Channel: Azure Active Directory forum

Fatal exception thrown - Using OAuth2 Client to implement SSO w/ Azure Active Directory


Any help would be most appreciated - I'll really try to explain the problem and its context. Hopefully others can learn from my troubles!!! :)

My objective: Create a company wiki hosted on the cloud where employees can use their logins registered in the Azure Active Directory to access wiki resources.


The Basic Set-up:

- Cloud-hosted Azure VM w/ this image:

> https://bitnami.com/stack/mediawiki/virtual-machine
> Basically contains an apache2 web server, and an image of mediawiki

- In addition to the base image, the extension OAuth2 Client has been installed following these instructions:

> https://www.mediawiki.org/wiki/Extension:OAuth2_Client
> OAuth2 Client is built off this open-source project:
> https://github.com/thephpleague/oauth2-client

- Azure Active Directory (AD) with a registered Web app / API


The Encountered Problem: After providing the Azure Active Directory's user credentials (email and password), a `Fatal exception of type "GuzzleHttp\Exception\ConnectException"` is thrown.

Attempted in-depth problem analysis: So after attempting a login, the reply url is as such:

(note: I've randomly changed some values)

http://mywikidomain/Special:OAuth2Client/callback?code=AQABAAIAAACEfexXxjamQb3OeGQ4Gugv1Q04EA_ey_K-rj0okPNekuIB-BakV6Gq_pFBR8lfoaNJSWfK3uie9f88BM4C8vgULYulQtX9wh6LY2U0hACqr8cOz41OqbB9SQm0yqSv1Rhw7Pgri1DDwwS_DY1M1b49WR4qV2siDc_5_YmqG5MB-5xfASoTPjYHhWkN5nJ5FfIcK8KhkKGcOUeDNiTBeWZBcKIEBFVsk_pZjwQ-PFpbDRsbOrJvJGX8nuh2lJJpc00z1wrwFqMu-jVlhC7NTE1D3PZxPQEycvzi4_D7TcewyskXDTMiswr1AdYdCDTf68l8jMKpResRlu6qqWjeOIqsJNryGbPBXkA682AEyy8IiTw9KG1vB45uvh8SMLaPZEuHGsw-knUlt-gNAzMv6upc4-f3BtUe49ezFudsaMoLecKA33qvVFj2f9p9HbzbgK3KNDIJ8hcgipMpIR5__fjFe0XvABbRcVbaE4-HkIqWagfsw_GnNxIl7oxhF9H7-AVBRNAeg19gyPfwzTZmpXLH4LGQ_iZcroxdqcmfvZK3hawx1X2w5RbEo078TXYweBJ4mGMGt6RkMp5iSTv8SpGHXIuYKYfKNX__eG0X9kZN-a6QpN8ctmsvqZ_GA46d0LEF43lcw3RmKIeOc3_CL9QWiTs_hhCscxf4O2aQGugpNyAA&state=79c92d94bd9651231fw9dc06269eb1&session_state=96054b69-edab-4f5e-a583-75e83a440379

So, it is sending back an authorization token, but for some reason MediaWiki is failing to proceed to the next step and request an access token and refresh token with the newly acquired authorization token.

I've tried to check the logs in the Apache2 server, but nothing is added.

Is there a way to change that and get more error info??


Configurations/Changes made:

1. As per the OAuth2 Client instructions, I modified LocalSettings.php. Here, I'll briefly describe what information from the Azure AD I put where (<> contains a pseudo variable):

LocalSettings.php:

```php
wfLoadExtension( 'MW-OAuth2Client' );

$wgOAuth2Client['client']['id']     = <Application ID>;
$wgOAuth2Client['client']['secret'] = <Key created in AD app registration - basically a hash value>;

$wgOAuth2Client['configuration']['authorize_endpoint']    = <Azure AD OAUTH 2.0 AUTHORIZATION ENDPOINT>;
$wgOAuth2Client['configuration']['access_token_endpoint'] = <Azure AD OAUTH 2.0 TOKEN ENDPOINT>;
$wgOAuth2Client['configuration']['api_endpoint']          = <Azure App registered - App ID URI>;

// As per the OAuth2 Client instructions...
$wgOAuth2Client['configuration']['redirect_uri'] = <http://mywikidomain/Special:OAuth2Client/callback>;

// scopes not mentioned in OAuth2 Client install instructions
// Was throwing an index error if not set.
// https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
// According to the above link, when requesting an authorization code, scope is ignored and hence shouldn't matter what it is.
// Got the idea of 'user_impersonation' from the above microsoft docs link - use authorization code... -> successful response -> resource
$wgOAuth2Client['configuration']['scopes'] = 'user_impersonation';

// Defaults from OAuth2 Client, NOT sure if needed to be changed
$wgOAuth2Client['configuration']['username'] = 'username';
$wgOAuth2Client['configuration']['email']    = 'email';
```


2. As the above wasn't working, I tried to look through the source code of oauth2-client made by the phpleague to understand what was going on.

> https://github.com/thephpleague/oauth2-client

I noticed that the version that OAuth2 Client installs is version 1.4, as my code was different, and oauth2-client is up to 2.4.1, so I checked out master and pulled the new version. No success.


3. I noticed that the oauth2-client has packages developed for specific providers, including the Azure AD.

> https://github.com/thenetworg/oauth2-azure

Hence, I installed as instructed but no change. I think I have to modify some things, but I have no idea what.


Please let me know if there is any more information you need!!!
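The step the post says MediaWiki never reaches is the exchange of the returned `code` for tokens, and the extension gives no detail when that exchange dies at the network layer. The following is an added example (mine, not code from MW-OAuth2Client, thephpleague/oauth2-client or the Bitnami image) of that step in Python: it checks the `state` on the callback against the value saved in the session, builds the form body for the Azure AD v1 token endpoint, and reports a transport failure (what Guzzle raises as `ConnectException`) separately from a rejection by the token endpoint. The HTTP call is injected as `post_form(url, data) -> (status, json_dict)` so the example runs offline; the tenant, endpoint URL, client id, secret and code are placeholders, and `fake_token_endpoint` / `unreachable_endpoint` are constructed stand-ins.

```python
"""Authorization-code callback handling and code-for-token exchange.

Added example, not code from MW-OAuth2Client or thephpleague/oauth2-client.
It shows the step the post says MediaWiki never reaches (exchanging the
returned `code` for tokens) and surfaces the kind of failure the post saw
(a transport-level ConnectException) separately from provider rejections.
The HTTP transport is injected as `post_form(url, data) -> (status, json)`,
so everything runs offline; the endpoint URL, tenant and secrets below are
placeholders.
"""
import hmac
from urllib.parse import parse_qs, urlsplit


class CallbackError(Exception):
    """The redirect back from the identity provider cannot be trusted or used."""


class TokenExchangeError(Exception):
    """The code -> token exchange failed; `stage` says where it failed."""

    def __init__(self, stage, detail):
        super().__init__(f"{stage}: {detail}")
        self.stage = stage
        self.detail = detail


def parse_callback(callback_url, expected_state):
    """Validate the callback and return the authorization code.

    `state` must equal the value stored in the user's session when the
    authorize request was sent; a mismatch means the code may have been
    injected by someone else (login CSRF), so it is never exchanged.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        description = query.get("error_description", ["no description"])[0]
        raise CallbackError(f"provider returned {query['error'][0]}: {description}")
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state, expected_state):
        raise CallbackError("state mismatch: discarding authorization code")
    code = query.get("code", [""])[0]
    if not code:
        raise CallbackError("no authorization code in callback")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri, resource=None):
    """Form body for the authorization_code grant at the Azure AD v1 token endpoint.

    `redirect_uri` must be exactly the value used in the authorize request,
    and `resource` is the v1 identifier of the API being called (the post's
    App ID URI); both are common causes of a rejected exchange.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if resource:
        body["resource"] = resource
    return body


def exchange_code(token_endpoint, body, post_form):
    """POST the exchange and classify failures by stage.

    A transport error (DNS, refused connection, timeout: what Guzzle reports
    as ConnectException) points at outbound connectivity or proxy settings
    on the web server; an HTTP error points at the client configuration.
    """
    try:
        status, payload = post_form(token_endpoint, body)
    except OSError as exc:
        raise TokenExchangeError("transport", f"could not reach {token_endpoint}: {exc}") from exc
    if status != 200:
        raise TokenExchangeError(
            "token_endpoint",
            f"HTTP {status} {payload.get('error')}: {payload.get('error_description')}",
        )
    for required in ("access_token", "token_type"):
        if required not in payload:
            raise TokenExchangeError("response", f"missing {required} in token response")
    return payload


# Constructed stand-ins for the token endpoint so the example runs offline.
def fake_token_endpoint(url, data):
    """Accepts one placeholder code/secret pair, rejects everything else."""
    if data.get("client_secret") != "s3cret-placeholder":
        return 401, {"error": "invalid_client", "error_description": "bad client secret"}
    if data.get("code") != "AQAB-placeholder-code":
        return 400, {"error": "invalid_grant", "error_description": "unknown code"}
    return 200, {"access_token": "eyJ-placeholder", "token_type": "Bearer",
                 "expires_in": 3599, "refresh_token": "rt-placeholder"}


def unreachable_endpoint(url, data):
    """Models the VM having no route to the identity provider."""
    raise ConnectionRefusedError(f"{url}: connection refused")
```

Against the real endpoint, `post_form` would wrap something like `requests.post(url, data=data)` and return `(r.status_code, r.json())`. A failure in the `transport` stage means the web server could not open a connection to the token endpoint at all; in that case the extension's configuration is not the first thing to check, outbound HTTPS from the VM is (DNS resolution, firewall or NSG rules, an HTTP proxy that Guzzle has not been told about). A failure in the `token_endpoint` stage carries Azure AD's `error` and `error_description`, which is exactly the detail the Apache log does not show.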



UnsupportedAuthorityValidation | Error when configuring the sample code to use my own Azure AD B2C tenant

I am referring to the link https://azure.microsoft.com/en-in/resources/samples/active-directory-b2c-javascript-msal-singlepageapp/. It works fine for me with the sample tenant, but when I try to use my own tenant it throws an UnsupportedAuthorityValidation error. All my details, i.e. Client ID, Authority, B2C Scopes and webApi, are correct and verified. Any help would be much appreciated.

Azure Portal: access denied while registered as Application Owner


Hi,

I'm unable to login on the Azure Portal, I get an Access Denied error. I'm not a global admin, but I am registered as an Application Owner for one of the Azure AD applications. I'm assuming this should entitle me to access this application in the portal. Why am I denied access?


Azure AD Connect / Sync: Remove local domain remnants


Hello,

I am a bit unsure how to explain our problem properly; please excuse some lack of clarity.

We have been early adopters of Azure AD Connect / Sync. In our case we had a non-routable local domain synchronized to Azure AD. All our Azure AD users have been created by the sync service, besides the initial Azure AD admin.

In the beginning with Azure AD Sync it was not a requirement to create an alternative UPN suffix locally in the case of a non-routable local domain; we could assign the verified domain to the user login afterwards in Azure AD. We also had a proxy SMTP address for each user defined in our local AD, which mapped to the verified domain in Azure AD, but I think this is not relevant.

Now we are in the process of migrating all our local resources to Azure services; for this we have disabled and uninstalled Azure AD Connect DirSync. At the moment we are joining our local computers to Azure AD. This gives us the possibility to log on to our computers with our Azure AD user accounts. This is working fine, but after a successful login, the user is still logged on as <localdomain\user.name>.

I get to this conclusion, because:

1. the newly created profile folder in windows after the first login via Azure AD is named as <user.name.localdomain>
2. the cmd command whoami  returns <localdomain\user.name>
3. as example, in sql server management studio, in case of a connection to a server with windows credentials, the prefilled user credentials are also specified as <localdomain\user.name>

But I am not able to find any of these local domain remnants in the Azure AD portal or with the MS Graph explorer. There, the user UPN is correctly named <user.name@verifiedazureaddomain.com> and I haven't found any other remnants of our local domain.

Does someone have more information regarding this problem? We would like to get completely rid of all our old domain remnants in Azure AD.

Thank you in advance,
F.Brem

Azure Active Directory name and Account status after ADDS Integration.


Hello World,

Newbie to Azure here. We run an on prem ADDS that is Server 2008 native in a 2012 Windows server.

We want to use AAD with Enable seamless sign on with PTA using password hash sync (not ADFS). Eventually we want to use this for Office 365 and other cloud services.

Our current on prem AD domain is called cok.xxxx.ca and our main website is xxxxx.ca. I was reading an article on AAD prerequisites and they recommend adding a custom domain name using the Azure Active Directory portal https://docs.microsoft.com/en-ca/azure/active-directory/fundamentals/add-custom-domain

If I have to register one, what should I name the AAD domain (recommended) to enable seamless sign-on with PTA? (I want users to log in using their corporate email address and password for Office 365 and other cloud services.)


Also, MS helped us set up our current subscription in Azure, which is probably linked to our support agreement. I use my first.lastname@xxxx.ca address to log in. However, when I log in I select it as my personal email address. The system will not allow me to log in if I select that this is my work email address.

If I get AAD Connect and the sync functionality working successfully, then when I sync the on-prem AD with AAD, how will the system handle the email address conflict (as my AD password is separate from the current Azure password, but the email address/username is the same)?


Azure AD PIM - disable/remove


I'm struggling to find any documentation on this.

Is there a correct procedure for back-out/removal/de-activation of PIM (ie decide not to use after activation, trial license expires etc).

B2C MFA options

I've seen that Azure AD B2C only supported MFA via SMS back in 2017. The docs say it integrates with Azure MFA. So does this mean it's now possible to use SMS, phone, and Authenticator app as MFA methods for B2C?

How do I use the G Suite provisioning in Azure AD? User accounts are in G Suite


Hi,

I want to link another organization's users to my Azure AD. The other organization's accounts are in G Suite. How can I make use of the G Suite provisioning in Azure AD? Do I have to export the federation metadata from G Suite to Azure AD? I do not find an option in Azure to do this. Any help is greatly appreciated.


Bitlocker key mismatch


Hi

I have a drive encrypted with BitLocker, and I have needed to go through Startup Repair. The first time I used the BitLocker key and it worked. I ran System Restore, which crashed out and said the restore point had become corrupted, so I booted back into Startup Repair and tried the same BitLocker key, which now does not work. The recovery window shows me the BitLocker ID, which is different; when looking in Azure AD against the user next to Devices, I can see that this code is the computer ID.

The Bitlocker KeyID and recovery ID at the bottom of this page are the ones I have been trying.

I don't understand why the identifier ID would have changed. Any advice will be greatly appreciated.

Sign In Logs not coming to Storage account despite having P2 Trial


Hi,

I am having trouble receiving the sign-in logs of Azure Active Directory in a storage account through the Azure Active Directory Diagnostic Settings. I enabled the P2 trial license and then configured the storage account to get sign-in logs as well, but they are not coming. I have also tried disabling and then enabling again after some time, but nope. Could you please check?

Directory ID -- 2dfc6a32-d03c-4504-8d69-f08da326f294

Any idea what is happening?

Thanks,

Pranav

azure ad connect installation

I am unable to complete the installation of Azure AD Connect. It keeps failing during the installation of Microsoft SQL Server Express LocalDB. Please do assist.

How can I get the app name from the app id with C#?


I have a Web API which is used by many applications. Now, for analytics purposes, I need the name of the app which is calling my Web API.

All applications which are calling my Web API are registered in AAD. All clients call my Web API with an application-generated token. I can get the app id from the claims.

I had a solution, but I don't want to maintain an appid-appname mapping in my config file, as these will change from environment to environment and it is hard to maintain for a growing number of clients.
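Rather than maintaining an appid-to-name table per environment, the name can be looked up in the directory and cached. The following is an added example (mine, not the poster's Web API code) in Python: it reads the calling application's id from the validated token's claims (`appid` in Azure AD v1 tokens, `azp` in v2 tokens) and resolves it through an injected lookup with a TTL cache. It assumes the API's authentication middleware has already validated the bearer token (signature, issuer, audience, expiry) and exposes its claims as a dict; in production the lookup would be a Microsoft Graph request, `GET /v1.0/servicePrincipals?$filter=appId eq '<app id>'`, made with an app-only token and reading `displayName` (the Azure AD Graph API the post uses has its own servicePrincipals collection with the same information). The directory contents, ids and the resolver class name here are constructed.

```python
"""Resolve the calling application's display name from its app id claim.

Added example, not code from the post's Web API. It assumes the bearer token
has already been validated by the API's authentication middleware (signature,
issuer, audience, expiry) and that its claims are available as a dict. The
directory lookup is injected: in production it would be a Microsoft Graph
call, GET /v1.0/servicePrincipals?$filter=appId eq '<app id>', made with an
app-only token and reading `displayName`, which replaces the per-environment
appid -> name config file from the post. The directory contents below are
constructed.
"""
import time


class AppNameResolver:
    """Caches app id -> display name so analytics does not hit the directory per request."""

    def __init__(self, lookup, ttl_seconds=3600, clock=time.monotonic):
        self._lookup = lookup        # lookup(app_id) -> display name, or None if unknown
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}             # app_id -> (display_name, expires_at)

    @staticmethod
    def calling_app_id(claims):
        """Azure AD v1 tokens carry the client's app id in `appid`, v2 tokens in `azp`."""
        app_id = claims.get("appid") or claims.get("azp")
        if not app_id:
            raise ValueError("token carries no application id claim")
        return app_id

    def resolve(self, claims):
        """Return the display name for the app that presented these claims, or None."""
        app_id = self.calling_app_id(claims)
        now = self._clock()
        cached = self._cache.get(app_id)
        if cached is not None and cached[1] > now:
            return cached[0]
        name = self._lookup(app_id)
        if name is None:
            # Unknown app id is not cached: a registration created after this
            # point would otherwise stay invisible until the TTL expires.
            return None
        self._cache[app_id] = (name, now + self._ttl)
        return name


# Constructed directory standing in for the tenant's service principals.
CONSTRUCTED_DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": "Billing Portal (constructed)",
    "22222222-2222-2222-2222-222222222222": "Nightly Report Job (constructed)",
}


def constructed_graph_lookup(app_id):
    """Stand-in for the Graph servicePrincipals query; returns displayName or None."""
    return CONSTRUCTED_DIRECTORY.get(app_id)
```

Key the analytics on the app id rather than on the resolved name: display names are mutable and not unique within a tenant, so the name is for reporting only. Unknown ids are deliberately not cached, so a client registered after the service started shows up on its next call instead of after the TTL.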

how to get token using Microsoft oAuth2 authentication using Java


We are using Java and Rest Assured to test an API. Our APIs use Microsoft integrated login with OAuth2 authentication.

In order to test the APIs we need to get a token and use the token in the automation suite.

We are using the below code with the Rest-Assured libraries to get the token, but are receiving a 302 status code.

How do I get a token using OAuth2 from Rest-Assured/Java, or only from Java?

```java
int status = RestAssured.given()
        .relaxedHTTPSValidation()
        .redirects().follow(false)
        .param("Auth URL", AUTHORITY1)
        .param("Access Token URL", ACCESSURL)
        .param("Client ID", CLIENT_ID)
        .param("Client Secret", CS)
        .param("Scope", "read")
        .param("Grant Type", "Client Credentials")
        .auth().preemptive().basic(UN, PSSWD)
        .when()
        .get(URL)
        .statusCode();
```

ATDD automation developer

Username not email address using Resource Owner Password Credentials in Azure AD B2C


I wonder if it is possible to use username like `john.smith` instead of `john.smith@myfirm.com` in Resource Owner Password Credentials in Azure AD B2C.

https://docs.microsoft.com/en-gb/azure/active-directory-b2c/configure-ropc

For example like below:

```
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_ROPC_Auth
Content-Type: application/x-www-form-urlencoded

username=john.smit&password=mypassword&grant_type=password&scope=openid myappId offline_access&client_id=myappId&response_type=token+id_token
```

All users are my firm's employees. We will import user data into Azure AD before using B2C.


Ideally, we don't want to append @myfirm.com before sending it to B2C.

Any idea?

    

Exchange Online Legacy Authentication - Caching


Hi, this is an update to #6293 and https://blogs.technet.microsoft.com/exchangeteamjp/2017/10/27/authentication-cache-for-exchange-online-and-outlook-2/

Can you please provide additional information about how Basic Auth is cached between Exchange, Azure AD and the STS (ID provider)?

How does Exchange know when to use the cache? Does Exchange hash the password (eg same hash = allow)? Does Exchange restrict the use of the cached value to the same IP address? Or is the IP address not used (which would bypass any IP address rules on the STS)?


-Michael


Create Azure Active Directory, database schema and populate user data


I have an on-premises database, and I need to use Azure AD B2C. AD B2C needs to use data from the on-premises database.

So one way to implement it is to create a new Azure AD from the on-premises database.

The question is: how should I go about creating a new Azure AD, importing the database schema into the new Azure AD, and populating user data?

Is my thinking above correct?


When setup, we migrate data first, then after migration, we need a sync job to sync the data maybe once every few hours (not sure the interval yet). 

Azure Service Principal Roles Assigned To is returning empty


I have an Azure Web App registered in Azure AD and I defined a few roles in the App Registration manifest. Then I assigned some AD Groups and Users to those Roles.

Now I'm trying to get the list of objects and users assigned to each App role. I'm trying both programmatically (.NET C#) and PowerShell. In both cases, RolesAssignedTo returns empty.

Any ideas?

In PowerShell I'm using Get-AzureADServiceAppRoleAssignedTo

In C# I'm using AAD Graph API and I'm able to get the Service Principal object where I see the Roles definitions but the AssignedTo is empty.

Has anyone tried something like this?

Thanks!



How do I create service Accounts in Azure?

I'm coming from Google Cloud Platform, and have been used to creating service agents, essentially user accounts to grant permissions/access that I specify to non human actors, so they can view/modify resources/attributes. I have been exploring Azure all evening and can't quite find something similar to that. Can anyone suggest Azure services or keywords I should do some reading on so I figure out how to implement similar identity and access in Azure?

Removing Azure AD registration from AAD and the PC?


I've noticed that when using the AAD portal to remove AD-registered Win10 PCs, it only removes them from AAD and doesn't touch the PC. That is, if you look at the PC later, even after a reboot, you'll still see it as "Connected to an Azure AD." It really isn't, though, so you have to disconnect it using the Win10 UI (Settings, Accounts, Access work or school).

Is there a better way?  Perhaps a Powershell command or something?  Once in a while, you'll be on a build of Win10 where, because of a bug, attempting to remove it from the UI doesn't even work, so it's doubly annoying then.

Azure DevOps Permissions and Access

Hi,

I gave a user Basic access and Project Reader permission; as he is a Project Reader, he should only be able to view or read. But he is able to create Boards, work items and user stories? I wonder how this can be possible if he is a Project Reader.

Samanthula Prithivraj


