Unable to access secure site when using custom security provider (active directory) for 3.8 (3.9)
I am unable to successfully implement a secured site via a custom security provider (active directory) or any security provider (other than windows authentication) for that matter. The provider seems to work fine but there seem to be issues w.r.t. the user authentication, as I am unable to log into the site (it just keeps returning to the log in prompt).
Firebug is showing the following:
On the POST request:
{"error":{"code":500,"message":"The service encountered an internal error. Please contact the system administrator for assistance.","details":[]}}
On the GET request:
{"error":{"code":401,"message":"Access to this resource requires authorization.","details":[],"tokenService":"/Geocortex/Essentials/REST/sites/TT_property/authenticate"}}
The custom membership provider appears to work fine as I can query user & roles successfully against the active directory.
This makes me start to ask the question on token config for geocortex but this is by & large an unknown topic re forums.
I also attempted to implement security using the OOTB Global Geocortex Security Provider - similar failings, the login is just not authenticating the user's credentials.
My site running at 3.5 had nil issues; however, having upgraded to 3.8 or 3.9 (I have tried both), I am unable to successfully implement the custom security provider (or any security provider other than Windows Authentication).
I will be logging a support call on this issue due to the need in getting an answer ASAP but thought I would put this one out there to see if anyone has had any other similar issues with anything above 3.5 (changes were made in 3.6) on the above or similar security model.
It's worth noting I run my sites as a new named instance since I need to retain our ADF application as well.
Brad
RESOLVED
So, the issue was that the reverse proxy setup was not updated for the new named instance that I had created (the installer @ 3.9 does a great job on the configuration front re using custom app pool (network service) & folder permissions, as well as migrating sites; unfortunately this isn't one that it updated & I overlooked this fact until a review of the config).
It does raise some questions in the back of my mind however about WHAT the recommended app pool setup is re using custom provider for AD support. The response by Malcolm (http://support.geocortex.com/Forums/Thread.aspx?pageid=0&mid=2&ItemID=2&thread=45647&postid=131922) vs that of Jonathan's response (http://support.geocortex.com/Forums/Thread.aspx?pageid=0&mid=2&ItemID=2&thread=45842&postid=133508) seem to contradict each other w.r.t. which user is the recommended approach for supporting active directory. As I understand it, network service is the best solution. I did opt for Malcolm's suggestion on my live site while I resolved the above issue, but this approach seemed to fail on the role permissions (made site invalid).
Any clarity on the topic by @Latitude & ideally system admin guide updated to reflect the recommended approach.
Brad
Hi Brad,
With Server 2008 and the new Application Pool configuration (use EssentialsAppPool4 or set 'Integrated Mode' to true on the legacy app pools) there should be no need to use Network Service anymore. Since an app pool running in Integrated Mode uses kernel mode authentication it does not use the app pool user to do this anymore.
If you are using an older version of Windows that does not support this, then the previous advice will still apply, but otherwise it should work with the out of the box settings.
Thanks for the info Jonathan - yet to dig deep in IIS 7 (I live a sheltered life) so good to know about this for near future when we will be upgrading (no doubt I will be hitting you up as I'm sure I will have some queries! ;) ).
It would be good if the admin guide could be extended to include IIS configuration as it would remove any ambiguity on the setup requirements.
Brad