When enabling the HSTS header in IIS 7.x, is it ok to do this in the web.config for one or more virtual apps or must this be done at the IIS root web site level?
↧
HTTP Strict Transport Security header configuration in iis 7.x ?
↧
HSTS shows as invalid
hello
the hsts setting shows as invalid on ssllabs.com but if i look at the headers using Chrome i can see the
Strict-Transport-Security: 'max-age=31536000'could it be loadbalancers F5 need something too?
↧
↧
seeing string not int
hsts is displaying as 'max-age=31536000' not as max-age=31536000.
if ($Site.HSTS)
{
if ($Site.HSTSAge -lt 31536000)
{
}
cIisCustomHeaders ($FQDN + '_HSTS')
{
Name = 'Strict-Transport-Security'
Value = "max-age=$($Site.HSTSAge)"
Location = $FQDN
Ensure = $Site.HSTS
}
}
↧
Filtering and Bad header in the http response
Hi,
In the filtering I deny the following verbs: OPTIONS, TRACE etc...
Then I perform a request with a dummy verb like 'asd'.
Then the server returns a 405 error, but in the response,I have the following header:
Allow: GET, HEAD, OPTIONS, TRACE.
Is it a bug ? How can I configure the proper header in the response ?
Tx.
↧
Certificate Based Authentication Across Domain Trust
Hello
Not entirely sure whether this is an IIS issue or a Windows authentication issue.
We have a web server in one domain, and users in another. There is a two-way domain trust between the two and using Negotiate or NTLM authentication in IIS, this works absolutely fine.
However we now have some Android smartphones that are using SCEP/NDES to gain client certificates to avoid people having to enter username and passwords when they access internal resources, and for some reason AD Certificate Based Authentication Mapping
is not able to authenticate these users, so they are receiving authentication prompts when accessing sites hosted on this web server.
On other web servers which are in the same domain as the users, this works successfully, so I know the basics work, but there is some problem when it comes to authenticating users in another domain.
It appears that the certificate is being accepted quite happily, as A) I am prompted to choose a client cert and B) If I use one of the test .asp pages you can find the code for on the internet and enter your credentials you can see the certificate details appearing as expected, but I suspect that certificates are not being successfully mapped to AD users by the DS Mapper due to the user being in a different domain to the server.
I have ensured that DS Mapper Usage and Negotiate Client Certificate are both enabled on the SSL Certificate Binding.
Has anyone managed to get a similar setup working? Or have any ideas as to how I can debug the certificate mapping process? Nothing useful appears in Failed Request Tracing or the IIS or Windows logs, so far as I can tell.
Thanks
Ralf
↧
↧
Kerberos Double Hop Issue
We have the infamous Kerberos double hop issue.
This is a brand new domain, being migrated from another provider where impersonation and delegation was previously working. We have upgraded OS's and to the latest SQL server (2017).
WPF app (using domain creds) -> Web Service (WCF app on IIS 10) -> SQL 2017 (named instance)
The web service is running under a domain account. The web service has an spn registered, Anonymous Auth is disabled as is forms auth, ASP.NET Impersonation and Windows Auth is enabled. Providers are "Negotiate and NTLM," "Kernal Mode" is disabled, "Use App Pool credentials" is enabled.
SPN created:
HTTP/<url of web service> <AppPool Creds>
We are able to login to the web service via a browser on a remote computer, enter domain credentials and have the expected response (web page displayed). IIS Log shows domain user creds as expected.
The SQL server is a named instance, running under domain creds. SPNs created:
MSSQLSvc/<fqdn>:<Instance> <SQL Domain Creds>
MSSQLSvc/<sql server netbios>:<Instance> <SQL Domain Creds>
MSSQLSvc/<fqdn>:<port> <SQL Domain Creds>
MSSQLSvc/<sql server netbios>:<port> <SQL Domain Creds>
The IIS App Pool user account in AD is setup for constrained delegation to the SQL server for both the port and the named instance.
When logging in through software to web service (WPF calling WCF Service with no database call), a normal response is seen.
When logging in through software to web service with a database call, sql profiler shows Anonymous Logon. With Kerberos Logging enabled on IIS box, the following error is received:
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000225 KLIN(0)
Server Name: MSSQLSvc/<sql server fqdn>:49942
Target Name: MSSQLSvc/<sql server fqdn>:49942@<domain.com>
We also tried unconstrained delegation, but received same result.
SETSPN -X shows no duplicates.
Here's where it gets strange. On Friday, after doing nothing other than rebooting the web server, it magically started working. Then Monday, came back, with no changes over the weekend (I am the only developer working on this project and it is solely on my desktop), and it is back to Anonymous Login... arg. I have rebooted all of the servers now and still it doesn't work.
Please help a guy stop pulling his hair out!
Thank you in advance for your help!
↧
Security for the path different than if explicitly specified default document
I had a previous post - https://forums.iis.net/t/1238417.aspx
Solution there was great, worked fine.
But then I noticed one odd side effect.
