Reply
abeckham7305
Regular Visitor

Custom Security Extension using Forms Authentication sending invalid URI on redirect

‎03-31-2025 09:33 AM

I implemented a custom security extension for PowerBI server using the sample provided at https://github.com/microsoft/Reporting-Services/blob/master/CustomSecuritySample.  I updated the Logon Page_Load to redirect to an OIDC provider for authentication.  Everything works fine in my local environment.  It also works fine on one of our dev servers.

 

We created a new environment to match the Production environment where we are hoping to deploy.  It is not work there.  The issue I found is that the URI sent from PowerBI to the Logon.aspx page in my custom security extension is not formatted correctly.  To be specific, there are two query strings in it.  Here is an example of the URI:

https://pbi.prod-server.com/ReportServer/logon.aspx?ReturnUrl=/ReportServer/localredirect?url=%252fR...

 

Notice after the logon.aspx there is a ? to start the query string, then after localredirect there is another ? to seemingly start a second query string, which is invalid for a URI.  I understand the purpose of the second query string.  It is supposed to be apart of the 'ReturnUrl', but I would think that is should be encoded then.

 

I don't know why this works locally and in our dev environment.  Locally I'm using Windows 11 as my OS.  Our dev environment is using Windows Server 2019 Datacenter.  Our simulated Prod environment is using Windows Server 2022 Datacenter.  I'm check now to see if that has any impact.

 

Any thoughts on how I can get this to work?  Since the URI is coming from PowerBI I'm not able to manipulate it in my custom Logon page.  Maybe there is a setting in the web.config to tell it to encode the ? in the ReturnUrl.  Any help would be greatly appreciated.

 

Thanks!

 

Labels:
Message 1 of 5
259 Views
0
1 ACCEPTED SOLUTION
abeckham7305
Regular Visitor

Friday

I figured out a solution.  It's more of a workaround though.

 

I learned, without any specific details, that Windows Server 2022 datacenter has much more restrictive policies around URL validation and allowable query strings.  My custom extension only needs the query string in order to determine where to redirect the user back to PowerBI once they are authenticated.  Instead of trying to capture this in my Page_Load method, I moved that code to the OnInit method at the very beginning.  I first check for the ReturnUrl parameter and if present I capture the url parameter from it into a cookie and then immediately redirect to my Logon.aspx page again without any query string.

 

Here's an example of the code:

override protected void OnInit(EventArgs e)
{
var uri = new Uri(HttpContext.Current.Request.Url.AbsoluteUri);
var returnUrl = HttpUtility.ParseQueryString(uri.Query).Get("ReturnUrl");
if (returnUrl != null)
{
var returnUri = new Uri("https://dummy.com" + returnUrl);
var encodedRedirectUrl = returnUri != null ? HttpUtility.ParseQueryString(returnUri.Query).Get("url") : null;
var decodedRedirectUrl = encodedRedirectUrl != null ? HttpUtility.UrlDecode(encodedRedirectUrl) : null;
if (decodedRedirectUrl != null)
{
var redirectUrlCookie = new HttpCookie("redirectUrl", decodedRedirectUrl)
{
HttpOnly = true,
Secure = true
};
Response.Cookies.Add(redirectUrlCookie);
}
string urlWithoutQueryString = uri.GetLeftPart(UriPartial.Path);
HttpContext.Current.Response.Redirect(urlWithoutQueryString);
}

InitializeComponent();
base.OnInit(e);
}

 

This manages to remove the query string from the URL that PowerBI is providing before the Windows Server 2022 restrictions apply to it.

 

Now my custom extension works on both Windows Server 2019 and 2022.

View solution in original post

Message 5 of 5
106 Views
0
4 REPLIES 4
abeckham7305
Regular Visitor

Friday

I figured out a solution.  It's more of a workaround though.

 

I learned, without any specific details, that Windows Server 2022 datacenter has much more restrictive policies around URL validation and allowable query strings.  My custom extension only needs the query string in order to determine where to redirect the user back to PowerBI once they are authenticated.  Instead of trying to capture this in my Page_Load method, I moved that code to the OnInit method at the very beginning.  I first check for the ReturnUrl parameter and if present I capture the url parameter from it into a cookie and then immediately redirect to my Logon.aspx page again without any query string.

 

Here's an example of the code:

override protected void OnInit(EventArgs e)
{
var uri = new Uri(HttpContext.Current.Request.Url.AbsoluteUri);
var returnUrl = HttpUtility.ParseQueryString(uri.Query).Get("ReturnUrl");
if (returnUrl != null)
{
var returnUri = new Uri("https://dummy.com" + returnUrl);
var encodedRedirectUrl = returnUri != null ? HttpUtility.ParseQueryString(returnUri.Query).Get("url") : null;
var decodedRedirectUrl = encodedRedirectUrl != null ? HttpUtility.UrlDecode(encodedRedirectUrl) : null;
if (decodedRedirectUrl != null)
{
var redirectUrlCookie = new HttpCookie("redirectUrl", decodedRedirectUrl)
{
HttpOnly = true,
Secure = true
};
Response.Cookies.Add(redirectUrlCookie);
}
string urlWithoutQueryString = uri.GetLeftPart(UriPartial.Path);
HttpContext.Current.Response.Redirect(urlWithoutQueryString);
}

InitializeComponent();
base.OnInit(e);
}

 

This manages to remove the query string from the URL that PowerBI is providing before the Windows Server 2022 restrictions apply to it.

 

Now my custom extension works on both Windows Server 2019 and 2022.

Message 5 of 5
107 Views
0
abeckham7305
Regular Visitor

‎04-01-2025 11:39 AM

I had a new server created in our dev environment with Windows Server 2022 Datacenter as the OS and PowerBI Server installed.  I was able to recreate the issue on that server.  It seems to be an issue with Windows Server 2022 Datacenter rejecting the invalid URL.

 

I also installed .NET Core 6 on the server and the issue remained, so it does not seem to be related to the .NET Framework or .NET Core versions.

 

I'm going to try to figure out if I can manipulate the URL before PowerBI sends it to the browser so that I can encode the extra '?'.  Not sure how to do that yet, if it is even possible.

Message 4 of 5
178 Views
0
v-vpabbu
Community Support
Community Support

‎03-31-2025 11:42 PM

Hi @abeckham7305,

 

Thank you for reaching out to Microsoft Fabric Community Forum.

 

Can you please check if the Windows Server 2022 environment has a different version of .NET installed compared to the Dev environment. Sometimes, different .NET versions handle URL encoding differently, which could be causing the issue.

 

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!


Regards,
Vinay Pabbu

Message 2 of 5
210 Views
0
abeckham7305
Regular Visitor
In response to v-vpabbu

‎04-01-2025 08:17 AM

Thanks for the suggestion Vinay!

 

I checked the versions of .NET Framework, which is needed to run PowerBI, and they match across both servers.  Both are using 4.8.

 

I don't know if it matters, but the dev server that works has both .NET 6 Core and .NET 8 Core installed on it.  The 'Prod' server only has .NET 8 Core.  I've been focusing mainly on .NET Framework because of PowerBI. 

 

Do you think the .NET Core versions could matter for this?

Message 3 of 5
193 Views
0
avatar user

Helpful resources

Announcements
March PBI video - carousel

Power BI Monthly Update - March 2025

Check out the March 2025 Power BI update to learn about new features.

March2025 Carousel

Fabric Community Update - March 2025

Find out what's new and trending in the Fabric community.

Stop
View All
Top Solution Authors (Last Month)
View All
Top Kudoed Authors (Last Month)
View All