt when I attempt to use the Exchange Online Management module. I need to change it because I set "use always" when I chose Edge the first time it popped up, then received a message that Edge is blocked by your administrator. (Weirdly, Edge is not blocked normally, only in this context.) I'm running powershell as local PC admin. (Could this be an Azure/m365 policy blocking edge launch from powershell? Intune managed device. ) I need to change it to Chrome.
Using PS7 as 5 just told me "browser unsupported" (guessing it defaults to IE)
Thanks
Tried numerous google search varying wording, still getting same results about system default browser.
Checked properties of powershell, no browser settings apparent unless I'm blind.
Apologies in advance for somewhat vague information. I am new to Citrix XenApp/XenDesktop technology and am just looking for generic troubleshooting information.
At my place of employment we have kiosks that are configured to connect to a SaaS webapp. These kiosk have either the Citrix XenApp or XenDesktop installed.
One of the icons launches the IE browser that connects to the SaaS app using a preconfigured user account. Sometimes, however, instead of launching the browser, the system displays the "The session limit has been reached. Please contact your system administrator." error shown in below image.
The people administering these kiosks think that this message comes from the SaaS web application but that application does not enforce any limits on how many session are open for a given account under a given time.
Also considering how Citrix XenApp/XenDesktop works I would think (but maybe I am wrong) that if the SaaS app did reject a user login, we would be displayed an error message in Internet Explorer instead of this ICA prompt.
So I think that the issue here could be that the message is not about login sessions made to the background SaaS app but either about Citrix sessions or perhaps previous IE browsers somehow running in the background(?)
However our company's Citrix team looked at this and noticed that "Citrix was still active" when this prompt was displayed. The conclusion was then that Citrix is for that reason not the cause here.
So I wanted here to ask some questions on what things I could consider as causes and where I could look in the hopes of getting started on this issue.
This would be for XenApp / XenDesktop 7.18.
The questions I have:
Does XenApp / XenDesktop have log files that can be consulted for
debugging issues like this?
Is it possible to get XenApp / XenDesktop to run in debug mode (to
output more details to the log files)?
Does Citrix have configuration settings that could lead it to
have an issue like this?
A. First check the event logs and see when you facing this issue so does any event logs generated.
B. Also you can check the ICA configuration tool for session settings and checked if session settings are set to NEVER.
C. The ICA listener configuration tool is located at Start > All Programs > Citrix > Administration Tools > ICA Listener Configuration.
You are on the right track with the SaaS application itself reporting the error. If this Citrix session was already active when the icon was clicked again and the preconfigured user was already logged into the SaaS application, that would account for this error. To investigate, logout the Citrix session and try clicking the icon again, or check SaaS application to see if that preconfigured users is already connected.
Is the same user used for all these kiosks or is each kiosk supposed to have a unique user? Can this preconfigured user log in multiple times?
I have terrible issue with Webtop 6.7 SP1 P12 (I have tried also testing P26) with SSO (kerberos) login into Webtop application.
On the user enviroment Web browser is in version IE 8.0.7601.17514 and operation system is Windows 7.
When I login into application (SSO authentication is succesful) result screen is missing some frame:
Sometimes frames are not behaving like this:
in this case URL is also strangely modified (part of it was deleted).
Java (1.6.0.27) is installed correctly. I also checked security setttings on JAVA and IE, but I don't see any incorrect parameters here.
When I use web browser Firefox 3.5.19 to login into the Webtop (SSO is active too) GUI is loaded correctly with frames..
My another test was under operation system Windows XP, IE 8.0.6001.18702. The Webtop GUI workiing correctly.
When I tried logging into Webtop instead of the hostname by use IP address application server, GUI working correctly. In this case SSO is off.
I tried change verzion JAVA vs IE but nothing helps.
Wireshark network protocol analyze capture this HTTP issue:
this problem occurs on 6 users of total 100.
Please, do you have any ideas for me?
Thank you so much.
Lukas
Investigating further we found that non-working users were part of 100+ AD groups resulting in a large kerberos token size.
I changed tomcat config file "server.xml" to increase http header limit to "maxHttpHeaderSize="16384"".
<Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... />
Here is the link to fix:
http://blogs.adobe.com/livecycle/2012/08/avoiding-livecycle-kerberos-based-sso-problems-for-active-directory-users-with-large-group-memberships.html
Having a tough time with this issue. Not sure how but my ApplicationPoolIdentity is broken.
Currently I'm running IIS 8 on Windows 8 with Visual Studio 2012. When trying to debug an application from Visual Studio, or just navigating to the site in a browser I get the following error logged and a 503 error.
Application pool 'DefaultAppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
If I check out the Application error logs, I find the following error from the User Profile Service.
