How to solve authentication failure with CNAME in url - kerberos

We have a web application written using Liferay 6.2 and deployed on tomcat server. Application is accessed using Integrated Windows Authentication. Everything works fine if hostname is directly used to in url to access.
To hide the actual hostname, a CNAME record was created. When that is used to access, users get repeated prompts for credentials and authentication is rejected despite entering correct credentials.
We tried creating SPN for CNAME using the command setspn -a "HTTP/<<friendly name>>". Since connection is made on standard port 443 using HTTPS, no port number was specified when creating SPN. However, repeated authentication prompts still continue to appear. The application runs using a service account. Including the service account when creating SPN could be an option. Please share if there are any suggestions on what else could be tried.

What does "everything works fine" mean? Are you getting prompted and when you enter creds it works correctly, or it does SSO and logs you in without a prompt?
The fact that you're getting prompted is because a) the new cname isn't considered to be in the intranet/trusted internet zone. See Internet Options > Security > Local Intranet/Trusted Sites > Sites. Or b) the requested ticket sent to the server failed.
Also usually you don't register the cname as an SPN. You register the A record the cname is pointing to as the SPN. My guess is this is causing the failure. The SPN is getting registered to the wrong service account so the KDC is using the wrong service account key.

Related

How can I authenticate with the machine account during SPNego authentication?

My goal is to create a HTTPS REST service that (in concept) allows a machine account to authenticate using the less- than documented machine$ account.
I have a REST endpoint for an AD connected intranet application. Right now IIS simply echoes the thread CurrentPrincipal when I navigate using Internet Explorer.
Now I'm using the HTTPClient , using default authentication, running a my username, and that also works.
My new goal is to send the AD Connected machineAccount (that ends in the dollar sign $) so that IIS responds with the kerberos name Domain\TestServer$
I attempted creating a Windows Desktop service, running as NetworkService or LocalSystem, and I'm not clear if HttpClientHandler.UseDefaultCredentials is sufficient for running in this (unusual) context or if a different approach is needed to authenticate using the machine account.
Is a PInvoke needed? Is there anything in logonuser32 that needs to be done?

Plesk and domain hosted externally

I have two hosting accounts (Personal one and a work one). I am doing some testing and would like to create a subdomain of a work domain (manage.domain.com) and host it on my personal account. Currently, my personal host is through 1and1 and is dedicated while the work one is shared with GoDaddy.
Work
I have gone into go daddy and created the subdomain. I have also added DNS records such as A, AAAA AND NS (i did not record a CNAME). I have noticed that if is type manage.domain.com it is redirecting to my personal server. However, it is directing to the blank admin page of the root of the server (which is maintained using Plesk).
Personal
Using Plesk I added the website (domain.com) and created the subdomain (manage.domain.com). I have also updated the websites hosting access using Plesk and assigned it the default values of my personal account. Using Plesk I also set the subdomain to the particular location of the files I want to test. However, I cannot get my server to recognize the address and redirect it to the proper location.
Any help is greatly appreciated!
J
You can just create:
in personal account domain(not subdomain) manage.domain.com
on domain.com add DNS record of type A, name "manage" and IP address of personal hosting:
After that "manage.domain.com" will resolving to hosting of your personal account and can be accessed because such domain exists.
I figured it out
What i did above was correct expect do not change the name servers on the work DNS(godaddy).
Add the website to plesk - it will give you an error about not being able to control the DNS settings which you have already adjusted on the original server (godaddy)
Add a subdomain of the website.
*** Ensure the subdomain is pointed to the correct folder within your server
Done

OAuth access_denied on login from all providers after server IP change

We recently changed the IP-address on a server hosting one of our services based on .NET Web API 2.
The service is using OAuth2, providing external logins via Facebook/Google.
We're still using the same server and the same host name for our services, only the IP-address has changed. Now I'm getting back my login URL with "&error=access_denied" whenever I try to login using Facebook/Google.
I have checked every setting in both Facebook's and Google's developer consoles but nothing seems to apply. If I remove the OAuth redirect URI, I get an error that the URL is blocked, so the settings seems to take effect.
What have I missed?
Funny how asking a question makes you think even more outside of the box. The culprit was that wrong DNS-server was set on the web host.
I'll see myself out...

