topic Re: Custom Security Extension using Forms Authentication sending invalid URI on redirect in Developer

Custom Security Extension using Forms Authentication sending invalid URI on redirect

abeckham7305 — Mon, 31 Mar 2025 16:33:23 GMT

I implemented a custom security extension for PowerBI server using the sample provided at https://github.com/microsoft/Reporting-Services/blob/master/CustomSecuritySample. I updated the Logon Page_Load to redirect to an OIDC provider for authentication. Everything works fine in my local environment. It also works fine on one of our dev servers.

We created a new environment to match the Production environment where we are hoping to deploy. It is not work there. The issue I found is that the URI sent from PowerBI to the Logon.aspx page in my custom security extension is not formatted correctly. To be specific, there are two query strings in it. Here is an example of the URI:

https://pbi.prod-server.com/ReportServer/logon.aspx?ReturnUrl=/ReportServer/localredirect?url=%252fReports%252fbrowse

Notice after the logon.aspx there is a ? to start the query string, then after localredirect there is another ? to seemingly start a second query string, which is invalid for a URI. I understand the purpose of the second query string. It is supposed to be apart of the 'ReturnUrl', but I would think that is should be encoded then.

I don't know why this works locally and in our dev environment. Locally I'm using Windows 11 as my OS. Our dev environment is using Windows Server 2019 Datacenter. Our simulated Prod environment is using Windows Server 2022 Datacenter. I'm check now to see if that has any impact.

Any thoughts on how I can get this to work? Since the URI is coming from PowerBI I'm not able to manipulate it in my custom Logon page. Maybe there is a setting in the web.config to tell it to encode the ? in the ReturnUrl. Any help would be greatly appreciated.

Thanks!

Re: Custom Security Extension using Forms Authentication sending invalid URI on redirect

Anonymous — Tue, 01 Apr 2025 06:42:44 GMT

Hi @abeckham7305,

Thank you for reaching out to Microsoft Fabric Community Forum.

Can you please check if the Windows Server 2022 environment has a different version of .NET installed compared to the Dev environment. Sometimes, different .NET versions handle URL encoding differently, which could be causing the issue.

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Regards,
Vinay Pabbu

Re: Custom Security Extension using Forms Authentication sending invalid URI on redirect

abeckham7305 — Tue, 01 Apr 2025 15:17:18 GMT

Thanks for the suggestion Vinay!

I checked the versions of .NET Framework, which is needed to run PowerBI, and they match across both servers. Both are using 4.8.

I don't know if it matters, but the dev server that works has both .NET 6 Core and .NET 8 Core installed on it. The 'Prod' server only has .NET 8 Core. I've been focusing mainly on .NET Framework because of PowerBI.

Do you think the .NET Core versions could matter for this?

Re: Custom Security Extension using Forms Authentication sending invalid URI on redirect

abeckham7305 — Tue, 01 Apr 2025 18:39:25 GMT

I had a new server created in our dev environment with Windows Server 2022 Datacenter as the OS and PowerBI Server installed. I was able to recreate the issue on that server. It seems to be an issue with Windows Server 2022 Datacenter rejecting the invalid URL.

I also installed .NET Core 6 on the server and the issue remained, so it does not seem to be related to the .NET Framework or .NET Core versions.

I'm going to try to figure out if I can manipulate the URL before PowerBI sends it to the browser so that I can encode the extra '?'. Not sure how to do that yet, if it is even possible.

Re: Custom Security Extension using Forms Authentication sending invalid URI on redirect

abeckham7305 — Fri, 04 Apr 2025 18:26:20 GMT

I figured out a solution. It's more of a workaround though.

I learned, without any specific details, that Windows Server 2022 datacenter has much more restrictive policies around URL validation and allowable query strings. My custom extension only needs the query string in order to determine where to redirect the user back to PowerBI once they are authenticated. Instead of trying to capture this in my Page_Load method, I moved that code to the OnInit method at the very beginning. I first check for the ReturnUrl parameter and if present I capture the url parameter from it into a cookie and then immediately redirect to my Logon.aspx page again without any query string.

Here's an example of the code:

override protected void OnInit(EventArgs e)
{
var uri = new Uri(HttpContext.Current.Request.Url.AbsoluteUri);
var returnUrl = HttpUtility.ParseQueryString(uri.Query).Get("ReturnUrl");
if (returnUrl != null)
{
var returnUri = new Uri("https://dummy.com" + returnUrl);
var encodedRedirectUrl = returnUri != null ? HttpUtility.ParseQueryString(returnUri.Query).Get("url") : null;
var decodedRedirectUrl = encodedRedirectUrl != null ? HttpUtility.UrlDecode(encodedRedirectUrl) : null;
if (decodedRedirectUrl != null)
{
var redirectUrlCookie = new HttpCookie("redirectUrl", decodedRedirectUrl)
{
HttpOnly = true,
Secure = true
};
Response.Cookies.Add(redirectUrlCookie);
}
string urlWithoutQueryString = uri.GetLeftPart(UriPartial.Path);
HttpContext.Current.Response.Redirect(urlWithoutQueryString);
}

InitializeComponent();
base.OnInit(e);
}

This manages to remove the query string from the URL that PowerBI is providing before the Windows Server 2022 restrictions apply to it.

Now my custom extension works on both Windows Server 2019 and 2022.