We have an app which is split into two, a back end and a front end. The back end, as well as most of the systems we use, is authenticated through Active Directory (AD). This works fine, people can log in, no problem.

The problem is the front end, where clients come in and register and then log in. This works fine if the first screen you access is Log In, which in most cases it is because it's the end point of the default entry.

But if you come in through an email link to view, for example, the page OrderDetail, you get an AD login pop-up and it won't redirect to the LogIn page as it should.

User provider is Users, for both apps. 

Platform: OS 10 on premise. 

All Flows and individual pages have their Integrated Authentication and Internal Access Only to 'No', and still we get the AD prompt. 


Anything else I can check?

Hi Mariano,

Does this only happen in your email links, or does it happen in any direct links you have that bypass the Login page?

What do you see when you debug this behaviour? Do you manage to trigger any breakpoints before the AD prompt? Are you routed through an Exception Handler at any point?

Any page you open directly, like if you right click any of our pages and Open in browser, you'll get AD prompted. Couldn't capture anything on the debuggers, it doesn't even reach the Start node of that page's preparation.

Solution

Not knowing how your web flow is structured, my first guess would be that the request is entering an Exception Handler, and that this is trying to redirect you into a page that is AD-protected. How are you handling your Exceptions? Do you have per-flow Handlers?

When you were debugging, did you set your breakpoints only on the page that you were visiting? Did you have the Break on All Exceptions setting turned on?

There's only so much we'll be able to consider without having access to your code. Anything that you can share about your implementation would be very valuable.

Solution

Afonso Carvalho wrote:

Not knowing how your web flow is structured, my first guess would be that the request is entering an Exception Handler, and that this is trying to redirect you into a page that is AD-protected. How are you handling your Exceptions? Do you have per-flow Handlers?

When you were debugging, did you set your breakpoints only on the page that you were visiting? Did you have the Break on All Exceptions setting turned on?

There's only so much we'll be able to consider without having access to your code. Anything that you can share about your implementation would be very valuable.

Never thought of turning that on, good catch. On entering the page it says ThemeUser role required. 

Should the theme even have roles?

I went into the Theme module and checked, all is default, all is Integrated Authentication: No. We're just using the Header and Footer web blocks from this; they don't have any authentication at all. So I went and just deleted that reference. 

Now it catches Portal_User role required. Which, of course it is, it wants you to log in. And then straight into the AD Pop up. Debugged into, it wants to redirect to NoPermission (which has Integrated authentication NO) which has an If in the preparation: User_GetUnifiedLoginUrl.Url <> "" 

This is what is redirecting to the IntegratedAuthentication page. Changed this to go straight into our log in page.


Many thanks Afonso, problem is solved!

Glad to know you got to the bottom of it - that's one big flow. Whenever you think your user is being redirected to where he shouldn't be and your debug isn't catching anything, think of Exception Handlers.