Microsoft Dynamics AX (Archived)

Enterprise Portal Forms-based Authentication Failing


I'm experiencing authentication issues with a customer-facing Development EP Site built to use Forms-Based Authentication, following the TechNet article "Deploy an Enterprise Portal site that uses forms-based authentication [AX 2012]" https://technet.microsoft.com/EN-US/library/hh575253.aspx#configurecerts

The Development Environment consists of an AOS Server with DB, also hosting an Internal EP Site on SP2013 Foundation Edition, and in a separate SP Farm an Extranet SharePoint 2013 Enterprise Edition App + DB Server. An associated WFE located in a DMZ exists, but this has been excluded from the initial installation tests.

I have been very careful to follow the guide document and have been rechecking multiple times.

Windows Authentication using the Installer User Account works, but other registered AX AD Users with System Admin Roles receive an Access Denied error. The denied users are, however, able to access the Internal EP Site hosted on the AOS Server.

Claims users have been successfully created using the Dynamics AX 2012 Management Shell, appearing in the aspnetdb and the Dynamics AX Users List. Roles have been added to the accounts.

I've captured ULS Logs from each authentication attempt but my experience and knowledge of SharePoint doesn't extend to pinpointing the root cause of the issue. 

I do see a great number of errors of the type: Exception trying get context compatibility level: System.IO.FileNotFoundException: https://server.domain:5000/_login/default.aspx?ReturnUrl=%2fsites%2fDynamicsAx%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252Fsites%252Fdynamicsax&Source=%2Fsites%2Fdynamicsax could not be found in the Web application SPWebApplication Name=DynamicsAxEP - 5000. at Microsoft.SharePoint.SPSite.LookupSiteInfo(SPFarm farm, Boolean contextSite, Boolean swapSchemeForPathBasedSites, Uri& requestUri, Boolean& lookupRequiredContext, Guid& applicationId, Guid& contentDatabaseId, Guid& siteId, Guid& siteSubscriptionId, SPUrlZone& zone, String& serverRelativeUrl, Boolean& hostHeaderIsSiteName, Boolean& appWebRequest, String& appHostHeaderRedirectDomain, String& appSiteDomainPrefix, String& subscriptionName, String& appSiteDomainId, Uri& primaryUri) at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.GetContextCompatibilityLevel(Uri requestUri)

Exception trying get context compatibility level: System.IO.FileNotFoundException: The site https://server.domain:5088/_Layouts/FormsAuth/Login.aspx?wa=wsignin1.0&wtrealm=urn%3aserver%3aFormsAuth&wctx=https%3a%2f%2fserver.domain%3a5000%2fsites%2fDynamicsAx%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252Fsites%252Fdynamicsax could not be found in the Web application SPWebApplication Name=DynamicsFormsSTS - server.domain-5088. at Microsoft.SharePoint.SPSite.LookupSiteInfo(SPFarm farm, Boolean contextSite, Boolean swapSchemeForPathBasedSites, Uri& requestUri, Boolean& lookupRequiredContext, Guid& applicationId, Guid& contentDatabaseId, Guid& siteId, Guid& siteSubscriptionId, SPUrlZone& zone, String& serverRelativeUrl, Boolean& hostHeaderIsSiteName, Boolean& appWebRequest, String& appHostHeaderRedirectDomain, String& appSiteDomainPrefix, String& subscriptionName, String& appSiteDomainId, Uri& primaryUri) at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.GetContextCompatibilityLevel(Uri requestUri)

From what I could find, this error relates to Web Applications without a Site Collection, which appears to be the case for the STS Site. I'm not sure how the Login page has been added to the EP Web Application.

Any suggestions from those who have successfully deployed EP with Forms-based authentication would be gratefully received. Many thanks in advance.

  • Iulian Cordobin (8,201):

    So, the STS generated site is located on port 5088, right?

    When you are opening up the external EP site, you get the initial dialog asking you to select either Windows Authentication or Forms-based?

  • Suggested answer from Iulian Cordobin (8,201):

    So, there should be a folder named after your Forms-based authentication provider (call it ABCForms) in SharePoint's folder located at c:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\ABCForms, into which the content of the FormsSTSTemplate, which has the files of the STS generated site, should have been copied. This folder should reside on the IIS holding the external EP site.

  • Douglas Noel (3,905):

    Hello,

    I've no idea, but there seems to be a kernel fix available, KB3037673, dealing with some problems in claims-based authentication. Maybe this resolves your problem?

    regards

    Douglas

  • Community Member:

    Yes, the selection dialog is presented.

    When accessing the Extranet EP URL with the Administrator account used to perform the installation Windows Authentication works, albeit slowly.

    When accessing the Extranet EP URL using another registered user account and selecting Windows Authentication, an Access Denied message is returned. This same user account can successfully authenticate against an Intranet EP hosted on the AOS.

    When the Forms-Based Trusted Identifier is selected, the STS page on port 5088 is presented. Authenticating using a registered claims-based user account results in "Your login attempt was not successful. Please try again".

  • Community Member:

    Yes, the "FormsAuth" folder exists, with the following files: Login.aspx, Login.aspx.cs, and web.config.

    In troubleshooting the issue I've checked the web.config to ensure the connection string to the aspnetdb was correctly formed by the command:

    Add-AXSharepointClaimsAuthenticationProvider -Type Forms -Name FormsAuth -SigningCertificate $SigningCert -Credential $Cred -Port 5088 -SSLCertificate $SSLCert -ConnectionString "Data Source=V042D058S\SPMSSQL;Initial Catalog=aspnetdb;Trusted_Connection=true"

    <?xml version="1.0"?>
    <!--
       Note: As an alternative to hand editing this file you can use the
       web admin tool to configure settings for your application. Use
       the Website->Asp.Net Configuration option in Visual Studio.
       A full list of settings and comments can be found in
       machine.config.comments usually located in
       \Windows\Microsoft.Net\Framework\v2.x\Config
    -->
    <configuration>
     <system.web>
       <customErrors mode="RemoteOnly" />
     </system.web>
     <appSettings>
       <add key="applicationName" value="/" />
       <add key="maxInvalidPasswordAttempts" value="10" />
       <add key="passwordAttemptWindow" value="20" />
       <add key="minRequiredNonAlphanumericCharacters" value="2" />
       <add key="minRequiredPasswordLength" value="4" />
       <add key="passwordStrengthRegularExpression" value="" />
       <add key="enablePasswordReset" value="true" />
       <add key="enablePasswordRetrieval" value="false" />
       <add key="requiresQuestionAndAnswer" value="false" />
       <add key="requiresUniqueEmail" value="true" />
       <add key="writeExceptionsToEventLog" value="true" />
       <add key="connectionStringName" value="FormsAuth" />
       <add key="IssuerName" value="PassiveSigninSTS" />
       <add key="SigningCertificateName" value="CN=FORMS-CERT" />
       <add key="EventSourceName" value="Dynamics .NET Business Connector 6.0" />
       <add key="EventId" value="172" />
       <add key="enableForceChangePasswordOnce" value="false" />
       <!--
       Override for system.web/membership:hashAlgorithmType of web.config.
       WARNING!:
           Unless this is done before any user is created, modifying this
           may result in existing users not being able to authenticate
           using forms-based authentication. Currently there is no support
           for automatic migration if switching hash algorithms.
       -->
       <add key="hashAlgorithmType" value="SHA1" />
     </appSettings>
     <connectionStrings>
       <add name="FormsAuth" connectionString="Data Source=V042D058S\SPMSSQL;Initial Catalog=aspnetdb;Trusted_Connection=true" />
     </connectionStrings>
    </configuration>

  • Community Member:

    Hi there,

    Many thanks for the reply.

    Our Dynamics AX 2012 R3 build is: 6.3.164.0 (RTM). Correct me if I'm wrong but it looks like this kernel fix is for CU8. Our project hasn't validated CU8 yet.

    I'll certainly ask our support channels if this issue could be related and if it's present in CU7.

  • Community Member:

    Update on this issue.

    I have narrowed the problem down to registering new users through the command: New-AXUser -AccountType ClaimsUser -AXUserId jdd -UserName johndoe -UserDomain FormsAuth -CreateInProvider -ClearTextPassword "Yukon!!90"

    This is storing the passwords in a hashed / encrypted format in the aspnetdb. The clear-text passwords passed from the FormsAuth site are not being compared properly.

    I manually registered a user in the aspnetdb with a clear-text password and referenced it as a new User in Dynamics AX. Bingo! We could authenticate against the Extranet EP Site.

    I just need to find out where this needs to be configured....

    Also found the problem for the Windows Authentication of users other than the Installer Admin... Site Collection Permissions.

  • Iulian Cordobin (8,201):

    I did not encounter any issues when registering the user using the AX PowerShell New-AxUser. I did some research and of course this PowerShell behind the scenes just calls the SPs found in the aspnetdb. So, calling them manually or via this AX-provided script should be the same (?). I am just wondering if the password (what you are suspecting) is the real issue.

  • Community Member:

    When manually creating the User "janedoe" in the ASPNETDB I did not populate the @PasswordSalt parameter, and the @PasswordFormat parameter was set to 0.

    I definitely included the -ClearTextPassword option in the New-AxUser cmdlet used to create "johndoe", so perhaps that's not working properly?

    In trying to understand how FBA works I've been examining the SQLMemberShipProvider in the following resource: msdn.microsoft.com/.../ff648345.aspx

    I notice the FormsAuth web.config includes a hash config key being added:

      <!--
      Override for system.web/membership:hashAlgorithmType of web.config.
      WARNING!:
         Unless this is done before any user is created, modifying this
         may result in existing users not being able to authenticate
         using forms-based authentication. Currently there is no support
         for automatic migration if switching hash algorithms.
      -->
      <add key="hashAlgorithmType" value="SHA1" />
    </appSettings>

    **********************

    The original STS Web.config

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
     <system.serviceModel>
       <!-- Behavior List: -->
       <behaviors>
         <serviceBehaviors>
           <behavior name="SecurityTokenServiceBehavior" >
             <!-- The serviceMetadata behavior allows one to enable metadata (endpoints, bindings, services) publishing.
                  This configuration enables publishing of such data over HTTP GET.
                  This does not include metadata about the STS itself such as Claim Types, Keys and other elements to establish a trust.
             -->
             <serviceMetadata httpGetEnabled="true" />
             <!-- Default WCF throttling limits are too low -->
             <serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536" />
           </behavior>
           <behavior name="ApplicationSecurityTokenServiceBehavior" >
             <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
             <serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536" />
           </behavior>
         </serviceBehaviors>
       </behaviors>
       <!-- Service List: -->
       <services>
         <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract"
                  behaviorConfiguration="SecurityTokenServiceBehavior" >
           <!-- This is the HTTP endpoint that supports clients requesting tokens. This endpoint uses the default
                standard ws2007HttpBinding which requires that clients authenticate using their Windows credentials. -->
           <endpoint
             address=""
             binding="customBinding"
             bindingConfiguration="spStsBinding"
             contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
           <!-- This is the HTTP endpoint that supports clients requesting service tokens. -->
           <endpoint
             name ="ActAs"
             address="actas"
             binding="customBinding"
             bindingConfiguration="spStsActAsBinding"
             contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
           <!-- This is the HTTP endpoint that supports IMetadataExchange. -->
           <endpoint address="mex"
                     binding="mexHttpBinding"
                     contract="IMetadataExchange" />
         </service>
         <service
           name="Microsoft.SharePoint.IdentityModel.ApplicationSecurityTokenService"
           behaviorConfiguration="ApplicationSecurityTokenServiceBehavior">
           <endpoint
             name="app"
             address=""
             binding="customBinding"
             bindingConfiguration="spStsApplicationBinding"
             contract="Microsoft.SharePoint.IdentityServices.IApplicationSecurityTokenServiceContract" />
         </service>
         <service name="Microsoft.SharePoint.Administration.Claims.SPWindowsTokenCacheService">
           <endpoint address=""
                     binding="customBinding"
                     bindingConfiguration="SPWindowsTokenCacheServiceHttpsBinding"
                     contract="Microsoft.SharePoint.Administration.Claims.ISPWindowsTokenCacheServiceContract" />
         </service>
       </services>
       <!-- Binding List: -->
       <bindings>
         <customBinding>
           <binding
             name="spStsBinding">
             <binaryMessageEncoding>
               <readerQuotas
                 maxStringContentLength="1048576"
                 maxArrayLength="2097152"/>
             </binaryMessageEncoding>
             <httpTransport
               maxReceivedMessageSize="2162688"
               authenticationScheme="Negotiate"
               useDefaultWebProxy="false" />
           </binding>
           <binding
             name="spStsActAsBinding">
             <security
               authenticationMode="SspiNegotiatedOverTransport"
               allowInsecureTransport="true"
               defaultAlgorithmSuite="Basic256Sha256"
               messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
             <binaryMessageEncoding>
               <readerQuotas
                 maxStringContentLength="1048576"
                 maxArrayLength="2097152"/>
             </binaryMessageEncoding>
             <httpTransport
               maxReceivedMessageSize="2162688"
               authenticationScheme="Negotiate"
               useDefaultWebProxy="false"/>
           </binding>
           <binding
             name="spStsApplicationBinding">
             <binaryMessageEncoding>
               <readerQuotas
                 maxStringContentLength="1048576"
                 maxArrayLength="2097152" />
             </binaryMessageEncoding>
             <namedPipeTransport
               maxPendingAccepts="250"
               maxPendingConnections="250"
               maxReceivedMessageSize="2162688">
               <connectionPoolSettings
                 idleTimeout="00:30:00"
                 maxOutboundConnectionsPerEndpoint="250"/>
             </namedPipeTransport>
           </binding>
           <binding name="SPWindowsTokenCacheServiceHttpsBinding">
             <security
               authenticationMode="IssuedTokenOverTransport"
               defaultAlgorithmSuite="Basic256Sha256" />
             <textMessageEncoding>
               <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152"/>
             </textMessageEncoding>
             <httpsTransport maxReceivedMessageSize="2162688" authenticationScheme="Anonymous" useDefaultWebProxy="false" />
           </binding>
         </customBinding>
       </bindings>
     </system.serviceModel>
     <system.webServer>
       <security>
         <authentication>
           <anonymousAuthentication enabled="true" />
           <windowsAuthentication enabled="true">
             <providers>
               <clear />
               <add value="Negotiate" />
               <add value="NTLM" />
             </providers>
           </windowsAuthentication>
         </authentication>
       </security>
       <modules>
         <add name="WindowsAuthenticationModule" />
       </modules>
     </system.webServer>
     <system.net>
       <connectionManagement>
         <clear />
         <add address="*" maxconnection="10000" />
       </connectionManagement>
     </system.net>
    </configuration>

    In troubleshooting we added:

    <connectionStrings>
        <add name="FormsAuth" connectionString="Initial Catalog=aspnetdb;data source=[server\instance];Integrated Security=SSPI;" />
    </connectionStrings>
    <system.web>
      <roleManager>
        <providers>
          <add name="aspnetrolemanager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="FormsAuth" applicationName="/" />
        </providers>
      </roleManager>
      <membership>
        <providers>
          <add name="aspnetmembership" connectionStringName="FormsAuth" applicationName="/" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, passwordFormat="Hashed", PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </membership>
    </system.web>

    This did not resolve the authentication issue with the "johndoe" user, but the passwordFormat="Hashed" affected authentication for "janedoe", resulting in a runtime error. As soon as it was removed it worked. I also tried passwordFormat="Encrypted": more runtime errors.

    *********************************

    The machine.config located in \Windows\Microsoft.Net\Framework\v2.x\Config

    <system.web>
      <processModel autoConfig="true"/>
      <httpHandlers/>
      <membership>
        <providers>
          <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
        </providers>
      </membership>
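The thread narrows the failure to how the password stored by New-AXUser -ClearTextPassword in aspnet_Membership (PasswordFormat and PasswordSalt) relates to the hashAlgorithmType="SHA1" setting in the FormsAuth web.config. The following is an added example, not code from the thread or from Microsoft: it reproduces the SqlMembershipProvider password encoding (Hashed = Base64(HASH(salt bytes || UTF-16LE password)), PasswordFormat 0 = Clear, 1 = Hashed, 2 = Encrypted) so a row can be checked for the two mismatches the posts describe, a hashed row with no salt and a row hashed with a different algorithm than the one the login page is configured with. The usernames, password and row layout are constructed samples.

```python
"""Added example: SqlMembershipProvider-style password encoding and the
checks a login page performs against an aspnet_Membership row."""
import base64
import binascii
import hashlib
import hmac
import os

CLEAR, HASHED, ENCRYPTED = 0, 1, 2   # aspnet_Membership.PasswordFormat values


def encode_password(password: str, salt_b64: str, fmt: int,
                    algorithm: str = "sha1") -> str:
    """Mirror SqlMembershipProvider.EncodePassword for Clear and Hashed rows."""
    if fmt == CLEAR:
        return password
    if fmt == HASHED:
        salt = base64.b64decode(salt_b64)          # empty PasswordSalt -> b""
        data = salt + password.encode("utf-16-le")  # .NET strings are UTF-16LE
        return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")
    raise ValueError("Encrypted rows need the site's machineKey; not reproduced")


def create_membership_row(username: str, password: str, fmt: int = HASHED,
                          algorithm: str = "sha1") -> dict:
    """Columns aspnet_Membership_CreateUser would store (constructed layout)."""
    salt = base64.b64encode(os.urandom(16)).decode("ascii") if fmt == HASHED else ""
    return {"UserName": username,
            "Password": encode_password(password, salt, fmt, algorithm),
            "PasswordFormat": fmt,
            "PasswordSalt": salt}


def check_password(row: dict, candidate: str, algorithm: str = "sha1") -> bool:
    """What the login page does: re-encode the candidate with the row's own
    salt and format, using the web.config hashAlgorithmType, then compare."""
    try:
        expected = encode_password(candidate, row["PasswordSalt"],
                                   row["PasswordFormat"], algorithm)
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(expected.encode("utf-8"),
                               row["Password"].encode("utf-8"))


def diagnose_row(row: dict, algorithm: str = "sha1") -> str:
    """Flag a Hashed row with no salt, or a stored digest whose length does
    not match the configured algorithm (hashAlgorithmType changed later)."""
    if row["PasswordFormat"] == HASHED:
        if not row["PasswordSalt"]:
            return "hashed row without PasswordSalt: provider will never match it"
        stored = len(base64.b64decode(row["Password"]))
        if stored != hashlib.new(algorithm).digest_size:
            return f"digest length {stored} does not match {algorithm}"
    return "ok"


if __name__ == "__main__":
    # constructed rows: one as New-AXUser would hash it, one clear-text like "janedoe"
    hashed = create_membership_row("johndoe", "Constructed!1")
    clear = create_membership_row("janedoe", "Constructed!1", CLEAR)
    print(check_password(hashed, "Constructed!1"), check_password(clear, "Constructed!1"))
    print(diagnose_row(create_membership_row("x", "pw", algorithm="sha256")))
```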
