0 votes

Hello,

I've got a problem with Windows Authentication in the web interface.
When I am using Form Authentication, there is no problem.
If I change to Windows Authentication, I am correctly identified and logged in, but after that I don't have any permissions on AD, even to read.
Screenshots will be better than my English...

Thanks for your help
Yoann HAMON

Windows authentication :
(Windows authentication)
Form authentication :
(Form authentication)

by (180 points)

1 Answer

0 votes
by (215k points)

Hello

It looks like your Adaxes Web Interface and Adaxes Service are installed on different computers. If so, please follow the steps below to fix the issue:

  • On the computer where Adaxes Web Interface is installed, open the file C:\Users\All Users\Softerra\Adaxes 3\Softerra.Adaxes.Adsi.dll.config
  • Find the element <channel ref="tcp" priority="2" secure="true">
  • Add the following attribute to this element: <channel ref="tcp" priority="2" secure="true" servicePrincipalName="username@domain.com">, where username@domain.com is the username of the Adaxes Service Default Administrator (the user that was specified during the Adaxes Service installation).
  • Save the file.
  • Restart IIS.
0

Hello,

The correct IIS authentication options for Adaxes Web Interface are as follows:

  • Anonymous Authentication: Disabled
  • ASP.NET Impersonation: Enabled
  • Basic Authentication: Disabled
  • Forms Authentication: Enabled
  • Windows Authentication: Enabled
    See this screenshot for details:

    It is important that ASP.NET Impersonation is set up to impersonate as the Authenticated user:

Make sure that the servicePrincipalName attribute is not specified in the Softerra.Adaxes.Adsi.dll.config file. If it is still there, remove it.

Restart IIS, restart your browser and try again.

Is the problem still there?

0

In this case, I have a refused access on first try (when I've just opened my browser).

If I insert my username and password in forms, it's OK.

0

Try to configure your web browser for Kerberos authentication.

For Internet Explorer:
Enable Integrated Windows Authentication

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Advanced tab.
  3. In the Security group, select the Enable Integrated Windows Authentication check box.
  4. Click OK and restart Internet Explorer for changes to take effect.

Add the Adaxes Web Interface to the list of local intranet sites

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, select Local Intranet, and click Sites.
  3. Click Advanced and type the address of the Adaxes Web Interface.
  4. Click Add.
  5. Click Close, and then click OK two times.

Adjust Web Browser Logon Settings

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, select Local Intranet, and click Custom Level.
  3. In the User Authentication group, select Automatic logon with current username and password.
  4. Click OK two times.
0

Hello,

"In this case, I have a refused access on first try (when I've just opened my browser)."

It happens because Integrated Windows Authentication fails to use the Kerberos protocol and switches to the NTLM protocol. This Microsoft KB article describes your issue: https://support.microsoft.com/en-us/hel ... ion-issues

To troubleshoot this issue, first of all ensure that the account of the computer where Adaxes Web Interface is installed is trusted for delegation. For details, please see the following link: http://adaxes.com/help/UsingWebInterfac ... #id1110516

Next question, are you connecting to the Adaxes Web Interface using the actual NetBIOS name of the server or an alias name?

0

Your last question helped me! Indeed, I use a DNS alias and I had to register it as additional SPNs on the server.

I used this Microsoft guide: http://blogs.msdn.com/b/webtopics/archi ... s-7-0.aspx.
This time, everything seems to work.

However, I think you should add that ASP.NET Impersonation must be activated in the process of implementing integrated authentication. And perhaps talk about this SPN when using a DNS alias.

Anyway, thank you for your help!
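
The checks discussed in this thread, collected into one read-only audit script. This is an added example, not part of the original posts or of Adaxes' own tooling; the IIS application path and the DNS alias are assumed placeholders, and the delegation check assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Run in an elevated PowerShell session on the Web Interface server.
# Assumed placeholders, not values from the thread:
$SitePath = 'IIS:\Sites\Default Web Site\Adaxes'  # assumed IIS application path
$Alias    = 'adaxes.example.com'                  # assumed DNS alias typed in the browser

Import-Module WebAdministration

function Get-Setting($Filter, $Name) {
    # Effective value of one configuration attribute at the application path.
    $p = Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name $Name
    if ($null -ne $p.Value) { $p.Value } else { $p }
}

# Expected values are the IIS options listed in the answer above.
$auth   = 'system.webServer/security/authentication'
$checks = @(
    @{ Label = 'Anonymous Authentication'; Filter = "$auth/anonymousAuthentication"; Name = 'enabled';     Want = $false }
    @{ Label = 'Basic Authentication';     Filter = "$auth/basicAuthentication";     Name = 'enabled';     Want = $false }
    @{ Label = 'Windows Authentication';   Filter = "$auth/windowsAuthentication";   Name = 'enabled';     Want = $true }
    @{ Label = 'Forms Authentication';     Filter = 'system.web/authentication';     Name = 'mode';        Want = 'Forms' }
    @{ Label = 'ASP.NET Impersonation';    Filter = 'system.web/identity';           Name = 'impersonate'; Want = $true }
    # An empty userName means "impersonate the Authenticated user".
    @{ Label = 'Impersonation userName';   Filter = 'system.web/identity';           Name = 'userName';    Want = '' }
)
foreach ($c in $checks) {
    $actual = Get-Setting $c.Filter $c.Name
    $state  = if ("$actual" -eq "$($c.Want)") { 'OK' } else { 'MISMATCH' }
    '{0,-26} expected=[{1}] actual=[{2}] {3}' -f $c.Label, $c.Want, $actual, $state
}

# The later answer says servicePrincipalName must not be set in this file.
$cfg = 'C:\Users\All Users\Softerra\Adaxes 3\Softerra.Adaxes.Adsi.dll.config'  # path from the thread
if (Select-String -Path $cfg -Pattern 'servicePrincipalName' -Quiet) {
    'MISMATCH: servicePrincipalName is still present in the channel configuration'
}

# Is an HTTP SPN registered for the alias? Without one, browsers fall back to NTLM.
setspn -Q "HTTP/$Alias"

# Delegation settings of this server's computer account (needs the ActiveDirectory module).
# TrustedForDelegation covers unconstrained delegation; the second attribute lists
# constrained delegation targets, if any.
Get-ADComputer $env:COMPUTERNAME -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
```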
