Adaxes

Windows authentication problem

0 votes

Hello,

I've got a problem with Windows Authentication in web interface.
When I am in Form Authentication, there is no problem.
If I change for Windows Authentication, I am correctly identified and logged but after that, I don't have any permission on AD, even to read.
Screenshots will be better than my english...

Thanks for your help
Yoann HAMON

Windows authentication :
(Windows authentication)
Form authentication :
(Form authentication)

by (180 points)

1 Answer

0 votes
by (216k points)

Hello

It looks like your Adaxes Web Interface and Adaxes Service are installed on different computers. If it is so please follow the steps below to fix the issue:

  • On the computer where Adaxes Web Interface is installed open the file C:\Users\All Users\Softerra\Adaxes 3\Softerra.Adaxes.Adsi.dll.config
  • Find the element <channel ref="tcp" priority="2" secure="true">
  • Add the following attribute to this element: <channel ref="tcp" priority="2" secure="true" servicePrincipalName="username@domain.com">, where username@domain.com is the username of the Adaxes Service Default Administrator (the user that was specified during the Adaxes Service installation).
  • Save the file.
  • Restart the IIS.
0

Hello,

Adaxes Web Interface and Adaxes Service are both installed on the same computer.
I simply configure IIS to use HTTPS, and I changed the name of web interfaces.
Anyway, your solution solved the problem, everything works fine now.

Thanks a lot

by (180 points)
0

everything works fine now.

Not really in fact...

Now, the web interface ignores security roles, even in access deny, which I defined in the Administration Console
I'm well logged with my username account but I think that everything is done with the Adaxes Service Default Administrator.

by (180 points)
0

Hello,

Please, make sure that your user account is not in the list of the Adaxes service administrators. Service administrators have unrestricted access privileges, and Security Roles are not applied to them.

To view the list of service administrators, do the following:

  1. Launch the Adaxes Administration Console.
  2. Right-click the service, for which you want to see a list of administrators.
  3. Click Properties in the context menu.
  4. Click Administrators tab.
by (216k points)
0

Hi,

No, there is only one account in Adaxes service administrators, this is the account with which the service "Softerra Adaxes Service" is started and that I inserted in Softerra.Adaxes.Adsi.dll.config file

by (180 points)
0

Hello,

Please make sure that the option ASP.NET Impersonation is enabled for the corresponding Web Application. To do this follow the steps below:

  • Launch Internet Information Services (IIS) Manager from Control Panel -> Administrative Tools.
  • In the Console Tree, expand the server that hosts the Adaxes Web Interface, and then expand Sites.
  • Expand the web site for the Adaxes Web Interface.
  • Click the virtual directory for the Adaxes Web Interface type you need.
  • In the center window frame, double-click Authentication.
  • Select the option ASP.NET Impersonation, and then click Enable. See the screenshot for details

Please note that you don't need to specify the servicePrincipalName attribute in the Softerra.Adaxes.Adsi.dll.config file if both Adaxes Web Interface and Adaxes Service are installed on the same computer.

by (216k points)
0

So, to resume :
1. If I don't specify the servicePrincipalName attribute in the Softerra.Adaxes.Adsi.dll.config file WITHOUT ASP .NET Impersonation enabled, I go back to the first problem.
2. If I don't specify the servicePrincipalName attribute in the Softerra.Adaxes.Adsi.dll.config file WITH ASP .NET Impersonation enabled, I have this :

IE ask for authentication 3 times and then display error 401
Config IIS :

3. If I make this IIS configuration with the Adaxes administrator account :

logging OK on the web interface, but the security roles are not applied. Same case that if I specify the service PRincipalName attribute in the Softerra.Adaxes.Adsi.dll.config file.

by (180 points)
0

Hello,

The correct IIS authentication options for Adaxes Web Interface are as follows:

  • Anonymous Authentication: Disabled
  • ASP.NET Impersonation: Enabled
  • Basic Authentication: Disabled
  • Forms Authentication: Enabled
  • Windows Authentication: Enabled
    See this screenshot for details:

    It is important that ASP.NET Impersonation is set up to impersonate as the Authenticated user:

Make sure that the servicePrincipalName attribute is not specified in the Softerra.Adaxes.Adsi.dll.config file. If it is still there, remove it.

