Users need to introduce their Windows credentials when accessing the software from a different domain #1447
Comments
I don't think the issue you're having here falls in scope of Identity Server, so I'm not sure how much help the guys will be able to offer in that regard. However, my past experiences with hosting on IIS (I'm assuming that's how you're hosting Identity Server in this instance) make me think you have Windows Authentication enabled for the site in IIS. Having it enabled means browsers will attempt to authenticate using the user's Windows credentials, even though it's not used in the application. For Identity Server, you can disable Windows Authentication and enable Anonymous Authentication. That should let you get to Identity Server and carry on as normal.
Thank you for your answer! No, we are using Kestrel. We were using http.sys when we had the "old" open source IdentityServer, but moved to Kestrel when we upgraded to Duende's and from .NET Framework to .NET 8. We had some issues like the one we mentioned in #1435, but generally it is working if you use HTTPS. The current problem is a support case from a customer that complains about their users having to introduce their Windows credentials (similar to the case where you don't use HTTPS). Update: after sending my message I asked the support department for additional information. The customer is using the http.sys based version. We are not using IIS, so I don't know how this could affect the authorization process.
Can you please check if your customer doesn't have Windows authentication enabled as described here?
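
Added example, not part of the thread and not the customer's or Duende's code: what to look for in an http.sys host, assuming the prompt comes from host-level Windows Authentication rather than from IdentityServer. The `OfferWindowsLogin` setting and the `/windows-login` route are hypothetical names, and the root route stands in for the login page.

```csharp
// Hypothetical Program.cs for an http.sys-hosted ASP.NET Core app (.NET 8, Windows only).
using Microsoft.AspNetCore.Server.HttpSys;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical setting: true only if Windows sign-in should be offered at all.
bool offerWindowsLogin = builder.Configuration.GetValue<bool>("OfferWindowsLogin");

// http.sys registers its "Windows" scheme with the authentication services.
builder.Services.AddAuthentication();

builder.WebHost.UseHttpSys(options =>
{
    // Negotiate tries Kerberos first and falls back to NTLM.
    // With no schemes enabled the host never sends a Windows challenge.
    options.Authentication.Schemes = offerWindowsLogin
        ? AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM
        : AuthenticationSchemes.None;

    // The setting to check: when this is false, http.sys rejects every
    // anonymous request with a 401 challenge before it reaches the
    // application, so the browser prompts for Windows credentials ahead of
    // any login form. True lets anonymous requests through to the app.
    options.Authentication.AllowAnonymous = true;
});

var app = builder.Build();

// Stand-in for the username/password login page: reachable without credentials.
app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? $"Signed in as {ctx.User.Identity.Name}"
        : "Anonymous request reached the application");

if (offerWindowsLogin)
{
    // A Windows challenge is issued only when a user asks for it explicitly.
    app.MapGet("/windows-login", (HttpContext ctx) =>
        ctx.User.Identity?.IsAuthenticated == true
            ? Results.Text($"Windows user: {ctx.User.Identity.Name}")
            : Results.Challenge(
                authenticationSchemes: new[] { HttpSysDefaults.AuthenticationScheme }));
}

app.Run();
```

A 401 response carrying `WWW-Authenticate: Negotiate` or `NTLM` on the first anonymous request to the login URL indicates the challenge is coming from the host configuration.
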
@RaulRG Would you like to follow up on this? If not, I'd like to close the issue.
Sorry, Roland. The customer did check some things and they sent us the following information: "we are working with two different domains under Windows. They don't trust each other due to security reasons, but as you are using Kerberos we cannot authenticate the users from the other domain" The customer works with another company in the same system. They are related, but don't use the same domain. We are not security experts and don't really understand what the alternative to using Kerberos could be. My understanding was that you need to be in the same domain, but they say that this could work if we didn't use Kerberos. Is there any way we could implement their requirements using IdentityServer? Thank you for your help
IdentityServer doesn't use Kerberos as a protocol. It is using OAuth with OpenID Connect. The project you are running IdentityServer in might require Kerberos if that is specifically configured.
Thank you again Roland. If the customer is using Windows Authentication with IdentityServer: how does it really work? As far as I understood, Windows Authentication is not being implemented with OpenID. How does IdentityServer authenticate the users against the Windows Active Directory?
We have an example of that here.
Which version of Duende IdentityServer are you using?
We are using the version 7.0.6
Which version of .NET are you using?
We are using the version 8.0.204
Describe the bug (question)
We have a customer where the server is installed in Germany and some users connect to this server from Romania using a VPN connection. The users are in a different Windows domain and have to introduce their Windows credentials every time before accessing the server. We already have a similar question but with another root cause. In our other question the issue is caused because we don't use HTTPS in our test system. #1435
This is not the case in the current issue. The customer does use HTTPS, but the result is exactly the same. They are not using Windows authentication; the users would like to use username / password, but the browser keeps asking for their Windows credentials even before showing the IdentityServer form.
Any help about how to solve this issue would be appreciated.