0 votes

Hello,

I have enabled the auto logon option and provided I use http://localhost/AdaxesAdmin things are fine, but if I use the FQDN of the server or 127.0.0.1 then I get a Kerberos prompt and then Access is Denied and the SignIn.aspx screen. I can then log in if I put in username and password.

I have checked the web.config and computer delegation settings, but in IIS I noticed the error "Challenge-based and login redirect-based authentication cannot be used simultaneously". If I disable the Forms Authentication this error goes away, but it still doesn't work.

Thank you in advance for any help.

by (390 points)

1 Answer

0 votes
by (215k points)

Hello,

I have checked the web.config and computer delegation settings, but in IIS I noticed the error "Challenge-based and login redirect-based authentication cannot be used simultaneously". If I disable the Forms Authentication this error goes away, but it still doesn't work.

Please ignore the error and enable the Forms Authentication.

The reason for your issue is that your browser is not configured for Single Sign-On. For information on how to configure your browser, see Single Sign-On Browser Configuration.

0

I know that, but why doesn't it work with the browser login box?

Ultimately I am accessing Adaxes via a reverse-proxy that does the authentication for me and then passes the credentials on via Kerberos/NTLM, but that isn't working yet.

If I access the web site from a browser without the configuration I get a popup for username/password, but then get the Access Denied and the forms. I suspect if that was working my proxy would work also.

0

The fact that the browser dialog box appears means that the browser is not using Kerberos, and the NTLM authentication mechanism is used instead. NTLM authentication is not supported. If you configure your browser for Single Sign-On per the instructions above, you will actually enable it to use Kerberos for Adaxes Web interface instead of NTLM.

So, if your reverse proxy supports passing credentials using Kerberos, we don't see any issues; this should work.

0

Ok, thanks. The proxy is using Kerberos Constrained Delegation and I can see in the IIS logs the username in the requests, however I am still redirected to the SignIn form. Perhaps what I am attempting is not going to work....

0

We didn't test Adaxes Web Interface with web proxies; however, the Web Interface uses the standard built-in IIS mechanism for Windows Authentication. Any documentation that you find for enabling and configuring IIS Windows Authentication with your reverse proxy will be applicable to Adaxes Web interface.

0

Further confusion based on your reply....

If I add the FQDN of the web interface server into Trusted Sites Zone, but leave the Logon option set to "Automatic Logon only in Intranet Zone", then I get the browser popup for username/password and can log in as any user which is what I want.

If I set the Logon option to "Automatic logon with current user name and password" it logs me on as the user I am logged into Windows as (as you would expect).

If I remove the FQDN from Trusted Sites Zone, the popup username/password appears, but I then get the "Access is denied" and the Sign In page....

Thanks

0

It looks like the computer where Adaxes Web interface is installed is not treated by your browser as the intranet zone. In this case, Kerberos cannot be used, and the browser tries to authenticate using NTLM.

When you add the computer to the Trusted Sites Zone, a request to perform a Kerberos handshake is received from the Web Interface, and your browser prompts for credentials to be used for Kerberos authentication.

When you enable the Automatic logon with current user name and password option, the browser tries to log in via Kerberos with the current Windows session credentials.
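To check which mechanism a browser or reverse proxy is actually presenting, the `Authorization` header it sends can be decoded. The following is an added example, not code from this thread or from Adaxes: it classifies a header value as raw NTLM or as a SPNEGO token and lists the mechanisms the SPNEGO token offers. The function names and sample headers are constructed for illustration.

```python
import base64

# DER-encoded OID values of the GSS-API mechanisms used by HTTP Negotiate.
SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
NTLM = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NAMES = {KRB5: "Kerberos", MS_KRB5: "Kerberos", NTLM: "NTLM"}

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify(header_value):
    """Return (mechanism, detail) for an HTTP Authorization header value."""
    encoded = header_value.strip().partition(" ")[2]
    try:
        token = base64.b64decode(encoded, validate=True)
        if token.startswith(b"NTLMSSP\x00"):  # raw NTLM, even under "Negotiate"
            # detail is the message type: 1 negotiate, 2 challenge, 3 authenticate
            return ("NTLM", int.from_bytes(token[8:12], "little"))
        if token[:1] != b"\x60":  # not a GSS-API initial context token
            return ("unknown", None)
        body = read_tlv(token)[1]
        _, oid, pos = read_tlv(body)  # outer mechanism OID
        if oid != SPNEGO:
            return (NAMES.get(oid, "unknown"), None)
        mech_list = body[pos:]
        for _ in range(4):  # unwrap [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
            mech_list = read_tlv(mech_list)[1]  # tags are not validated here
        offered, pos = [], 0
        while pos < len(mech_list):
            _, oid, pos = read_tlv(mech_list, pos)
            offered.append(NAMES.get(oid, oid.hex()))
        return ("SPNEGO", offered)  # offered[0] is the client's preferred mechanism
    except (ValueError, IndexError):  # bad base64 or truncated DER
        return ("invalid", None)

def der(tag, value):  # short-form DER encoder, used only to build the samples
    return bytes([tag, len(value)]) + value

# Constructed samples, not captured traffic.
_mechs = der(0x30, der(0x06, KRB5) + der(0x06, NTLM))
_init = der(0xA0, der(0x30, der(0xA0, _mechs)))
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + _init)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + bytes([1, 0, 0, 0]) + bytes(4)).decode()
```

A token that begins `TlRMTVNT` after the scheme name is NTLM regardless of whether the scheme says `Negotiate` or `NTLM`.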