When I look at Server Variable "auth_user" when I access the specific document (http://server/folder/test.asp) - it pulls the correct identity [the user that is using the browser]. However, if I access it via the default document (http://server/folder) - it pulls the worker processes' ID. The default document is test.asp in this case. Seems like there is a security setting that needs to be applied at the root of the directory - the path and files in it vs just the files. Haven't been able to find the resolution to it.
Thanks.
↧
Request for the permission of type 'System.Security.Permissions.FileIOPermission failed
I'm writing a HTTPModule for Microsoft IIS. As part of the initalization callback function, it reads in a configuration file from disk. This has worked fine on one of our development environments, but on a newly created environment, we get the following error:
Server Error in '/' Application.
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityException:Requestfor the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]System.Security.CodeAccessSecurityEngine.Check(Object demand,StackCrawlMark& stackMark,Boolean isPermSet)+0System.Security.CodeAccessPermission.Demand()+55System.Configuration.ConfigurationFileMap.GetFilenameFromMachineConfigFilePath()+77System.Configuration.ClientConfigurationHost.OpenExeConfiguration(ConfigurationFileMap fileMap,Boolean isMachine,ConfigurationUserLevel userLevel,String exePath)+44System.Configuration.ConfigurationManager.OpenExeConfigurationImpl(ConfigurationFileMap fileMap,Boolean isMachine,ConfigurationUserLevel userLevel,String exePath,Boolean preLoad)+112System.Configuration.ConfigurationManager.OpenMappedExeConfiguration(ExeConfigurationFileMap fileMap,ConfigurationUserLevel userLevel)+50
abc..ctor()in C:\repos\myrepo\src\a\Configuration\MyConfig.cs:40def..ctor()in C:\repos\myrepo\src\a\MyModule.cs:48The code that throws the error looks as follows
string config_path =ConfigurationManager.AppSettings["configPath"];
log.Debug("Config path: "+ config_path);ExeConfigurationFileMap configMap =newExeConfigurationFileMap();
configMap.ExeConfigFilename= config_path;System.Configuration.Configuration config =ConfigurationManager.OpenMappedExeConfiguration(configMap,ConfigurationUserLevel.None);The trust level is set to "Full" on both servers and we have tried all sorts of combinations of file permissions on the file, so what could be causing this?
↧
Disabling TLS 1.0 Crashing my website
Hay
I have a server 2008 with iis 7.5
When I disable TLS 1.0 The website is crashed.
Any Ideas ?
Thanks,
Elad
↧
↧
Change Authorization Rules using script
Hello :)
I’m trying to change authorization rules using A powershell script (It doesn’t really matter to me the way of doing it, as long as it done from the command line and not throw the GUI (Powershell, Cmd, AppCmd, even change the web.config with code.. whatever will work is fine).
The changes I want to do is or add a specific Allow rule for a specific user or to remove the Deny All user rule. (The fine result should be that a user name “test” will be able to open my website, its fine that all users in the domain will be able to (The reason I cant do it now is becasue of the Deny all users rule).
I tried any possible command I was able to find online but nothing really works (it seems commands like Add-WebConfigurtaion, RemoveWebConfigurtaio, are runing with no errors but still the authorization roles are not changing)
Thank you for the help!
I’m trying to change authorization rules using A powershell script (It doesn’t really matter to me the way of doing it, as long as it done from the command line and not throw the GUI (Powershell, Cmd, AppCmd, even change the web.config with code.. whatever will work is fine).
The changes I want to do is or add a specific Allow rule for a specific user or to remove the Deny All user rule. (The fine result should be that a user name “test” will be able to open my website, its fine that all users in the domain will be able to (The reason I cant do it now is becasue of the Deny all users rule).
I tried any possible command I was able to find online but nothing really works (it seems commands like Add-WebConfigurtaion, RemoveWebConfigurtaio, are runing with no errors but still the authorization roles are not changing)
Thank you for the help!
↧
Windows authentication iis 8.5 windows server 2012 r2
I have anasp.net intranet application that needs windows authentication enabled on Windows Server 2012 R2 (iis 8.5), but I cannot get it to work.
When I try to access the page from either a client browser or the web server I get prompted to enter credentials, which never works regardless of what username/password I enter. I always get error 401, access denied due to invalid credentials.
I've got WA enabled, anonymous disabled, NTLM at the top, allow all users, etc. I've tried all of the different application pool built-in identities. To try and resolve the permissions issue I used an admin account instead of one of the built-ins. When I ran the basic setting/test settings I got green checks on authentication and authorization, but I still got the same 401 error when trying to access the page.
I'm perplexed. What permissions need to be set? And, what identity should the page use for windows authentication? The page displays data only, so no write access is required for any folders. Also, the page displays perfectly with anonymous access, but that's useless to me because I need the identity of the users that are accessing the page.
↧
IP Restrictions On FTP Folders In IIS Not Working
Hello.
I've exhaustively searched for an answer to this IP Restrictions issue without success. Any guidance provided is greatly appreciated.
