There are lots of variations of this question/problem and it seems like this is something that a lot struggle with. At a high level, I am trying to hit a site that uses IWA for auth. In more detail, we are trying to hit the site from a test VM. The test VM does not have a user logged in, so when the browser is opened by Selenium or another driver, there is no IWA authenticated user. The session just times out each time.
I have tried for almost 2 weeks now and can't find a solution. Things that we have tried.
Opening the browser as a specific Chrome profile (this doesn't seem even remotely possible, but I still tried it unsuccessfully)
Enabling impersonation in IIS/Web.config and granting the permissions to this domain user (site still opens as no user using selenium, or opens as my account if I RDP to the box)
Disabling auth in the application, but that goes against what flows/features that we'd like to test
Enabling and using Process.Start in the Selenium project, but errors would arise about permissions creating folders on the VM
Auto login with AD account when VM boots up but domain GPO blocks that
From being very new to this and only troubleshooting for a couple of weeks, it seems that the approach should be for the test project to somehow be able to log in as that test user and open the browser/URL. I just have not found out how to do that.
What is the best approach when in this situation? Is it possible to have a selenium/C# solution run on a windows machine and initiate a login? If that is even possible, could you pass that to the chrome driver and then the browser?
Related
I am writing SpecFlow/Selenium tests with headless Google Chrome in --incognito and I would like to know if the headed or headless instances will be more separated than when I use Chrome as a desktop browser.
Specifically, I have two tests running at the same time which require accessing the same site and performing the login steps of two different users. Will those browsers have unique, separate logins or will they behave like incognito does for me as a user - that is, will the first login be recognised by the second instance?
They are both completely isolated from each other.
You can verify this by running either, and then checking for stored cookies or login information.
To answer directly, no, the first login will not be recognized by the second instance.
I’m developing an MVC5 application that’s been configured to use ADFS as Identity Provider with the web app acting as a Relying Party. The app is behaving differently on IE9 and Chrome as far as authentication is concerned.
When I run the app on IE9 for the first time and go to a page that requires the user to be authenticated, IE asks me to authenticate as expected. But when I launch a new IE9 window and navigate to the same page, IE asks me to authenticate again which is not expected as it should know I am already logged in. However this does not happen on Chrome, i.e. the second instance of Chrome knows I am already logged in.
Similarly, on IE9 when I log out of the application on one instance the other instance thinks I am still logged in, whereas when I run two instances of Chrome and I log out on one, the other knows I’m logged out.
How can I get IE9 to behave the same as Chrome? Is this some configuration issue on ADFS or do I need more server side code in the application to ensure IE9 behaves properly?
Many thanks in advance
It's not AD FS. It's the IE browser config that needs investigating. I suggest taking Fiddler traces when you repro this using two IE windows.
I assume you are referring to AD FS 2.x or on 2012 R2. When AD FS authenticates the user, it writes MSISAuth cookies if the credentials are valid. WIF apps consume tokens from AD FS and write FedAuth cookies.
When the 2nd browser window accesses the app, if it doesn't receive a FedAuth cookie, it will kick off the flow to request auth by redirecting to AD FS. If AD FS doesn't receive the MSISAuth cookies, it will cause the client to auth again.
Sounds like the 2nd browser window is not using the same cookie store and is thus unaware of the FedAuth and MSISAuth cookies.
I suspect this is what's happening here.
I assume you are testing from a PC running IE and Chrome. You don't mention much about browser OS/config so I don't know whether these are terminal server published apps from a farm (with multiple browser instances across terminal servers in farm) or simple browser installs on a PC.
There are other reasons why another prompt for creds happens. You can configure AD FS to force fresh auth again by disabling SSO or configuring the RP related auth policy to insist on fresh auth. But given the Chrome behaviour I don't think that's it.
We need to review Fiddler traces and browser config to answer more specifically.
If you need to get to the bottom of this urgently and quicker than forum responses are received, please raise a case with Microsoft.
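One way to read such a trace, as an added example (not code from the answer or from Microsoft): assuming the Fiddler capture of the second window is exported as HAR, the function below checks whether the first request to the app carried a FedAuth cookie and whether the first request to AD FS carried an MSISAuth cookie. The host names and the sample traces are constructed placeholders.

```python
from urllib.parse import urlsplit

RP_HOST = "app.example.test"     # assumed relying-party host (placeholder)
ADFS_HOST = "adfs.example.test"  # assumed AD FS host (placeholder)

def first_request(har, host):
    """First captured request to the given host, or None."""
    for entry in har["log"]["entries"]:
        if urlsplit(entry["request"]["url"]).hostname == host:
            return entry
    return None

def sent_cookie(entry, prefix):
    """True if the request carried a cookie whose name starts with prefix
    (the prefix match also covers chunked cookies such as FedAuth1)."""
    return any(c["name"].startswith(prefix)
               for c in entry["request"].get("cookies", []))

def diagnose(har):
    """Explain why a browser window was, or was not, asked to sign in."""
    rp = first_request(har, RP_HOST)
    adfs = first_request(har, ADFS_HOST)
    if rp is None:
        return "no-app-request-captured"
    if sent_cookie(rp, "FedAuth"):
        return "app-session-reused"          # window shares the cookie store
    if adfs is None:
        return "redirect-not-captured"
    if sent_cookie(adfs, "MSISAuth"):
        return "silent-sso-at-adfs"          # new FedAuth issued, no prompt
    return "full-reauth-no-shared-cookies"   # neither cookie reached a server

def _entry(url, cookies=()):
    # Constructed HAR entry holding only the fields diagnose() reads.
    return {"request": {"url": url,
                        "cookies": [{"name": n, "value": "x"} for n in cookies]}}

# Constructed traces of a second browser window (not real captures).
SECOND_WINDOW_PROMPTED = {"log": {"entries": [
    _entry("https://app.example.test/reports"),
    _entry("https://adfs.example.test/adfs/ls/?wa=wsignin1.0")]}}
SECOND_WINDOW_SHARED = {"log": {"entries": [
    _entry("https://app.example.test/reports", ["FedAuth", "FedAuth1"])]}}
SECOND_WINDOW_SSO = {"log": {"entries": [
    _entry("https://app.example.test/reports"),
    _entry("https://adfs.example.test/adfs/ls/?wa=wsignin1.0", ["MSISAuth"])]}}

if __name__ == "__main__":
    for name in ("SECOND_WINDOW_PROMPTED", "SECOND_WINDOW_SHARED", "SECOND_WINDOW_SSO"):
        print(name, "->", diagnose(globals()[name]))
```

A result of `full-reauth-no-shared-cookies` for the second window matches the separate-cookie-store explanation given above; `silent-sso-at-adfs` means only the app's own session cookie was missing.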
Whenever I run my MVC web application which uses Windows Authentication from Visual Studio, I get authenticated to my real domain account without any prompting.
The problem is I want to run a few test and need to connect with other accounts as well.
But despite trying a lot of things (tried several browsers, cleared history, cookies, etc. and even tried removing a few credentials from the Seven "Credential Manager") I always and always get auto authenticated without any prompting (or warning or whatever that could help me cancel that).
How can I prevent this or at least authenticate myself with another account?
Note: There's no logout button on the website.
EDIT (obsolete)
I tried Private Browsing as someone (who removed his comment?!) suggested. I still get auto-authenticated but this time I don't see the same exact output.
Where I usually see my login on the page (Chrome, IE, FF) I here see my full name.
So, that changes something, but I don't know what and it still doesn't allow me to authenticate myself as someone else.
EDIT
NVM that previous edit, it was a side effect of an unrelated operation I did before (It just took a restart to have a visible effect).
To make Internet Explorer ask for credentials every time you open an intranet page, follow these steps:
Tools->Internet Options->Security-> Select "Local intranet" and go to "Custom level...".
After that go all the way down in the option list and change the option of "Logon" under "User Authentication" to "Prompt for user name and password".
I managed to change user. I don't know if every step I used was necessary but here's what I did that eventually allowed me to "logout".
Switch to IIS Server instead of VS Dev server
Close all browsers
Close all running ASP.Net Dev server
Reset IIS (iisreset)
Launch Debug (which starts a FF window)
Now if I repeat the last 3 steps, I can change user with no problem.
I have a few websites which allow both anonymous and Windows auth users at the same time. Basically if you hit the site with IE or Webkit based browsers on a Windows system, the server instantly recognizes your Active Directory user and group.
In the past I've provided a link to a windows auth only page which allows the current user to login, or bounce back to where they started.
I find the management of this kind of frustrating as I need to make certain that IIS has the correct security settings for that single page after every deployment.
Is there a better way for me to allow a user to elevate from anon to authenticated?
There is no other way to do that elevation automatically. The server can't know that the current user is a Windows user and elevate them, or automatically redirect them to the Windows auth only page. On the other hand, if every user will get through the Windows auth only page, all of them which are not inside the domain will see the challenge/response dialog box (user + password).
As for the management part of making sure that this special page has the correct security settings, you can (and should) automate the check somehow. For example, by querying the IIS metabase for that setting when the application starts (in Global.asax) and if the setting is not there, log it as an email message or so.
Personally I prefer a different attitude - a special "integration/deployment" page which contains a series of tests against my application so I can make sure everything's set up correctly on the server, i.e. NTFS write permissions to certain folders, availability of the SMTP server set in web.config to send emails through, etc.
Note: You're using Windows authentication along with anonymous access. Just keep in mind that if you consider implementing Forms Authentication in the future, a misarchitecture (I don't know if by design or due to a flaw) of IIS 7 does not allow you to set the app to be Forms Authentication and set one specific page to be Windows Authentication. The override just doesn't work and it's very frustrating.
Good luck!
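An added example of the automated check suggested above (not the answerer's code): it assumes IIS 7+ style XML configuration with a `<location>` override instead of the IIS 6 metabase, and runs as a post-deployment script instead of from Global.asax. The page name `winauth.aspx`, the site name and the sample configs are hypothetical, constructed values.

```python
import xml.etree.ElementTree as ET

# Required state for the Windows-auth-only page: anonymous off, Windows on.
REQUIRED = (("anonymousAuthentication", "false"),
            ("windowsAuthentication", "true"))

def check_auth_page(config_xml, location_path):
    """Return a list of problems with the page's authentication override."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location")
                if l.get("path", "").lower() == location_path.lower()), None)
    if loc is None:
        # Typical after a deployment that replaced the config wholesale.
        return [f"no <location path='{location_path}'> override found"]
    security = next(loc.iter("security"), None)
    auth = security.find("authentication") if security is not None else None
    if auth is None:
        return ["override has no security/authentication section"]
    problems = []
    for tag, wanted in REQUIRED:
        node = auth.find(tag)
        actual = node.get("enabled") if node is not None else None
        if actual is None or actual.lower() != wanted:
            problems.append(f"{tag} enabled={actual!r}, expected {wanted!r}")
    return problems

# Constructed sample configs (hypothetical site and page names).
PAGE = "Default Web Site/winauth.aspx"
GOOD = """<configuration>
  <location path="Default Web Site/winauth.aspx">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""
# Same override, but anonymous access was left switched on.
DRIFTED = GOOD.replace('anonymousAuthentication enabled="false"',
                       'anonymousAuthentication enabled="true"')
RESET = "<configuration></configuration>"  # override lost entirely

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("drifted", DRIFTED), ("reset", RESET)):
        print(label, check_auth_page(cfg, PAGE) or "OK")
```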
OK, I figured out a fairly nice way to do this...however it's not as elegant as I had hoped since it doesn't work across applications.
Basically, if you create a single page within your Anon + Integrated Auth IIS6 website or virtual directory, let's call it auth.aspx, then you can use this page to prompt authentication.
Go into IIS settings and specify that auth.aspx is Integrated Auth ONLY (no anon). Then create a hidden iframe somewhere on your page. I then created a simple JavaScript action to update the src attribute of the iframe to the auth.aspx page. This forces the browser to try and authenticate using NTLM. Once you enter valid credentials you've successfully elevated your current user beyond the generic anonymous user.
One final touch was to then include a Response.Redirect into the auth.aspx which reloads the current page. Assuming your ASP.net session tokens are set correctly, the page will reload and the user will be authenticated.
Currently I am using Windows authentication but several of the non-technical users seem to have trouble entering their credentials when the browser requests them. The web app needs to be able to identify the users to keep track of their input throughout the site. I was initially thinking cookie but I would need to be able to tell which users entered what and the possibility of them clearing their cookies could cause issues. Windows Authentication would be great if I could just get around requiring the users to enter their credentials.
On a properly configured network, Internet Explorer users should not have to enter their credentials. Furthermore, I think all the other browsers have settings to do automatic NTLM authentication (Chrome and Firefox definitely do).
What do you mean "have trouble entering their credentials"? How do they log in to their computer?