We Keep Coding

Windows Authentication for Blazor Server app - login popup

I am building a Blazor Server app using .NET 6.0.11 and deploying using Http.Sys . The server and clients are all on the same Windows domain. I'd like to authorize users based on their domain login, instead of building a username/password database and infrastructure specific to this app.
The code in Program.cs to enable Windows Authentication, based on code from the official documentation:
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
builder.WebHost.UseHttpSys(options =>
{
options.Authentication.Schemes =
AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
options.Authentication.AllowAnonymous = false;
});
}
// ...
app.UseAuthentication();
app.UseAuthorization();
I view the authentication state using the first code sample from ASP.NET Core Blazor authentication and authorization.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
Note: I had to run a netsh http add urlacl url=.... one time only; the command was suggested by an exception message generated on first run after changing the launch URL.
Entering my domain login username and password is accepted, and the previous code sample does show my username successfully. I also noticed the following behaviour:
setting AllowAnonymous = true; means it will not prompt at all for the username/password; the page just proceeds with the user not authenticated.
If the username/password is not entered correctly (for a user on the domain) then HTTP error 401 is generated instantly, it never tries to execute the Blazor default error page for example.
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
I am presuming the above behaviour will be the same for other domain uses on different machines accessing this server, although have not tested that yet.
My questions:
is it possible to skip the username/password popup , and just get the domain user that is already logged in on the client machine and doing the access?
(If not) would deploying to IIS instead of Http.Sys change anything?
There seem to be Blazor-based solutions discussed on this SO thread , but I can't see how to use them because the popup always appears as soon as any page is attempted , before any page is rendered; and if login fails, HTTP 401 error is generated with none of the Blazor pages being executed.
Footnote: I was using HTTP.sys instead of Kestrel due to documentation indicating that Kestrel did not support Windows Authentication; however it is working using Kestrel for me now, along with the information from the Accepted answer -- not sure what the story is there.

This is a client-side issue.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
That's because the browser recognizes localhost as a (somewhat trustworthy) server within your intranet, but considers mycomputername.our.domain to be a (potentially hostile) Internet service. For security reasons, Chrome and Edge only use your Windows credentials with servers within your own intranet by default.
To determine which group an URL belongs to, Chrome, Internet Explorer and Edge use Windows's own "Intranet zone" settings. To add your URL,
search for "Internet options" in the Windows Start Menu, then
navigate to Security/Local intranet/Sites/Advanced.
If you want to test with a non-Chromium based browser, here's how to configure Firefox. Firefox manages its own list of URLs where Windows authentication is allowed:
How to configure Firefox for NTLM SSO (Single-Sign-On)?
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
If the client and the server agree to use Kerberos, sure: The client communicates with the domain controller to authenticate and to get a service ticket and then uses that ticket to access your service.
If they don't agree, they will use NTLM. In this case, authentication happens between the client and your server. However, NTLM won't send your password in plain text either, but rather uses it as part of a challenge-response mechanism.

is it possible to skip the username/password popup , and just get the
domain user that is already logged in on the client machine and doing
the access?
IMHO, this is not possible with "windows authentication", because the popup dialog that you see is a special browser feature to enable the windows authentication.This one created in order to support internal application with domain authentication. I don't know of any way to access that browser behavior.
(If not) would deploying to IIS instead of Http.Sys change anything?
Haven't done a deployment with Http.Sys, but according to the documentation it says that Http.Sys supports windows authentication. The deployment would be different since for Http.Sys you need to write the configuration in code, unlike the IIS.

Error: redirect_uri_mismatch In Google Login in MVC Application

I am trying to upload video to YouTube through MVC C# application. I am following this link
Whenever I am trying to run the application I am getting below error from the Google.
Error: redirect_uri_mismatch
The redirect URI in the request, http://localhost:52271/authorize/, does not match the ones authorised for the OAuth client. Visit https://console.developers.google.com/apis/credentials/oauthclient/CCC-XXX.apps.googleusercontent.com?project=XXXX to update the authorised redirect URIs.
Here is my Json file.
Here is my Google Console Application:
Error:
Is there anything wrong ?
Thank You.

The redirect URI you set in Google Developer console must exactly match where you are sending the request from. If you notice the Port number is changing. This is because visual studio has a habit of adding random port numbers when you are debugging via visual stuido.
To specify a port for a Web application project that uses IIS Express
In Solution Explorer, right-click on the project and then select Properties. Click the Web tab.
In the Servers section, under Use Local IIS Web server, in the Project URL box change the port number.
To the right of the Project URL box, click Create Virtual Directory, and then click OK.
In the File menu, click Save Selected Items.
To verify the change, press CTRL+F5 to run the project. The new port number appears in the address bar of the browser.
How to: Specify a Port for the ASP.NET Development Server

From Google doc located at https://developers.google.com/identity/protocols/OAuth2UserAgent?hl=en_US#example
The REDIRECT_URI should be the same URL where the page is being served.
I finally saw this, put the URL for the page where I call the Google authentication, and it worked like a charm.

You need to add localhost to your authorized domain names in the Google API Console.

