Windows Authentication does not work in IE
I am new to Geocortex, but have followed the instructions for setting up security on our Geocortex Essentials 4.0 instance. It works great in Chrome, but IE will not allow the user to log in. Any ideas?
-
Hi Causey, which version of IE are your users running? What error message do they get when trying to log in using IE?
-Alejandro
0 -
I am running IE 9. I don't get any 'error messages'. It just keeps asking for my credentials over and over.
0 -
Alejandro,
I believe I'm running into the same situation as Causey.
Chrome works with IWA.
IE 10 displays a login prompt. After entering credentials I get a message saying: "The redirect URL is not allowed. Add the URL to the appropriate audience."
Also tried Firefox and received the same message that IE displayed after the login credentials were entered.
I expected a prompt from Firefox as it's a default install, but I didn't expect a login prompt from IE. I noticed the Geocortex endpoint also requires me to click the Login link rather than use my already logged in Windows credentials.
Steve
0 -
Hi all,
@Causey, can you take a Fiddler capture of the viewer loading? Please make sure you clear your browser cache beforehand (see this KB article for more information on how to use Fiddler: https://support.geocortex.com/use-fiddler-to-capture-web-traffic-between-a-web-browser-and-a-web-site).
@Steven, I think you might have a configuration issue. Please make sure that "Essentials Callback URL" and "Allowable Redirect URLs" are configured as mentioned in the Geocortex Essentials Administrator guide, section 39.3.
-Alejandro
0 -
If Kerberos authentication does not work properly you will not be able to authenticate with IE. IE is using Kerberos by default and will not fall back to NTLM like Chrome and Firefox.
As a workaround, in IIS, change the order of challenge providers to use NTLM first. You must force NTLM authentication in IIS by following these steps:
1. Select your site.
2. Double click authentication.
3. Select "Windows Authentication" (ensuring that it is enabled).
4. Click "Providers..." in the right hand column.
5. Select NTLM and click "Move Up".
0 -
I had a chance to install a new instance of version 4. I basically ended up with the same results.
One of the odd things I noticed from the install is the checkbox mentioned in section 39.4.2 to allow Windows Authentication was already checked and greyed out on the install screen.
So at this point I changed the provider order as dmedved suggested. That at least allows the login prompt to work, but I still don't have single sign on.
0 -
Hi Steve, by default IE won't single sign-on on pages that it considers to be in the "Internet" zone. If you go to Internet Options -> Security, make sure that the viewer URL is in the "Intranet" zone. Another option is to select the "Internet" zone -> click on "Custom Level" and check how the "Logon" property is configured. If you change it to "Automatic logon with current name and password", SSO should work in that zone.
-Alejandro
0 -
Thanks for the response Alejandro. I knew I'd encountered this before and your reply gave my memory the nudge it needed...
I set up a 3.x site quite a while ago for one of our internal departments where SSO was desired. IE is the only officially supported browser for our internal users. When I gave them the link I used the "short" URL (i.e. http://server/SilverlightViewer/index.html rather than "http://server.domain.local/SilverlightViewer/index.html") so IIS would recognize the site as an intranet site.
That's the behavior I'm trying to duplicate now. At the moment, my version 4 site is still displaying the "The redirect URL is not allowed. Add the URL to the appropriate audience." error when I try to use the short URL.
The admin guide indicates I don't have to enter anything for the redirect (everything is on the same server) but I tried adding a redirect URL anyway. Still getting the error with the redirect URL. It seems like this should be fairly simple. What should I be using for a redirect URL? The path to the viewer? Something else?
Thanks,
Steve
0 -
I figured out part of the question regarding the redirect URL. At some point I messed up the configuration of the Identity Server so I uninstalled/reinstalled it. After that I added the URL in the form of http://server/SilverlightViewer/index.html and now that URL is working without generating the redirect error.
The address I'm using was in the Trusted Sites zone in IE but I added it to the Local Intranet zone anyway. I'm still getting a login prompt. Looking at Fiddler I see the fully qualified name is still popping up, so I suspect that's why I'm still getting a login prompt at this point. Once I get this sorted out I'll send a follow up in case anyone is interested.
Steve
0 -
If anyone is interested, I had a chance to dissect this a little further. I now have a SSO configuration that works like my 3.x configuration.
The entry that was causing the last problem I mentioned was the <add key="EssentialsUrl" value="http://server.domain.local/geocortex/essentials/instanceName/REST/sites" /> entry in the Manager web.config file. Changing that URL from fully qualified domain name to server name was the key. For example: <add key="EssentialsUrl" value="http://server/geocortex/essentials/instanceName/REST/sites" />
Removing any references to the fully qualified domain name also removed the need to add the redirect URL. This configuration also allows IE to recognize the site as an intranet site, so there is no need to modify the security zones in IE.
The other change, which is the same as has to be done in 3.x, was to change the application pool identity to Network Service in IIS manager (http://support.geocortex.com/SupportForums/Thread.aspx?pageid=0&mid=2&ItemID=2&thread=45842).
Steve
0 -
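Added example, not part of the original thread and not Geocortex code: a small audit of a web.config's appSettings that flags URL values whose host is a fully qualified name rather than a dotless server name, the distinction Steve's fix turned on. IE's default Local Intranet rule matches names without dots, and only that zone gets automatic logon by default. The sample config and the keys other than EssentialsUrl are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the EssentialsUrl entry quoted in the thread.
# "ExampleViewerUrl" and "ExampleFlag" are hypothetical keys for illustration.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="EssentialsUrl"
         value="http://server.domain.local/geocortex/essentials/instanceName/REST/sites" />
    <add key="ExampleViewerUrl" value="http://server/SilverlightViewer/index.html" />
    <add key="ExampleFlag" value="true" />
  </appSettings>
</configuration>"""


def classify_host(host):
    """Dotless names match IE's default Local Intranet rule; FQDNs and IP
    literals do not, so IE prompts unless the site is explicitly added to
    the Local Intranet zone."""
    if "." in host or ":" in host:
        return "needs-zone-mapping"
    return "intranet-auto"


def audit_app_settings(xml_text):
    """Return (key, host, verdict) for every http(s) URL in <appSettings>."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root.findall("./appSettings/add"):
        parts = urlsplit(entry.get("value", ""))
        if parts.scheme in ("http", "https") and parts.hostname:
            findings.append((entry.get("key"), parts.hostname,
                             classify_host(parts.hostname)))
    return findings


def distinct_hosts(findings):
    """More than one host form means redirects can leave the short name."""
    return {host for _, host, _ in findings}


if __name__ == "__main__":
    results = audit_app_settings(SAMPLE_WEB_CONFIG)
    for key, host, verdict in results:
        print(f"{key:18} {host:22} {verdict}")
    if len(distinct_hosts(results)) > 1:
        print("Mixed host names: pick one form for every URL in the config.")
```
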
Hi All, I'm having a similar issue.
I just upgraded to the newest release (Essentials 4.0, Silverlight & HTML5 2.0), and only 1 of my 3 sites that have security configured is having an issue... even though they are all set up the exact same way.
For security we just use IIS, and enable Windows Authentication and disable Anonymous.
This worked fine until the upgrade; now I'm getting the following error:
The redirect URL is not allowed. Add the URL to the appropriate audience.
I didn't touch the new security settings in Essentials Manager, then I tried setting the same permissions with no luck.
I have 2 other sites I upgraded, with the same security settings, and ran into no problems. It's only for 1 of my sites.
For clarification: When using IE I get prompted for my login credentials, but it just keeps popping up and won't let me log in. When I use Chrome it gives me the error I stated above immediately.
When I get that error message it re-directs me to our server's INTERNAL URL - which is something we don't want the public to ever see - with the following after "......Geocortex/Essentials/REST/security/callback?wctx=urn:gcx:wi:SignInCallback&wresult=xOIfzF2OsU66Dgas0lXAigAAWCdmos28hE2FSFXg5jRAtAAA3PZjojoqSoieSj1MxPm6XmXZ9Sf4Eb_I"
Does anyone have any idea/suggestions on what might be going on?
Thanks, Laura
0 -
Update: I went into Essentials Manager --> My Site --> Permissions and selected "Clear All".
This fixed the problem I was having. Not sure why Geocortex pre-configured some security for this specific site, but I'm happy it was an easy fix.
-Laura-
0 -
Alejandro (or anyone) -
This has cropped up for us, so I'm reviving the question. Our setup - Viewer 2.10.1, Manager 4.9.1.37, Internet Explorer 11.950.17134.0. Permissions on the site are set to deny "Anonymous Access - Guest" and allow "Windows Integrated - All Users". This works great in Chrome, and has been working in IE for several weeks.
Apropos of seemingly nothing (i.e. no config changes), users in IE are being prompted for credentials. If no credentials are entered (if they click Cancel), there is a json status of 401, which makes sense. But, if credentials are entered, the load still fails, with a json status of 0. IE definitely has the user identity (verified by other internal sites that also require access through IWA) and the site is in the Intranet zone.
Based on this thread, I've tried:
- prioritizing NTLM in IIS - no impact, still fails to load in IE
- verifying Intranet Zone - yep, the site is in the Intranet and still won't load in IE
- I don't have permissions to put the site into the Internet zone and change the logon parameters
- Changed the app pool identity to Network Service - no impact, still fails to load in IE
- Inspecting the web.config files - I don't really know what I'm doing in these, but I tried the modification mentioned by Steve - no change, site still won't load in IE
- Clearing and resetting the site permissions - nope, no change, still fails to load in IE. Interestingly, even if I explicitly allow anonymous access, I am still prompted for credentials and still get a fail with json status 0.
To thicken the plot even more, in IE InPrivate browsing, it works just fine, doesn't ask for credentials, and successfully loads.
Thoughts? Help?
Thanks,
Jena0