IIS Windows Auth not working for me

I will have to see what’s going on there. I agree.


@PorreKaj,

Did authorization start working for you once you fixed the typo?

@adam,

I can’t get it to work. The UDAuthorization endpoints don’t seem to be running at all. Does this bug break Windows-integrated authorization entirely? I can’t find where in your source code the login page is called to see if the right object is passed.

Thanks,
Tim Curwick

Nah, ran out of time, I’ll revisit it once it’s fixed.

Looking into this now. I am also seeing this no longer work. The source code for this is part of a private repo because it is part of the enterprise functionality.

I’ve created an issue here: https://github.com/ironmansoftware/universal-dashboard/issues/553

Ok. I have some more information.

I have fixed the issue where $ClaimsPrincipal is spelled wrong, where errors in an authorization policy will allow the user to continue, and UD logging. I’m going to get nightly builds of the enterprise edition published somewhere, as there isn’t a good way to expose an AppVeyor project for a private repo.

But the authorization policies themselves appear to be working. The problem I was having was that the group policy claims must be cached somehow.

I have an Accounting and Admins group. I added my local user adamr to the accounting group. I can see both an Admin and Accounting page in this configuration. I then remove the user from the group and then open the dashboard again. I still have access to the Accounting page. I can see in the ClaimsPrincipal object that I still am receiving that group claim from IIS.

I was using Chrome. So I closed Chrome completely (no Chrome.exes running). I then launched it again, and the same claim was still in there.

I then launched with Edge. It prompted me for a user name and password. I no longer have access to the accounting page and can see that the claim is missing from my claims list.

I then log out completely of my Windows session (logged in as adamr) and then open Chrome again and go to the dashboard and no longer have access to the accounting page.

Can you please try the following steps and see if you have a similar experience?

Adam,

I have been testing with a group that I am a member of and one that I have never been a member of. (I’m at a client and don’t have easy access to change membership.)

In design mode, I can see in my claims that I am a member of GroupA and not a member of GroupB.
I have a UDAuthorizationPolicy for each, and a test page for each.
Testing with Chrome, I have full access to both pages.
Logging out of and back into Windows or restarting my laptop has no effect.

If I try to test with Edge or Internet Explorer, I get a blank page instead of my home page or any other pages I try to go to directly, and am not prompted for credentials. (I presume that discussion will be a new thread.)

I added a command to one of my endpoints to write to a log. It never happens, implying the endpoint is never run.

Thanks,
Tim C

Here is the latest build with the fixes I mentioned: https://adamdriscollstorage.blob.core.windows.net/universaldashboard-releases/UniversalDashboard.2.3.0.118.zip

Could you please try that in your environment and enable UD logging? The log path needs to be somewhere the AppPool user can write to.

Enable-UDLogging -Level Debug -FilePath C:\mylogs

This should give some more information on why the policy may not be invoked. Additionally, if you could post your dashboard script, that would be helpful.

As for the IE\Edge problem, can you open the F12 developer tools to see if you have any errors in there?

Where do I put Enable-UDLogging?

Put it in your dashboard.ps1 that you are deploying with your IIS site.

I finally got it working. I was using -AuthorizedRole with New-UDPage where I needed -AuthorizationPolicy.

There is at least one place in the 2.3.0.118 code which still has the misspelling, as this line appears in the log:

16:23:32 [Debug] ExecutionService ClaimsPrinciple = System.Security.Claims.ClaimsPrincipal

And Get-UDElement appears to be broken in this build.

Thanks,
Tim Curwick

I left the misspelling in there so I didn’t break people’s scripts. It should be setting both the incorrect and correct spelling now.

I’ll take a look at Get-UDElement.

Thanks

I’m running into the same issues as above. I’m stumped. I’m using my login as a test here and have taken myself out of the groups in my claims for the time being, but I’m still able to load both dashboards. I know the login page is working because I get the Sign Out button when I load the webpage, so it has to be the claims not taking effect. Unfortunately, when I attempt to Enable-UDLogging, IIS won’t start. Is there a certain place that needs to be called in the dashboard.ps1? If it helps, my current running version of UD is 2.2.1.

I’ve configured IIS for Windows Authentication per - https://github.com/adamdriscoll/universal-dashboard-documentation/blob/master/security/authentication/windows.md

My Claims are setup like so:

$SupportPolicy = New-UDAuthorizationPolicy -Name "Support" -Endpoint {
    param($ClaimsPrincipal)
    # The parameter is $ClaimsPrincipal; the original referenced the undefined $ClaimPrincipal
    $ClaimsPrincipal.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", "S-1-5-21-48200957-2212589444-2584372378-1151")
}

# Cmdlet name is New-UDAuthorizationPolicy (hyphen was missing)
$AdminPolicy = New-UDAuthorizationPolicy -Name "Admin" -Endpoint {
    param($ClaimsPrincipal)
    $ClaimsPrincipal.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", "S-1-5-21-48200957-2212589444-2584372378-20173")
}

Login Page:

$Auth = New-UDAuthenticationMethod -Windows
# The policy array must stay on the same line as the parameter (a bare line break ends the command)
$LoginPage = New-UDLoginPage -AuthenticationMethod $Auth -PassThru -AuthorizationPolicy @($SupportPolicy, $AdminPolicy)

Support Page:

New-UDPage -Name "Support-Tools" -AuthorizationPolicy @("Admin", "Support") -Icon user -Content{...

Admin (Dev) Page:

New-UDPage -Name "Dev-Board" -AuthorizationPolicy "Admin" -Icon user -Content{...

Any idea how to fix logging and or why the claims aren’t processing correctly?
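The following dashboard.ps1 fragment is an added example and not code from this thread or from the Universal Dashboard project. It serves two points raised above: Adam’s observation that group claims handed over by IIS can be stale (so the claims a policy actually receives are worth logging), and the policy/page wiring posted just above. Each policy checks one group SID claim, returns a strict boolean, and fails closed if anything inside it throws (the fixed build mentioned earlier let errors fall through as "allowed"). The group SIDs and log path are constructed placeholders, and the policy body is generated as text on the assumption that UD 2.x runs endpoints in their own runspaces, where script-level functions and variables are not visible.

```powershell
# Added example, not from the thread or the Universal Dashboard project.
# IIS / Windows-auth dashboard.ps1: fail-closed group-SID authorization policies
# that also log the group claims they received, for diagnosing cached membership.

Enable-UDLogging -Level Debug -FilePath 'C:\mylogs'   # as suggested in the thread

$ClaimLog  = 'C:\mylogs\claims.log'       # placeholder; must be writable by the AppPool identity
$GroupSids = @{                            # constructed placeholder SIDs, not real groups
    Support = 'S-1-5-21-0-0-0-1001'
    Admin   = 'S-1-5-21-0-0-0-1002'
}

function New-GroupSidPolicy {
    # Builds a self-contained policy endpoint. The body is produced as text so the
    # endpoint carries everything it needs into its own runspace (assumption about UD 2.x).
    param([string]$Name, [string]$Sid, [string]$LogPath)

    $template = @'
param($ClaimsPrincipal)   # correct spelling; $ClaimPrincipal would be an undefined variable
$groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
try {
    # Record every group SID claim IIS handed us, resolved to an account name where possible.
    $lines = foreach ($c in $ClaimsPrincipal.Claims | Where-Object { $_.Type -eq $groupSidType }) {
        try   { $acct = ([System.Security.Principal.SecurityIdentifier]$c.Value).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $acct = '<unresolved>' }
        '{0} [__NAME__] {1} groupsid={2} ({3})' -f (Get-Date -Format o), $ClaimsPrincipal.Identity.Name, $c.Value, $acct
    }
    if ($lines) { Add-Content -Path '__LOG__' -Value $lines }

    # Strict boolean: $null or an exception must never be treated as "allowed".
    return [bool]$ClaimsPrincipal.HasClaim($groupSidType, '__SID__')
} catch {
    Add-Content -Path '__LOG__' -Value ('{0} [__NAME__] error: {1}' -f (Get-Date -Format o), $_.Exception.Message)
    return $false   # fail closed
}
'@
    $body = $template.Replace('__NAME__', $Name).Replace('__SID__', $Sid).Replace('__LOG__', $LogPath)
    New-UDAuthorizationPolicy -Name $Name -Endpoint ([scriptblock]::Create($body))
}

$SupportPolicy = New-GroupSidPolicy -Name 'Support' -Sid $GroupSids.Support -LogPath $ClaimLog
$AdminPolicy   = New-GroupSidPolicy -Name 'Admin'   -Sid $GroupSids.Admin   -LogPath $ClaimLog

$Auth      = New-UDAuthenticationMethod -Windows
$LoginPage = New-UDLoginPage -AuthenticationMethod $Auth -PassThru -AuthorizationPolicy @($SupportPolicy, $AdminPolicy)

$Pages = @(
    # Gate pages with -AuthorizationPolicy and the policy names; -AuthorizedRole is a different mechanism.
    New-UDPage -Name 'Support-Tools' -AuthorizationPolicy @('Admin', 'Support') -Content { New-UDCard -Title 'Support tools' }
    New-UDPage -Name 'Dev-Board'     -AuthorizationPolicy 'Admin'               -Content { New-UDCard -Title 'Admin board' }
)

$Dashboard = New-UDDashboard -Title 'Ops' -LoginPage $LoginPage -Pages $Pages
Start-UDDashboard -Dashboard $Dashboard -Wait
```

Two outcomes in claims.log are informative. If a line still shows the group SID after the user was removed from the group, the claim is coming from the logon token IIS already holds, which is the cached-membership behaviour described earlier in the thread and clears only with a fresh logon session. If no line is ever written for a page load, the policy is not being invoked at all, which is what happens when a page is gated with -AuthorizedRole instead of -AuthorizationPolicy.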

Attempted to Update to 2.3.0.118 Build @adam posted above and it broke IIS. Getting tons of application errors after the update. I redeployed from my backup and got everything working again. Is there a weird process for updating to this build? I thought I could just move the new files over to the webroot and restart the IIS Server.

When copying the files over from the new build, don’t include Dashboard.ps1 and Web.Config in the overwrite.

That’s exactly what I did, and after restarting IIS I’m getting application errors pertaining to the UD.server.exe failing to start.

IIS AspNetCore Module Error:

Application 'MACHINE/WEBROOT/APPHOST/DEFAULT WEB SITE' with physical root 'C:\inetpub\wwwroot\' failed to start process with commandline 'C:\inetpub\wwwroot\net472\universaldashboard.server.exe ', ErrorCode = '0x80004005 : e0434352.

Windows Error Report:

Fault bucket 1530942474755084786, type 5
Event Name: CLR20r3
Response: Not available
Cab Id: 0

Problem signature:
P1: universaldashboard.server.exe
P2: 1.0.0.0
P3: f9fe6b61
P4: UniversalDashboard.Server
P5: 1.0.0.0
P6: f9fe6b61
P7: 1
P8: 1df
P9: System.Exception
P10: 

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_universaldashboa_849ba0e3bd391fcbd8d6384193454945ba321f6_7f3a1ad4_1a6fb826

Analysis symbol: 
Rechecking for solution: 0
Report Id: 24ac014b-321f-4edf-99ea-7e0d000153ce
Report Status: 0
Hashed bucket: 1b37562a7e1d0648e53f0011cb5591f2

Make sure to unblock the files in the web directory:

Get-ChildItem -Recurse | Unblock-File 

Since the ZIP was downloaded from the internet, the files may be blocked.

After doing that and restarting IIS I got two new errors.

Application Error:

Faulting application name: universaldashboard.server.exe, version: 1.0.0.0, time stamp: 0xf9fe6b61
Faulting module name: KERNELBASE.dll, version: 10.0.14393.2636, time stamp: 0x5bda7edc
Exception code: 0xe0434352
Fault offset: 0x0000000000034048
Faulting process id: 0xa3c
Faulting application start time: 0x01d4af5cce42c7c1
Faulting application path: C:\inetpub\wwwroot\net472\universaldashboard.server.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: 1db3370d-b3f0-4406-b1b4-1b2426004c3f
Faulting package full name: 
Faulting package-relative application ID: 

.NET Runtime Error:

Application: universaldashboard.server.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Exception
   at UniversalDashboard.DashboardManager.Start()
   at UniversalDashboard.Program.Main(System.String[])

Any idea? Did the zip file just not download correctly, by chance?

There could be something wrong with the dashboard script.

Navigate to the installation directory in a cmd prompt and execute the UniversalDashboard.Server by hand. It might provide a better error message.

Nothing new, the cmd prompt pops up and quickly disappears (ran as Administrator). Event logs show the same errors as before.

So I was able to get logging enabled, but I’m getting the same FileLoadException mentioned in this thread. It did create a log file, but I’m not finding anything regarding the AuthorizationPolicies within the file. Is there something specific I should look for? I’m going to test out the -Design flag right now and see if I can get anything from there.

Update: Interestingly, when I add the -Design flag to the Start command, I get the same errors in the event logs as when I try to update to the 2.3.0.118 build.