IIS Arr not passing windows credentials on the same server

I have a self-hosted owin web api service on a test environment, and to give it a better name I use a domain alias, and ARR.
My web api runs on port 8888, and uses Windows Authentication. I have configured my arr to run under testserver:80 with anonymous authentication. I want to deploy a service on the box that will pool the webapi for data. When I try to visit testserver from my web browser on my desktop it works fine. However, when I remote into that box and try to hit testserver it prompts me for credentials. Even if I type them correctly it still will issue me a 401. If I go to localhost:8888 the site will work.
Since, I'd prefer to use the pretty name for the server in my service how do I correct this issue. How do I get it to pass credentials on the same box through ARR?
You might have have an issue with LSA loopback checking.
You get the 401 because ARR forwards your Windows Authentication to localhost, which is not allowed (default setting).
Try to disable LSA loopback checking (restart most probably required). If that works you can limit the disabling of loopback checking to specific websites (to prevent security holes).
See You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version for more information on the LSA loopback check and how to disable it completely or only for specific hostnames.

Can't Authenticate with Local .NET back-end

I've followed the guide:
Getting Started with Authentication with Mobile Services .NET for Windows Store
I'm able to run the service locally as long as I don't need to authenticate the user. I can also authenticate the user if I publish the service to Azure. But I want to be able to test and authenticate the user locally. How can this be done?
I'm using Live ID and I have the correct ClientID and ClientSecret set in the Web.config. When I attempt to call LoginAsync from the client the call fails with The request could not be completed. (Method Not Allowed)
** Update 2014-03-20 **
Based on the comments of Carlos and Henrik, I've updated my local service to look exactly like my server instance. I followed Scot Hanselmans excellent guide and now I have my service running locally on port 80 and port 443 with a completely valid SSL certificate. It's even running on the exact same https://xxxx.azure-mabile.net hostname.
With these changes, there is now no configuration difference whatsoever between running the app against my local machine or running it against Azure. I can go to https://xxxx.azure-mabile.net in the browser, get redirected to Live login, sign in, and get redirected back to the service successfully. In the browser it all works. However it still doesn't work in the app.
I attached the debugger, set CLR errors to "break when thrown" and I managed to trap the exception in the service. Here's what I see in the immediate window:
The Response property is not helpful. It does not provide any additional information about the problem.
The only thing that stands out to me is that the app is trying to do a POST to /login/microsoftaccount while the browser would normally be doing a GET at this address (then getting redirected).
** Update #2 2014-03-20 **
After following Henriks guide for remote debugging I was able to load symbols and get a tiny bit more information:
"An existing connection was forcibly closed by the remote host"
The error code is 10054 (WSAECONNRESET) Connection reset by peer.
It appears the Live Authentication server may be forcibly terminating the connection, but only when I'm authenticating with the app. Again, authentication within the browser is fine. This, combined with the fact that /login/microsoftaccount is a POST from the app seems to suggest there is a problem with the authentication token I'm getting back from LiveClient.LoginAsync. I'll do some more digging...
At the moment, it is set up so that you don't need authentication when running locally and access the service from localhost. In this case, anonymous access is let through (this is of course disabled while running in the cloud).
We don't really have a way for your to authenticate locally as redirect URIs won't work (they can't point to localhost as there is not way that Facebook, say, can resolve "localhost").
One option is that we somehow can mock the authentication locally and give you a token without connecting with the various identity providers. I am not sure exactly what that would look like but it is something we can consider.
Henrik
Did you perhaps set Mobile client app: Yes in your Live Connect project? I think that setting is meant to be used with the Live Connect SDK (client) flow, not the browser-based (server) flow. The client flow isn't supported yet with a .NET backend.
You also want to make sure you are using LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount) on the client to trigger the server flow.