Hello, I'm testing PU for some time. I created some dashboards (that are getting information from different systems and AD). And that, I can say, is working as expected (a little slow sometimes, but I will try to optimize it later).
The next thing that I wanted to test before switching to the new platform is authentication, authorization and role based access.
Authentication is the thing that partially seems to work: I can log in with my domain credential and my login name is populated to user.
Authorization, role based access and Windows authentication is something that in my opinion is not working properly (or at least not fully).
I'm using a slightly modified authentication.ps1 script for that purpose (principal membership was a little slower in my case):
And that doesn't seem to work. When I check the role on the identities tab, my account doesn't show up.
On the other hand, when I manually add this account to the created role, role based authorization is working (but not Windows authentication).
Next thing: when I manually add my user account to the administrator role and then check the claim information, the role seems to be assigned (there is a role with the proper name).
So I'm starting to suspect that something is wrong in my authentication process. The user is authenticated (user and password are checked to be valid in the domain), but the later process is somehow broken.
Could someone please guide me on how to identify the problem and properly set it up? I won't go any further by myself, and if I won't be able to solve it, it won't be useful for me anymore.
PS. When Windows authentication is enabled, the following error appears in the log:
System.TypeInitializationException: The type initializer for 'Microsoft.AspNetCore.Authentication.Negotiate.ReflectedNegotiateState' threw an exception.
---> System.InvalidOperationException: Sequence contains more than one element
OK, we have a little progress. I managed to make role based access actually work.
I have done that by changing the role properties to:
Claim Type: Role
Claim Value: name of the AD group that I'm a member of
Which is pretty obvious if you are looking at the authentication.ps1 script:
New-PSUAuthorizationClaim -Type Role -Value $_
I thought the type was some kind of predefined value, but it turns out that it's like a string value of the role made in PU.
And to be honest, I still don't understand what the AD claim "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" should do in this case, or I'm messing it up somewhere.
But most of this configuration is straight from the PU docs, so either I don't understand something or those docs are misleading in some part.
Anyway, next case. Windows authentication. Still not working.
I have one more thing to add to my case.
I'm in a multi domain environment. User is in main domain, groups. PU server and PC computers are in child domain. I think this might be the case.
Does PU support a multi domain environment when Windows authentication is enabled?
PS2.
I tried on my old single domain. It's the same. Roles defined by "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" and a SID value do not work. Windows authentication throws the "Sequence contains more than one element" error.
So obviously I'm missing something here…
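The two role claim forms compared in the posts above (type Role with a group name, and the groupsid type with a SID value), as an added example that is not part of any post and is not PowerShell Universal's own code: it lists both forms for the current Windows identity so they can be checked against what is configured on a role. The function names, the string-equality match and the group name `PSU-Admins` are assumptions of the example.

```powershell
# Added example, not from the thread. Windows only; calls no PowerShell Universal cmdlets.
$GroupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

function Get-GroupClaimCandidate {
    # Lists each group of a Windows identity in the two claim forms from the thread.
    param(
        [System.Security.Principal.WindowsIdentity]
        $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    foreach ($sid in $Identity.Groups) {
        $account = $null
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # A SID from another domain or forest may not resolve to a name here;
            # the SID form below is still emitted.
        }
        if ($account) {
            # Form used by the thread's script: -Type Role -Value <group name>.
            # Both DOMAIN\name and the bare name are listed, because the page does
            # not show which one the script passes as the value.
            [pscustomobject]@{ Type = 'Role'; Value = $account; Sid = $sid.Value }
            [pscustomobject]@{ Type = 'Role'; Value = ($account -split '\\')[-1]; Sid = $sid.Value }
        }
        # groupsid form: the claim value is the SID string, not the group name.
        [pscustomobject]@{ Type = $GroupSidType; Value = $sid.Value; Sid = $sid.Value }
    }
}

function Test-RoleClaim {
    # Assumption: a role matches when claim type and claim value are both equal
    # as strings (-eq is case-insensitive in PowerShell).
    param([string]$ClaimType, [string]$ClaimValue, [object[]]$Candidate)
    [bool]($Candidate | Where-Object { $_.Type -eq $ClaimType -and $_.Value -eq $ClaimValue })
}

$claims = Get-GroupClaimCandidate
$claims | Sort-Object Type, Value | Format-Table -AutoSize

# 'PSU-Admins' is a constructed group name; substitute the value set on the role.
Test-RoleClaim -ClaimType 'Role' -ClaimValue 'PSU-Admins' -Candidate $claims
```

Groups whose name cannot be resolved appear only in the groupsid form, which is the case to look for in a parent/child domain setup like the one described.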
I'm getting similar problems trying to get Windows Authentication working with the beta.
2023-05-31 12:49:39.082 -04:00 [VRB] All hosts are allowed.
2023-05-31 12:49:39.083 -04:00 [ERR] Connection id "0HMR1ULLSO5ER", Request id "0HMR1ULLSO5ER:00000002": An unhandled exception was thrown by the application.
System.TypeInitializationException: The type initializer for 'Microsoft.AspNetCore.Authentication.Negotiate.ReflectedNegotiateState' threw an exception.
---> System.InvalidOperationException: Sequence contains more than one element
at System.Linq.ThrowHelper.ThrowMoreThanOneElementException()
at System.Linq.Enumerable.TryGetSingle[TSource](IEnumerable`1 source, Boolean& found)
at System.Linq.Enumerable.Single[TSource](IEnumerable`1 source)
at Microsoft.AspNetCore.Authentication.Negotiate.ReflectedNegotiateState..cctor()
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.Negotiate.ReflectedNegotiateState..ctor()
at Microsoft.AspNetCore.Authentication.Negotiate.ReflectedNegotiateStateFactory.CreateInstance()
at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
I updated to beta5. Looks like I get an error trying to go through the load balancer. I updated the CorsHosts and Api Url also in appsettings.json.
These settings are copied over from what works in production.
2023-06-01 15:57:14.751 -04:00 [ERR] Connection id "0HMR2R95M21CQ", Request id "0HMR2R95M21CQ:00000044": An unhandled exception was thrown by the application.
System.InvalidOperationException: An anonymous request was received in between authentication handshake requests.
at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2023-06-01 15:57:14.751 -04:00 [DBG] Connection id "0HMR2R95M21CQ" completed keep alive response.
2023-06-01 15:57:14.752 -04:00 [INF] Request finished HTTP/1.1 GET https://servername.contoso.com/api/v1/identity/my - - - 500 0 - 0.8059ms