TFS API TF30063: You are not authorized to access http:// - c#

I have an asp.net site on IIS using windows authentication (pass through) and I am trying to connect to the TFS API programmatically.
When I run it on my dev machine all is fine but once the site is on IIS I keep getting {"TF30063: You are not authorized to access http://mytfsserver."}
I have debugged the live site and it seems like it always takes the user as "NT SYSTEM" instead of the actual logged in user.
If I put my account details for the application pool it works as expected.
Any idea on how I can bypass this?
Code where it fails:
Uri collectionUri = new Uri(rootWebConfig.AppSettings.Settings["TFS_TEST_URI"].Value); //TEST ENV
tpc = new TfsTeamProjectCollection(collectionUri, CredentialCache.DefaultNetworkCredentials);
tpc.Authenticate();
workItemStore = tpc.GetService<WorkItemStore>();

You are hitting a standard active directory double hop authentication issue.
You have two options:
Username & password - if you ask the user to physically enter their username and password you can authenticate as them.
Kerberos - if you enable and configure Kerberos you can enable passthrough authentication. You need properly configured SPN: http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx
I would go with kerberos tokens. It's a pain to configure but works a treat. Your only other alternative is to run your web app on the TFS server and bypass double hop.

Related

Error C# Dynamics CRM: The authentication endpoint Username was not found on the configured Secure Token Service

We're facing an error while trying to deploy a WCF webservice in a server. While connecting to Dynamics (CRM on premise) we get this error: The authentication endpoint Username was not found on the configured Secure Token Service
If we test it locally, it's working but if the deploy the webservice in the server, this is the code which performs the login:
Uri serviceUri = new Uri(OrgServiceUri);
proxy = new OrganizationServiceProxy(serviceUri, null, authCredentials, null);
proxy.EnableProxyTypes();
_service = (IOrganizationService)proxy;
Guid userid = ((WhoAmIResponse)_service.Execute(new WhoAmIRequest())).UserId;
if (userid != Guid.Empty)
{
Console.WriteLine(userid);
return true;
}
else
{
return false;
}
Any guess?
Thank you!!
First, make sure the user you have set up as the service account has Read/Write access to CRM and has a security role assigned that enables it to log into CRM remotely.
Next, make sure the Username endpoint is configured in the ADFS deployment that this CRM org is using:
Log onto the ADFS server and open the ADFS management console. Go to ADFS > Service > Endpoints
You’ll see a list of endpoint URLs here. Find the one for /adfs/services/trust/13/username of type WS-Trust 1.3
Make sure that this endpoint has “Yes” set for both the Enabled and Proxy Enabled settings.
If you have to make a change to this endpoint, after making the change re-start the ADFS server and the CRM server, then try to register again.
Lastly, if the above looks okay, it could be a resolution or routing issue blocking the connection. Make sure that there are external DNS entries for the path to your ADFS server. Also, make sure that your firewall permits external access to the ADFS server. If you are able to, try to use a computer that is outside of your domain to navigate directly to the ADFS server to test its accessibility.
This is a problem with the same error as you, and it has been resolved, you can refer to: The authentication endpoint Username was not found on the configured Secure Token Service
Finally we found it was an issue with ADFS service per-se, networking related, since it wasnt able to connect SSO site. After fixing that, it started to work as a charm.
If you are running ADFS on-prem, the ADFS windows service might be stopped (Because of a power failure / unexpected server restart).
You just need to start it.

How to access SQL-DB as AppPool when running ASP.NET Impersonation OR How to get the NT-User when running AnonymousAuthentication

The tools
myWebApp: ASP.NET Core 1.1 MVC
myAuthApp with IdentityServer4
MS SQL Server 2012
IIS 8 on Win2012 Server
What we Want:
figure out what NTUser (intranet) is using the app to get userinfo from sqlserver-db (by searching the NTUserName) without any login dialog
What we have
one website (WinAuthApp) using asp.net impersonation (IIS Authentication) only to deliver NTUser-Name with return User.Identity.Name
and one website (our WebAPP) with Anonymous Authentication to get access to SQLServer with AppPool Identity. This WebApp redirects (when requesting without authentication token) to our AuthApp to check identity. AuthApp asks the WinAuthApp for the username and searchs the DB for permissionflags and builds an identity and a generates a token for it. with this authentication token it returns to WebApp and is now authenticaticated. External users give Name and Passwort and get a token to access WebApp.
Problems with this approach
when external users come to webApp and AuthApp asks WinAuthApp (with WindowsAuthentication configured) they get the NT-Login screen instead of WebApp's "Login Page for Externals". One contraint is: the intranetuser should NOT get a login dialog. (webApp has to answer to links and open the requested page immediately).
Summary
How can i configure my AuthApp (IdentityServer4) to have access to current NTUser (IF request comes from Intranet) but mainly working as AppPool-Identity (esp. for DB-Access)
I figured it out:
in Web.config set forwardWindowsAuthToken="true", and then set WindowsAuthentication true and asp.net impersonation false.
Then access to SQL-Server is done with appPool-Acount, and in the application context.User.Identity.Name gives user's NT-Account.
It wasn't too difficult but i always set WinAuth AND Impersonation synced. Don't know why.

