I have an application which uses LDAP authentication against AD, which works fine. However the UserDN and password for accessing LDAP are in clear text in the config files, and I would like to avoid clear text passwords.
In Softerra LDAP browser you have the option to authenticate with "Currently logged in user", does anyone know if this type of Windows Authentication is possible with Spring LDAP? Or is there perhaps another way to avoid credentials in config files (like using the credentials of the user trying to authenticate)?
With Microsoft SQL server, it is possible to do Windows Authentication via JDBC, since Microsoft provides some native code, has anyone heard about a similar functionality when using LDAP against AD?
"Currently logged in user"
this may mean that Kerberos based SASL authentication is used
You may check
https://docs.spring.io/spring-security-kerberos/docs/current/reference/htmlsingle/#ssk-kerberosldap
and
https://docs.spring.io/autorepo/docs/spring-security-kerberos/1.0.1.RELEASE/api/org/springframework/security/kerberos/client/ldap/KerberosLdapContextSource.html
The latter shows how the Kerberos ticket cache can be used.
Related
So I can successfully run commands to manage our Microsoft 365/AzureAd/Exchange Online - this involves assigning and removing license, converting user to a shared mailbox, delegating access to a mailbox, etc. I followed the guide here for authentication. But that's me actually logging in with my credentials + MFA (Multi-factor authentication) for authentication.
I want to have a script that does these type of actions triggered by a schedule. I believe I can include the credentials but how to do MFA? Tried to follow this but getting error clientid is not a guid I have registered an app in https://portal.azure.com/ and able to do Graph API calls using that. No luck in PowerShell authentication though. Any thoughts? Thanks!
Maybe try this? It should allow you to connect to all Microsoft online services and includes support for MFA. If it does not work, the website has many other scripts you can try
This is not possible. A potential solution is to set some rules where in specific case, MFA will not be required.
We've got an install of Azure Devops server that currently authenticates against our active directory server and authentication works, but it appears to do so by means of browser basic authentication (the browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such that users that have never logged in, actually get a login page... not just the basic authentication prompt in the browser.
I appreciate any input, I've used and administered azure devops in the cloud for a LONG time, but the devops server stuff I'm new to.
NOTE: I've played with IIS settings for authentication (enabling and disabling basic authentication and forms auth etc, but nothing really seemed to help there)
it appears to do so by means of browser basic authentication (the
browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such
that users that have never logged in, actually get a login page... not
just the basic authentication prompt in the browser.
What's the login page do you mean?
1.If you mean the login page to connect to TFS web portal, as I know using basic prompt with username+password is the only appraoch.
Web Portal:
Only logic page:
2.But if you mean something used for authentication when accessing the code. I think you must be familiar with PAT which is widely used in Azure Devops Service. IIS Basic Authentication is not recommended. You can check Enabling IIS Basic Authentication invalidates using Personal Access Tokens and Use the TFS Cross Platform Command Line with TFS using basic authentication or personal access tokens (PATs).
Hope it helps to resolve your puzzle :)
So after lots of research, I found that in the differences between azure devops server and azure devops services documentation. In this documentation it states that it uses windows authentication, and you will never be presented with any login experience.
I'd vote that this should be something that be configured to show a login screen, as sometimes we want to log in as users other than the users we logged into the machine as.
I am trying to write an WPF client which uses ADAL to authenticate against ADFS on a Windows Server 2012 R2. I have successfully implemented this using "Forms Authentication" where the user is prompted for the domain username and password. However, I want to take advantage of SSO and use the currently logged on domain user to authenticate against the ADFS.
Unfortunately, I'm only getting an error message saying:
This method overload is not supported by '< ADFS servername>'
I have done a lot of searching, but find some of the information contradictive:
This SO post about a Windows Store App (any differences to WPF?) where Vittorio Bertocci links to a blog on how to achieve it:
ADAL for Windows Store SSO
This SO post where Vittorio Bertocci claims that silent authentication is only possible with Windows Server 2016:
Authenticate with ADFS inside Console App silently
Is it a fact that Windows Server 2016 is required to perform SSO in conjunction with ADAL?
Is there any other way to do it?
EDIT:
After upgrading to the latest alpha of ADAL (3.9.302111717-alpha) I'm getting the more detailed error message
MSIS9611: The authorization server does not support the requested 'grant_type'. The authorization server only supports 'authorization_code' or 'refresh_token' as the grant type.
The code I'm executing is this:
string authority = "https://myServer.com/adfs";
string resourceURI = "http://myApp/";
string clientId = "XXXX-XXX-XXXX-XXXX-XXXXX";
string clientReturnUri = "http://anarbitraryreturnuri/";
var ac = new AuthenticationContext(authority, false);
var token = await ac.AcquireTokenAsync(resourceURI, clientId,new UserCredential());
I was able to implement a working solution using WS-Trust, so I am confident that the machine I'm running on has the privacy settings to enable the app to find the currently logged on user.
The Oauth2 endpoint looks as follows:
Also, my global authentication policy is set up like this:
Windows Server 2016 is only required for the password grant - in which you provide raw username and password. Your question seems to suggest you want to sign on with the currently signed in user, which would leverage Kerberos instead.
Kerberos based authentication should work with ADFS "3" and ADFS 2016 indifferently - as long as your client is connected to the domain network, the local machine does not have privacy settings that prevent your app from finding out the domain user currently logged in and the correct endpoints are enabled on the ADFS instance.
I have an ADFS single sign on application. Can we also have form authentication using login credential from a database on the same application? In other words, I need single-sign-on for people who have windows account and form authentication for people who do not have windows account. I did some research on this topic but I have no lead. Is there any suggestion?
Out of the box ADFS can only authenticate against Active Directory (The latest version of ADFS (vNext) do supports LDAP v3-compliant directories).
You need to build your own Custom Authentication Provider for ADFS if you would like to plugin your custom code.
Some pointers for further reading:
Understanding WIF 4.5
Create a Custom Authentication Provider for Active Directory Federation Services
Is it possible to have a Java process running on linux access EWS using kerberos only without the need of a pre-defined username/password combination?
My current system architecture consists of a Java process that accesses EWS using a stored username/password combination. Requirement is to ensure that the credentials under which the Java process runs are authenticated on Exchange using Kerberos.
Is it possible to have this setup?
yes, it should be possible to authenticate to EWS using Kerberos. You can Java GSSAPI to get the Kerberos tickets (from the ticket cache or prompt the user). There is a Java GSS Sample program at http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/BasicClientServer.html
Your question seems to be more on what Java can do versus what Exchange/IIS can do. I don't know Java well at all, however I do know EWS and IIS topics well.
Here is something to keep in mind - IIS does the authentication and not EWS. You could do an HTTP GET on a file in a virtual folder on an IIS server to verify that your API works. If you can authenticate to IIS, then EWS should work. Now having said that you also need do consifer access issues - ie impersonation and delegateion - you will need to be sure you have the needed content in the EWS XML and have the correct Exchange settings for Impersonation and correct folder permissions set for delegation.
Yes, it is possible. It is already implemented in "JWebServices for Exchange", Java API for EWS
You ticket a TGT in the ticket cache or a keytab for that account.