Adaxes

Single Sign On issue

0 votes

Hello!

I have a problem with the single sign on with the adaxes software!
I attach a picture above our server structure and the windows iss settings of the adaxes selfservice site.

We have 2 domains.
in the domain 1 is a server with the adaxes software. (Adaxes managed both domains)
In the domain 2 are the clients.
Between the Domains we have a Two-Way Trust.
Auto Logon is enabled.
When a user opens the website http://<fqdnofserver>/adaxesselfservice the user should be automatically logged in. When the user connects to the site, she gets "access is denied" and has to log in manually.

(server structure)

(ISS Settings)

Du you have a solution?

Wishes,
Markus S.

by (40 points)

1 Answer

0 votes
by (216k points)

Hello Markus,

The IIS authentication options look OK.

Automatic logon will work only if the computer where Adaxes Web Interface is installed is trusted for delegation. Make sure that the computer is trusted for delegation. For information on on how to trust the computer for delegation, see the Enable Trust Delegation on the Computer where the Adaxes Web Interface is Installed section in the following help article: http://www.adaxes.com/help/?HowDoI.Conf ... #id1554561.

Also, make sure that users access the computer by its Fully Qualified Domain Name (FQDN). That is, make sure that the <fqdnofserver> part of the URL is not a certain DNS alias.

0

Hello

All of the settings are ok, but i doesn't work.
The automatic logon works, if the client computer in the same domain as the adaxes server but not when he is in the other.

Thanks,
Markus

by (40 points)
0

Hello Markus,

Adaxes uses the Kerberos authentication mechanism for Automatic Logon. If you authenticate a user from another domain, Kerberos will work only in two cases:

  • if both the domains belong to the same forest,
  • if the domains belong to different forests, but there exists a forest trust relationship between the two forests.

If neither of the above two conditions are met, Kerberos authentication cannot be used, and Automatic Logon will not work in Adaxes Web interface.

Do both your domains belong to the same forest? If not, is there a trust relationship between the forests?

by (216k points)
0

Hello,

The domains belong to different forests!
We have already a trust relationship between the forests established, but it still doesn't work.

Trust configuration:


Thanks,
Markus

by (40 points)
0

Markus,

The trust type between the domains is External, however it should be a Forest Trust for Kerberos to work.

by (216k points)
0

super thank you! stupid error by me!

Thanks!!
Markus

by (40 points)

Related questions

0 votes
1 answer
Single Sign On Issue

Hello, I have enabled the auto logon option and provided I use http://localhost/AdaxesAdmin things are fine, but if I use the FQDN of the server or 127.0.0.1 then I get a ... this error goes away, but it still doesn't work. Thank you in advance for any help.

asked Apr 29, 2014 by dazbo (390 points)
0 votes
1 answer
Exclude a single user from Password Never Expires report

I'd like the Password Never Expires to exclude certain users. Since it is script based is the only way to do so in the script? I have checked where I am aware and I do not see the possibility of doing this as it is currently configured. Thank you

asked Nov 15 by msheppard (470 points)
0 votes
1 answer
Limit Self Service Password Reset to a Single Managed Domain

We have two on-prem domains; Domain A and Domain B. Domain A is our primary domain and syncs with Azure AD. Domain B contains accounts created for external ... user attempts to authenticate, they are only authenticating against the Domain B on-prem domain?

asked Apr 10 by awooten (80 points)
0 votes
1 answer
Add-AdmGroupMember with -Member property passed array of members processed as single action

In most situations in Adaxes when multiple members are added or removed from a group the members are processed individually allowing business rules to run for each of them. ... a business rule to get information about the other members added with the cmdlet?

asked Mar 8 by Carl Bruinsma (120 points)
0 votes
1 answer
Assign user to a single security group among ones contained in a OU

Hello, We would like to implement a form / extend one where a user (eventually created before) is made member of a security group defining his/her role, and ... guarantee the membership to a single role? Apologize if the question seems convoluted. Thanks!

asked Jun 6, 2023 by IT Division (20 points)
3,549 questions
3,240 answers
8,232 comments
547,814 users