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
DETAIL - The system cannot find the path specified.
Upon looking into the details I find that the User Profile Service is trying to load up a profile with the Id
S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Now I opened up the registry to try and find the profile with that UserId. However there's nothing in the Profile list that helps.
So digging around a little more I've found that this issue can be resolved by either
A) Set the Load User Profile of the Application Pool to false.
B) Use a different account for the application pool.
C) Fix the account.
Seeing how this is the built in account, I'd prefer to fix the issue rather than fix the sympton.
What I have tried
aspnet_regiis -i
Removing IIS from windows and reinstalling.
Attempted to follow the guide here but I don't know the account password :P
My hunch
Somehow the ApplicationPoolIdentity got messed up. Is there any physical folders for the built-in accounts? I know that the Network and Local service profiles physical directories exist at C:\Windows\ServiceProfiles\. It is possible to recreate the ApplicationPoolIdentity profile? Or am I way off on what the real issue is?
C) Here is what i did to fix the account
Go in regedit at key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There is a setting called "Default". You have to make sure that the data value point to an existing directory on the drive.
By default it contains "%SystemDrive%\Users\Default". In my company the default is changed to a custom profile. Somehow, someone deleted that user profile. So when the defaultAppPool user tryed to create an accound for himself, it was unable to do so because windows cannot provide him with a default user profile.
You can also diagnose this error when looking at the Event Viewer under the Application folder. You will get a message of that type:
Windows cannot find the local profile and is logging you on with a
temporary profile. changes you make to this profile will be lost when
you log off.
Hi I am currently writing a Test script for an ecommerce site using Seleneium IDE, this is in a testing environment in HTTP. The issue I am having is the test payment gateway 3D Secure is in HTTPS so when using FireFox the browser displays the security warning message when I am returning from the payment gateway 3D Secure HTTPS to the site testing environment.
'Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?'
I have tried the various commands in the IDE for waitForAlert* and asertAlert* but this javascript alert just seems to over ride any of the commands I use and essentially halts the script until manual intervention is used.
I am unable to turn this particular alert off in FF from what I can assertain from various forums as it is too important to be switched off, I have tried in FF about:config
I can obviusly switch the 3D secure off to allow thee script to run, but I would prefer a complete user scenario to be tested as opposed to a test adapted to suit automation.
Many thanks in advance for your time and assistance.
I had exactly the same problem :
I use Selenium web driver to test against my local http server which sends redirects to https service (3DS as well btw ;). The problem is not with certs, but with this hardcoded warning of switching between https/http.
Based on the link from MacGyver's answer and this answer Key press in (Ctrl+A) Selenium WebDriver, I tested this and I can confirm it closes "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party" dialog:
Alert alert = driver.switchTo().alert();
alert.accept();
The other solution, seems to work fine but you'll get UnhandledAlertException with latest Selenium versions (e.g. 2.25.0) :
Actions a = new Actions(driver);
a.sendKeys(Keys.ENTER).perform();
Option #1:
The easiest way is to remove the option in security options for your profile:
http://forums.mozillazine.org/viewtopic.php?f=38&t=665552
Option #2:
Not sure if this applies to an untrusted certifiate or your security warning, but the forum thread seemed to fit. It requires that you use Selenium RC Server.
Profiles are stored here for Firefox: %APPDATA%\Mozilla\Firefox
Profiles can be edited: http://www.dennisplucinik.com/blog/2011/02/04/how-to-install-run-multiple-firefox-versions-in-windows-simultaneously/
Follow the snippet below from this link:
http://old.nabble.com/Security-Warning-on-final-page,-how-to-remove-td22907376.html
If using Firefox 3, see the following post https://developer.mozilla.org/En/Cert_override.txt
The solution I use to get past this security pop-up is only applicable to Firefox 3 browsers and might be more of an hack than a fix but it works.
Run the selenium test
Select "Accept this certificate permanently" when prompted by popup
Click on the OK button (it might be neccessary to have a pause after this because we need to open explorer to find a file now)
Open Windows Explorer and navigate to => "C:\Users\xxxxxxxx\AppData\Local\Temp\customProfileDirxxxx"
This is a temparary profile created by Firefox which contains a file called "cert_override.txt"
Copy "cert_override.txt" to your temp directory
Stop your selenium server.
Open your "selenium-server.jar" file from "c:\selenium-remote-control-xxx\selenium-server-xxx" using WinRar
Drag "cert_override.txt" file into the "selenium-server.jar\customProfileDirCUSTFFCHROME" folder in WinRar (do not delete or edit anything in the .jar file!!!!!)
Close WinRar, start selenium and try it again :)