Mono Support Active Directory Authentication Integration 

Viewed 71726 time(s), 14 post(s), 8/15/2013 5:08:48 PM - by erin0201
8/15/2013 5:08:49 PM
453 Reputation 61 Total posts

Hello,

I have followed the steps to integrate MonoX with Active Directory via LDAP.
I have a working MonoX installation on one server that is joined to our domain. The LDAP authentication works correctly.
I just installed MonoX on a different server that is NOT joined to our domain. It uses DNS provided by our ISP to limit the traffic that goes from the external web server into the rest of our network.

I manually entered DNS information about our domain controller into the external web server's hosts file and edited the web.config file the same as I have it on the internal web server that is domain joined.

Using an LDAP administrator program on the external web server, I can connect to the schema of the domain with the same credentials I am trying to connect MonoX with via the web.config file.

I have cleared the cache/history, restarted the browser, and am still having the same errors.
[PrincipalOperationException: Information about the domain could not be retrieved (1355).]
[ProviderException: Unable to query Active Directory.]


I did read the post Denis pointed me to that referenced having your domain controller be the primary DNS in your web server, but we can't do that here since our web server doesn't use internal DNS servers at all. I did manually enter the domain controller's name and IP address into the web server's hosts file, and that didn't seem to help. Is there any way to get MonoX to look at the hosts file for DNS and not at the primary DNS on the web server itself? Any other ideas? Are there any permissions issues I might need to check with MonoX trying to connect to Active Directory?

Thanks!
Erin0201

1
8/16/2013 10:20:07 AM
7207 Reputation 956 Total posts

Hi Erin,
The scenario you have - accessing the AD server from another server that is not joined to your domain (or is not joined to any domain) - is not supported. Establishing trust between two domains could help, but it seems that your web server is running in a standalone mode, and is not a part of any domain. The only alternative I see would involve writing customized membership and role providers that would revert to an older API that should handle such cases: http://blogs.msdn.com/b/martijnh/archive/2010/01/06/active-directory-adding-a-user-to-a-group-from-a-non-domain-joined-computer-throws-principalexception.aspx 

2
8/19/2013 4:10:52 PM
453 Reputation 61 Total posts

Hi Denis,

After working with our firewall security team, we have decided to add the computer to the domain. It is no longer operating in standalone mode. The LDAP Administrator connects to the schema just fine. I have the settings set up the same as on the other web server, and it is still erroring out when trying to retrieve the groups.

I'm getting these two errors (the first one is different now):
[PrincipalOperationException: While trying to retrieve the authorization groups, an error (110) occurred.]
[ProviderException: Unable to query Active Directory.]

Any ideas??
Thanks!
Erin


3
8/19/2013 4:25:05 PM
453 Reputation 61 Total posts

For anyone else that might have this problem: I had to go into IIS 7.5, click on Application Pools, and change the app pool that the MonoX website was running under to use the "NetworkService" identity rather than "ApplicationPoolIdentity". Once I changed that, the authentication with Active Directory is now working.

Thanks!
Erin

4
8/19/2013 4:34:40 PM
453 Reputation 61 Total posts

OK, I have this working, except I just tried testing logging in with a user that is NOT allowed to log in to this website. I have the MonoX web.config file locked down to only allow certain groups to log in.

However, upon clicking Submit, I get a Security Exception server error in ASP.NET rather than a page that just says that the user is not allowed to log in.

Any idea how to make it go to a page that just says that the user doesn't have the authentication to be able to do that?
Once you click Log In, it dumps you into that unhandled security exception page rather than keeping you on the login page where it says you are not authorized to view the content. If you press the back button, it tells you that you're logged in but not authorized to view the page.

Is there any way to make it not throw that security error and to land you on the login page where unauthorized equals true? Which config file is this referencing, and what permissions does the application need?

Here is the security error page I'm getting thrown at:

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Security error.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Security error.]
   MonoSoftware.MonoX.BasePage.OnInit(EventArgs e) +306
   System.Web.UI.Control.InitRecursive(Control namingContainer) +491
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5604
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +742
   System.Web.UI.Page.ProcessRequest() +269
   System.Web.UI.Page.ProcessRequest(HttpContext context) +142
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +609
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +256

Thanks!
Erin

5
8/19/2013 4:44:21 PM
7207 Reputation 956 Total posts

It appears that your MonoX instance is not running under full trust - can you check that (http://msdn.microsoft.com/en-us/library/wyts434y.aspx)?
The "nice" error screen should be shown if your web.config setup is correct. See the customErrors setting; it should be set to either On or RemoteOnly (this will show the full stack trace only to users accessing the application from the server directly).

6
8/19/2013 4:51:32 PM
453 Reputation 61 Total posts

OK, I got customErrors turned on.

This is what I have for the securityPolicy:
<securityPolicy>
  <trustLevel name="MediumMonoX" policyFile="web_mediumtrust.monox.config" />
</securityPolicy>

Now, since changing customErrors, I am getting the "nice" error page, but still getting a security error:

Security error.
at MonoSoftware.MonoX.BasePage.OnInit(EventArgs e) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
It is now giving an error that says you are not authorized to view this page. However, this page has a link that says "To continue working with the application, please click here", which does nothing since the user is not authorized. There is no logout button like there is if you press back and go to the login page where it says you are not authorized.

Is there a way to either throw the user back to the previous login page so that they can log out and back in as a different user, or at least a way to add a "log out" link so that the user can try to log in as a user with permission to log in to the extranet?

Thanks for all of your help!
Erin

7
8/19/2013 5:28:50 PM
7207 Reputation 956 Total posts

You can set the trust level to Full; however, please be aware that this setting can be overridden by the global machine configuration. I am still not 100% sure that you have set it up properly on the server, based on the previous error. It sounds like it is complaining about the application trust level, and not about user credentials.
Log in and log out operations do not make too much sense in the AD integration scenario. The link at the error screen should just return you to the home page of the site. Does it at least perform a postback? What URL do you see inside the page HTML for that link?

8
8/19/2013 6:13:11 PM
453 Reputation 61 Total posts

OK, I'm still looking for the global machine config to make sure the trust level is set there.

Well, for the extranet we only have 2 or 3 pages right now, and we don't want any of them to be accessible except the login page. Basically, we would want the login page to be the first page anyone sees.

As it is working right now, it sits on the "You are not authorized to view this page" error page with the security error and doesn't take you back to the login page, which means the user has to close the browser and re-open it to try to get back to the login page to re-enter the website.

What I'm wondering is if we could add a link to that page that would send the user back to the login page rather than caching the old credentials and sitting on the error page. It seems like it has cached the credentials and won't let you back to the login page until you close and reopen. If you manually go to the /login.aspx page, it will say you're logged in as "whatever" and you can click Logout, and then it will take you back to the login prompt.

If a user is not authorized to log in to the extranet, I would like it to tell them that as well as log them out so that they can try to log in as a different user at that time. Is there a way to do that? Right now it's caching that login since it did successfully log in via Active Directory. It's just not allowed to view the pages, so it's like the user is just stuck in limbo.

Thanks!
Erin

9
8/19/2013 8:56:48 PM
453 Reputation 61 Total posts

OK, I created a default page and made the other page a landing page to go to after they log in.
Is there any way to change the page the login page directs to after logging in?

We are just using the free version without the source code, so I know I can't use a .cs file, but is there a place in the config somewhere to put the info?

Thanks!
Erin
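An added web.config fragment (not from MonoX, its documentation, or anyone in this thread) showing the standard ASP.NET settings the thread touches on: the application trust level, customErrors, group-restricted authorization, and the forms defaultUrl that controls where a user lands after logging in. Group names, page paths, and the timeout value are placeholders, and MonoX's own membership/role provider configuration is left out.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- MonoX's BasePage threw SecurityException under the custom
         "MediumMonoX" trust level. Full trust removes that restriction,
         but machine.config / applicationHost.config can lock the level
         (allowOverride="false"), in which case this line is ignored. -->
    <trust level="Full" />

    <!-- RemoteOnly: detailed stack traces only for requests made from
         the server itself; remote users get the friendly error page.
         mode="Off" would show type names and method offsets to anyone
         on the extranet. The redirect target is a placeholder. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Forms authentication: loginUrl is where unauthenticated users
         (and authenticated users denied by the rules below) are sent;
         defaultUrl is the page shown after login when no ReturnUrl was
         supplied. Both paths are placeholders. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/Landing.aspx" timeout="30" />
    </authentication>

    <!-- Only members of the allowed AD group get in. Rules are evaluated
         top to bottom and the first match wins, so the catch-all deny
         must come last. EXAMPLE\ExtranetUsers is a placeholder. -->
    <authorization>
      <allow roles="EXAMPLE\ExtranetUsers" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Explicitly allow anonymous access to the login page; every other
       page inherits the deny rule above. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With these rules an AD user who authenticates but is not in the allowed group is returned to the login page by ASP.NET rather than reaching a content page, which is the behaviour the thread is asking for.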
