
M-Files and Windows authentication from Web API

Hi community and M-Files, 

I am tasked to design a new Web API which should download and open documents from M-Files. Our users are not satisfied with the links created by M-Files.

I am struggling to authenticate the user with the M-Files SSO functionality. Basically, I have a .NET 6 Web API running under its own app pool. It tries to authenticate over the SSO functionality:

using System.Net;
using RestSharp;

// AuthenticationException here is the client library's own type (the M-Files
// sample client), not System.Security.Authentication.AuthenticationException.
public async Task AuthenticateUsingSSO(string vaultGuid)
{
    // Build a request to WebServiceSSO.aspx (part of M-Files Web Access, not of MFWS).
    var request = new RestRequest($"/WebServiceSSO.aspx?popup=1&vault={vaultGuid}");

    try
    {
        // Execute the request. Note: recent RestSharp versions throw from GetAsync on a
        // non-success status, so a 401 may surface in the catch block below rather than here.
        var response = await _client.GetAsync(request);

        if (response.StatusCode == HttpStatusCode.Unauthorized)
            throw new AuthenticationException(response.Content, response.ErrorMessage);

        // Populate our cookie container with the cookies (i.e. session tokens)
        // returned by the request to WebServiceSSO.aspx.
        if (response.Cookies != null)
        {
            foreach (var cookie in response.Cookies.AsEnumerable())
            {
                _client.CookieContainer.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, cookie.Domain));
            }
        }
    }
    catch (AuthenticationException)
    {
        throw; // already the right type; do not wrap it a second time
    }
    catch (Exception ex)
    {
        throw new AuthenticationException(ex);
    }
}

When I execute "await _client.GetAsync(request);", I already start getting a 401 Unauthorized error.

The RestClient is initialized like this:

return new RestClient(
    new RestClientOptions
    {
        // Intended to pick up the credentials of the executing (impersonated) user.
        Credentials = CredentialCache.DefaultNetworkCredentials,
        BaseUrl = new Uri(_baseUrl)
    }
);

This should pick up the credentials of the executing user.

I am following the examples from the M-Files client library on GitHub, and I am using the RestSharp library.

Has anyone implemented Windows authentication / SSO in IIS? Basically, taking the user's credentials with Windows authentication and logging in with those credentials over the SSO API from M-Files.

I would appreciate any sharing in this area. It would also be great to know if someone has used .NET Core or .NET 6 to implement this.

Best regards,

Dejan

  • I would guess that the issue is a combination of two things:

    1. You need to make sure that your code is actually running as the authenticated user.  Even though they are authenticated, the code is probably running as a lower-privileged user.  There are different ways to do this in different flavours of .NET, I recall, but I haven't done it for a long time.
    2. Even if the code is running as the correct user, the token itself may not be usable due to some sort of double-hop problem.

    Regards,

    Craig.

  • Hi Craig, 

    Well, based on the logs from IIS I can see that my API is called with the correct account; I have Windows authentication in place there.

    The question is how to provide M-Files with those network credentials. This WebServiceSSO.aspx page is actually part of the ASP.NET M-Files Web Access and not part of MFWS. The examples on GitHub use DefaultNetworkCredentials, and this works well when called from a console app as a specific account. However, M-Files Web Access runs under an app pool with ApplicationPoolIdentity; the app pool has its own hidden account. So even though I provide DefaultNetworkCredentials, which should be my account (I see it in the logs as well), WebServiceSSO.aspx is called with the app pool user.

    So I am wondering how I can provide user credentials from my API to the M-Files API.

    I cannot imagine I am the first person implementing this. I would appreciate tips from the community or M-Files on how to propagate user credentials in an IIS-hosted API/web app. If someone has a working example using Windows authentication and the WebServiceSSO.aspx concept hosted in IIS, that would be great, or at least some tips.

    Best,

    Dejan

  • Hi Dejan,

    I believe that the core issues are as I described above. Unfortunately I do not have exact code/guidance that I can provide, but you may be interested in this post: https://github.com/dotnet/aspnetcore/issues/8880. Of course, if anyone else has guidance then please do contribute!

    In the link I provided above, the RunImpersonated call relates to my point #1 above. The broader issue that the user is posting about relates to #2.

    Note that both of these need to be resolved for it to work. If you use RunImpersonated but the intermediate (web) server is not trusted for delegation then the call will still fail (as the token provided cannot be used on the second hop - the M-Files server). 

    It's important to note here that the issue is not directly related to the M-Files REST API, but is largely a matter of ensuring that the trust is configured correctly within your network.

    As I said: I don't have specific guidance. I have only had to get this working once before, and that was many years ago, before things like federated authentication were commonplace. Normally I implement #1 and then someone else configures #2 for me. ;)

    My suggestion would be to ensure that RunImpersonated is correctly implemented and then bring in your network team to look into configuring a way around the double hop issue. 

    Regards, 

    Craig. 

  • You could also reach out to your account manager to see whether someone here can provide you with some more hands on assistance.

  • Hi Craig, 

    Actually, I already tried running my web method code in a RunImpersonated wrapper, but this hasn't really helped. I will double-check it though. This could really be a major setback for our whole concept based on M-Files.

    Best,

    Dejan

  • Hi Dejan, 

    To be clear: the issue isn't with M-Files. Or, not the issue as I understand it. The issue would affect any tertiary web application that you try to proxy SSO through. To get it to work you must configure those two things.

    It should be possible to configure using delegation, as I suggested earlier. I just don't have specific details as to what needs to be configured in your network to enable that, because it's typically something implemented by a network admin, and not a developer like myself.

    But it's a fairly common problem. The phrase you're after is "double hop"; that should give you some pages describing the issue and potential approaches.

    If you still come up blank then do, please, reach out to your account manager to see whether there's anything additional we can offer.

    Regards,

    Craig. 

  • Hi again,

    Today we tried different things: using a separate Web Site in IIS, creating SPNs for different accounts, running sites with different accounts.

    Actually, the idea is to authenticate with the app pool user's credentials, but it does not work. Obviously we don't get the app pool credentials, or they are not correctly propagated to the M-Files site.

    One thing we found out: it seems M-Files does not support either Kerberos or NTLM with the Negotiate option. This is a worry point. Is there any official documentation which describes which authentication providers are supported in IIS?

    Best,

    Dejan
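As an added example (not code from the thread, from M-Files, or from the RestSharp samples) tying together Craig's two points (RunImpersonated for hop one, a delegable token for hop two) and the Kerberos/NTLM observation in the last post: a .NET 6 minimal API that first reports what kind of Windows token IIS handed it and whether that token can make the second hop at all, and then calls WebServiceSSO.aspx while impersonating the caller instead of the app pool identity. Everything not in the thread is an assumption of mine: IIS in-process hosting with Windows Authentication enabled, the Microsoft.AspNetCore.Authentication.Negotiate package, the configuration key MFiles:BaseUrl, and the route names.

```csharp
// Program.cs for a .NET 6 minimal API. Added example, not M-Files or thread code.
// Assumptions: hosted in IIS with Windows Authentication enabled on the site,
// package Microsoft.AspNetCore.Authentication.Negotiate referenced, and the
// M-Files Web Access base URL supplied under the configuration key "MFiles:BaseUrl".
using System.Net;
using System.Security.Principal;
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);
// Under IIS the Negotiate handler forwards to IIS's own Windows auth; it is not a second login.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy); // every route needs a user
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hop 1 diagnostic: which token did IIS give us, and is it usable for hop 2?
app.MapGet("/whoami", (HttpContext ctx) =>
    ctx.User.Identity is WindowsIdentity id
        ? Results.Ok(HopDiagnostics.Describe(id))
        : Results.Unauthorized());

// Hop 2: call WebServiceSSO.aspx as the caller, not as the app pool account.
// {vaultGuid} is a route parameter chosen for this example.
app.MapGet("/sso/{vaultGuid}", async (string vaultGuid, HttpContext ctx, IConfiguration cfg) =>
{
    var id = (WindowsIdentity)ctx.User.Identity!;
    var baseUrl = cfg["MFiles:BaseUrl"]!;            // assumption, e.g. https://mfiles.example.local/
    var cookies = new CookieContainer();              // receives the M-Files session cookies

    // In .NET Core impersonation flows across awaits, so the HttpClient call below runs
    // with the caller's token. UseDefaultCredentials then means "the impersonated user".
    var status = await WindowsIdentity.RunImpersonatedAsync(id.AccessToken, async () =>
    {
        using var handler = new HttpClientHandler
        {
            UseDefaultCredentials = true,
            CookieContainer = cookies,
        };
        using var http = new HttpClient(handler) { BaseAddress = new Uri(baseUrl) };
        var resp = await http.GetAsync($"WebServiceSSO.aspx?popup=1&vault={vaultGuid}");
        return resp.StatusCode;
    });

    return status == HttpStatusCode.OK
        ? Results.Ok(new { status, sessionCookies = cookies.Count })
        : Results.StatusCode((int)status);              // 401 here = hop 2 rejected the token
});

app.Run();

static class HopDiagnostics
{
    public static object Describe(WindowsIdentity id) => new
    {
        id.Name,
        // "Kerberos" tokens can be delegated if the network is configured for it;
        // "NTLM" tokens never can (the server only relayed a challenge/response, it holds no ticket).
        id.AuthenticationType,
        ImpersonationLevel = id.ImpersonationLevel.ToString(),
        // Delegation level is what a forwardable Kerberos ticket yields; Impersonation level
        // lets the API act as the user locally only, which is exactly the double-hop symptom.
        CanDoubleHop = id.AuthenticationType == "Kerberos"
                       && id.ImpersonationLevel == TokenImpersonationLevel.Delegation,
    };
}
```

Check `/whoami` before touching the SSO code. `AuthenticationType` of NTLM means hop one already fell back from Kerberos, typically because the account the app pool runs as has no HTTP/&lt;host&gt; SPN registered, and no amount of impersonation will forward an NTLM token. Kerberos with `ImpersonationLevel` of `Impersonation` means the API received a valid but non-forwardable ticket; it changes to `Delegation` once the API's service account or machine is trusted for delegation (preferably constrained, to the HTTP SPN of the M-Files Web server), which is the network-side configuration Craig refers to as point #2.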
