VIP Access Manager


ADFS 4.0 (Windows Server 2016) and Symantec VIP

  • 1.  ADFS 4.0 (Windows Server 2016) and Symantec VIP

    Posted 02-06-2020 02:53 AM

    Hello!

    I am trying to integrate our ADFS farm with Symantec VIP Manager for push authentication via JavaScript integration. I am using this guide (I have done all the steps from chapter 4), but when I enter the correct login and password I get the following error in the log file:


    06.02.2020 10:41:59 : Log File Path : C:\Program Files\Symantec\ADFS\
     06.02.2020 10:41:59 : VipService Authentication URL: https://userservices-auth.vip.symantec.com/vipuserservices/AuthenticationService_1_4
     06.02.2020 10:41:59 : Vip Services Timeout: 10000
     06.02.2020 10:41:59 : Vip Certificate Path: C:\Program Files\Symantec\ADFS\vip_cert_12-26-2019_12-16AM.p12
     06.02.2020 10:41:59 : Automatic Business Continuity: False
     06.02.2020 10:41:59 : Javascript Integration : True
     06.02.2020 10:41:59 : IpAddress Fetched:192.168.20.71
     06.02.2020 10:41:59 : Fetched VIP service settings successfully
     06.02.2020 10:42:33 : Exception while signing the username : System.ArgumentOutOfRangeException: Length cannot be less than zero.
    Parameter name: length
       at System.String.Substring(Int32 startIndex, Int32 length)
       at SymcVIP.AuthenticationAdapterWindowsAccountName.SignUserName(String vipUser)
     06.02.2020 10:42:52 : Certificate chain count: 3
     06.02.2020 10:42:53 : User a.ivonin Authentication failed, Request ID: ADFS_9_9_0_192_168_20_71_34501. Invalid Security Code
     06.02.2020 10:42:53 : Exception while signing the username : System.ArgumentOutOfRangeException: Length cannot be less than zero.
    Parameter name: length
       at System.String.Substring(Int32 startIndex, Int32 length)
       at SymcVIP.AuthenticationAdapterWindowsAccountName.SignUserName(String vipUser)


    But if I uncheck Enable VIP Java Script Integration in VIP Integration Settings, the Security Code works properly.


    Could anybody help me?
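
    An added example (not part of the original post and not Symantec code): a small Python triage of the adapter log format shown above. It groups stack-trace continuation lines under their timestamped entry and pulls out exceptions and failed authentications. The sample lines are copied from the excerpt above; the day.month.year reading of the timestamp and all function names are assumptions.

```python
import re
from datetime import datetime

# Sample input: lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
06.02.2020 10:41:59 : Javascript Integration : True
06.02.2020 10:42:33 : Exception while signing the username : System.ArgumentOutOfRangeException: Length cannot be less than zero.
Parameter name: length
   at System.String.Substring(Int32 startIndex, Int32 length)
   at SymcVIP.AuthenticationAdapterWindowsAccountName.SignUserName(String vipUser)
06.02.2020 10:42:52 : Certificate chain count: 3
06.02.2020 10:42:53 : User a.ivonin Authentication failed, Request ID: ADFS_9_9_0_192_168_20_71_34501. Invalid Security Code
"""

# Assumption: timestamps are day.month.year, matching the post date.
ENTRY = re.compile(r"^\s*(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) : (.*)$")
AUTH_FAIL = re.compile(r"User (\S+) Authentication failed, Request ID: (\S+?)\. (.*)")
EXCEPTION = re.compile(r"Exception while (.+?) : ([\w.]+): (.*)")

def parse_entries(text):
    """Attach untimestamped lines (stack frames) to the entry before them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
            entries.append({"time": ts, "message": m.group(2), "detail": []})
        elif entries and line.strip():
            entries[-1]["detail"].append(line.strip())
    return entries

def triage(entries):
    """Return (exceptions, auth_failures) extracted from parsed entries."""
    exceptions, failures = [], []
    for e in entries:
        m = EXCEPTION.match(e["message"])
        if m:
            # .NET lists the throwing frame first and the outermost caller last.
            frames = [d[3:] for d in e["detail"] if d.startswith("at ")]
            exceptions.append({"time": e["time"], "during": m.group(1),
                               "type": m.group(2), "text": m.group(3),
                               "frames": frames})
        m = AUTH_FAIL.match(e["message"])
        if m:
            failures.append({"time": e["time"], "user": m.group(1),
                             "request_id": m.group(2), "reason": m.group(3)})
    return exceptions, failures
```

    Calling `triage(parse_entries(SAMPLE_LOG))` separates the adapter exception in `SignUserName` from the later authentication failure, so each can be matched by time against the ADFS event log.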



     



  • 2.  RE: ADFS 4.0 (Windows Server 2016) and Symantec VIP

    Posted 02-06-2020 03:21 PM

    Anton -

    Below is the JS I am using. Can you compare it to yours? Your appId and IdP URL will be different.

    Did you add your domain to your VIP Manager account under the POLICIES tab? 

    <!-- BEGIN VIP integration code -->
    <script type="text/javascript" src="https://userservices.vip.symantec.com/vipuserservices/resources/js/v_1_0/vip?appId=12345678&idpURL=https://EGW99.example.com:443/vipssp/trustedserviceaccess&autoIntegration=manual"></script>
    <script type="text/javascript">
    function vipAuth() {
        vipIaIntegrationProperties.setAuthenticationMode('uo');
        vipIaIntegrationProperties.setUsernameFieldName('username');
        vipIaIntegrationProperties.setPasswordFieldName('vippassword');
        vipIaIntegrationProperties.setSecurityCodeFieldName('security_code');
        vipIaIntegrationProperties.setFormName('loginForm');
    }
    window.onload = function() {
        document.getElementById("continueButton").click();
    }
    </script>
    <!-- END VIP integration code -->

     



  • 3.  RE: ADFS 4.0 (Windows Server 2016) and Symantec VIP

    Posted 02-07-2020 02:53 AM

    Hello,


    When I generate the JS code in my VIP Manager I leave the field "SSP IDP Proxy URL:" blank, because if we open the manual on page 30 we will see the words:

    "SSP IDP Proxy URL: You do not need to enter SSP IdP Proxy URL when integrating JavaScript only for Push"


    So, I do not use idp URL in my configuration.

    My JS code:

    <!-- BEGIN VIP integration code -->
    <script type="text/javascript" src="https://userservices.vip.symantec.com/vipuserservices/resources/js/v_1_0/vip?appId=3623748765&autoIntegration=manual"></script>
    <script type="text/javascript">
    function vipAuth() {
        vipIaIntegrationProperties.setAuthenticationMode('uo');
        vipIaIntegrationProperties.setUsernameFieldName('username');
        vipIaIntegrationProperties.setPasswordFieldName('vippassword');
        vipIaIntegrationProperties.setSecurityCodeFieldName('security_code');
        vipIaIntegrationProperties.setFormName('loginForm');
    }
    window.onload = function() {
        document.getElementById("continueButton").click();
    }
    </script>
    <!-- END VIP integration code -->


    Could you advise whether I should use the SSP IDP Proxy URL when I generate the JS code?



  • 4.  RE: ADFS 4.0 (Windows Server 2016) and Symantec VIP

    Posted 02-07-2020 05:17 PM

    The IdP URL isn't necessary for PUSH. It is used when you want to enable additional methods for getting the code, such as SMS or Voice call. It is also necessary when using Intelligent Authentication. 

    I reviewed your JS and it is fine. So something else is going on.

    On the ADFS server, can you please move the VIP certificate into the same folder as the VIP ADFS plugin files? You will need to point to this new location in the VIP configuration console, then restart the ADFS service. Try again.

    If you still get a failure, attempt a login from a browser after enabling browser console logging (F12). Make sure you click on the CONSOLE tab in the dev tools, and enable persistent logs.



  • 5.  RE: ADFS 4.0 (Windows Server 2016) and Symantec VIP

    Posted 02-10-2020 02:31 AM

    Hello!

    I have checked my ADFS server and have not found the ADFS plugin files folder. What is in my installation folder is in the screenshot below:

     

     

    My setting from adfs_config.exe:

     

     

     


    I have enabled F12 + console in my browser, and this is what I got:

     

     

    Maybe I missed some steps when I installed the VIP app for ADFS?

     



  • 6.  RE: ADFS 4.0 (Windows Server 2016) and Symantec VIP
    Best Answer

    Posted 02-10-2020 05:13 PM

    You can see from the error: invalid user ID. Check that the user exists in your VIP Manager account.

    If the user ID does exist, ensure that the Enable enterprise login ID mapping is set to NO in your VIP Manager settings. This setting is not required for the Enterprise Gateway.



  • 7.  RE: ADFS 4.0 (Windows Server 2016) and Symantec VIP

    Posted 02-11-2020 07:16 AM

    Thanks, after the setting "Enable enterprise login ID mapping" was enabled the push was sent to my cell phone. So, it is working fine now.