Adaxes

Single Sign On Issue

0 votes

Hello,

I have enabled the auto logon option and provided I use http://localhost/AdaxesAdmin things are fine, but if I use the FQDN of the server or 127.0.0.1 then I get a kerberos prompt and then Access is Denied and the SignIn.aspx screen. I can then login with if I put in username and password.

I have checked the web.config and computer delegation settings, but in IIS I noticed the error "Challenge-based and login redirect-based authentication cannot be used simultaneously". If I disable the Forms Authentication this error goes away, but it still doesn't work.

Thank you in advance for any help.

by (390 points)

1 Answer

0 votes
by (216k points)

Hello,

I have checked the web.config and computer delegation settings, but in IIS I noticed the error "Challenge-based and login redirect-based authentication cannot be used simultaneously". If I disable the Forms Authentication this error goes away, but it still doesn't work.

Please ignore the error and enable the Forms Authentication.

The reason for your issue is that your browser is not configured for Single Sign-On. For information on how to configure your browser, see Single Sign-On Browser Configuration.

0

I know that, but why doesn't it work with the browser login box?

Ultimately I am accessing Adaxes via a reverse-proxy that does the authentication for me and then passes the credentials on via Kerberos/NTLM, but that isn't working yet.

If I access the web site from a browser without the configuration I get a popup for username/password, but then get the Access Denied and the forms. I suspect if that was working by proxy would work also.

by (390 points)
0

The fact that the browser dialog box appears means that the browser is not using Kerberos, and the NTLM authentication mechanism is used instead. NTLM authentication is not supported. If you configure your browser for Single Sign-On per the instructions above, you will actually enable it to use Kerberos for Adaxes Web interface instead of NTLM.

So, if your reverse proxy supports passing credentials using Kerberos, we don't see any issues, this should work.

by (216k points)
0

Ok, thanks. The proxy is using Kerberos Constrained Delegation and I can see in the IIS logs the username in the requests, however I am still redirected to the SignIn form. Perhaps what I am attempting is not going to work....

by (390 points)
0

We didn't test Adaxes Web Interface with web proxies, however the Web Interface uses the standard built-in IIS mechanism for Windows Authentication. Any documentation that you will find for enabling and configuring IIS Windows Authentication with your reverse proxy will be applicable to Adaxes Web interface.

by (216k points)
0

Further confusion based on your reply....

If I add the FQDN of the web interface server into Trusted Sites Zone, but leave the Logon option set to "Automatic Logon only in Intranet Zone", then I get the browser popup for username/password and can log in as any user which is what I want.

If I set the Logon option to "Automatic logon with current user name and password" it logs me on as the user I am logged into Windows as (as you would expect).

If I remove the FQDN from Trusted Sites Zone, the popup username/password appears, but I then get the "Access is denied" and the Sign In page....

Thanks

by (390 points)
0

It looks like the computer where Adaxes Web interface is installed is not treated by your browser as the intranet zone. In this case, Kerberos cannot be used, and the browser tries to authenticate using NTLM.

When you add the computer to the Trusted Sites Zone, a request to perform Kerberos handshake is received from the Web Interface, and your browser prompts for credentials to be used for Kerberos authentication.

When you enable the Automatic logon with current user name and password option, the browser tries to login via Kerberos with the current Windows session credentials.

by (216k points)

Related questions

0 votes
1 answer
Single Sign On issue

Hello! I have a problem with the single sign on with the adaxes software! I attach a picture above our server structure and the windows iss settings of the adaxes selfservice site. ... " and has to log in manually. Du you have a solution? Wishes, Markus S.

asked Sep 27, 2013 by markus.s99 (40 points)
0 votes
1 answer
Exclude a single user from Password Never Expires report

I'd like the Password Never Expires to exclude certain users. Since it is script based is the only way to do so in the script? I have checked where I am aware and I do not see the possibility of doing this as it is currently configured. Thank you

asked Nov 15 by msheppard (470 points)
0 votes
1 answer
Limit Self Service Password Reset to a Single Managed Domain

We have two on-prem domains; Domain A and Domain B. Domain A is our primary domain and syncs with Azure AD. Domain B contains accounts created for external ... user attempts to authenticate, they are only authenticating against the Domain B on-prem domain?

asked Apr 10 by awooten (80 points)
0 votes
1 answer
Add-AdmGroupMember with -Member property passed array of members processed as single action

In most situations in Adaxes when multiple members are added or removed from a group the members are processed individually allowing business rules to run for each of them. ... a business rule to get information about the other members added with the cmdlet?

asked Mar 8 by Carl Bruinsma (120 points)
0 votes
1 answer
Assign user to a single security group among ones contained in a OU

Hello, We would like to implement a form / extend one where a user (eventually created before) is made member of a security group defining his/her role, and ... guarantee the membership to a single role? Apologize if the question seems convoluted. Thanks!

asked Jun 6, 2023 by IT Division (20 points)
3,549 questions
3,240 answers
8,232 comments
547,814 users