MohammadYounes/OWIN-MixedAuth

External access stops with querystring

Closed this issue · 3 comments

arc95 commented

Hi @MohammadYounes. Before explaining the issue, let me briefly explain my use of OWIN-MixedAuth, noting that I don't want the challenge popup to show for those off the network:

  • If the user is internal (on the network, using IP address):
    • Automatically register them and log them in (this is done via the 4 steps you provided) plus a little magic in ExternalLoginCallback
  • Else if the user is outside of the network (using IP address):
    • Redirect to the ~/Account/Login page to let them log on using Forms Authentication
    • Let users with AD credentials hit ~/Account/WindowsLogin, which would pop up the challenge box for username and credentials. The [Windows] button is not being shown on ~/Account/Login.
    • Those outside of the network should not see an AD challenge popup when just hitting the app.

The above scenario doesn't seem possible. Testing on my phone and a laptop that are not currently connected to the AD, I get odd behavior. Chrome/Safari on my phone bring up the challenge popup when trying to connect to the site root: https://myserver.com/MyApp/. I can get in after providing my credentials.

If we want outside users to log on using the challenge popup from ~/Account/WindowsLogin, the above won't work because they will keep getting redirected to ~/Account/Login. Also, adding the button for [Windows] auth won't work, as that also gets redirected to ~/Account/Login.

In Chrome/Safari on my phone, I can go directly to ~/Account/Login without getting prompted by a challenge popup. On a laptop that has been connected to the network but is now connecting via a SIM wireless card, Chrome goes right in -- recognizing my Windows credentials. IE gives me the below URL and dies; does the same thing when I try to go to ~/Account/Login:

https://myserver.com/MyApp/MixedAuth?state=0gLo8jGqbH4IovB3qRVggg4uaccnsDQrtrLWXsZhbhlvWmFOHbAMWbvl3IqO51h1kNUN-XczNoPJeuz-scq_T5l_LH02pYN7jI0oOp9gaIe9pkThvtPaPeeKkKOZlQfO1P5SfyW5ILliTXNH5KDU7yGx21lBTMaWwDeaxILWsXljG-LiKIarjj9p6S2nysM4

Pulling my hair out right now! Your help is very much appreciated, as I'm lost. I'm using the custom method to redirect on IP address and not calling the built-in RegisterMixedAuth in the global.asax.cs constructor. Something is amiss here and I don't know what :) Threw the pertinent code on here: https://gist.github.com/arc95/add45ab413e8f5bd52f11ac9ed906143. Once it's working I'll share the code here.

And sorry for all the questions :)
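One way to get the split described in this post (internal callers go through to the automatic Windows logon, external callers are sent to the Forms login page unless they deliberately ask for ~/Account/WindowsLogin) is an OWIN middleware that classifies the caller by remote address before any authentication middleware can issue a 401 challenge. This is an added example and is not code from the thread or from the OWIN-MixedAuth project; the CIDR ranges, route paths and class names are placeholders.

```csharp
// Added example, not OWIN-MixedAuth code. Assumes Microsoft.Owin/Owin packages.
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public static class InternalNetwork
{
    // Placeholder ranges (constructed): replace with the real internal ranges.
    private static readonly (IPAddress Net, int Prefix)[] Ranges =
    {
        (IPAddress.Parse("10.0.0.0"), 8),
        (IPAddress.Parse("192.168.0.0"), 16),
    };

    // True only for IPv4 addresses inside one of the configured ranges.
    // Note: behind a reverse proxy RemoteIpAddress is the proxy, and any
    // forwarded-for header is caller-controlled, so resolve the real client
    // address at the trusted edge rather than trusting headers here.
    public static bool IsInternal(string remoteIp)
    {
        if (!IPAddress.TryParse(remoteIp, out var ip)) return false;
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        uint a = ToUInt32(ip);
        return Ranges.Any(r =>
        {
            uint mask = r.Prefix == 0 ? 0u : uint.MaxValue << (32 - r.Prefix);
            return (a & mask) == (ToUInt32(r.Net) & mask);
        });
    }

    private static uint ToUInt32(IPAddress ip)
    {
        var b = ip.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Use(async (IOwinContext ctx, Func<Task> next) =>
        {
            var path = ctx.Request.Path.Value ?? "";
            bool authed = ctx.Request.User?.Identity?.IsAuthenticated == true;
            bool optedIn = path.StartsWith("/Account/Login", StringComparison.OrdinalIgnoreCase)
                        || path.StartsWith("/Account/WindowsLogin", StringComparison.OrdinalIgnoreCase);
            // External, unauthenticated callers never see the Windows challenge
            // unless they explicitly requested the WindowsLogin route.
            if (!authed && !optedIn && !InternalNetwork.IsInternal(ctx.Request.RemoteIpAddress))
            {
                ctx.Response.Redirect("/Account/Login");
                return;
            }
            await next(); // internal callers continue to the MixedAuth pipeline
        });
        // Register cookie and MixedAuth middleware after this, per the project's setup steps.
    }
}
```

Register this middleware before the authentication middleware in the pipeline, otherwise the 401 challenge is emitted before the redirect can run.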

arc95 commented

Found a partial solution: added back the [Windows] authentication button to /Account/Login and removed all the items that allowed automatic Windows logon. Now the users are all redirected to the /Account/Login, where they can log on using either Forms or Windows. Clicking the Windows button works on all browsers except IE, where it throws an error:

HTTP401: Denied - The requested resource requires user authentication.
GET - https://myserver.com/MyApp/MixedAuth?state=..........

Thinking this might be an issue with the laptop. Will check when I get home and try another IE.

@arc95 It's hard to figure out what's wrong with the provided info; you need to debug it and see what's wrong and why IE dies on that action.

arc95 commented

Thanks, @MohammadYounes. Got it working in IE when I logged on to the laptop with a different account. Now trying to figure out why the IP redirect + auto Windows logon didn't work for users not on AD.