UD 2.3.1 - Unable to get Claims Authentication to work (IIS)

I have recently updated to 2.3.1 and I’m trying to resolve Claims Authentication issues with my Dashboard. I’ve followed all the relevant documentation available and even worked here on the forums with people having similar issues to no avail. I’ve been staring at this for multiple days now and just can’t wrap my head around what’s not working. Take a look at my code below and if you see something I’m missing please let me know.

I’m running a 2-page Dashboard: one page will host a Prod version of my Support Team’s dashboard with useful tools that let them do mundane day-to-day tasks with limited clicks, and a second page will act as my Admin dashboard for development of future toolsets. There will be more boards in the future, but I would like to just get Claims Authentication working on these first and move forward from there. I have to make sure this is working properly before I can release it to Prod, as some of the tool sets provide access to high-level changes on our Domain, and right now, without the claims working at all, anyone who loads the dashboard will have access to these tools.

Any help would be greatly appreciated.

Dashboard.ps1

#Claims Based Authorization Policy Settings
#The endpoint receives one parameter, $ClaimsPrincipal; the method call must use the same name
$SupportPolicy = New-UDAuthorizationPolicy -Name "Support" -Endpoint {
    param($ClaimsPrincipal)
    # True only when the user's Windows token carries the Support group's SID as a groupsid claim
    $ClaimsPrincipal.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", "S-1-5-21-48200957-2212589444-2584372378-21785")
}

$AdminPolicy = New-UDAuthorizationPolicy -Name "Admin" -Endpoint {
    param($ClaimsPrincipal)
    # Same check against the Admin group's SID
    $ClaimsPrincipal.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", "S-1-5-21-48200957-2212589444-2584372378-21786")
}


#Authorization Method and Login Page Settings -Passthru enabled
$Auth = New-UDAuthenticationMethod -Windows
$LoginPage = New-UDLoginPage -AuthenticationMethod $Auth -PassThru -AuthorizationPolicy @($SupportPolicy, $AdminPolicy)

#Set License
Set-UDLicense -License (Get-Content .\license.txt -Raw)

#Dashboard and Page Creation
$Pages = @()
Get-ChildItem (Join-Path $PSScriptRoot "pages") | ForEach-Object {
$Pages += . $_.FullName
}

#Enable logging before starting: anything placed after Start-UDDashboard -Wait only runs once the dashboard stops
Enable-UDLogging -Level Debug -FilePath C:\Scripting\UDLogs\udlog.txt

#FontColor must be 8-digit ARGB; a 7-digit value is parsed with a near-zero alpha (almost transparent text)
Start-UDDashboard -Wait -Dashboard (
    New-UDDashboard -LoginPage $LoginPage -Title "Title" -NavBarColor '#FF1c1c1c' -NavBarFontColor "#FF55b3ff" -BackgroundColor "#740606" -FontColor "#FFFFFFFF" -Pages $Pages -FontIconStyle FontAwesome
) -AllowHttpForLogin

Home.ps1

New-UDPage -Name "Support-Tools" -AuthorizationPolicy "Support" -Icon user -Content{ *All Content Omitted* }

Dev.ps1

New-UDPage -Name "Dev-Board" -AuthorizationPolicy "Admin" -Icon user -Content{ *All Content Omitted* }

I’ve tried just about everything I can find at this point with no results. I’m completely stumped… I also tried using the -Design flag I found in this thread but when I put it anywhere in my Start-UDDashboard command IIS fails to start.

Thanks in advance for any recommendations!
Caleb B
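As an added example (not Caleb’s code and not part of Universal Dashboard itself), here is a fail-closed version of the group-SID check that can be exercised in a plain PowerShell console, without IIS or UD, by building a ClaimsPrincipal by hand; the SIDs and the account name are constructed placeholders. The body of Test-GroupSidClaim is what belongs inside each policy’s -Endpoint scriptblock.

```powershell
using namespace System.Security.Claims

# Fail-closed group check. $Principal is what UD passes to the policy
# endpoint as $ClaimsPrincipal; anything unexpected yields a deny.
function Test-GroupSidClaim {
    param($Principal, [string] $GroupSid)
    if ($null -eq $Principal) { return $false }
    if (-not $Principal.Identity -or -not $Principal.Identity.IsAuthenticated) { return $false }
    # [ClaimTypes]::GroupSid is the ".../ws/2008/06/identity/claims/groupsid" URI
    return [bool] $Principal.HasClaim([ClaimTypes]::GroupSid, $GroupSid)
}

# Diagnostic: list every claim so the groupsid claims (or their absence) are visible.
function Show-PrincipalClaims {
    param($Principal)
    foreach ($c in $Principal.Claims) { '{0} = {1}' -f $c.Type, $c.Value }
}

# Constructed sample principal shaped like one produced by IIS Windows auth.
function New-SamplePrincipal {
    param([string[]] $GroupSids, [switch] $Anonymous)
    $claims = @([Claim]::new([ClaimTypes]::Name, 'CONTOSO\sample.user'))   # placeholder account
    foreach ($sid in $GroupSids) { $claims += [Claim]::new([ClaimTypes]::GroupSid, $sid) }
    $authType = if ($Anonymous) { '' } else { 'Negotiate' }   # empty type => IsAuthenticated is false
    $identity = [ClaimsIdentity]::new([Claim[]] $claims, $authType)
    return [ClaimsPrincipal]::new($identity)
}

$supportSid = 'S-1-5-21-0-0-0-1001'   # placeholder for the real Support group SID
$otherSid   = 'S-1-5-21-0-0-0-1002'   # placeholder for an unrelated group SID

$cases = [ordered]@{
    'member of Support'   = New-SamplePrincipal -GroupSids $supportSid, $otherSid
    'other group only'    = New-SamplePrincipal -GroupSids $otherSid
    'not authenticated'   = New-SamplePrincipal -Anonymous
    'no principal at all' = $null
}
foreach ($name in $cases.Keys) {
    $allowed = Test-GroupSidClaim -Principal $cases[$name] -GroupSid $supportSid
    '{0,-20}: allowed={1}' -f $name, $allowed
}
Show-PrincipalClaims -Principal $cases['member of Support']
```

Only the first case should come back allowed; if a real IIS principal lists no groupsid claims at all in Show-PrincipalClaims, the Windows token is not reaching UD and the policy can only deny.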

You need v2.3.2.

Thanks,
Tim Curwick

Maybe. I don’t remember what fixes were where. But there were several bugs with 2.3.1 and IIS.

Hey Tim,

I just went ahead and shut everything down and updated to 2.3.2

After getting everything back up and running I can still access both of the dashboard pages from my testing accounts and the -Design flag still seems to be causing IIS to crash currently.

Do you have anonymous authentication disabled in IIS?

Not sure about the -Design issue. It’s working for me.

Thanks,
Tim Curwick

And just to make sure, you do have Windows Auth enabled in IIS?

@MadWithPowerShell @Jacob-Evans I have Anon disabled, and Windows Auth is the only authentication currently enabled in IIS.

Where exactly are you putting the -Design flag in your Start command @MadWithPowerShell?

Thanks,

Caleb B

I’m feeling like my License may not have gotten applied properly. I just have the license.txt file being called in my dashboard.ps1 file. Is that enough for UD to know I’m on enterprise?

That wouldn’t affect being able to run the permissions.

But what i did was i took the license and put it into a “license.lic” file.

Then place that into the wwwroot folder and the net472 folder.

That worked for me as far as the license went.

@Jacob-Evans that’s how I’ve got mine set up currently. In IIS, should basic settings be set up for Application Authentication (Pass-Through Authentication)? I’m not an IIS guru, sorry for any stupid questions…

In your Web.config file, did you change

forwardWindowsAuthToken="false"

to

forwardWindowsAuthToken="true"
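An added pre-flight check (not from any reply in this thread) that tests the IIS-side items raised so far together: anonymous authentication off and Windows authentication on, forwardWindowsAuthToken in web.config, and license.lic present in wwwroot and net472. It assumes the site is 'Default Web Site' rooted at C:\inetpub\wwwroot, an elevated console, and the WebAdministration module from the IIS management scripts feature.

```powershell
Import-Module WebAdministration

function Test-UDIisAuthSetup {
    param(
        [string] $SiteName = 'Default Web Site',   # assumption: adjust to your site
        [string] $SiteRoot = 'C:\inetpub\wwwroot'  # the path the thread's logs show
    )
    $results = [ordered]@{}

    # 1. Anonymous auth must be off and Windows auth on, otherwise every visitor
    #    reaches UD as an unauthenticated principal and no claim policy can match.
    $authPath = 'system.webServer/security/authentication'
    $checks = @(
        @{ Key = 'AnonymousAuthDisabled'; Node = 'anonymousAuthentication'; Want = $false },
        @{ Key = 'WindowsAuthEnabled';    Node = 'windowsAuthentication';   Want = $true }
    )
    foreach ($chk in $checks) {
        $enabled = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
                        -Filter "$authPath/$($chk.Node)" -Name 'enabled').Value
        $results[$chk.Key] = ($enabled -eq $chk.Want)
    }

    # 2. web.config must hand the Windows token to the UD process (aspNetCore element).
    $webConfig = Join-Path $SiteRoot 'web.config'
    $forward = $false
    if (Test-Path $webConfig) {
        [xml] $xml = Get-Content $webConfig -Raw
        $node = $xml.SelectSingleNode('//aspNetCore')
        $forward = ($node -and $node.forwardWindowsAuthToken -eq 'true')
    }
    $results['ForwardWindowsAuthToken'] = $forward

    # 3. license.lic in both locations the thread reports as working.
    $results['LicenseInWwwroot'] = Test-Path (Join-Path $SiteRoot 'license.lic')
    $results['LicenseInNet472']  = Test-Path (Join-Path $SiteRoot 'net472\license.lic')

    return [pscustomobject] $results
}

Test-UDIisAuthSetup | Format-List
```

Every property should read True before expecting a claims policy to deny anyone; a False on the first two means IIS, not the dashboard script, is the thing to fix.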

Caleb,

Here is my dashboard.ps1

<#
.SYNOPSIS
    Dashboard.ps1
    IIS launcher for Contoso automation website.

.NOTES
    This file must be named "Dashboard.ps1" to be found by Universal Dashboard and IIS.

    Dependencies
        Note: Dependent modules and scripts have additional dependencies

        Module
            UniversalDashboard v2.x

        Files
            $PSScriptRoot\Scripts\Get-ContosoDashboard.ps1

    v1.0  2109/ 1/16  Tim Curwick  Created
#>
#  Path to UD dashboard (site) definition
$FilePath   = "$PSScriptRoot\Scripts\Get-ContosoDashboard.ps1"

#  Set to True for debug logging and UD design mode
$DesignMode = $True

#  Dashboard name
$DashboardName = 'ContosoAutomation'

#  Log path
$DateString    = (Get-Date).ToString( 'yyyy-MM-dd.hh.mm' )
$DebugPath     = "$PSScriptRoot\Log\$DashboardName.Website.$DateString.Debug.log"

#  If run in DesignMode
#    Enable debug logging
If ( $DesignMode )
    {
        Enable-UDLogging -Level Debug -FilePath $DebugPath
    }

#  ## NOTE: -AllowHttpForLogin does not really allow unsecure communication
#           when used with IIS, but is required for IIS authentication to work.

#  Start dashboard (web site)
Start-UDDashboard -Name $DashboardName -FilePath $FilePath -Wait -Design:$DesignMode -AllowHttpForLogin

Thanks,
Tim Curwick

@Jacob-Evans Yes I’ve set that up as well in my web.config file.

@MadWithPowerShell that’s interesting, so you aren’t doing any of your authorization in the Dashboard file? As well, how does this work with a multipage dashboard? I guess you would need to call New-UDDashboard in a separate file in the $PSScriptRoot\Scripts directory? Maybe that is why -Design is not working for me, because I’m calling everything directly in my Dashboard.ps1 file.

Caleb,

I have Scripts and Config folders and an empty Log folder that I copy into the UD folder. Scripts has a separate ps1 for the endpoints of each dynamic page and a script defining the dashboard. Config has my nav bar logo image, a credential file my app uses plus any files that need to be copied into the UD structure: Dashboard.ps1, web.config, Index.html, favicon.ico, and license.lic. Dashboard.ps1 (posted above) is just a wrapper for launching the dashboard defined by the script in the Scripts folder.

This makes development and deployment easier, but should not impact behavior. I would expect -Design to work for you.

Thanks,
Tim Curwick

So when I enabled logging and the -Design flag, I’m seeing that UD is showing Designer as being False, as well as my login page being null. IIS just fails to start, though, so I can’t troubleshoot it further.

Here’s some snippets from the log file that is generated.

10:41:45 NewDashboardCommand {"id":"00000000-0000-0000-0000-000000000000","Title":"Texas A&M Office of the Provost IT","NavBarColor":"rgba(28, 28, 28, 1)","NavBarFontColor":"rgba(85, 179, 255, 1)","BackgroundColor":"rgba(116, 6, 6, 1)","FontColor":"rgba(255, 255, 255, 0.05882353)","FontIconStyle":"FontAwesome","NavbarLinks":null,"Scripts":null,"Stylesheets":null,"CyclePages":false,"CyclePagesInterval":10,"Error":null,"Designer":false,"LoginPage":null,"LoadingScreen":null,"Footer":null,"NavBarLogo":null,"Demo":false,"geolocation":false,"FilterText":null}

10:41:45 StartDashboardCommand  - C:\inetpub\wwwroot\dashboard.ps1 - False

10:41:45 StartDashboardCommand {"id":"00000000-0000-0000-0000-000000000000","Title":"Texas A&M Office of the Provost IT","NavBarColor":"rgba(28, 28, 28, 1)","NavBarFontColor":"rgba(85, 179, 255, 1)","BackgroundColor":"rgba(116, 6, 6, 1)","FontColor":"rgba(255, 255, 255, 0.05882353)","FontIconStyle":"FontAwesome","NavbarLinks":null,"Scripts":null,"Stylesheets":null,"CyclePages":false,"CyclePagesInterval":10,"Error":null,"Designer":false,"LoginPage":null,"LoadingScreen":null,"Footer":null,"NavBarLogo":null,"Demo":false,"geolocation":false,"FilterText":null}

10:41:46 CustomAssemblyLoadContext Pointer Size:8
10:41:46 CustomAssemblyLoadContext Loading files in native directory: C:\inetpub\wwwroot\net472\runtimes\win-x64\native
10:41:46 CustomAssemblyLoadContext Loading file: C:\inetpub\wwwroot\net472\runtimes\win-x64\native\libuv.dll
10:41:46 CustomAssemblyLoadContext Loading file: C:\inetpub\wwwroot\net472\runtimes\win-x64\native\Microsoft.DiaSymReader.Native.amd64.dll
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:46 DashboardBuilder Adding endpoint:
10:41:48 ExecutionService ExecutionService constructor
10:41:49 Quartz.Impl.StdSchedulerFactory Using object serializer: Quartz.Simpl.BinaryObjectSerializer, Quartz
10:41:49 Quartz.Simpl.TaskSchedulingThreadPool TaskSchedulingThreadPool configured with max concurrency of 10 and TaskScheduler ThreadPoolTaskScheduler.
10:41:49 Quartz.Core.SchedulerSignalerImpl Initialized Scheduler Signaller of type: Quartz.Core.SchedulerSignalerImpl
10:41:49 Quartz.Core.QuartzScheduler Quartz Scheduler v.3.0.6.0 created.
10:41:49 Quartz.Simpl.RAMJobStore RAMJobStore initialized.
10:41:49 Quartz.Core.QuartzScheduler Scheduler meta-data: Quartz Scheduler (v3.0.6.0) 'QuartzScheduler' with instanceId 'NON_CLUSTERED'
Scheduler class: 'Quartz.Core.QuartzScheduler' - running locally.
NOT STARTED.
Currently in standby mode.
Number of jobs executed: 0
Using thread pool 'Quartz.Simpl.DefaultThreadPool' - with 10 threads.
Using job-store 'Quartz.Simpl.RAMJobStore' - which does not support persistence. and is not clustered.

10:41:49 Quartz.Impl.StdSchedulerFactory Quartz scheduler 'QuartzScheduler' initialized
10:41:49 Quartz.Impl.StdSchedulerFactory Quartz scheduler version: 3.0.6.0
10:41:49 Quartz.Core.QuartzScheduler Scheduler QuartzScheduler__NON_CLUSTERED started.
10:41:49 Quartz.Core.QuartzSchedulerThread Batch acquisition of 0 triggers
10:42:12 Quartz.Core.QuartzSchedulerThread Batch acquisition of 0 triggers
10:42:27 Quartz.Core.QuartzScheduler Scheduler QuartzScheduler_NON_CLUSTERED shutting down.
10:42:27 Quartz.Core.QuartzScheduler Scheduler QuartzScheduler_NON_CLUSTERED paused.
10:42:27 Quartz.Simpl.TaskSchedulingThreadPool Shutting down threadpool...
10:42:27 Quartz.Simpl.TaskSchedulingThreadPool Shutdown of threadpool complete.
10:42:27 Quartz.Core.QuartzScheduler Scheduler QuartzScheduler__NON_CLUSTERED Shutdown complete.

This is with Logging Enabled and -Design flag.

If you run the script in a PowerShell console, with the Start-UDDashboard command commented out (but still running New-UDDashboard), do you get a dashboard and no errors?

(One advantage of keeping the New-UDDashboard in a separate file from the Start-UDDashboard stuff is that it’s simpler to test that the dashboard script does successfully define a dashboard. (Whether that dashboard works or not is the next step.))

Thanks,
Tim Curwick