Sharepoint URLs redirect to wrong AAM with WAP/ADFS
Hello,
I've started working with Sharepoint 2013 and have a site running.
Internally it all works well and I'm experiencing no problems.
To access it from the outside I have ADFS 2.0 running with Web Application Proxy (reverse proxy).
Alternate Access Mappings
Default: https://sharepoint.xxx.com
Intranet: https://sharepoint
Extranet: https://extranet.xxx.com
I'm able to access the website through the extranet, but when I go to my document library or any other link on my site, it will go to https://sharepoint.xxx.com which is only available inside my network.
All the links seem to go to the wrong url.
Any help solving this would be great.
Hello,
The way IWA works is that all users within your internal network are forced to authenticate to AD FS using the current logon ID and credentials. So a custom URL might not work in this scenario, because as long as the user is internal and logged on with AD-issued credentials, that's what will be passed to AD FS.
Here are some possible solutions you can try. I have done this in most of the medical AD/AD FS environments I have worked in and it solves the problem.
1. Configure a GPO to override the current IWA settings. If you look at your current GPO Zone Assignment Settings, you will notice that your AD FS URL is assigned to Zone 1 in the Site to Zone Assignment list. This allows automatic logon to intranet sites. What you need to do is configure another policy that places the AD FS URL in Zone 4 (Restricted Sites zone) and applies only to the EnterpriseGenericUsers. What this will do is that each time anyone attempts to access any AD FS resources from any computer with a generic user logged on, they will be challenged with a prompt to enter their domain credentials (username and password).
2. The second option. Most organizations I have done consulting for force their users to use Internet Explorer, so Option 1 will be the definite route to take. Another option is to force generic users to use Firefox. If your Firefox is not configured for IWA, then you will be prompted each time to enter your domain credentials. One of the issues I have seen here is that users might select the "always remember my credentials" option in Firefox, and that means anyone can access the AD FS resources with that user's credentials until the Firefox browser cache is cleared.
Hope that helps!
Isaac Oben MCITP:EA, MCSE, MCC
Similar Messages
-
Opening a document from a SharePoint URL
Using the SDK's instructions on how to open a file, I cannot find the right way to open a file from a SharePoint URL
I understand it relates to the ASFileSys, and I thought ASGetDefaultFileSysForPath would give me the right type, but I cannot figure the right combination of pathType to get the right ASFileSys.
Whatever I try, I get the below error
Code below:
ASAtom pathType = ASAtomFromString("CString");
ASText titleText = ASTextNew();
ASTextSetPDText(titleText, "This PDF was opened by using the Acrobat SDK");
ASFileSys fileSys = ASGetDefaultFileSysForPath(pathType, sharePointUrl);
ASPathName pathName = ASFileSysCreatePathName(fileSys, pathType, sharePointUrl, NULL);
AVDoc myDoc = AVDocOpenFromFile(pathName, fileSys, titleText);
Anyone able to give me a push in the right direction?
Are you able to open a SharePoint URL at all (i.e. with the UI, somehow)? If so, you may be able to write some test code in a plugin that looks up the code for the relevant ASFileSys. I have a feeling that ASGetDefaultFileSysForPath serves a very special and limited purpose.
-
Using FreeRadius to do Mac authentication Bypass with External URL redirect. I have confirmed that I'm sending cisco AV-pair for url-redirect, and the WLC shows the client having that url applied(along with the url-redirect-acl that I've applied)
My issue, the URL presented to the client doesn't have the action_URL appended when I apply it via 802.1x. If I change the SSID and force external webauth I get a good URL to the client(generally http://<SITE>?action_URL=http://1.1.1.1/login.html or something similar). How can I use url-redirect to force authentication with the proper action_URL appended?
WLC 5508 with 7.2 code
FreeRadius running on CentOS
Hello Jeremy,
As per your query, I can suggest the following solution.
Configure WLC Splash Page Redirect with the information to configure the features described.
Complete these steps in order to configure the devices to use the splash page redirect feature:
1. Configure the WLC for RADIUS authentication through the Cisco Secure ACS server.
2. Configure the WLANs for the Admin and Operations departments.
3. Configure the Cisco Secure ACS to support the splash page redirect feature.
For more reference refer to the link-
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml#conf
Hope this will help you. -
Issues getting url-redirect working with Cisco ISE
Hi,
I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect RADIUS attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debugging the RADIUS information on the switch I can see that it's passing the url-redirect to the switch, which in my case was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now, to remove DNS issues etc. from the equation, if I copy and paste this URL into the client browser it takes me to the correct place, and I can log in and it changes VLANs accordingly. Now, as far as I know, the client should automatically be redirected to this URL, which is not working. Below I have included one of the debugs to show that the epm is in place.
DEVLABSW01#show epm session ip 10.0.1.104
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
I have also attached my switch config. Any help would be greatly appreciated.
Dan
So I'm also doing ISE for the first time and I knew it may have been a bit tough, however I didn't foresee my following issue.
Everything is working as expected other than every now and then (intermittent) the ISE Central Portal does not display on any device - Android, Windows, etc..... I checked and checked the configs, had probably about 10 TAC cases open..... this weekend I ripped out the main components, set up in the office and tried to replicate the issue.... I could... what I noticed is that without Internet the ISE Portal didn't actually display.... it sounds weird but that's what I'm seeing..... As soon as I plug the Internet link into the equation, the portal page comes up..... I'm able to replicate it every time... Currently, I placed it back into the customer network and I'm now looking down at the routing/firewall......
My issue is that I can't really explain why the Internet affects the Central Auth Page.... In any event, I'm working backwards, tomorrow I'm bringing in a second link and doing NAT on a Cisco router to bypass the Checkpoint firewall.... I'll know if it's Checkpoint or if I'm barking up the wrong tree....
If anyone can explain why, it would help out a great deal..
My setup BTW is
1. WLC 5760 - Not latest code but latest stable (recommended by the TAC Engineer)
2. ISE 1.2 - Doing simple Wireless only implementation
3. 3650 - Just acting like a switch - no ACLs etc - just a switch
4. Integrated into AD
I'll post back with any findings if I make any headway - BTW, I didn't like this at all as other solutions are so much simpler, BUT, I can now see how powerful this could potentially be for the right type of customer...
thanks again how I can get some feedback -
Need help with URL Redirect in Sun Web Server 7 u5
All I am trying to do is redirect to a static URL and for the life of me I can not get it to behave the way I would expect. I am new to Sun Web Server so I am just trying to use the Admin Console to set this up.
Here is what I'm trying to do:
Redirect from - http://www.oldsite.com/store/store.html?store_id=2154
To - http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154
Here's what I tried in the console.
Added a new URL Redirect
Set the Source to be Condition and set it to: '^/store_id=2154$' (quotes included)
Then set the Target to: http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154
Then for the URL Type I checked Fixed URL
When I tested with: http://www.oldsite.com/store/store.html?store_id=2154 it did redirect as desired
BUT
When I tested with: "http://www.oldsite.com/store/store.html?store_id=5555" it too got redirected to the Target and I can't figure out how this second URL can satisfy the condition to get redirected.
Any help is most appreciated.
Thanks for choosing Sun Web Server 7
it is simpler if you just edit the configuration files manually
cd <ws7-install-root>/https-<hostname>/config/
edit obj.conf or <hostname>-obj.conf (if there is one for you depending on your configuration so that it look something like)
<Object name="default">
AuthTrans..
# add the following lines here
<If defined $query>
# $urlhost holds only the host name, so the pattern has no leading "/"
<If $urlhost =~ "oldsite.com" and
$uri =~ "/store/store.html" and
$query =~ "store_id=2154" >
# the redirect target is passed as a url="..." parameter
NameTrans fn="redirect" from="/" url="http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154"
</If>
</If>
..rest of the existing obj.conf. continues
NameTrans...
now, you can either do <ws7-install-root>/https-<hostname>/bin/reconfig -> to reload your configuration without any server downtime or <ws7-install-root>/https-<hostname>/bin/restart -> to restart the server
if it did work out for you, you will need to run the following so that admin server is aware of what you just did
<ws7-install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname.domainname>
hope this helps -
Hi,
I am setting up wired ISE environment. Everything is going fine, except url redirect is not working.
I am just wondering if using a self-signed certificate on the ISE server has anything to do with the problem?
Appreciate your input.
Thanks
Hi,
As long as you have not changed the hostname or the domain name (and dns is accurate). You should only receive the certificate warning but still get redirected without any issues.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Region Buttons with Optional URL redirect?
Hi there,
Is there anyway to have a button that is created using
"Create a button displayed among this region's items"
but that also can have an Optional URL redirect?
Why is this option not available for these types of buttons?
Thanks in advance!
Hello
"but that also can have an Optional URL redirect? Why is this option not available for these types of buttons?"
That's just how it is. The action taken by a button of the kind that is shown amongst the region's items is not usefully configurable. What I generally do when I need a button to align with a page item is to simply stick some HTML into the 'Post Element Text' of the item after which I need a button to show up. Something along the lines of <input type=button value='Redirect' onClick=doRedirect()>
varad -
I have a html region with the following code:
<html>
<head>
<title>Report</title>
</head>
<SCRIPT language="JavaScript1.2">
function items()
{
$s=('BINDTEST1');
}
function popon(url)
{
window.open (url, "EasyReportWriter",
"location=1,status=1,scrollbars=1,width=1000,height=700, resizable");
}
</SCRIPT>
I have a text box item "BINDTEST" that has html element set to:
onchange="items();"
I have a button with a url redirect of:
javascript:popon('http://test/' + items());
When I click on the button, popup window opens with test url but bindtest1 variable is not appended. What am I missing?
Thanks,
Brett
Edited by: 794218 on Sep 12, 2010 8:20 AM
This worked perfectly!
Thanks. One question, what Oracle documentation contains the details such as: document.getElementById
for one to reference? I thought I used to see a Apex developer manual in previous releases and no longer see it with the recent releases. Please clue me in on what Oracle manual/documentation exists for such programming details.
Thanks,
Brett -
Can URL redirects be configured with XE and what is the HTTP Server
I would like to be able to URL redirects. I'm running XE with Application Express 2.1.0.00.39.
I want to be able to have a URL like www.schoolwebsite.com and when the user hits it - have it redirect to the Apex page for the application. I was thinking that I needed to use a redirect in the HTTP config file, and that XE used Oracle_HTTP and I could configure in that manner.
But, I can't find an Apache directory.
1. What HTTP server is used with XE and Application Express 2.1.0.00.39?
2. Can I configure for this type of redirect?
3. Do I need to install an HTTP server to accomplish this?
Thanks,
Stephen
Hi Steven,
search for "proxy" in this forum.
It explains how to configure a plain Apache http server as a proxy to XE. Then you can use the default mechanisms to rewrite an url.
Here is an example (save the file as XE.conf and store it in the Apache conf directory, where the file httpd.conf is).
The following instructions are valid for Apache2.
# Activate the following modules in httpd.conf:
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule headers_module modules/mod_headers.so
# include the XE configuration (this file XE.conf) in httpd.conf:
#include "conf/XE.conf"
# XE listener is buggy, thus downgrade to http 1.0
SetEnv force-proxy-request-1.0 1
RewriteEngine On
RewriteLog "D:\Programme\Apache Group\Apache2\logs\rewrite.log"
RewriteLogLevel 0
## Rewrite requests /apex, /i, /public, /sys to locally installed XE
RewriteCond %{REQUEST_URI} /(([^/]+)(/.*)*)$
RewriteCond %2 =apex [OR]
RewriteCond %2 =i [OR]
RewriteCond %2 =public [OR]
RewriteCond %2 =sys
RewriteRule ^/(.*) http://%{SERVER_NAME}:8080/%1 [P]
## Rewrite main page
RewriteEngine On
RewriteRule ^/$ http://%{SERVER_NAME}/apex/f?p=107:1 [R]
RewriteRule ^/index.html$ http://%{SERVER_NAME}/apex/f?p=107:1 [R]
## Rewrite /app1
RewriteRule ^/app1$ http://%{SERVER_NAME}/apex/f?p=107:1:0 [R=303]
Regards,
~Dietmar.
Edited by: Dietmar Aust on Oct 14, 2008 1:16 AM -
How to do auto URL redirect in sun web server ?
Hi, I need to do auto URL redirect in my Sun web server. Currently I have set up some rules for the reverse proxy in the obj.conf file and the syntax looks like:
<Object name="reverse-proxy-/test">
<If $internal and $uri =~ "index.html">
NameTrans fn="redirect" from="/" uri="/examples/abc.html"
</If>
Route fn="set-origin-server" server="http://localhost:8989"
</Object>
The situation is:
1) When users browse "*http://localhost/examples/abc.html*" it will redirect to abc.html
2) When users browse "*http://localhost/test*" it will redirect to the localhost admin GUI (http://localhost:8989/admingui/admingui/serverTaskGeneral)
My desired output should be that whenever users browse "*http://localhost/test*", it will redirect to the abc.html page.
The syntax might be wrong. So, does anyone know how to fix this? I keep trying but nothing has worked. Please help me.
Moderator action: Moved from Servers General Discussion.
db -
Is there a way to create a popup to a page in URL Redirect ?
I have a button (also with a report link column) that is doing a URL Redirect to another page in my app. This works fine.
However, some pages I branch to are small forms and a popup of that form would be more appropriate.
Is there any way to create a URL Redirect that redirects as a popup rather than a page navigation? Similarly, can you branch to a popup page with a report link column?
Thanks,
Reid
Edited by: reidster on Jul 30, 2009 7:10 PM
With your help, I was able to create a popup on a report link column using this:
I just added an "a href" around it.
Thanks again!
Edited by: reidster on Jul 30, 2009 10:18 PM -
Set item value at other page via URL-redirect
Hi, I have a button and I want to open a new window with it using an url-target.
javascript:window.open ('f?p=&APP_ID.:143:&SESSION.::NO:143:P143_KDT_ID,P143_MESSAGE:&P140_KDT_ID.,&P140_MESSAGE.')
When I use branching I get an error that there is no page to branch to. I don't understand why. As a workaround I use a URL redirect when the button is pressed, but I'm stuck on getting the current item value into the target page. I tried using $v('P140_MESSAGE') but I can't get the URL valid.
Jacob,
The problem was that when the HTML for the button is rendered, the value of P1_ITEM from session state was "glued in" to the generated URL at that time. If you then entered a value for the item, even though your onChange AJAX technique changed the value in session state it was too late to change the already generated HTML for the button, specifically the URL target for the button.
I created a Set Item2 button on your page with this for the URL attribute:
javascript:window.open('f?p=&APP_ID.:2:&SESSION.::NO::P2_ITEM:' + document.getElementById('P1_ITEM').value);
Let me know if that does what you need.
There is another problem and I don't know the cause. When you click the button, it opens the new window properly but leaves the original page in an error state of some kind. I could not reproduce this in my application using the same js, so I'll be interested in how you solve that.
Scott -
URL redirection config in PI SOAP receiver communication channel
Hi,
I am working on a similar scenario where I am consuming an external web service using https protocol from PI.
I have configured a soap receiver channel to call the target url of this web service as https://portal.xyz.org.uk/webservice_alt.
I am getting an error HTTP 302 suggesting that PI is not able to follow the re-direction to the target URL as the service resides not on that URL but on https://portal1.xyz.org.uk/webservice_alt or https://portal2.xyz.org.uk/webservice_alt.
This is their server fail over handling mechanism which is very common. But PI 7.0 is not able to handle this.
So if I change the target URL on the SOAP receiver channel to https://portal1.xyz.org.uk/web service or https://portal2.xyz.org.uk/webservice_alt , PI works fine without errors . But this is not the right approach because, every time the web service provider takes one of these systems down for upgrade/patching etc, they inform us and then I manually go and change the target URL to the available server on my production PI system config.
My problem is I want to resolve this redirection error in PI. I have tried raising a call with SAP itself and they pointed out to use Axis adapter which is still not working.
So I am here asking for help. any suggestions please from the experts?
Thanks
Jhansi.
Hi guys,
I am sorry if I have not been clear so far!!
What I am talking about is a URL redirection capability of PI. What I mean is, when you call any service in general using a browser/SoapUI etc., it pings that URL and follows the redirection.
For example when I try to test this external web service directly using the SoapUI tool, it also returns HTTP 302 error. But when I set the 'Follow redirect' property to 'true', it follows the redirection and calls the service on 'portal1' or 'portal2'.
You assume PI is a test tool like SoapUI. When the address or URL is changed in the WSDL and you load the latest WSDL in SoapUI, it posts the request to the latest URL. You import the WSDL only in ESR, not in IR. Don't forget it. Though the WSDL has the SOAP address location, it will not impact the WSDL changes directly in ID.
It makes no sense to complain regarding the behaviour of PI when the reason for the problem is outside (WS provider).
Please note that the target URL is fixed, which is https://portal.xyz.org.uk/webservice_alt.
So we are not talking here about the service provider altering the service and sending us new WSDLs etc.
All users of this web service have been non-SAP users so far, and consumers use Java, .NET etc. platforms and are easily able to handle the redirection, because this redirection is a part of the failover mechanism.
I hope I am able to picture my problem.
thanks
Jhansi. -
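The failover redirect described in this thread, as an added example that is not part of the original posts and is not SAP PI configuration: a consumer that follows the 302 only over HTTPS and only to the portal hosts named in the post. The `send` transport hook, the function names and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Hosts taken from the post: the published endpoint and its two failover nodes.
ALLOWED_HOSTS = {"portal.xyz.org.uk", "portal1.xyz.org.uk", "portal2.xyz.org.uk"}


class RedirectRefused(Exception):
    """Raised when a redirect must not be followed."""


def next_hop(current_url, status, location, allowed_hosts=ALLOWED_HOSTS):
    """Return the URL to retry against, or None when the response is final."""
    if status not in REDIRECT_CODES:
        return None
    if not location:
        raise RedirectRefused("redirect without a Location header")
    target = urljoin(current_url, location)  # Location may be relative
    parts = urlsplit(target)
    if parts.scheme != "https":
        raise RedirectRefused("refusing non-HTTPS target: " + target)
    if parts.hostname not in allowed_hosts:
        raise RedirectRefused("host not on the failover allowlist: " + target)
    return target


def call_service(url, body, send, max_hops=3):
    """POST body to url, re-posting to approved redirect targets.

    send(url, body) -> (status, headers, payload) is a hypothetical transport
    hook, injected so the logic can be exercised without a network.
    The same body is re-sent on every hop because a SOAP call must stay a POST.
    """
    for _ in range(max_hops + 1):
        status, headers, payload = send(url, body)
        target = next_hop(url, status, headers.get("Location"))
        if target is None:
            return url, status, payload
        url = target
    raise RedirectRefused("more than %d redirects" % max_hops)


def make_fake_send(table):
    """Constructed transport: looks the response up in a dict keyed by URL."""
    def send(url, body):
        return table[url]
    return send


# Constructed responses modelling the failover behaviour described in the post.
FAILOVER = {
    "https://portal.xyz.org.uk/webservice_alt":
        (302, {"Location": "https://portal1.xyz.org.uk/webservice_alt"}, b""),
    "https://portal1.xyz.org.uk/webservice_alt":
        (200, {}, b"<soap:Envelope/>"),
}

# Constructed hostile case: the redirect points outside the allowlist.
HIJACKED = {
    "https://portal.xyz.org.uk/webservice_alt":
        (302, {"Location": "https://collector.example.net/webservice_alt"}, b""),
}

# Constructed loop: the endpoint keeps redirecting to itself.
LOOP = {
    "https://portal.xyz.org.uk/webservice_alt":
        (302, {"Location": "/webservice_alt"}, b""),
}

if __name__ == "__main__":
    print(call_service("https://portal.xyz.org.uk/webservice_alt", b"<req/>",
                       make_fake_send(FAILOVER)))
```
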
Hello,
say I want to have five ISE 1.3 nodes behind a load balancer. I want only G0 behind the LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use the G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through the LB on G0 of some specific PSN, and that PSN will url-redirect the user to the CWA URL.
How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check the result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to process the policy is unpredictable.
So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
But then, why does it let me choose multiple interfaces, what happens if I select all of them?
Am I missing another spot in ISE admin where I can control this?
Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
Thanks!
Take a look at the following document:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• All NICs can be configured with IP addresses.
So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with.
I hope this helps!
Thank you for rating helpful posts! -
ISE & Switch URL redirect not working
Dear team,
I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
Here is some output from my 3560C:
Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
SW3560C-LAB#sh auth sess int f0/3
Interface: FastEthernet0/3
MAC Address: f0de.f180.13b8
IP Address: 10.0.93.202
User-Name: F0-DE-F1-80-13-B8
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A005DF40000000D0010E23A
Acct Session ID: 0x00000011
Handle: 0xD700000D
Runnable methods list:
Method State
mab Authc Success
SW3560C-LAB#sh epm sess summary
EPM Session Information
Total sessions seen so far : 10
Total active sessions : 1
Interface IP Address MAC Address Audit Session Id:
FastEthernet0/3 10.0.93.202 f0de.f180.13b8 0A005DF40000000D0010E23A
Could you please help to explore the problem? Thank you very much.
With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
In my experience some users cannot get the redirect correctly because an anti-spoof ACL on the management VLAN or a stateful firewall blocks the TCP SYN ACK.
It is rare in campus networks for access layer switches to have a user SVI configured, so the redirect traffic has to be sent from the netman SVI, but, trickily, the TCP SYN ACK from the HTTP server will be sent back from the netman VLAN without the source IP changed. (The switch is spoofing the source IP, in my understanding, changing only the MAC address of the packet.) In most cases there should be a basic ACL residing on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
tips:
1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.