Restart IIS, restart your browser and try again.

Is the problem still there?

by (216k points)
0

In this case, I have a refused access on first try (when I've just open my browser).

If I insert my username et password in forms, it's OK.

by (180 points)
0

Try to configure Your Web Browser for the Kerberos Authentication.

For Internet Explorer:
Enable Integrated Windows Authentication

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Advanced tab.
  3. In the Security group, select the Enable Integrated Windows Authentication check box.
  4. Click OK and restart Internet Explorer for changes to take effect.

Add the Adaxes Web Interface to the list of local intranet sites

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, select Local Intranet, and click Sites.
  3. Click Advanced and type the address of the Adaxes Web Interface.
  4. Click Add
  5. Click Close, and then click OK two times.

Adjust Web Browser Logon Settings

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, select Local Intranet, and click Custom Level.
  3. In the User Authentication group, select Automatic logon with current username and password.
  4. Click OK two times.
by (0 points)
0

Hello,

In this case, I have a refused access on first try (when I've just open my browser).

It happens because Integrated Windows Authentication fails to use the Kerberos protocol and switches to the NTLM protocol. This Microsoft KB article describes your issue https://support.microsoft.com/en-us/hel ... ion-issues

To troubleshoot this issue first of all ensure that the account of the computer where Adaxes Web Interface is installed is trusted for delegation, for details please see the following link: http://adaxes.com/help/UsingWebInterfac ... #id1110516

Next question, are you connecting to the Adaxes Web Interface using the actual NetBIOS name of the server or an alias name?

by (216k points)
0

Your last question helped me! Indeed, I use a DNS alias and I had to register it as additional SPNs on the server.

I used this Microsoft guide : http://blogs.msdn.com/b/webtopics/archi ... s-7-0.aspx.
This time, everything seems to work.

However, I think you should add that ASP.NET Impersonation must be activated in the process of implementing integrated authentication. And perhaps talk about this SPN when using a DNS alias.

Anyway, thank you for your help!

by (180 points)

Related questions

0 votes
0 answers
The password self service at windows login works on windows 10 but not windows 11.

We have followed your instructions to set up the password self service and we got it to work on windows 10 but the link does not show up on windows 11. is there something we can do to get the link to show up?

asked May 1, 2024 by rechevarria (40 points)
0 votes
1 answer
Install admin console on windows 10 azure joined computer

Hi, I'd like to install the admin console on my Windows 10 22H2 Azure Joined computer. Product Version = 3.16.21515.0 2023.2 I get the following error when I run ... install Softerra Adaxes 2023.2, this computer must be a member of an Active Direcoty Domain. I

asked Jul 13, 2023 by KevC (60 points)
0 votes
1 answer
Password Self Service - Windows 10 Credential Provider

Hello! We're using Duo for MFA on Windows 10 logins and understand this creates a new credential provider in Windows along side Adaxes' Password Self Service (PSS) credential ... 2FA with a Auth app or SMS code along with questions/answers. Thank you, Kyle

asked Feb 8, 2022 by KyleCascade (20 points)
0 votes
1 answer
Local password self service reset for Windows breaks access to private keys of user certificates

Hi there, we are already successfully using the password self service via webinterface for our ad domain users. In addition to this are we in the testing phase of the password ... has the same problem and maybe can report how they solved it. Thanks in advance.

asked Oct 27, 2021 by khess (20 points)
0 votes
1 answer
Does Adaxes support Windows Server 2022?

We're looking to migrate our Adaxes console to a new VM/Server, and we'd like to use Server 2022, and we want to verify that it will work before we stand the server up. Our current one is Windows Server 2016.

asked Oct 7, 2021 by JButler (50 points)
3,638 questions
3,326 answers
8,413 comments
548,846 users