0 votes

Hello,

I've got a problem with Windows Authentication in web interface.
When I am in Form Authentication, there is no problem.
If I change to Windows Authentication, I am correctly identified and logged in, but after that I don't have any permission on AD, not even to read.
Screenshots will be better than my English...

Thanks for your help
Yoann HAMON

Windows authentication: (screenshot: Windows authentication)
Form authentication: (screenshot: Form authentication)

by (180 points)

1 Answer

0 votes
by (216k points)

Hello

It looks like your Adaxes Web Interface and Adaxes Service are installed on different computers. If so, please follow the steps below to fix the issue:

  • On the computer where Adaxes Web Interface is installed, open the file C:\Users\All Users\Softerra\Adaxes 3\Softerra.Adaxes.Adsi.dll.config
  • Find the element <channel ref="tcp" priority="2" secure="true">
  • Add the following attribute to this element: <channel ref="tcp" priority="2" secure="true" servicePrincipalName="username@domain.com">, where username@domain.com is the username of the Adaxes Service Default Administrator (the user that was specified during the Adaxes Service installation).
  • Save the file.
  • Restart IIS.
0

Hello,

Adaxes Web Interface and Adaxes Service are both installed on the same computer.
I simply configured IIS to use HTTPS, and I changed the names of the web interfaces.
Anyway, your solution solved the problem, everything works fine now.

Thanks a lot

0

everything works fine now.

Not really in fact...

Now the web interface ignores the security roles, even access denials, that I defined in the Administration Console.
I am indeed logged in with my own user account, but I think that everything is done as the Adaxes Service Default Administrator.

0

Hello,

Please, make sure that your user account is not in the list of the Adaxes service administrators. Service administrators have unrestricted access privileges, and Security Roles are not applied to them.

To view the list of service administrators, do the following:

  1. Launch the Adaxes Administration Console.
  2. Right-click the service for which you want to see the list of administrators.
  3. Click Properties in the context menu.
  4. Click the Administrators tab.
0

Hi,

No, there is only one account in the Adaxes service administrators: the account with which the service "Softerra Adaxes Service" is started and that I inserted in the Softerra.Adaxes.Adsi.dll.config file.

0

Hello,

Please make sure that the option ASP.NET Impersonation is enabled for the corresponding Web Application. To do this, follow the steps below:

  • Launch Internet Information Services (IIS) Manager from Control Panel -> Administrative Tools.
  • In the Console Tree, expand the server that hosts the Adaxes Web Interface, and then expand Sites.
  • Expand the web site for the Adaxes Web Interface.
  • Click the virtual directory for the Adaxes Web Interface type you need.
  • In the center window frame, double-click Authentication.
  • Select the option ASP.NET Impersonation, and then click Enable. See the screenshot for details.

Please note that you don't need to specify the servicePrincipalName attribute in the Softerra.Adaxes.Adsi.dll.config file if both Adaxes Web Interface and Adaxes Service are installed on the same computer.

0

So, to summarize:
1. If I don't specify the servicePrincipalName attribute in the Softerra.Adaxes.Adsi.dll.config file WITHOUT ASP.NET Impersonation enabled, I go back to the first problem.
2. If I don't specify the servicePrincipalName attribute in the Softerra.Adaxes.Adsi.dll.config file WITH ASP.NET Impersonation enabled, I get this:

IE asks for authentication 3 times and then displays error 401.
IIS config: (screenshot)

3. If I make this IIS configuration with the Adaxes administrator account:

Logging in to the web interface works, but the security roles are not applied. Same as when I specify the servicePrincipalName attribute in the Softerra.Adaxes.Adsi.dll.config file.

0

Hello,

The correct IIS authentication options for Adaxes Web Interface are as follows:

  • Anonymous Authentication: Disabled
  • ASP.NET Impersonation: Enabled
  • Basic Authentication: Disabled
  • Forms Authentication: Enabled
  • Windows Authentication: Enabled

See this screenshot for details:

It is important that ASP.NET Impersonation is set up to impersonate as the Authenticated user:

Make sure that the servicePrincipalName attribute is not specified in the Softerra.Adaxes.Adsi.dll.config file. If it is still there, remove it.

Restart IIS, restart your browser and try again.

Is the problem still there?

0

In this case, I get an access denied on the first try (when I've just opened my browser).

If I enter my username and password in the form, it's OK.

0

Try configuring your web browser for Kerberos authentication.

For Internet Explorer:
Enable Integrated Windows Authentication

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Advanced tab.
  3. In the Security group, select the Enable Integrated Windows Authentication check box.
  4. Click OK and restart Internet Explorer for changes to take effect.

Add the Adaxes Web Interface to the list of local intranet sites

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, select Local Intranet, and click Sites.
  3. Click Advanced and type the address of the Adaxes Web Interface.
  4. Click Add.
  5. Click Close, and then click OK two times.

Adjust Web Browser Logon Settings

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, select Local Intranet, and click Custom Level.
  3. In the User Authentication group, select Automatic logon with current username and password.
  4. Click OK two times.
0

Hello,

In this case, I get an access denied on the first try (when I've just opened my browser).

It happens because Integrated Windows Authentication fails to use the Kerberos protocol and switches to the NTLM protocol. This Microsoft KB article describes your issue https://support.microsoft.com/en-us/hel ... ion-issues

To troubleshoot this issue first of all ensure that the account of the computer where Adaxes Web Interface is installed is trusted for delegation, for details please see the following link: http://adaxes.com/help/UsingWebInterfac ... #id1110516

Next question, are you connecting to the Adaxes Web Interface using the actual NetBIOS name of the server or an alias name?

0

Your last question helped me! Indeed, I use a DNS alias, and I had to register it as additional SPNs on the server.

I used this Microsoft guide: http://blogs.msdn.com/b/webtopics/archi ... s-7-0.aspx.
This time, everything seems to work.

However, I think you should add that ASP.NET Impersonation must be activated in the process of implementing integrated authentication. And perhaps talk about this SPN when using a DNS alias.

Anyway, thank you for your help!
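The checks this thread converged on (the IIS authentication settings the vendor listed, impersonation as the authenticated user, and HTTP/ SPNs for the DNS alias) can be verified in one place. This is an added PowerShell example, not code from the thread or from Adaxes; the site name, alias and SPN account are assumptions to adjust.

```powershell
# Added example (not from the thread). Assumptions to adjust for your environment:
$SiteName   = 'Default Web Site'      # assumed IIS site hosting the Adaxes Web Interface
$AliasFqdn  = 'adaxes.corp.example'   # assumed DNS alias (CNAME) that users browse to
$SpnAccount = "$env:COMPUTERNAME$"    # assumed: the account IIS presents for Kerberos is
                                      # the computer account (default kernel-mode auth)

Import-Module WebAdministration
$psPath = "IIS:\Sites\$SiteName"

# 1. IIS authentication modules, as listed in the answer above.
$auth = 'system.webServer/security/authentication'
$expected = @{
    "$auth/anonymousAuthentication" = $false
    "$auth/basicAuthentication"     = $false
    "$auth/windowsAuthentication"   = $true
}
foreach ($filter in $expected.Keys) {
    $enabled = (Get-WebConfigurationProperty -Filter $filter -Name enabled -PSPath $psPath).Value
    $state = if ($enabled -eq $expected[$filter]) { 'OK ' } else { 'FIX' }
    "{0} {1,-24} enabled={2}" -f $state, $filter.Split('/')[-1], $enabled
}

# 2. ASP.NET impersonation lives in system.web/identity. An empty userName means
#    "impersonate the authenticated user"; a fixed account there is exactly the
#    symptom in the thread (every request runs as that account, roles ignored).
$identity = Get-WebConfiguration -Filter 'system.web/identity' -PSPath $psPath
$impOk = $identity.impersonate -and [string]::IsNullOrEmpty($identity.userName)
$state = if ($impOk) { 'OK ' } else { 'FIX' }
"{0} impersonate={1} userName='{2}'" -f $state, $identity.impersonate, $identity.userName

# 3. SPNs. Kerberos needs HTTP/<name the browser actually uses> on $SpnAccount;
#    a DNS alias gets no SPN automatically, so clients silently fall back to NTLM
#    and the first request is refused, as seen above.
$shortAlias = $AliasFqdn.Split('.')[0]
$needed = @("HTTP/$AliasFqdn", "HTTP/$shortAlias")
$registered = (setspn -L $SpnAccount) | ForEach-Object { $_.Trim() } |
              Where-Object { $_ -like 'HTTP/*' }
foreach ($spn in $needed) {
    if ($registered -contains $spn) { "OK  $spn is registered on $SpnAccount" }
    else { "FIX $spn missing; register with: setspn -S $spn $SpnAccount" }
}

# 4. A duplicate SPN anywhere in the domain also breaks Kerberos; -X reports them.
setspn -X | Select-String -Pattern 'HTTP/' -Context 0, 1
```

Run it in an elevated PowerShell on the web server; every line tagged FIX corresponds to one of the failure modes described in the thread.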