Cannot login to a local ASP.NET app after publishing it to Azure

I created an ASP.NET Core application with Visual Studio 2015 Update 3. The app, as generated by the Visual Studio wizard, was published by using the menu Build, option Publish. I entered the data requested by VS, and the app was published in my Azure account.
When creating the app, I chose the option "Work and school account" authentication, meaning that I can login with my Azure/Office 365 user account.
So far, it works great, and the app can be accessed by the URL provided by Azure.
However, now, when I try to run/debug the app in my local IIS Express, I do get an error when logging in. The error shows Microsoft's standard page. The error I get is the following:
Sorry, but we’re having trouble signing you in.
We received a bad request.
Additional technical information:
Correlation ID: 92884f38-bbfb-4dbb-8224-58ac95ff3cdc
Timestamp: 2016-12-06 06:17:02Z
AADSTS70001: Application with identifier '5c8c803c-XXXX-XXXX-XXXX-XXXXXXXXXXXX' was not found in the directory 7d3523a5-XXXX-XXXX-XXXX-XXXXXXXXXXXX
The 5c GUID refers to my application ClientID in Azure, and the 7d GUID refers to the Tenant ID. I checked my Azure tenant, and the Active Directory has my app registered. The only difference is that the URL points to myapp.azurewebsites.net, and when running from my local IIS, the URL is localhost.
Does this difference in URLs have something to do? What can I do to fix this?
How is this type of application usually debugged without having to publish the app any time I make a change?

You have to add localhost to Reply URLs of your application in Azure.
Take a look here:
and here:

IIS reverse proxy with windows authentication on same server getting access denied

I've viewed a few of the other IIS reverse proxy with windows authentication posts on here and they don't seem to be what I'm trying to do. Hopefully someone will be able to help or spot what I'm not doing or doing wrong.
I've got a server which has a website running on port 80 which I need to present a number of other web applications on. I cannot create new hostnames so I created a virtual directory in the site which pointed to my web apps, however the root site is using .net2.0 app pool which must stay as .net2.0 whereas my ASP.NET MVC apps all need 4.0 app pools. As per the web.config inheritance problem this is not working and I cannot change the web.config in the root to ignore propagation to child web.configs - with me so far? ;-)
To cut a long story short I've now got a virtual directory in my port 80 site which is acting as a reverse proxy to another site on port 81 and this is working fine for anonymous connections. I've tested it with a simple HTML page and I can access it and the url re-writing is working on links in the HTML page, all good so far.
Now I need to enable windows authentication on the port 81 site, so I followed the instructions similar to what is in these links on MSDN site to configure SPN's for the domain account I'm using (DOMAIN\testaccount) and other IIS config's:-
link 1
link 2
The problem is that all I get now is the good old error message:-
Access is denied. Description: An error occurred while accessing the
resources required to serve this request. The server may not be
configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
-------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.34280
I've tried creating a test aspx page which just outputs the server variables to the response but even this is not working.
I can't find anything else to try, initially I thought I'd have to get Kerberos sorted to pass the details from virtual directory to site on port 81 but the MSDN posts say this is not needed, just the SPN's.
Anyone any ideas?

This turned out to be something very simple and me being dumb for not checking! :-)
I spent days trying to figure out why this wasn't working, not sure why I didn't try earlier but I changed the application pool it was running under to use .net2.0 and then my test aspx page worked!?!
Turns out in IIS manager if you click on the root server node itself that under 'ISAPI and CGI restrictions' feature settings that the .net4.0 DLL's were set to 'Not Allowed' but the .net2.0 DLL's were 'Allowed'! I just enabled the .net4.0 changed the application pool back and then voila it works.

The client application has requested access to resource 'https://outlook.office365.com'. This request has failed

I am trying to test the sample code from office365 API, I could login to my account but after that i would always get this exception
AuthenticationFailedException was caught
AADSTS65005: The client application has requested access to resource 'https://outlook.office365.com'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: 7a39b0bd-1738-418f-984a-feffae5b5d9b
Correlation ID: 16da7c7f-9f0c-468f-a560-a51b1ac9b3bf
Timestamp: 2014-07-09 07:36:34Z
This is the code that I have been testing this code is generated by the API.
Authenticator authenticator = new Authenticator();
var authInfo = await authenticator.AuthenticateAsync("https://outlook.office365.com");
please help me or point-out what I'm doing wrong, this is my first time developing in office365 please help and thank you.

I just came across your question having run into the same error, so since nobody ever answered I figured I would post the answer I found. This error is related to the permissions set to be requested on the app in the Azure dashboard at https://manage.windowsazure.com.
If you go into your app configuration page and scroll to the bottom, you just need to add the corresponding items under the delegated permissions dropdown.

I got the same error. This is what fixed it for me:
Go to https://manage.windowsazure.com
Go to the corresponding app configuration page.
Scroll to the bottom to "permissions to other applications".
Add "Windows Azure Active Directory" application if it is not already there.
Under delegated permissions check "Enabled Sign-on and read user's profiles"

The consent framework associated with requesting authorization requires that your client application is configured with a static set of permissions to the resources (APIs) that it will call. For example, if your app needs to read the signed in user's mail and read and write to their calendar, you need to select Office 365 Exchange Online as a resource and pick the Read mail and Read and write calendar permissions.
This app configuration can be done in a couple of ways - one way is through your dev environment - like Visual Studio. VS2013 and up have a connector that allows you to register a client app and configure its access to O365 cloud resources. Another way is through the Azure Management Portal (under the AD extension, find your application, click on the configure tab, and configure access through the "permissions to other applications" section.
I recommend that you look through https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks and the following sections which show how register apps through Azure Management Portal and through Visual Studio. Also which sample are you trying here? The sample should contain instructions, including the instructions to set the resource and permission scopes your application needs