AD Auth with login page

How do you setup Windows authentication and display a login page where the user has to supply their credentials?

I believe I have authentication working, following the basic example on: https://docs.universaldashboard.io/security/authentication/windows. When I visit my site I see my username as the value for $user.

I removed the “-PassThru” parameter on New-UDLoginPage, thinking this would require me to have to provide my credentials. However removing this parameter made no change.

Thanks for any help!
guy

Hello @guy thanks for posting your question. I ended up using two functions one to test the credential, and another to verify if the user was in a specific security group. This may not be the best way but it works without issues to Active Directory:-


Hopefully this will help you out :smile:

Hello @psDevUK thanks for the reply. I tested using your $LoginPage variable, and the $FormLogin variable but I am still not seeing any change. When I visit the site there is no login page.

Thanks anyway,
guy

So I can have a better understanding of where to troubleshoot, if I remove the -PassThru parameter on New-UDLoginPage, I should then be presented with a page where I have to enter my credentials. Is this understanding correct?

@guy have a look at the main dashboard file I state two pages in there:-

$FormLogin = . (Join-Path $Root “Pages\FormLogin.ps1”)

$LoginPage = New-UDLoginPage -AuthenticationMethod $FormLogin -LoginFormFontColor “#ffffff” -LoginFormBackgroundColor “#305768” -PageBackgroundColor ‘#FFFFFF’ -Logo (New-UDImage -Url “http://www.pensworth.co.uk/wp-content/uploads/2015/07/pensworth-logo.png”) -Title “Pensworth Complaint System” -WelcomeText “Logon using your network credentials” -LoadingText “Please wait…” -LoginButtonFontColor “#FFFFFF” -LoginButtonBackgroundColor “#FF6666

Finally in the main dashboard file when it calls the dashboard you also specify the LOGIN form:-

$Dashboard = New-UDDashboard -Title “PENSWORTH COMPLAINT SYSTEM” -Pages @(
$HomePage,
$HelpPage,
$HistoryPage,
$NewPage,
$MyCallPage,
$AllCallPage,
$AssignedPage,
$EditPage
) -NavBarLogo (New-UDImage -Path “$Root\imgs\cm.png”) -NavbarLinks $NavBarLinks -Theme $theme -Footer $Footer -NavBarColor “#2c505f” -NavBarFontColor “#000000” -EndpointInitialization $Init -LoginPage $LoginPage -Navigation $Navigation

@psDevUK Thanks for the efforts. I understand what you are saying about having to call the $LoginPage via the “-LoginPage” parameter, and also the need to have the $FormLogin available. I was unable to get your example to work.

Here is what I have working.

$Root = $PSScriptRoot
$HomePage = New-UDPage -Name "Home" -Icon home -DefaultHomePage -Title "" -Content {
New-UDCard -Title "Card Title" -Text "Some Text to display"
}
$Page2 = New-UDPage -Name "Page2" -Icon _lock -Title "Page Title" -Endpoint {
New-UDHeading -Text "$user"
}

$Auth = New-UDAuthenticationMethod -Windows

$LoginPage = New-UDLoginPage -AuthenticationMethod $Auth 

$LogonDashboard = New-UDDashboard -Title "" -Pages @(
$HomePage
$Page2
)  -NavBarLogo (New-UDImage -Path 
"C:\Projects\LogonTest\Resources\logo255x59White.png") -LoginPage $LoginPage

Start-UDDashboard -Dashboard $LogonDashboard -Port 88 -AutoReload -Force -Wait - 
AllowHttpForLogin

However when I run this code and then visit the site I am not getting a login page. What am I missing?

Just to confirm @guy you are using a licensed version not community edition?

@psDevUK Yes that is correct. I am using the licensed version.

Windows authentication is really just single-sign on and won’t prompt you for a username\password unless the machine you are on is not domain joined. In that case, you’ll be prompted by the web browser and not a UD login page.

What @psDevUK has in his dashboard is actually forms-based authentication. In that example, he’s using an Endpoint to validate that the user is logging.

Here’s the code for that: https://github.com/psDevUK/psUniversalDashboard/blob/master/PagesGitHub/FormLogin.ps1

As you can see, New-UDAuthenticationMethod is using Endpoint rather than the -Windows switch parameter. It’s a bit more manual on the UD side but allows you to validate against whatever system you need but in this case, it’s just Active Directory.

1 Like

Thank you @adam and @psDevUK both for helping me better understand this.

1 Like

@psDevUK After I gained a better understanding of how authentication works in UD, I was able to get your FormLogin script working in my test build. It worked perfectly, and was exactly what I was looking for. Thank you so much for sharing your work! I don’t know if I would of have been able to get this working how I wanted without your help.

Thanks again,
Guy

1 Like

@guy no worries, that’s what this community is all about, helping one another and sharing ideas. Like that weird saying goes “there’s always more than one way to skin a cat” if they have that weird saying where you are from. But anyways the main thing is you got it working, and now you have a better understanding. Hopefully the next time someone posts how do I get login pages working you will be the resident to answer the question :smile:

Good Afternoon,

I’m currently using the script that @adam provided above and everything is working great but I was wondering if it would be possible to pass the username and password to a variable so I can use it later on in my dashboard. My end goal is to be able to pass the username and password to a servicenow API so it’ll automatically open a ticket for that user(using their username and password) after they submit a form.

Thanks
Shaun

Hello @Shaun and a big happy welcome to the UD forums. There is a very neat special variable called $User it is documented here:- https://docs.universaldashboard.io/security/authentication/windows#claims-based-authorization-with-windows-authentication
I hope this helps a brother in need. Peace

Crumbs I only just saw the password bit (i need some glasses) not to sure how to achieve this…?

Thanks for the warm welcome! Its all good. The $User should work.

Thanks again

1 Like

Sweet…I did think more about this question after…and was thinking I am sure there is some key-logging modules out there, and I am sure you could hack yourself together a password gathering tool on login, but I’m no powershell master but I know you could encrypt that password and pass that as credentials, as I do this for my scheduled tasks…but I also understand you can decrypt the files as well, so don’t think this would work too well depending on how secure your encrypted passwords have to be…I use the $User variable to log what time and date that user visits so management can check that people are using it, and I create a $USER folder in the IIS folder which I can then use to plonk any output from the INPUT fields, to check the data before inputting the data into the database.

@adam How would IIS Authentication have to be configured to make this work?

Or would you even need IIS?

You’ll need IIS if you want single-sign on. For IIS, you’ll need to enable Windows auth and disable anonymous auth.

Then you need to make sure that the web.config is setup to forward the auth token. Directions for that here:

https://docs.universaldashboard.io/security/authentication/windows

1 Like

@adam
got it - understand the IIS piece but if you want the above custom form auth to work, it cannot and/or doesn’t need to be in IIS

For the above custom form login, it doesn’t need to be in IIS. It can be if you want but you can host that kind of auth anywhere.