logo

Warning: The forum is now for consultation only. Please use GitHub Discussions to post any questions or comments.


Welcome Guest ! To enable all features please Login or Register.

Notification

Icon
Error

Options
Go to last post Go to first unread
TheStigh  
#1 Posted : Monday, April 17, 2017 1:06:52 AM(UTC)
TheStigh

Rank: Member

Groups: Registered
Joined: 4/17/2017(UTC)
Posts: 12
Norway

Thanks: 6 times
Hi all,

Web-server is not my strongest point. This is what I have done:
Made sure IIS 7.5 has installed ASP, ASP.NET, Basic Authentication & Windows Authentication.
Windows Authentication is set to NTLM, and set to True inside ApplicationHost.config
For authentication within IIS/Seal Report, I have disabled Anonymous and activated Windows Authentication.

Started Server manager as Administrator, Connection is successful to SQL. Local reports work.
Configured Web Security to use Integrated Windows Authentication (is this correct when I want to use the Windows Account as login?).
Published Website on IIS with Success. PS; upon question if I want to try it out now, I get the response "Application not found".

When I open the browser, I get prompted for user/pass where I enter my local admin account credentials, with success.
At the bottom of the page I get Error: Unable to connect to the server: '/seal/'

I would be very grateful if somebody could assist me solving this.

Also, is there a proper documentation somewhere for setting up security etc for IIS/Web Server?

Regards,
Stigh

Edited by user Monday, April 17, 2017 1:37:58 AM(UTC)  | Reason: Not specified

epf  
#2 Posted : Tuesday, April 18, 2017 6:56:24 AM(UTC)
epf

Rank: Administration

Groups: Administrators
Joined: 12/20/2013(UTC)
Posts: 1,209
Switzerland

Thanks: 14 times
Was thanked: 206 time(s) in 199 post(s)
Looks like you made the good configuration...

Integrated Windows Authentication means that the user is logged using is current Windows Credential, there is normally no login prompted in this case...

Can you check first that the site works fine with No Authentication (re-enable Anonymous Authentication with IIS Manager).
Use F12 from your browser to see any JavaScript errors in the console.

Check also this post https://sealreport.org/forum/default.aspx?g=posts&t=89#post171

thanks 1 user thanked epf for this useful post.
TheStigh on 4/19/2017(UTC)
TheStigh  
#3 Posted : Tuesday, April 18, 2017 9:52:02 AM(UTC)
TheStigh

Rank: Member

Groups: Registered
Joined: 4/17/2017(UTC)
Posts: 12
Norway

Thanks: 6 times
Originally Posted by: epf Go to Quoted Post
Looks like you made the good configuration...

Integrated Windows Authentication means that the user is logged using is current Windows Credential, there is normally no login prompted in this case...

Can you check first that the site works fine with No Authentication (re-enable Anonymous Authentication with IIS Manager).
Use F12 from your browser to see any JavaScript errors in the console.

Check also this post https://sealreport.org/forum/default.aspx?g=posts&t=89#post171



Hi epf,

I managed late last night after making 'Mr Google' very tired of me, to get IIS to play along :) but it was to late for me to update this post. Sorry.
First, setting up IIS from Server Manager did not create the application within IIS, I needed to do that myself.

Now, with Windows Authentication, I get a 'Microsoft' popup login box and not the Seal Report login window. After I enter the credentials I get straight to Seal Report and can choose from the reports.
Is this correct?

I would actually prefer to not using Windows "crappy" login window but rather use your nice login window.
As I can't find any documentation on how to easy setup alternative authentication, I do understand from the article you sent me I have to use scripting.

Could you provide me with an example on;
I would like to "buypass" Windows authentication (how should then the security setting in IIS be?)
I would like to use Seal Report login window. What is then the best alternative (of the alternatives for chooising security level)?
How do I set up the script to match username vs security group?

This is a lot, but I really hope you would assist me on this!

/Stigh

epf  
#4 Posted : Tuesday, April 18, 2017 12:42:10 PM(UTC)
epf

Rank: Administration

Groups: Administrators
Joined: 12/20/2013(UTC)
Posts: 1,209
Switzerland

Thanks: 14 times
Was thanked: 206 time(s) in 199 post(s)
I think you get the Windows Popup Login window because IIS does not managed to identify directly your Window logon, normally the login to Seal is automatic....
Did you try the [Test a login] button from the Server Manager ?
You have also parameters you can play with in the Security Manager Authorization.


Basic Windows Authentication could help you to authenticate the user defined locally in Windows.
Then according to the groups it belongs, you can define and set rights you want.

e.g:
Create a user group named 'Seal' in Windows, create a Window user in this group.
Then create a security group named 'Seal' in seal report and configure the 'Basic Windows Authentication',
finally edit the Parameters and set 'Add security groups matching Windows groups' to true.
And Test a login using the [Test a login] button...it should work like this.

Do not hesitate to edit the script if necessary (e.g. adding some messages to understand what is going on...)

thanks 1 user thanked epf for this useful post.
TheStigh on 4/19/2017(UTC)
TheStigh  
#5 Posted : Tuesday, April 18, 2017 12:51:40 PM(UTC)
TheStigh

Rank: Member

Groups: Registered
Joined: 4/17/2017(UTC)
Posts: 12
Norway

Thanks: 6 times
Originally Posted by: epf Go to Quoted Post
I think you get the Windows Popup Login window because IIS does not managed to identify directly your Window logon, normally the login to Seal is automatic....
Did you try the [Test a login] button from the Server Manager ?
You have also parameters you can play with in the Security Manager Authorization.


