UAG authentication from code

Hi Experts,


I'm trying to write some simple .NET code to authenticate programmatically against a UAG 2010 (SP3) server. All I care about at this moment is authenticating a session; once I can nail that I will move on to accessing resources behind the UAG.

I am using guidance from some links but I am unable to post them since my account isn't authorized to post links, so I'm posting them as text

usingnat.net/sharepoint/2011/2/23/how-to-programmatically-authenticate-to-uag-protected-sharep.html
stackoverflow.com/questions/11875646/how-to-authenticate-programmatically-to-uag-for-sharepoint-with-windows-phone-ap

However, every time I try to authenticate, I check in the UAG Web Monitor and the session remains unauthenticated. I am hardcoding the user credentials within the POST. The basic method I'm following is:

1) Do a GET on the login page, get the cookie

2) Do a POST on the login page with encrypted user credentials (passed through the headers) and the cookie obtained from step 1.

I have tried everything now but the session simply won't authenticate. I can authenticate using a browser without a problem, so I know UAG is working. Do I need to make any configuration changes to either UAG or TMG to allow it to authenticate programmatically?

I have also used fiddler2 to trace the headers being exchanged, and from what I can tell all the right information is being sent to the UAG server, but authentication is failing. 

Any help is much appreciated

Thanks 


May 25th, 2013 7:52pm

Hello kmittal82,

Some comments:

1. Make sure your 2nd request (POST) is to the VALIDATE page and not the login page (i.e. Validate.ASP).

2. In the POST request, one of the parameters is the repository name. Make sure you provide the exact name of your authentication repository as defined in the UAG.

If this still does not help, try to compare the POST request you send from interactive IE to the one your script sends and see the difference, and also take a look at the response you get back from the UAG, as it may contain some hints...

You can also set up an HTTP trunk (not encrypted) for testing and use a network capture tool to see exactly what is going on between your script and the UAG ...

Hope this helps..

Ophir.

May 26th, 2013 8:26am

Hi Ophir,

Thanks for your extremely useful tips. I wasn't sending the request to the Validate.ASP page to start with, and my repository name was wrong as well. I fixed those, however I still can't authenticate.

The POST request from IE goes through fine, but the POST request through my app results in a 302 Object not found type of error. I used fiddler2 to see the differences in the headers (both the header being sent and the response), and although there are minor differences, I can't see anything obvious which might cause a major problem.

I have attached the two responses to this post just for your reference

Internet Explorer POST and RESPONSE

POST http://portal.kmittal.com/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/Validate.asp HTTP/1.1
Host: portal.kmittal.com
Connection: keep-alive
Content-Length: 126
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://portal.kmittal.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://portal.kmittal.com/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/portalPortalHomePage/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: ASPSESSIONIDCQRQRQRA=GCFPDAPDONFCHDLCPPHNGPIJ; uniquesigB149A8232171E3C30DB80F3DF71C094B004298D99D9EB84911D792DE89F362D6A1231C7973EE037347F0E4E5690C1A7A=GCFPDAPDONFCHDLCPPHNGPIJ; WhlPII=2; NLSessionCportal=R9ywg8urgu7FwlpKQ+Jqj54wOYe45EaSm4/z4rLgrJgD2OZjsgf7mW1ClEfBFmvrDqZxtSMNOuDUeiOugx1+2Z3zWIEl8rEtOVOVySfbdcgy3pObzl94+dCjEE5dOhbY; WhlInstall=False; WhlST=234000; NLSessionCportal=R9ywg8urgu7FwlpKQ+Jqj54wOYe45EaSm4/z4rLgrJgD2OZjsgf7mW1ClEfBFmvrDqZxtSMNOuDUeiOugx1+2Z3zWIEl8rEtOVOVySfbdcgy3pObzl94+dCjEE5dOhbY

user_name=testuser&password=Password1&repository=ws2012-dc&language=en-US&site_name=portal&secure=0&resource_id=2&login_type=2
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14607
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Server: Microsoft-IIS/6.0
Set-cookie: NLSessionCportal=R9ywg8urgu7FwlpKQ+Jqj54wOYe45EaSm4/z4rLgrJgD2OZjsgf7mW1ClEfBFmvrDqZxtSMNOuDUeiOugx1+2Z3zWIEl8rEtOVOVySfbdcgy3pObzl94+dCjEE5dOhbY;path=/
X-Powered-By: ASP.NET
Date: Mon, 27 May 2013 11:23:25 GMT


<HTML>
<HEAD>
<title>Microsoft Forefront Unified Access Gateway - Logon Page</title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">

<LINK rel="STYLESHEET" type="text/css" href="/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/css/template.css">

<script>
var bWhlClientComponents = isWhlClientComponents();
function isWhlClientComponents()
{
if ("1" == 2)
return true;
else
return false;
}

function postValidateInstall()
{
if (bWhlClientComponents)
Install('/internalsite/installxml.asp?stage=0&uninstall_lln=0&remove_lln=0&lln_mode=0&use_wio=0&site_name=portal&secure=0&force_lln=0')
}

var isPostValidate = true;
</script>

</HEAD>
<BODY height="100%" onload="postValidateInstall();RedirectToOrigUrl();">

<table id="mainTable" height="98%" width="100%" style="display:none" cellspacing="0" cellpadding="0">
<tr>
<td valign="middle">
<TABLE align="center" class="blueBorder" cellspacing="0" cellpadding="0">

<tr >
<td id="companyTD" width="100%" colspan="3" style="">
<span  class="header1 header1pos">
Application and Network Access Portal
</span>
<table width="100%" cellpadding="0" cellspacing="0">
<tr>
<td width="32px">
<img src="/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/headertopl.gif" align="absmiddle">
</td>
<td  style="background-image: url('/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/headertopm.gif'); background-repeat: repeat-x">
&nbsp;
</td>
<td width="520px"  style="background-image: url('/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/headertopr.gif');">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="100%"  colspan="3" style="">
<span   style="margin-">

</span>
<table width="100%" cellpadding="0" cellspacing="0">
<tr>
<td width="30px">
<img src="/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/headerbottoml.gif" align="absmiddle">
</td>
<td  style="background-image: url('/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/headerbottomm.gif'); background-repeat: repeat-x">
&nbsp;
</td>
<td width="30px"  style="background-image: url('/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/headerbottomr.gif');">
</td>
</tr>
</table>
</td>
</tr>

<tr>
<td valign="top" class="contentleft">
</td>
<td class="internalTD">
<table height="100%" width="100%" cellspacing="0" cellpadding="0">
<span id="appletSpan"></span>
<tr>
<td v-align="top">
<TABLE id="loadingTable" height="100%" border="0" class="content" cellspacing="0" cellpadding="0">
<tr height="20%">
<td id="td1" valign="top">
<span align="left" id="msgSpan" class="blueBold"><nobr>Downloading Endpoint Component Manager...</nobr></span><br><br>
<table cellpadding="0" cellspacing="0" class="nopadding">
<tr>
<td id="progressTD">
<table class="progressBarFrame" cellpadding="0" cellspacing="0">
<tr>
<td id="progressBar1" class="progressBarLeft">&nbsp;</td>
<td id="progressBar2" class="progressBarRight">&nbsp;</td>
</tr>
</table>
</td>
<td>&nbsp;&nbsp;<label class="blueBold" id="percents"></label></td>
</tr>
</table>
</td>
<td valign="top" rowspan="2" align="left" id="securityWarningTD">
<img id="securityWarningImg" width="300px" height="144px"><br>
<span class="blueBold" valign="bottom" align="right">If this prompt appears<br>click Install to install the components.</span>
</td>
</tr>
<tr height="80%">
<td valign="top" id="td2" class="regText">
<br><br>
Please wait a few minutes for component downloads to complete.<br>Corporate policy might require components for site access.
</td>
</tr>
</TABLE>
<TABLE id="blockedPopupTable" height="100%" border="0" class="content" cellspacing="0" cellpadding="0" style="display:none">
<tr>
<td class="bottomText" style="font-weight: bold;" valign="top" height="20%">
Access to this site requires one or more additional applications to be launched. Automatic launching of the required applications was blocked by your browser, probably by a pop-up blocker.<br>

</td>
</tr>
<tr>
<td class="bottomText" style="font-weight: bold;" height="200px" valign="top">

<br>Click&nbsp;<a href="javascript:launchAfterBlock();">here</a>&nbsp;to launch the application and access the site.<br><br>
To access this site in the future, it is recommended that you disable pop-up blockers for this site.
</td>
</tr>
</TABLE>
</td>
</tr>
</table>
</td>
<td valign="top" class="contentright">
</td>
</tr>

<tr>
<TD width="100%"  colspan="3" style="">
<span  class="bottomText bottomTextPos">
&#169; 2010 Microsoft Corporation. All rights reserved. <a href='javascript:alert(&#39;Microsoft Corporation licenses the software and services on this portal to you according to your Microsoft Unified Access Gateway 2010 (the &quot;software&quot;) license. You may not use this portal without a license for the software. Contact your IT administrator for the license terms.&#39;)'>Terms and Conditions.</a>
</span>
<table width="100%" cellpadding="0" cellspacing="0">
<tr>
<td width="47px">
<img src="/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/footerbgl.gif" align="absmiddle">
</td>
<td  style="background-image: url('/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/footerbgm.gif'); background-repeat: repeat-x">
&nbsp;
</td>
<td width="47px"  style="background-image: url('/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/images/footerbgr.gif');">
</td>
</tr>
</table>
</td>
</tr>

</TABLE>
</td>
</tr>
</TABLE>
<script>
//getting domain cookie path (for set and invalidate) before using install.js
sDomainCookieAttr = ""
sDomainCookieToRemove = ""

//domain without AAM, or shortname/IP - remove domain cookie%>
sDomainCookieToRemove = "Kmittal.com"

sLoginURL  = "";
sOrigURL  = "http://portal.kmittal.com/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/portalPortalHomePage/";
</script>

<script language="JavaScript" src="/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/scripts/install.js"></script>


<script language="JavaScript">
//init page messages
var WhlClientComponentsNotInstalledMsgTitle = "Install Forefront UAG client components:";
var WhlClientComponentsNotInstalledMsgDirections = "To install the components:<br>1. Right-click the Information Bar.<br>2. Select <b>Install This Add-On for All Users</b>, as follows:";
var WhlClientComponentsNotInstalledMsgNote = "To install the components, you must have administrator privileges on this device.<br>If you cannot see the Internet Explorer Information Bar, enable your browser is to allow download of ActiveX components."
var WhlClientComponentsNotInstalledMsgSkip = "To skip this installation and continue with limited functionality click here:";

var DownloadAndInstallWaitMsg = "Downloading Endpoint Component Manager...";
var FailedUpdatingMsg = "Component updates failed.";
var TransferToLoginMsg = "Redirecting to logon page...";
var stopStr = "Stop";
var stopProgressStr = "Stopping...";
var completedStr = "completed";
var continueStr = "Continue";

var WhlClientComponentsNotInstalledStatus = "Forefront UAG client components were not installed...";

var piiMsg = "To provide full site functionality, data collected from this device might include personal information.<br>Without this option, you can access this site with limited functionality.<br>Do you want to enable this option?";
var piiOption1 = "Enable and continue with full functionality";
var piiOption2 = "Continue with limited functionality";
var piiCheckbox = "Don't show me this message again";
var piiSubmit = "Continue";

var isSecure = "C"
if ("0" == "1")
var isSecure = "S"
var eGapCookieName = "NLSession" + isSecure + "portal"

var newWinVer = true;
if ("True" != "True")
newWinVer = false;

//install Endpoint Component Manager
if (bWhlClientComponents && getCookie("WhlInstall") != "False")
{
//Don't try to install on old Windows version
if ("True" != "True")
document.cookie = "WhlInstall=False; path=/;";

if (isNewDM() || !newWinVer)
WhlInstallComponentManager('');
else
WhlInstallComponentManager('');
}

function isNewDM()
{
var bNewDM = true;

try
{
testObj = new ActiveXObject("ComponentManager.Installer.2");
}
catch(e)
{
bNewDM = false;
}

return bNewDM;
}

//popup blocker launching function
function launchAfterBlock()
{
if (isPostValidate)
startAutoLaunch();
else if (isStartApp)
{
LaunchStartApp();
setPageView();
removeProgress();
setMessage("Launching applications...");
hideAppletLauncher();
//for the case when using !http application as initial application
setTimeout("document.getElementById('mainTable').style.display = 'none';", 3000);
}
}

function Install(sURL)
{
if (getCookie("WhlInstall") != "False")
{
var sAskBrowserRestart="You are about to install Forefront UAG client components. After installation all open browser windows will be closed, and the browser will restart. Do you want to proceed?";
var bPersistCookie="1";
//If not using authenitcation at all, or session is not authenticated yet, don't persist the cookie:
if ("-1" == "0"  || "-1" == "0")
bPersistCookie="0";

//component manager checks for component updates
WhlUpdateComponents("NLSessionCportal=R9ywg8urgu7FwlpKQ+Jqj54wOYe45EaSm4/z4rLgrJgD2OZjsgf7mW1ClEfBFmvrDqZxtSMNOuDUeiOugx1+2Z3zWIEl8rEtOVOVySfbdcgy3pObzl94+dCjEE5dOhbY",sURL,sAskBrowserRestart,"portal","0", bPersistCookie,"1");
}
}

function getMessage(eNotify)
{
switch(eNotify)
{
case 1:
return("Downloading and extracting" + " ");
case 2:
return("Downloading and extracting" + " ");
case 8:
return("Installing" + " ");
}
}

var errorStr = "";

function getErrorMessage(eNotify)
{
switch(eNotify)
{
case 1:
return("The following component cannot be downloaded:" + " ");
case 2:
return("The following component cannot be extracted:" + " ");
case 4:
//Invalid file checksum
return("The following component cannot be installed:" + " ");
case 8:
return("The following component cannot be installed:" + " ");
case 16:
return("The following component cannot be registered:" + " ");
case 32:
return("File in use:" + " ");
case 64:
return("The client configuration file cannot be updated:" + " ");
default:
return "";
}
}
</script>

<SCRIPT FOR=whaleClientComponentManager EVENT="SetProgress(progress,bDownload)" LANGUAGE="JavaScript">
if (bWhlClientComponents)
setProgress(progress)
</SCRIPT>

<SCRIPT FOR=whaleClientComponentManager EVENT="FileNotification(compName, fileName, fileVer, eNotify)" LANGUAGE="JavaScript">
//var strFile = getMessage(eNotify) + compName + " (" + fileName + ")";
if (bWhlClientComponents)
{
var strFile = getMessage(eNotify) + "Forefront UAG client components...";
setMessage(strFile);
}
</SCRIPT>

<SCRIPT FOR=whaleClientComponentManager EVENT="FileError(compName, fileName, fileVer, eNotify)" LANGUAGE="JavaScript">
if (bWhlClientComponents)
{
if(eNotify!=32) //32 = file in use error - don't show it...
{
errorStr += getErrorMessage(eNotify) + compName + " (" + fileName + ")\n";
}
}
</SCRIPT>

<script language="JavaScript">
function RedirectToOrigUrl()
{
if (getCookie("WhlScheduledLogoff") == "True") 
document.cookie = "WhlScheduledLogoff=False; path=/;";


setPageView();
removeProgress();
setMessage("Successful log on");
showUI();

//used after finish launching applications (Java)
redirectUrl = "/InternalSite/RedirectToOrigURL.asp?site_name=portal&secure=0";
startAutoLaunch();
//RESOURCE_OPERATION_LOGIN - change the location just in case there is no java applet to run or no autolaunch applicatios
if (bWhlClientComponents || "0" == 0)
{
setMessage("Successful log on.<br>Redirecting to the site home page...");
if (document.images)
window.location.replace("/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/RedirectToOrigURL.asp?site_name=portal&secure=0");
else 
window.location.href = "/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/RedirectToOrigURL.asp?site_name=portal&secure=0";
}

}


function startAutoLaunch()
{
var bError = false;
if ('' != '')
{
setMessage("Launching applications...");
hideAppletLauncher();
//in case we work with java, and java is disabled no need to launch applications
checkActiveX();
if (bWhlClientComponents)
{

}
else
{
//used after finish launching applications (Java)
redirectUrl = "/InternalSite/RedirectToOrigURL.asp?site_name=portal&secure=0";
if (navigator.javaEnabled() && "True" == "True")
{
;
}
else
{
alert("The following applications cannot be started because the browser does not allow Java applets to run:\nTo use these applications, configure the browser settings to enable Java.");
if (document.images)
window.location.replace("/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/RedirectToOrigURL.asp?site_name=portal&secure=0");
else 
window.location.href = "/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/RedirectToOrigURL.asp?site_name=portal&secure=0";
bError = true;
}
}
}
if ('0' == '1' && !bError)
{
alert("The following applications cannot be launched:");
}
}

</script>
</BODY>
</HTML>

Application POST and RESPONSE

POST http://portal.kmittal.com/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/Validate.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: portal.kmittal.com
Cookie: NLSessionCportal=y1cYOi5Rj/hfK8ezAZrXz+XEhPYXUN90P4GoJ4MffwqTTn4tQHUj8cVEKEJTTw6G+MFfsktnf5JbOsW7/ROWZ4TgcUgNdTQqrqic6X5u3xF2wjVSs0xvG2Wa7Txs053O
Content-Length: 111
Expect: 100-continue

user_name=testuser&password=Password1&repository=ws2012-dc&resource_id=2&login_type=8&site_name=portal&secure=0

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 220
Content-Type: text/html
Location: /uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/InternalError.asp?error_code=116
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCQRQRQRA=MCFPDAPDKNLGDFNJGILGKECO; Path=/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/
Set-Cookie: uniquesigB149A8232171E3C30DB80F3DF71C094B004298D99D9EB84911D792DE89F362D6A1231C7973EE037347F0E4E5690C1A7A=MCFPDAPDKNLGDFNJGILGKECO; Path=/
Server: Microsoft-IIS/6.0
Set-cookie: NLSessionCportal=y1cYOi5Rj/hfK8ezAZrXz+XEhPYXUN90P4GoJ4MffwqTTn4tQHUj8cVEKEJTTw6G+MFfsktnf5JbOsW7/ROWZ4TgcUgNdTQqrqic6X5u3xF2wjVSs0xvG2Wa7Txs053O;path=/
X-Powered-By: ASP.NET
Date: Mon, 27 May 2013 11:25:28 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/InternalError.asp?error_code=116">here</a>.</body>

May 27th, 2013 2:31pm

Bit more info:

Through the app, when I do a POST on the validation URL (Validate.asp), right after that the app does a GET. In the GET, the URL is that of InternalError.asp, with an error code of 116. I looked up this error code and it relates to the page being accessed from an unauthorized URL.

I'm not sure what this means; to me it looks like the app is somehow not authorized to POST on the validation page, but I don't see why it wouldn't be.

Still trying out stuff, will keep this log posted if I find anything

To summarize, here is the order of the headers from within my app:

1) Do a GET to portal.kmittal.com (Response Header 302 Object not found)

2) Redirected - do a GET on InitParams.aspx?refererrer=xxxxx.... (Response Header 302 Found)

3) Redirect - do a GET on InstallAndDetect.asp?resoruce_id=2&xxxx....(Response Header 200 OK)

4) POST on /InternalSite/Validate.asp (Response Header 302 Object Moved)

5) GET on InternalError.asp?error_code=116 (Response Header OK)

To the best of my understanding, the problem is that the cookies I get from the logon page are not all passed to the validation URL. When I look at the GET cookies, I get ASPSESSIONIDCSTRATTB, NLSessionCportal and uniquesidDxxxxxxx cookies, but when I post, the only one being posted is NLSessionCportal.

Also, although my portal is portal.kmittal.com, I don't have any real applications behind that apart from file access. So I do a GET on portal.kmittal.com. I have also tried doing a GET on portal.kmital.com/uniqesig34xxxxxxx , but that doesn't change anything.


May 27th, 2013 4:09pm

Hi kmittal82,

Error 116 means you are breaking the "state machine" of the authentication flow, meaning you are accessing the pages in the wrong order.

The UAG tries to enforce the right authentication flow; basically, you should first go to the login page, and only then to the validate page.

Your application seems to follow that requirement, however the way the UAG is tracking the flow is by using session variables in IIS.

For IIS to keep the context of a session, it uses the ASPSessionID cookie, and I guess this is what breaks your application, as without sending the ASPSessionID cookie, you break the IIS session context and hence you break the state machine ...

I recommend capturing the IIS cookie as well, the same way you do with the UAG cookie (NLSession), and see if this makes things better...

(I think you can ignore the "other" cookie, as this is just another copy of the ASPSessionID but in a signed version....)

Hope this helps..

Ophir.

May 27th, 2013 9:49pm

Hi Ophir,

I'm capturing cookies using the .Cookies property of HttpWebResponse

The code is simple:

using System.Net;

private void Connect()
{
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://portal.kmittal.com");
    request.CookieContainer = new CookieContainer();
    request.UserAgent = this.UserAgent; // UserAgent is set elsewhere

    // Do a GET on the URL
    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    {
        // Get the UAG generated cookies from the response
        this.Cookies = response.Cookies;
        ...
        ...
    }
}

The thing is, when I checked through fiddler2 there are certainly more cookies being sent, but using the inbuilt cookies method seems to only capture NLSession but doesn't get back the ASPSessionID cookie. 

Quick update: If I disable redirect on the request (request.AllowAutoRedirect=false), I do get back 3 cookies (but as expected the redirects stop working), but then I get an error 152 which suggests that the user got authenticated by AD but something else went wrong. Interestingly, I get the same error code even if I provide bogus credentials, so I'm not convinced the AD authorization is actually working! I guess this gets me one step closer, but still no cigar!






May 27th, 2013 10:16pm

Hi kmittal82,

It seems the .Cookies property returns only the last (or first) "Set-Cookie:" header's value, and since some of the pages generate the cookies with multiple "Set-Cookie" headers, you may get only one. I recommend disabling the redirect and requesting just the login.asp, and then posting to validate.asp.

Error 152 (ADFS) sometimes indicates a problem with cookies, so I recommend comparing the request header generated from your code to the headers generated from the browser and see what cookie/element is missing.

Indeed it seems you are getting close...

Ophir.

May 28th, 2013 8:06am
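The flow Ophir describes in his two replies above (walk the UAG logon state machine in order, and carry the IIS ASPSESSIONID cookie as well as NLSession to Validate.asp by turning off automatic redirects) as an added C# example. This is not code from the thread, from kmittal82, or from Microsoft. The portal host, repository name and environment-variable names are placeholders; it assumes Validate.asp sits in the same InternalSite folder as the page the redirect chain ends on (as in the captures in this thread), and it uses the form field names and login_type=2 visible in the browser capture.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

// Added example, not code from this thread or from the UAG product. Assumptions: portal host,
// repository and site name are placeholders; Validate.asp sits in the same InternalSite folder
// as the page the logon redirect chain ends on; form fields are those in the browser capture.
static class UagLogon
{
    // Fetch the logon page hop by hop. With AllowAutoRedirect=false every intermediate response
    // (InitParams.aspx, InstallAndDetect.asp, ...) is visible, so each hop's raw Set-Cookie headers
    // can be copied into one CookieContainer. That keeps the IIS ASPSESSIONID cookie (and its
    // signed uniquesig* twin) together with NLSessionCportal for the later POST.
    static Uri FetchLogonPage(Uri url, CookieContainer jar, string userAgent)
    {
        for (int hop = 0; hop < 10; hop++)
        {
            var request = (HttpWebRequest)WebRequest.Create(url);
            request.AllowAutoRedirect = false;
            request.CookieContainer = jar;
            request.UserAgent = userAgent;
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                HarvestCookies(response, url, jar);
                int status = (int)response.StatusCode;
                string location = response.Headers[HttpResponseHeader.Location];
                if (status < 300 || status > 399 || string.IsNullOrEmpty(location))
                    return url;                   // not a redirect: this is the logon page
                url = new Uri(url, location);     // Location may be relative
            }
        }
        throw new InvalidOperationException("Too many redirects while fetching the logon page");
    }

    // HttpWebResponse.Cookies can return fewer cookies than the server set (the thread saw only
    // NLSessionCportal), so read every raw Set-Cookie header instead.
    static void HarvestCookies(HttpWebResponse response, Uri url, CookieContainer jar)
    {
        string[] setCookies = response.Headers.GetValues("Set-Cookie");
        if (setCookies == null) return;
        foreach (string header in setCookies)
        {
            try { jar.SetCookies(url, header); }
            catch (CookieException) { /* skip a malformed cookie rather than abort the logon */ }
        }
    }

    // POST the logon form with every cookie gathered so far. Returns 0 on 200 OK; otherwise the
    // error_code from the InternalError.asp redirect (116, 120 and 152 appear in this thread), or -1.
    static int PostValidate(Uri logonUrl, CookieContainer jar, string userAgent,
                            string user, string password, string repository, string siteName)
    {
        Uri validateUrl = new Uri(logonUrl, "Validate.asp");
        string body = "user_name=" + Uri.EscapeDataString(user) + "&password=" + Uri.EscapeDataString(password)
                    + "&repository=" + Uri.EscapeDataString(repository) + "&language=en-US&site_name="
                    + Uri.EscapeDataString(siteName) + "&secure=0&resource_id=2&login_type=2";
        byte[] payload = Encoding.UTF8.GetBytes(body);

        var request = (HttpWebRequest)WebRequest.Create(validateUrl);
        request.Method = "POST";
        request.AllowAutoRedirect = false;               // keep the 302 so error_code stays visible
        request.CookieContainer = jar;
        request.UserAgent = userAgent;
        request.Referer = logonUrl.ToString();
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;
        request.ServicePoint.Expect100Continue = false;  // browsers do not send Expect: 100-continue
        using (Stream s = request.GetRequestStream()) s.Write(payload, 0, payload.Length);

        using (var response = (HttpWebResponse)request.GetResponse())
        {
            HarvestCookies(response, validateUrl, jar);
            if (response.StatusCode == HttpStatusCode.OK) return 0;
            return ParseErrorCode(response.Headers[HttpResponseHeader.Location] ?? "");
        }
    }

    // Extract NNN from ".../InternalError.asp?error_code=NNN"; -1 if the redirect is something else.
    static int ParseErrorCode(string location)
    {
        const string key = "error_code=";
        int at = location.IndexOf(key, StringComparison.OrdinalIgnoreCase);
        if (at < 0) return -1;
        string digits = location.Substring(at + key.Length).Split('&')[0];
        int code;
        return int.TryParse(digits, out code) ? code : -1;
    }

    static void Main()
    {
        const string portal = "https://portal.example.com";   // placeholder for your UAG trunk
        const string repository = "REPOSITORY-NAME";           // placeholder: exact UAG repository name
        const string ua = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)";
        string user = Environment.GetEnvironmentVariable("UAG_USER");       // never hardcode credentials
        string password = Environment.GetEnvironmentVariable("UAG_PASSWORD");
        if (user == null || password == null) { Console.WriteLine("Set UAG_USER and UAG_PASSWORD"); return; }

        var jar = new CookieContainer();
        Uri logonUrl = FetchLogonPage(new Uri(portal), jar, ua);
        int err = PostValidate(logonUrl, jar, ua, user, password, repository, "portal");
        Console.WriteLine(err == 0 ? "Logon accepted (200 OK from Validate.asp)"
                                   : "Logon rejected: UAG error_code=" + err);
    }
}
```

The two design points are the ones the thread turns on: the same CookieContainer is attached to every request, and cookies are taken from the raw Set-Cookie headers of each hop rather than from HttpWebResponse.Cookies, so the IIS session cookie that UAG's state machine depends on reaches Validate.asp. Keeping AllowAutoRedirect off for the POST also leaves the InternalError.asp error_code visible instead of a followed redirect to an error page.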

Hi Ophir,

Firstly, thank you so much for your help, much appreciated :)

Indeed there seems to be some oddity about getting multiple Set-Cookie headers, thanks for spotting that. To get around it, I have set the redirect to false and I get back the same number of cookies as shown by the browser. On top of that, I added some extra bits into the header (when compared to the headers from the browser) which were missing from the application, but I'm still getting an "Object Moved" through the app. For your reference, here are the POST requests:

IE Post request

POST http://portal.kmittal.com/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/Validate.asp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://portal.kmittal.com/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/portalPortalHomePage/
Accept-Language: en-GB,en;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 126
DNT: 1
Host: portal.kmittal.com
Pragma: no-cache
Cookie: ASPSESSIONIDAQTQCTTA=BHFHMMNBMBLNLLLKLKPHFMCM; uniquesig81F0F6057F19F8E1CC0E25B61BD05726331911EF9577961065761696A9C29D9DCDCA75C218E8B52317774C657503DA64=BHFHMMNBMBLNLLLKLKPHFMCM; NLSessionCportal=221k1BKJ8SLpxU+Es1DCsffPvNcssZ3WeYcoyp7VjzO0Vs0vjgfdi+SWdscbdgDhrM2PJY8/RKfN38o7EUDwAUaXRJ7IULHAKqzLXeEZ3DxDDPuTtW22u6dhRyv4k++D; WhlPII=2; WhlST=238000; WhlInstall=False

user_name=testuser&password=Password1&repository=ws2012-dc&language=en-US&site_name=portal&secure=0&resource_id=2&login_type=2
HTTP/1.1 200 OK

APP Post Request

POST http://portal.kmittal.com/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/InternalSite/Validate.asp HTTP/1.1
DNT: 1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Referer: http://portal.kmittal.com/uniquesig34acdc567b43b64f9e0fb44c575e2be4/uniquesig0/portalPortalHomePage/
Content-Type: application/x-www-form-urlencoded
Host: portal.kmittal.com
Cookie: ASPSESSIONIDAQTQCTTA=DIFHMMNBBKIKKBJLLOLDOHKA; uniquesig81F0F6057F19F8E1CC0E25B61BD05726331911EF9577961065761696A9C29D9DCDCA75C218E8B52317774C657503DA64=DIFHMMNBBKIKKBJLLOLDOHKA; NLSessionCportal=xY9jlpYhwM7Ic9JFcLflCjHozfwSp41JjW1a9t/F7dsx824mG2/PAtlmOTSYr6z/hv5cDoLp1IkTIYyHsJOhCeNMTPzBI2cunCf1RHy1N9QnSpKpiAqFD9euQjslK/pI; WhlInstall=False; WhlPII=2; WhlST=238000
Content-Length: 111
Expect: 100-continue

user_name=testuser&password=Password1&repository=ws2012-dc&resource_id=2&login_type=8&site_name=portal&secure=0
HTTP/1.1 302 Object moved

The only differences in the 2 I can spot are:

  • Accept-Encoding is missing from the App
  • Expect: 100-continue is only present in the App
  • Pragma: No cache is missing from the App

Can you spot anything obvious in the POST requests which might be leading to the problem?

Once again, thanks a lot

May 28th, 2013 2:23pm

I have made a change to the configuration and ticked the box for "Disable component installation and activation"

After doing so, I now hit a new error after doing the POST on the validation page, error code 120, which says that the user could not be authenticated. This happens only when I have redirects enabled (i.e. 1 cookie obtained from the original GET).

If I keep redirects disabled, I get 3 cookies and I try to make it as close as possible to the browser response, but then I get the 152 error.


May 28th, 2013 4:36pm

Hi kmittal82,

From first look it seems really good. I notice you do not send the language parameter, but I don't think it is needed (and you can uncheck the "Enable users to select language" option to avoid problems)...

What does look suspicious is the parameter login_type, which in IE is 2, but for some reason, in your APP it is 8.

I tried to re-submit a form with login_type=8 on my lab machine, but this did not generate error 152; I still recommend trying again with login_type=2 and seeing if this makes a difference...

Besides that, I'm out of ideas; it really looks like it should work...

Ophir.

May 28th, 2013 8:40pm

Hi Ophir,

I got it working, but I'm not sure how! I reverted the code back to enable redirection and removed all explicit cookie addition, and it just authenticated. I have a feeling it had to do with disabling component installation, but I really wish I knew what was the actual fix.

Thanks a lot for taking the time to help, your guidance was invaluable. I have another question regarding UAG, but I'll ask that in a separate thread since it's not related to authentication.

Thanks! :)

May 28th, 2013 10:53pm

Hi kmittal82,

I am still facing an issue in accessing a UAG-protected SharePoint web service from a console application, even after checking the option "Disable component installation and activation" under the Session tab of the UAG trunk configuration.

In the Fiddler trace, I have seen the following error in the response to the Validate.asp URL request:
"The site cannot be accessed. To access this site, adjust the security settings in the browser to a lower level."

Can you please share the updated code that is working for you?

Regards
Vidya Sagar Alti


July 16th, 2013 7:44pm
