Azure AD authentication IIS ColdFusion

Explorer, Feb 19, 2020

Has anyone tried to use Azure AD, IIS with ColdFusion to authenticate users?

Our users are external to our network and remote in via a Pulse Secure portal. Pulse Secure looks up the users in a security group which is in Azure AD. They are then given link(s) to our internal apps. Currently, I have to add their accounts locally to the servers for them to even get to the site. Without that the server rejects the login with a 401 error. I have added the security group to the server and tried different things. I even contacted Microsoft to see if they had any thoughts; they only said that I should be doing the auth at the app level, but I don't think we even get to the site. It's not even making it past IIS.

So if anyone has some insight on how to set up Azure AD on a Windows machine running ColdFusion and IIS, please drop a line.

Oh, these are some legacy CF apps. I really don't want to alter the code to make this work if I don't have to.

 

TOPICS
Advanced techniques, Connector, Getting started, Security, Server administration

Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional, Feb 21, 2020

I think you're going to have to make sure that your Windows server is in your AD domain, and make sure that your server can authenticate logins against that domain. Forget about IIS or CF for a minute. Set that up and test that. You should be able to log into your server via RDP using a domain account. Once you have that working, you should be able to set up IIS to require Windows authentication. This is an IIS-specific setting. You should be able to test this by itself, without using CF. Just set up a static HTML page in an IIS virtual server configured to require Windows authentication. Once you have all of this working, your CF application should have access to the appropriate CGI variables indicating a successful Windows authentication. I don't remember what they are, but I'm thinking CGI.AUTH_USER. If that has a value, your user is logged in. You can then use that in your app to decide what the user is allowed to do. If that's how your apps were set up to work before, you shouldn't have to worry about making code changes.
Dave Watts, Eidolon LLC

Explorer, Feb 27, 2020

The server is on the domain, and the server can auth on the domain; it's just not working for users coming in via the Pulse Secure portal. And I did this test and it worked: if I RDP to the server and go to the web app, I am prompted for creds, I enter the creds for a user that is in the security group and bam, I am in. But if I do the same from my personal computer it doesn't work, and it doesn't work for the users logging in via the Pulse Secure portal unless I add the user locally to the server.

I'm still waiting for an answer from Microsoft.

Adobe Community Professional, Feb 27, 2020

When you log in locally, are you specifying the domain as well as the user? (for example, domain\user or user@domain)
I don't know much about how your portal is set up. Maybe it can be used to specify the user's domain as part of the authentication.
Dave Watts, Eidolon LLC

Explorer, Feb 27, 2020

No, I don't have to specify the domain. I can also see in the Microsoft event logs where the user tries to connect and the domain is provided.

Adobe Community Professional, Feb 27, 2020

What do you see in the event logs for the remote users?
Dave Watts, Eidolon LLC

Explorer, Mar 02, 2020

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/2/2020 7:24:18 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SRV-CF11INT02.mydomain.mdo
Description:
An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		11ZJSH1688
	Account Domain:		ajdfjahghg

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	Workstation
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2020-03-02T12:24:18.048012500Z" />
    <EventRecordID>27056664138</EventRecordID>
    <Correlation ActivityID="{9E281367-0E03-41E2-9F28-F60523568C60}" />
    <Execution ProcessID="1068" ThreadID="26908" />
    <Channel>Security</Channel>
    <Computer>SRV-CF11INT02.mydomain.mdo</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">11ZJSH1688</Data>
    <Data Name="TargetDomainName">ajdfjahghg</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">Workstation</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

Adobe Community Professional, Mar 02, 2020

OK, this is pretty tough. I don't see an obvious reason why this would be failing. The one thing I can think of is that maybe your domain computers are configured to require Kerberos authentication instead of NTLM. You can test this by enabling audit logs for successful logins and seeing what happens, or just using standard Kerberos command-line testing tools from a successfully logged-in workstation on the network. Search for "kerberos command line windows" or try running kinit from a command prompt for more information about that. Honestly, if your environment only accepts Kerberos you won't be able to solve this for external workstations that aren't already part of the Kerberos realm - Kerberos don't play that way. But you could configure AD to accept both Kerberos and NTLM credentials, although this would arguably weaken the value of using Kerberos in the first place.
On a side note, I would strongly recommend that you obscure any defining information when you post log entries, in the future. This is a common way for malicious people to collect information about network internals. It's kind of a pain to have to remember that each time you post something, but the alternative can be worse.
Dave Watts, Eidolon LLC
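As an added example (not code from the thread, Adobe or Microsoft), here is a small Python triage for the 4625/4624 Security events Dave suggests comparing: it decodes the sub-status codes seen in the log above and flags a logon whose account domain does not match the AD domain, which is what the earlier domain\user question was getting at. The event XML, user and domain names below are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS sub-status values in 4625 events; the first two appear in the thread's log.
SUB_STATUS = {
    0xC000006A: "wrong password",
    0xC000006D: "logon failure (unknown user name or bad password)",
    0xC0000064: "user name does not exist on this server/domain",
    0xC0000234: "account locked out",
}

def parse_logon_event(xml_text, expected_domain):
    """Summarise one 4624/4625 Security event and add triage flags."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    s = {"event_id": event_id, "user": data.get("TargetUserName", ""),
         "domain": data.get("TargetDomainName", ""),
         "package": data.get("AuthenticationPackageName", ""), "flags": []}
    # A client that presents its workstation name as the domain never reaches the AD account.
    if s["domain"].upper() != expected_domain.upper():
        s["flags"].append("domain mismatch: got %r, expected %r" % (s["domain"], expected_domain))
    if event_id == 4625:
        code = int(data.get("SubStatus", "0"), 16)
        s["flags"].append("sub status 0x%08X: %s" % (code, SUB_STATUS.get(code, "not mapped")))
    elif event_id == 4624:
        s["flags"].append("success via " + s["package"])
    return s

def _event(event_id, **fields):
    """Build a minimal constructed event in the Security log's XML schema."""
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, body))

# Constructed samples with placeholder names (not the thread's user or domain).
SAMPLES = [
    _event(4625, TargetUserName="jdoe", TargetDomainName="EXAMPLE", LogonType="3",
           AuthenticationPackageName="NTLM", Status="0xc000006d", SubStatus="0xc000006a"),
    _event(4625, TargetUserName="jdoe", TargetDomainName="LAPTOP-JDOE", LogonType="3",
           AuthenticationPackageName="NTLM", Status="0xc000006d", SubStatus="0xc0000064"),
    _event(4624, TargetUserName="jdoe", TargetDomainName="EXAMPLE", LogonType="3",
           AuthenticationPackageName="Kerberos"),
]
```

Run `parse_logon_event` over events exported from the server's Security log with the real AD domain as `expected_domain`; a run of NTLM failures whose domain is a workstation name points at the client, not at IIS or ColdFusion.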

Explorer, Mar 03, 2020

Will try your suggestions, and I thought I had removed all of the info that should not have been there; I edited the post. 🙂
