
Question

Windows Authentication Error

asked on August 11, 2017

Hello,

I am wanting to see if anyone else in the Answers community has seen an error like the following occurring when users try and sign into Forms using the Windows Authentication button:

An Error Has Occurred

LicenseManagerWebSTS.Infrastructure.Exceptions.WebSTSException: An Error Has Occurred ---> System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
   at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Laserfiche.LicenseManager.LMO.LicenseManagerService.ILicenseManager.TestConnection()
   at Laserfiche.LicenseManager.LMO.Server.Connect()
   at Laserfiche.LicenseManager.LMO.Server.Connect(String fqdn, Boolean bUseSsl, Boolean bUseAltBindings)
   at Laserfiche.IdentityModel.LFDSIdentityService.GetBearerToken(Dictionary`2 loginParameters) in C:\CI_AWS\Ws\44069\Source\LFIdModel_SVN\Laserfiche.IdentityModel\Laserfiche.IdentityModel\LFDS\LFDSIdentityService.cs:line 71
   at LicenseManagerWebSTS.Services.Login.LFDSLoginManager.ProcessLogin(LoginData loginData) in C:\CI_AWS\Ws\47881\Source\LFDS\LicenseManager\LicenseManagerWebSTS\LicenseManagerWebSTS.LFDS\Services\Login\LFDSLoginManager.cs:line 127
   at LicenseManagerWebSTS.Controllers.LoginController.Login(LoginData data) in C:\CI_AWS\Ws\47881\Source\LFDS\LicenseManager\LicenseManagerWebSTS\Controllers\LoginController.cs:line 175
   at lambda_method(Closure , Object , Object[] )
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__0.MoveNext()
   --- End of inner exception stack trace ---

If I simply type in the domain\username and windows password instead of clicking the Windows Authentication button, it logs me in just fine.

I had opened a ticket for this but it was deemed a client side issue so I am just wanting to see if any other users themselves have seen this before.

Thanks!

1 0

Replies

replied on February 12, 2018

It appears that this is not a client specific issue. I have multiple other customers with the same issue, and would love to see some response from anyone who has the Use Windows Authentication button working for a Single Sign On page in a DMZ. 

1 0
replied on February 12, 2018

Windows authentication in the DMZ is not expected to work without additional configuration. This is a general expectation, not specific to Laserfiche.

In order for Windows authentication to work, the user needs to be able to log into the domain. By definition, the DMZ is segregated from your domain for security purposes, so the domain controller is not accessible to log your user in. There are various ways to work around it (setting up partial trust, proxies, establishing a read-only domain controller in the DMZ). Their pros and cons are discussed in various articles.

As of 10.2, Directory Server supports Active Directory Federation Services as a way to allow users to log in while outside your domain.

0 0
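The reply above comes down to one check: can the DMZ web server actually reach a domain controller, and when a logon does succeed, which authentication package carried it. The script below is an added diagnostic example, not part of this thread and not Laserfiche tooling; it locates the domain's DCs through the standard SRV record, tests the ports a domain logon needs, and summarises which package (Kerberos or NTLM) recent network logons on the host used. Port list and the assumption that the host is domain-joined are mine; run it on the DMZ server with rights to read the Security log.

```powershell
# Added diagnostic example (not from the thread, not from Laserfiche).
# Run on the DMZ web server; reading the Security log requires local admin.

function Test-DomainControllerReachability {
    $cs = Get-CimInstance Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        # Not domain-joined: Windows authentication cannot work at all here.
        return [pscustomobject]@{ Joined = $false; DomainControllers = @(); Results = @() }
    }
    # Assumption: ports a Kerberos/NTLM logon against the domain needs. A DMZ
    # firewall blocking any of these produces "The caller was not authenticated".
    $ports = @{ Kerberos = 88; LDAP = 389; LDAPS = 636; SMB = 445; DNS = 53 }
    # Locate DCs via the SRV record rather than hard-coding a DC name.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
    $results = foreach ($dc in $dcs) {
        foreach ($p in $ports.GetEnumerator()) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $p.Value -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ DomainController = $dc; Service = $p.Key; Port = $p.Value; Reachable = $ok }
        }
    }
    [pscustomobject]@{ Joined = $true; DomainControllers = @($dcs); Results = $results }
}

function Get-RecentNetworkLogonPackages {
    param([int]$MaxEvents = 500)
    # Event 4624 = successful logon. Logon type 3 (network) is what an IIS site
    # doing Windows authentication records; the package field tells you whether
    # the client actually negotiated Kerberos or fell back to NTLM.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -eq '3') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Package = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
                Source  = $d.IpAddress
            }
        }
      } | Group-Object Package | Select-Object Name, Count
}

# Usage:
#   (Test-DomainControllerReachability).Results | Format-Table
#   Get-RecentNetworkLogonPackages
```

If every Kerberos/LDAP probe fails while the logon summary shows only NTLM, the host is in exactly the situation the reply describes: it can validate a typed password through the trust path it still has, but cannot complete a ticket exchange with a DC.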
replied on February 13, 2018

Miruna, 

What additional configuration is needed? The DMZ server is still joined to the Domain, and NTLM authentication works. We need some direction in the Kerberos configuration, as all documentation is sparse to non-existent. 

Thanks

0 0
replied on May 30, 2018

Since this conversation started, we've published a white paper on configuring Kerberos delegation.

If the DMZ server is on the same domain as the internal server, all three types of Kerberos delegation explained in the paper should work.

1 0
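Before applying any of the delegation configurations the white paper covers, it is worth knowing what the DMZ server's accounts already have. The function below is an added example, not from the thread or from the Laserfiche white paper; it reports which of the three delegation types Active Directory supports (unconstrained, constrained, and resource-based constrained) is set on a computer or service account, together with its registered SPNs. The sample account name is an assumption, and the RSAT ActiveDirectory module is required.

```powershell
# Added audit example (not from the thread, not from the Laserfiche white paper).
# Requires the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

function Get-KerberosDelegationType {
    param(
        # Assumption: a sAMAccountName such as 'DMZWEB01$' (computer) or 'svc-forms' (service account).
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity',
             'servicePrincipalName'
    $acct = if ($SamAccountName.EndsWith('$')) {
        Get-ADComputer -Filter "SamAccountName -eq '$SamAccountName'" -Properties $props
    } else {
        Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Properties $props
    }
    if (-not $acct) { throw "Account '$SamAccountName' not found" }

    $types = @()
    # Unconstrained: the account may impersonate any user to any service.
    # On an internet-facing DMZ host this is the setting to flag in review.
    if ($acct.TrustedForDelegation) { $types += 'Unconstrained' }
    # Constrained: limited to the SPNs listed in msDS-AllowedToDelegateTo.
    if ($acct.'msDS-AllowedToDelegateTo') {
        $kind = if ($acct.TrustedToAuthForDelegation) {
            'Constrained (with protocol transition)'
        } else {
            'Constrained (Kerberos only)'
        }
        $types += $kind
    }
    # Resource-based constrained: configured on the *target* account, which
    # lists the front-end principals allowed to delegate to it.
    if ($acct.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        $types += 'Resource-based constrained (this account accepts delegation from listed principals)'
    }
    if (-not $types) { $types = @('None') }

    [pscustomobject]@{
        Account               = $acct.SamAccountName
        DelegationTypes       = $types
        AllowedToDelegateTo   = @($acct.'msDS-AllowedToDelegateTo')
        ServicePrincipalNames = @($acct.servicePrincipalName)
    }
}

# Usage: Get-KerberosDelegationType -SamAccountName 'DMZWEB01$' | Format-List
```

Run it against both the DMZ web server's computer account and the identity its application pool runs under: Kerberos to the site only works if the HTTP SPN for the site's name is registered on whichever of those the pool uses, and for resource-based delegation the relevant attribute sits on the internal server's account, not the DMZ host's.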
replied on May 30, 2018

To be clear, it's not good practice to have your DMZ share a domain with the internal server. For better security, you might want to look into using ADFS or using a reverse proxy to direct traffic to an authentication point within the internal network.

1 0