How to pass default credentials in Windows Authentication

I'm developing UWP application using C#.net and it has WCF service with Windows Authentication enabled. I struggling to pass default NetworkCredential after consume a service call using Add service reference option.
Please find below my examinations.
When I pass correct windows authentication credentials, it is working as expected.
var service = new ServiceReference.Service1Client();
service.ClientCredentials.Windows.ClientCredential =new NetworkCredential("pradeep","****");
var test = await service.GetDataAsync(1);
but, I wanted pass default network credentials while using my service methis
var service = new ServiceReference.Service1Client();
service.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
var test = await service.GetDataAsync(1);
I also tried below option.
service.ClientCredentials.Windows.ClientCredential = (NetworkCredential)CredentialCache.DefaultCredentials;
When I pass default credentials. I'm getting below exception.
The HTTP request is unauthorized with client authentication scheme
'Negotiate'. The authentication header received from the server was
'Negotiate, NTLM'.
I tested same service call with default NetworkCredential in WPF application which is working as expected.
In order to pass the default credentials for the WCF Windows Authentication in UWP by using the System.Net.CredentialCache.DefaultNetworkCredentials, first please make sure that you have added the Enterprise Authentication and Private Networks(Client & Server) capabilities as following:
For the Enterprise Authentication capability, it is because that Windows domain credentials enable a user to log into remote resources using their credentials, and act as if a user provided their user name and password. The enterprise Authentication special capability is typically used in line-of-business apps that connect to servers within an enterprise.
For the Private Networks(Client & Server) capability, it is because that currently in Windows Runtime we can only pass the default credential in the Intranet. For the Internet we have to use the Username and Password as credential.
For more information about the Capabilities, please check:
https://msdn.microsoft.com/en-us/library/windows/apps/hh464936.aspx .
After that please try to use your Computer name or Fully Qualified Computer name instead of the IP address for your WCF Services like this: http://YourComputerName:YourPortNumber/Service1.svc.
At last please use another computer as client to test the WCF Windows Authentication in UWP with the System.Net.CredentialCache.DefaultNetworkCredentials, then it should work fine.
Thanks.

Using Azure Active Directory - one application to login locally and when published

I'm building an MVC application with Azure Active Directory authentication. When I develop locally I would like to be able to sign-in for testing/development purposes. And the app url is like http://localhost:43400. This is also encoded in the AD application in Sign-On Url and Reply Url.
When I deploy the same app to the server, the app url is changed - becomes something like myappname.azurewebsites.net and I can't login using the same AD application. The best I could manage is to get through login process, but then AD redirects me back to localhost:43400 which is wrong.
There is PostLogoutRedirectUri property in Startup.Auth.cs that I give to the app, but it makes no difference at all.
Any way to have local application and deployed application using the same Azure AD?
I can do 2 AD Applicaitons with different urls and keys and rewrite the values in web.config on deploy. But that does not sound like the best solution. Anything else I can do?
UPD
Here is the bit I'm referring to in Startup.Auth.cs:
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = Authority,
PostLogoutRedirectUri = postLogoutRedirectUri, // <-- this is coming from web.config, different in dev and prod
Notifications = new OpenIdConnectAuthenticationNotifications()
{
.....
}
});
See full code listing here.
And in Azure AD application I tried both addresses as a Reply URL at the same time:
But the AD used only one of the addresses to redirect, even though the client specified the redirection that matches one of the records.
You can add multiple redirect uri to your app, that's why the property is implemented as a list! You just need to make sure that you specify which URI to use at runtime. You can do that in many ways - you can specify the return URI at middleware init time, or you can add dynamic code that will inject a redirect URI in the sign in message. For an example of the latter approach, please see RedirectToIdentityProvider in https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs

FileNet Api access rights for asp.net

I have some sort of trouble, but i can't figure out where it can be. I have a search method. It uses filenet api and connects to server using admin credentials.
ClientContext.SetProcessCredentials(new UsernameCredentials(login, password));
var connection = Factory.Connection.GetConnection(storeUri);
var domain = Factory.Domain.GetInstance(connection, null);
var store = Factory.ObjectStore.FetchInstance(domain, storeName, null);
return store;
At target system it works fine, when i run console application. But when i run it at asp.net web site i got
"The requester has insufficient access rights to perform the requested operation." error. Who is requester at this point?
When you're running the application through a console, the user you are logged in as is used i.e. this is you and you probably have admin rights on the machine.
When you run it through IIS, this will depend on which version of IIS you are using. Look at this question for more information. You'll either need to change which user the web site is running under or grant further permissions to the user (or group) that is currently configured.

Categories