DNNCommunity / DNN.ActiveDirectory

Active Directory authentication for DNN
MIT License

Auto login and Windows Security popup #84

Closed TineHorvat closed 2 years ago

TineHorvat commented 2 years ago

Please summarize your question in one sentence

If "Enable Auto Login" is enabled, the user gets a browser popup with Windows security. If a valid AD combination is entered, the user gets auto-logged in and everything works until you close the browser and access the website the next time (or clean cookies for the entire website).

Give a more extended description

Using DNN.ActiveDirectory plugin version 7.2.0 and DNN 9.10.0, I set all the settings in the Wiki for IIS 7.0+ and ran the "unlock" commands. Looking at issue #72, I also tried to set the permissions on the file; nothing has worked so far. The server is Windows 10 Pro with IIS 10.0. I have installed the Windows Auth module in IIS.

The module otherwise works OK; mixed login works as expected. If I disable the AutoLogin option and switch to Windows login on the login page, you can log in normally with your AD credentials, so it must be something with the permissions on the WindowsSignin.aspx file. Not sure what else I am missing or doing wrong. I am accessing the login from the server and also from computers on the local network within the same AD network, and I get the popup in both cases. I've also played around with the IP filters, with no luck. I've also tried to set permissions for the file to Everyone with full access, with no luck. I also tried to set permissions for my current AD user and also set it to the AD\All users group, still no luck. What else am I still missing?

I also enabled Debug mode, but I'm not sure where any logs are stored for AD module. I've set the Log4Net level to ALL but still no useful info about the login process.

Steps to reproduce (if needed)

If I set Auto login to true and the user opens http://site.local, he is redirected to http://site.local/DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx?portalid=0 and a popup opens. If I enter my AD credentials, the user gets logged in normally and everything works from there. But if I switch browser from Chrome to Edge, the process is the same.

Other comments or remarks

What else can I check or where to look, why I'm getting the first popup prompt? Thanks for any ideas or advice!

TineHorvat commented 2 years ago

Does anyone have an idea where I should look for more details on what's wrong and what permissions are missing? I've been lost for days now. Is there any way to debug the access/permissions to the file on system level?

Really appreciate any help or tips! Cheers

sawest commented 2 years ago

This almost certainly happens when IIS is trying to return a page that needs permissions, or access that the current user does not have. I would look again at your permissions for WindowsSignin.aspx.

If you are browsing to it from the server in which the site resides, you will need to make some tweaks. The tweaks are linked in the Wiki: "Microsoft has a security check for loopbacks. This happens when you browse to a site from the server in which the site resides using a host name other than the original host name. Fixing this is outside the scope of this module but you can find the workaround here. This affects a lot of users that may be testing/developing from their local machine. This problem should not be present if browsing to a site on a remote server."

I am not sure of the details of your tests. I would recommend only testing from a remote computer until you get the permissions right and the system working as you expect. After that, I would work on the above for testing directly from the server. I am betting you have two different issues that look very similar.

Hope this helps some.

Because this is happening at the IIS level, you would need to look at IIS logs. They are usually located in /inetpub/logs. Keep in mind, you may have to enable some logging before you will see much.
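One way to read those IIS logs for the sign-in page, as an added example that is not part of the original thread or the module's code: it maps each 401 on WindowsSignin.aspx to its IIS sub-status meaning. The function name, the log lines, the client addresses and the `EXAMPLE\...` accounts are constructed for illustration, and the log must have the `sc-substatus` field enabled.

```powershell
# Constructed sample in IIS W3C format (not taken from the issue).
$sample = @'
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2022-01-10 08:00:01 GET /DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx - 10.0.0.15 401 2 5
2022-01-10 08:00:09 GET /DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx - 10.0.0.15 401 1 2148074254
2022-01-10 08:00:09 GET /DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx EXAMPLE\jdoe 10.0.0.15 200 0 0
2022-01-10 08:05:00 GET /DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx EXAMPLE\asmith 10.0.0.22 401 3 5
'@ -split "`r?`n"

function Get-Iis401Summary {   # hypothetical helper name
    param([string[]]$Lines, [string]$UriLike = '*WindowsSignin.aspx')
    # IIS 401 sub-status codes and what they mean
    $meaning = @{
        '1' = 'Logon failed (credentials rejected, or a middle leg of the NTLM handshake)'
        '2' = 'No credentials accepted yet (normal first reply when anonymous is off)'
        '3' = 'Denied by the ACL on the resource (NTFS permissions)'
        '4' = 'Authorization failed by a filter'
        '5' = 'Authorization failed by an ISAPI/CGI application'
    }
    $fields = @()
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -like '#Fields:*') {
            # Column order is defined by the log itself, so read it from the header
            $fields = @(($line -replace '^#Fields:\s*', '') -split '\s+')
            continue
        }
        if ($line -eq '' -or $line -like '#*' -or $fields.Count -eq 0) { continue }
        $cols = @($line -split ' ')
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['sc-status'] -ne '401' -or $row['cs-uri-stem'] -notlike $UriLike) { continue }
        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            Client    = $row['c-ip']
            User      = $row['cs-username']
            SubStatus = "401.$($row['sc-substatus'])"
            Win32     = $row['sc-win32-status']
            Meaning   = $meaning[$row['sc-substatus']]
        }
    }
}

Get-Iis401Summary -Lines $sample | Format-Table -AutoSize
```

A 401.2 followed by 401.1 and then 200 for the same client is the ordinary Windows authentication handshake, whether or not the browser prompted. A 401.3 is the case that points at file permissions on WindowsSignin.aspx.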

TineHorvat commented 2 years ago

Hey Steven, thanks for the suggestion and ideas! Will check the loopbacks and try to test only from a remote computer. Will also try to enable all IIS logs available, to check how the process is going with the permission checking.

Will report back my progress.

Cheers

TineHorvat commented 2 years ago

Hey, just an update to my case. I have finally solved it. After weeks of debugging and loads and loads of logging on all possible points (IIS, asp.net trace, file watchers for access, Wireshark, ...) the light went up! 😄 I hope this will help others too, that were struggling with the same issue as me. The annoying popup for login. The Wiki and settings are all correct and everything. It's always that one little checkbox or single line of setting in the end 😛

The only thing that I had missed or didn't know that I needed to set up (or maybe this is just the case in my IT environment) was to set the intranet site URL as an Intranet site under Internet options and enable the automatic logon.

What I am talking about can be seen here: Configuring browsers for NTLM identification. There are two types of setup, for Firefox and for other browsers (Chrome, Edge, Brave, Vivaldi, IE). After adding the intranet site URL (can use http or https and wildcards) to the "allowed" Intranet sites as seen above and setting the automatic logon for intranet sites, everything started to work and is still working great.

Hope this will help anyone in the future!

Thanks again @sawest for assistance, really appreciate your time and work! Cheers
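A read-only check of the client setting described in the last comment, as an added example that is not part of the original thread or the module: for the current Windows user it reports whether a URL is mapped to the Local intranet zone (zone 1) and which logon policy that zone uses. The function name is hypothetical; the check covers only the per-user `ZoneMap\Domains` keys (not Group Policy site lists or machine-wide settings) and uses a simplified host-to-key lookup.

```powershell
function Get-IntranetLogonState {   # hypothetical helper name
    param([Parameter(Mandatory)][uri]$Url)
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $labels = @($Url.Host -split '\.')
    # ZoneMap stores a site either as "Domains\<host>" or as "Domains\<domain>\<subdomain>"
    $keys = @("$base\ZoneMap\Domains\$($Url.Host)")
    if ($labels.Count -gt 2) {
        $domain = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        $keys  += "$base\ZoneMap\Domains\$domain\$sub"
        $keys  += "$base\ZoneMap\Domains\$domain"
    }
    $zone = $null
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        # The value name is the scheme ("http", "https") or "*"; the data is the zone number
        foreach ($name in @($Url.Scheme, '*')) {
            $value = $regKey.GetValue($name)
            if ($null -ne $value) { $zone = [int]$value; break }
        }
        if ($null -ne $zone) { break }
    }
    # Setting 1A00 of zone 1 is the "User Authentication > Logon" option of the intranet zone
    $logon = (Get-ItemProperty -Path "$base\Zones\1" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    $policy = switch ($logon) {
        0x00000 { 'Automatic logon with current user name and password' }
        0x10000 { 'Prompt for user name and password' }
        0x20000 { 'Automatic logon only in Intranet zone' }
        0x30000 { 'Anonymous logon' }
        default { 'Not set for this user (zone default applies)' }
    }
    [pscustomobject]@{
        Host                = $Url.Host
        MappedZone          = $zone                    # empty when no per-user mapping exists
        InIntranetZoneMap   = ($zone -eq 1)
        DotlessHostName     = ($labels.Count -eq 1)    # dotless names can be auto-detected as intranet
        IntranetLogonPolicy = $policy
    }
}

Get-IntranetLogonState -Url 'http://site.local'
```

Every site placed in the intranet zone receives the user's Windows credentials without a prompt, so the mapping is best kept to the exact intranet host names rather than broad wildcards.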