0 votes

Hello,

I've got a problem with Windows Authentication in the web interface.
When I am in Form Authentication, there is no problem.
If I change to Windows Authentication, I am correctly identified and logged in, but after that I don't have any permissions on AD, even to read.
Screenshots will be better than my English...

Thanks for your help
Yoann HAMON

Windows authentication :
(Windows authentication)
Form authentication :
(Form authentication)

by (1.9k points)

1 Answer

0 votes
by (215k points)

Hello

It looks like your Adaxes Web Interface and Adaxes Service are installed on different computers. If so, please follow the steps below to fix the issue:

  • On the computer where Adaxes Web Interface is installed open the file C:\Users\All Users\Softerra\Adaxes 3\Softerra.Adaxes.Adsi.dll.config
  • Find the element <channel ref="tcp" priority="2" secure="true">
  • Add the following attribute to this element: <channel ref="tcp" priority="2" secure="true" servicePrincipalName="username@domain.com">, where username@domain.com is the username of the Adaxes Service Default Administrator (the user that was specified during the Adaxes Service installation).
  • Save the file.
  • Restart the IIS.
0

Hello,

The correct IIS authentication options for Adaxes Web Interface are as follows:

  • Anonymous Authentication: Disabled
  • ASP.NET Impersonation: Enabled
  • Basic Authentication: Disabled
  • Forms Authentication: Enabled
  • Windows Authentication: Enabled
    See this screenshot for details:

    It is important that ASP.NET Impersonation is set up to impersonate as the Authenticated user:

Make sure that the servicePrincipalName attribute is not specified in the Softerra.Adaxes.Adsi.dll.config file. If it is still there, remove it.

Restart IIS, restart your browser and try again.

Is the problem still there?
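
The settings listed in this answer can be read back from IIS instead of checked by eye in IIS Manager. The following is an added example, not part of the original thread or of Adaxes; the application path in `$AppPath` is a placeholder, and the script assumes the WebAdministration module on the web server.

```powershell
# Added example: compare the effective IIS settings of the Web Interface
# application with the values listed in the answer above.
Import-Module WebAdministration

# Placeholder: site/application that hosts the Web Interface (not from the thread).
$AppPath = 'IIS:\Sites\Default Web Site\Adaxes'

$auth = 'system.webServer/security/authentication'
$expected = @(
    @{ Setting = 'Anonymous Authentication'; Filter = "$auth/anonymousAuthentication"; Attr = 'enabled';     Want = $false }
    @{ Setting = 'Basic Authentication';     Filter = "$auth/basicAuthentication";     Attr = 'enabled';     Want = $false }
    @{ Setting = 'Windows Authentication';   Filter = "$auth/windowsAuthentication";   Attr = 'enabled';     Want = $true }
    @{ Setting = 'Forms Authentication';     Filter = 'system.web/authentication';     Attr = 'mode';        Want = 'Forms' }
    @{ Setting = 'ASP.NET Impersonation';    Filter = 'system.web/identity';           Attr = 'impersonate'; Want = $true }
    # An empty userName means "impersonate the authenticated user", not a fixed account.
    @{ Setting = 'Impersonated account';     Filter = 'system.web/identity';           Attr = 'userName';    Want = '' }
)

function Get-EffectiveValue {
    param([string]$PSPath, [string]$Filter, [string]$Attr)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Attr
    # Some attributes come back wrapped in an object with a .Value property.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v = $v.Value }
    $v
}

$report = foreach ($e in $expected) {
    $actual = Get-EffectiveValue -PSPath $AppPath -Filter $e.Filter -Attr $e.Attr
    [pscustomobject]@{
        Setting  = $e.Setting
        Expected = $e.Want
        Actual   = $actual
        Ok       = ("$actual" -eq "$($e.Want)")   # string compare covers bool, enum and empty values
    }
}

$report | Format-Table -AutoSize
```

Any row with `Ok = False` is a setting that differs from the list above; Anonymous or Basic authentication left enabled is the one to correct first.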

0

In this case, I get access refused on the first try (when I've just opened my browser).

If I enter my username and password in the form, it's OK.

0

Try to configure your web browser for Kerberos authentication.

For Internet Explorer:
Enable Integrated Windows Authentication

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Advanced tab.
  3. In the Security group, select the Enable Integrated Windows Authentication check box.
  4. Click OK and restart Internet Explorer for changes to take effect.

Add the Adaxes Web Interface to the list of local intranet sites

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, select Local Intranet, and click Sites.
  3. Click Advanced and type the address of the Adaxes Web Interface.
  4. Click Add
  5. Click Close, and then click OK two times.

Adjust Web Browser Logon Settings

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, select Local Intranet, and click Custom Level.
  3. In the User Authentication group, select Automatic logon with current username and password.
  4. Click OK two times.
0

Hello,

In this case, I get access refused on the first try (when I've just opened my browser).

It happens because Integrated Windows Authentication fails to use the Kerberos protocol and switches to the NTLM protocol. This Microsoft KB article describes your issue: https://support.microsoft.com/en-us/hel ... ion-issues

To troubleshoot this issue, first of all ensure that the account of the computer where Adaxes Web Interface is installed is trusted for delegation. For details, please see the following link: http://adaxes.com/help/UsingWebInterfac ... #id1110516

Next question: are you connecting to the Adaxes Web Interface using the actual NetBIOS name of the server or an alias name?

0

Your last question helped me! Indeed, I use a DNS alias and I had to register it as additional SPNs on the server.

I used this Microsoft guide: http://blogs.msdn.com/b/webtopics/archi ... s-7-0.aspx.
This time, everything seems to work.

However, I think you should add that ASP.NET Impersonation must be activated in the process of implementing integrated authentication. And perhaps talk about this SPN when using a DNS alias.

Anyway, thank you for your help!
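
The two checks that resolved this thread (an SPN for the DNS alias, and delegation on the web server's computer account) can be scripted. This is an added example, not code from the thread or from Adaxes: `$Alias` and `$WebServer` are placeholders, and it assumes the ActiveDirectory module and an application pool running under a built-in identity, so that the SPN belongs on the computer account.

```powershell
# Added example: check the Kerberos prerequisites discussed in this thread.
Import-Module ActiveDirectory

$Alias     = 'adaxes.example.com'   # placeholder: DNS alias typed into the browser
$WebServer = 'WEB01'                # placeholder: computer running the Web Interface

function Test-AliasKerberosReadiness {
    param([string]$Alias, [string]$WebServer)

    $spn = "HTTP/$Alias"

    # Every account that carries this SPN. Exactly one owner is needed:
    # with none, or with duplicates, the Kerberos ticket request fails
    # and Integrated Windows Authentication falls back to NTLM.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

    # TrustedForDelegation      = unconstrained delegation is enabled
    # msDS-AllowedToDelegateTo  = services allowed under constrained delegation
    $computer = Get-ADComputer -Identity $WebServer `
        -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'

    [pscustomobject]@{
        Spn                     = $spn
        OwnerCount              = $owners.Count
        Owners                  = $owners.DistinguishedName
        RegisteredOnWebServer   = ($owners.DistinguishedName -contains $computer.DistinguishedName)
        UnconstrainedDelegation = $computer.TrustedForDelegation
        ConstrainedDelegationTo = $computer.'msDS-AllowedToDelegateTo'
    }
}

$result = Test-AliasKerberosReadiness -Alias $Alias -WebServer $WebServer
$result | Format-List

if ($result.OwnerCount -eq 0) {
    # setspn -S checks for duplicates before adding the SPN.
    Write-Warning "No account owns $($result.Spn). To register it: setspn -S $($result.Spn) $WebServer"
}
elseif ($result.OwnerCount -gt 1) {
    Write-Warning "Duplicate SPN $($result.Spn); leave it on one account only."
}
```

Because a delegation-trusted web server can act as its users against other services, review `UnconstrainedDelegation` and `ConstrainedDelegationTo` whenever this configuration changes.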