If you mean the Windows logon should not appear but the Seal logon should be the one and only, I would rather prefer this.
Do you think this is a IIS issue or something I've done wrong in the Server Manager setup?

epf  
#6 Posted : Tuesday, April 18, 2017 1:06:46 PM(UTC)
epf

Rank: Administration

Groups: Administrators
Joined: 12/20/2013(UTC)
Posts: 1,209
Switzerland

Thanks: 14 times
Was thanked: 206 time(s) in 199 post(s)
No, with Windows Integrated Authentication, you should not have any login window, you should be logged directly without entering any user name and password...
The problem is a pure Windows internal problem, IIS cannot identify you from your browser (try first with IE but I works also with Chrome).
It should come from your windows network configuration: Is it an Active Directory ? If yes, how is it configured ? Your browser should be executed from a computer on your LAN (of course this cannot work if you login from the Internet)....

Edited by user Tuesday, April 18, 2017 1:07:48 PM(UTC)  | Reason: Not specified

thanks 1 user thanked epf for this useful post.
TheStigh on 4/19/2017(UTC)
TheStigh  
#7 Posted : Tuesday, April 18, 2017 1:17:17 PM(UTC)
TheStigh

Rank: Member

Groups: Registered
Joined: 4/17/2017(UTC)
Posts: 12
Norway

Thanks: 6 times
Originally Posted by: epf Go to Quoted Post
No, with Windows Integrated Authentication, you should not have any login window, you should be logged directly without entering any user name and password...
The problem is a pure Windows internal problem, IIS cannot identify you from your browser (try first with IE but I works also with Chrome).
It should come from your windows network configuration: Is it an Active Directory ? If yes, how is it configured ? Your browser should be executed from a computer on your LAN (of course this cannot work if you login from the Internet)....


Hehe, back to my initial comment, my IIS knowledge is not good at all.
We need to have access through internet as our servers are in the cloud.

So, then to get Seal logon, I need to use Basic Authentication and link groups vs security group?
epf  
#8 Posted : Tuesday, April 18, 2017 1:57:15 PM(UTC)
epf

Rank: Administration

Groups: Administrators
Joined: 12/20/2013(UTC)
Posts: 1,209
Switzerland

Thanks: 14 times
Was thanked: 206 time(s) in 199 post(s)
Yes if you must have access through Internet, you need first to allow IIS to perform Anonymous Authentication.
Then comes Seal Authentication through the script: Basic Authentication or Basic Windows Authentication will work for you...
You can manage also your logins using LDAP or Database Authentication if you wish (e.g. you store your login password in the Database or you have an external LDAP server).

Edited by user Tuesday, April 18, 2017 1:59:06 PM(UTC)  | Reason: Not specified

thanks 1 user thanked epf for this useful post.
TheStigh on 4/19/2017(UTC)
TheStigh  
#9 Posted : Tuesday, April 18, 2017 2:15:55 PM(UTC)
TheStigh

Rank: Member

Groups: Registered
Joined: 4/17/2017(UTC)
Posts: 12
Norway

Thanks: 6 times
Originally Posted by: epf Go to Quoted Post
Yes if you must have access through Internet, you need first to allow IIS to perform Anonymous Authentication.
Then comes Seal Authentication through the script: Basic Authentication or Basic Windows Authentication will work for you...
You can manage also your logins using LDAP or Database Authentication if you wish (e.g. you store your login password in the Database or you have an external LDAP server).


Ok, so I want to use the function where I set authentication through the script file for each usergroup vs securitygroup.
Is this then the Basic Windows Authentication?
And the IIS is set to anonymous authentication then?

Could you please provide me with a script example for a Windows User Group named 'SEAL' and the corresponding Securitygroup is called 'GeneralUser'?
epf  
#10 Posted : Wednesday, April 19, 2017 6:42:05 AM(UTC)
epf

Rank: Administration

Groups: Administrators
Joined: 12/20/2013(UTC)
Posts: 1,209
Switzerland

Thanks: 14 times
Was thanked: 206 time(s) in 199 post(s)
Well, the script samples are obvious depending on how you want to manage the user names/passwords.
The simplest is the Basic Authentication (nothing to do with Windows) where everything is hardcoded in the script:

Code:
    //security check can be hardcoded
	if (user.WebUserName == "userName" && user.WebPassword == "password")
	{
		user.AddSecurityGroup("SEAL");
	}
	else {
		throw new Exception("Invalid user name or password");
	}



The script for Basic Windows Authentication is
Code:
	user.Identity = Impersonator.CheckWindowsLogin(user.WebUserName, user.Security.GetValue("default_domain_name"), user.WebPassword);
	
    if (user.Identity != null) 
    {
        user.Name = user.WebUserName;
		if (user.Security.GetBoolValue("add_windows_groups"))
		{
			user.AddWindowsGroupToSecurityGroup(user.Security.GetBoolValue("windows_groups_skip_domain"), user.Security.GetValue("windows_groups_ad_context"));
		}
		else 
		{
			user.AddDefaultSecurityGroup();
		}
		
		if (user.SecurityGroups.Count == 0)		
		{
			user.Error = "The user is authenticated but he does not belong to any security group.";        
		}

        //User default culture, theme and logo can be also overwritten with
        //user.SetDefaultCulture(group.Culture);
        //user.SetDefaultTheme(group.Theme);
        //user.SetDefaultLogoName(group.LogoName);  
    }
    else 
    {
        user.Error = "The user is not authenticated by Windows.";        
    }


It should work as is, and will match the Windows user belonging to SEAL if you have set the parameter "add_windows_groups" to true.

I recommend to use the [Test a login] button to achieve your goals.

Edited by user Wednesday, April 19, 2017 6:45:38 AM(UTC)  | Reason: Not specified

thanks 1 user thanked epf for this useful post.
TheStigh on 4/19/2017(UTC)
Users browsing this topic
Guest (3)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.