
Ad hoc Apple App distribution IIS7 Windows Authentication IOS 5?

7894 Views 16 Replies Latest reply: Sep 23, 2013 1:04 PM by rtang Houston
djroadstar Level 1 (0 points)
Oct 19, 2011 7:10 AM

We have an ad hoc distribution for enterprise apps via a secure website. Since version 5 we have a problem with authentication in combination with IIS7. The user logs in with a Windows username and password and clicks download. Then an "*itms-services://?action=download-manifest&url=domain*" action is started.

**Before iOS 5:**

The user goes to the URL and types the username and password. The user presses download and ***again*** the user needs to type the username and password. The application is then installed.

**After installing iOS 5:**

The user goes to the URL and types the username and password. The user presses download and gets a domain "...." not found. There is no popup again for the credentials, like before iOS 5.

**IIS Log**

When going to the website and clicking on the action=download link that contains the plist file, IIS shows 401 errors (not authenticated). But when I access the .plist or ipa file directly by URL in Safari I do get a popup to authenticate.

It looks like there is a bug in iOS 5: "*itms-services://?action=download-manifest&url=domain*" actions do not support authentication....

This solution was working for half a year, but since iOS 5 it doesn't work anymore...

iOS 5
  • etresoft Level 7 (23,890 points)

    That sounds like you need to use one of those Apple support tickets.

  • _lucas Level 1 (0 points)

    I'm really glad you mentioned this, DJ. I've been troubleshooting the same problem for several days.

    Our company had successfully implemented enterprise apps for over a year, but our employees have been unable to download any updates after the OS release. Our situation sounds nearly identical to yours: our apps are hosted on a secure SharePoint server running IIS7, we no longer get a credentials challenge upon clicking the manifest link, and we get a 401 error in the console log.

    I agree with your conclusion that this is a problem with iOS, and I'm interested to hear if Apple has any answers for you.

  • _lucas Level 1 (0 points)

    Our problems may be different after all. It seems that the apps are now simply unable to be installed while our employees are on our network.

    • App hosted on internal server, user connected to company Wi-Fi: installation fails
    • App hosted on external (non-company) server, user connected to company Wi-Fi: installation fails
    • App hosted on internal or external server, user connected to 3G or public Wi-Fi: installation succeeds

    You may want to verify that you aren't experiencing the same thing.

  • umichscoots Level 1 (0 points)

    Has anyone been able to find a solution for this? We are also experiencing the same issue:

    We have a Windows authentication site set up in IIS 6. We have granted a small set of users rights to download and install the applications. We are currently testing using our internal networks; we have not been able to try external networks like _lucas has suggested.

    • iOS 4 - The application installs fine with the double authentication prompts.
    • iOS 5 - The application does not install, with the error "SSErrorHTTPStatusCodeKey=401, NSLocalizedDescription=Cannot connect to [our domain here]"
    • iOS 5 - The application installs fine if we convert our IIS site to Anonymous authentication.

    Our IIS logs show 401 unauthorized as well. This is holding up our development efforts and planned rollout of our applications to our executives.

    Our best guess is the iPhone/iPad hands off the URL now to some other process but does not take the authentication cookies with it. If this is true, this is a horrible regression.

  • rizwan.tech Level 1 (0 points)

    DJRoadStar,

    I am experiencing the same issue. Please post here when anyone finds a solution.

    Lucas,

    I have tested this within our network and then by connecting through a public Wi-Fi and installation on iOS 5.0 fails in all the cases. YOUR CASE IS DIFFERENT.

    If it can install via a public Wi-Fi it means that:

    Apple says "If the devices are connected to a closed internal network, you should allow iOS devices access to these sites." in the article http://developer.apple.com/library/ios/#featuredarticles/FA_Wireless_Enterprise_App_Distribution/Introduction/Introduction.html The Wi-Fi is in your work environment and is possibly preventing access to these two sites Apple mentioned:

    1) ax.init.itunes.apple.com

    2) ocsp.apple.com

    On a separate note, I cannot search for Problem '9794546' on https://bugreport.apple.com. I guess Apple doesn't allow you to see bugs opened by others, right?

  • mcnahum Level 1 (0 points)

    Any news on the subject?

    For us it worked properly until last week ... and now it's working in 10% of the cases ... still don't know why!

  • ScottCher Level 1 (0 points)

    Hate to pile on, but we seem to be having the same issue here. Just started to use OTA to allow our employees to install applications to their iOS devices. When the user connects using the itms-services URL to our site (which is using SiteMinder for authentication and authorization) they are getting prompted over and over and over again and never able to download and install the app.

    This isn't happening to everyone - but once it starts happening to a device, it seems to never work again on that device. It almost seems as though once the app is installed, the user is no longer able to re-install the app (after deleting it) using the OTA method. So, first time might work but subsequent installs after deleting the app don't seem to work.

    We've had our users delete cookies, purge cached data and website data in Safari but none of that seems to help. On our SiteMinder server, we are seeing messages that indicate that an expired authentication cookie is hitting the server so that's what's causing the credentials prompt to happen over and over again. When we navigate to the site used to host the OTA app using a standard https:// URL, users authenticate fine and are able to hit the site. That does no good for us because you can download the file but not cause an install using the https: URL format.

    If anyone has seen a work-around for this or more information from Apple, please post. We're growing a little desperate.

  • mcnahum Level 1 (0 points)

    I think we made progress today on this ...

    Are you using cookies? Do you have more than one environment with the same cookie name?

    The "installer" doesn't use the same user-agent as Safari and there is no way to clean the cookie...

    and by the way that's why we have the double prompt.

    Try to change the name of the cookie and it'd fix the issue ...

  • ScottCher Level 1 (0 points)

    Yeah, we use cookies for authentication and we are getting the dbl-prompt the first time someone tries to install the app. After that first time, however, they can never install it again.

    There's truly no way to delete the installer user-agent cookie cache?

  • PerlDev Level 1 (0 points)

    Once the itms-services link is tapped, a new process (with a different user agent) is spawned. The new process doesn't contain the authentication cookie/token while requesting the plist file; that's why you will get a 403 error like: SSErrorHTTPStatusCodeKey=403, NSLocalizedDescription=Cannot connect to ###.

  • ScottCher Level 1 (0 points)

    Yeah, of that (the separate user-agent that performs the install, kicked off from the itms-services call) I am aware - the so-called iTunes user agent (you can find that out from the user-agent string exposed during TCP traces).

    That user-agent is where the "bug" resides about handling the auth cookies. Once it gets its hands on an auth-cookie, that cookie cannot be deleted or refreshed and there is no way from the OS level to purge cookies (unlike Safari which provides this functionality through its settings dialog on the device).

    So, you get the cookie and you are able to install the app. Then the cookie expires (probably 60-120 minutes unless set differently by your admins) and because of the bug, it cannot be removed so you cannot authenticate again; the calling environment always gets an expired cookie.

    The only way I've seen to get around this is to wipe the device - this removes the old auth cookie allowing you to authenticate again (but only once) so you can download an app.

    Apple has gone through several iOS iterations and has still not resolved this issue. My ticket, and others I've heard about, have been closed as duplicates and from what I can tell, they've all been marked as a "serious bug" and all reference back to the same original ticket.

     

    None of us can see the original ticket (aside from the organization that created it, I suppose) and Apple either isn't updating all of the related tickets that were closed or they haven't done anything to resolve this issue yet.
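
Added example, not code from any poster in this thread: one way to confirm from IIS logs the behaviour described in the posts above, namely that the manifest or package request arrives from a different client than the browser that authenticated and is rejected. The log lines, user names and user-agent strings are constructed, and the function names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format; hosts, users and user-agent
# strings are made up (the installer's real user-agent is not given in the thread).
SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2011-10-19 14:10:01 GET /apps/index.aspx - 10.0.0.5 Mozilla/5.0+(iPhone)+Safari 401
2011-10-19 14:10:09 GET /apps/index.aspx CORP\jdoe 10.0.0.5 Mozilla/5.0+(iPhone)+Safari 200
2011-10-19 14:10:15 GET /apps/demo.plist - 10.0.0.5 installer-agent-placeholder/1.0 401
2011-10-19 14:11:02 GET /apps/demo.plist CORP\asmith 10.0.0.9 Mozilla/5.0+(iPad)+Safari 200
"""

PAYLOAD_EXTENSIONS = (".plist", ".ipa")


def parse_w3c(text):
    """Yield one dict per request, using the log's own #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def orphaned_payload_fetches(rows):
    """Return rejected manifest/package requests made by a client that never
    authenticated, from an IP where a different client did authenticate."""
    rows = list(rows)
    authed_agents = defaultdict(set)
    for r in rows:
        if r["cs-username"] != "-" and r["sc-status"] == "200":
            authed_agents[r["c-ip"]].add(r["cs(User-Agent)"])
    findings = []
    for r in rows:
        agents = authed_agents.get(r["c-ip"], set())
        if (r["cs-uri-stem"].lower().endswith(PAYLOAD_EXTENSIONS)
                and r["sc-status"] in ("401", "403")
                and agents and r["cs(User-Agent)"] not in agents):
            findings.append((r["c-ip"], r["cs-uri-stem"],
                             r["cs(User-Agent)"], r["sc-status"]))
    return findings


if __name__ == "__main__":
    for finding in orphaned_payload_fetches(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

The initial 401 on the landing page from the browser is the normal authentication challenge and is not reported; only the rejected .plist/.ipa fetch from the second client is.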

  • nucorAdam Level 1 (0 points)

    I get 3 authentication prompts:

    • When first loading the site
    • When clicking the itms-services link
    • After the browser has closed and the app is downloading

    Has anyone found a workaround for suppressing all these excess prompts?