The environment is FTP running in IIS on Windows Server 2016 in Azure. Multiple users are setup in FTP using FTP User Isolation of 'User name physical directory'.
I need to restrict FTP access by IP for some users, but not all. It appears I can add an IP restriction by User folder, as the changes are reflected in the ApplictionaHost.config file for the specific folder. In my sample I am denying one IP address
as a test on the 'UserA" folder. (No 'Allow' feature is set within this testing.)
I hope these images come through.
I have restarted the IIS and FTP services between tests. I cannot get the restriction to work at the folder level. In testing, the only place the IP restriction seems will work is if it is at the top FTP site level. Setting it there it give a 'home folder
inaccessible' error.
The FTP log file shows correct client IPs so it's not a NAT or Proxy issue.
Any thoughts on how to get the IP Restrictions to work on selected FTP User folders? Many thanks in advance.
↧
Host Intranet websites on secured URL (HTTPS)
Hello Team,
We are currently in the process to move the the HTTP protocol hosted Intranet websites to the secured HTTPS intranet protocol.
The current websites are accessible like: http://intranet.
Example domain, like : CORP.CONTOSO
Now, when we have deploy the SSL certificate, issues to *.CORP.CONTOSO, we are unable to access the website usinghttps://intranet. Can it be confirmed if we are required to use the website name ashttps://intranet.corp.contoso ? This URL looks long and seems not appropriate to share with the users.
What are the options/alternatives to resolve the issue - Host the intranet websites on https?
Thanks for the help.
↧
↧
Can't use a domain username as a specified user in IIS 10.0
Hi, i having a problem when i tried to use a domain user as a specified user name in basic settings-> connect as. I want to access a shared folder that located in another server.
The web server always says if the username or password isn't correct and always throw 500.19 error when I started to browse the application.
However when I explore the app from IIS, it can be opened. I even tried a remote login to the server using the same username and password and it's just fine.
The server I am using for running the web server is a Workgroup computer and in a DMZ. Is that a reason why IIS can't authecticate domain user?
Sorry for my terrible english here, because i'm in panic situation right now. I hope you can understand what i'm asking about and hope somebody has an answer. Thanks
↧
Reverse Proxy IIS to Apache Tomcat 8.0 with NTLM Authentication (SSO)
Dear Team,
We are currently using NTLM for SSO authentication in our application using IIS as our web server, but with the new upgrade in the application we now has to use Apache Tomcat as our primary web server.
So in order to get SSO working we are trying to use Reverse Proxy from IIS 10 to Apache Tomcat 8.0.22, with Windows Authentication (NTLM) at IIS level.
We used URL-Rewrite to redirect the user request from IIS to Apache web server which is working fine for Anonymous authentication.
But we are facing issue when we are trying to do the WIA(NTLM) authentication and pass the request to Tomcat. It is throwing 401 error. Can you please help with the below :
- Is URL-Rewrite supported with WIA (NTLM) authentication, We cannot use Kerberos as per the comapny guidelines so we have to use NTLM.
- Is there a document which can share more details on how to configure the same.
- Our application listens to HTTP connector of Tomcat, so we cannot use ISAPI_Redirect as it works with AJP connector. Please let me know if this understanding is correct.
- Please suggest if there is any better approach for the same.
Many thanks for your help in advance.
Thanks
Suraj
↧
Getting a 401 making calls to localhost
Setup:
2 Windows 2016 web servers using IIS 10 in a load balance pool
Application and API is using Windows Authentication
host file entry directs API calls from the application back to localhost (127.0.0.1).
API calls get a 401 when originated from the server. Localhost call. Calls to the API from a different machine work fine. This is using the same user account. To simplify the issue I've tried navigating to a XML in site site. The XML loads in the browser fine if connecting from a different machine. Attempts to load the XML via a call to localhost still a 401.
Why would Windows Authentication not work when making call to the localhost?
↧
Site files on a file server VS in the root of site?
Hello All,
We have a site that is very file heavy, PDF to be exact. A while ago the IT department wanted to move the files to a file server because the initial server could not have any more space added to it. The infrastructure has since been upgraded and the web server no longer has a space issue. My question, is it worth moving the files back to the original location from file server? We are talking roughly a TB and half.
Thanks!
↧
↧
Installating IIS 10 on a harden Windows Server 2016
Hello everyone,
I have to install IIS on a hardened Windows Server 2016.
Is there any document out here listing what IIS' security requirements are ? What I mean by that is, for instance: what local accounts/groups created by setup, the local system rights they are granted, registry access and so on.... I'm definitely NOT looking to harden my web server but to to "soften" the Windows Server hardening for my future web server - yeah, I know, it's strange.
Thanks in advance :) !
Regards,
P.
↧
URL Path does not load at first, until browser loads root directory.
I installed a new certificate on IIS 8.0 and added SAN attributes in the certificate so Chrome, IE reports the cert as secure, everything on the surface is working fine.
However, after a server reboot, anyone tries to browse a URL that is a level down in the directory structure causes a 500 error, but then I have them open the root of the site, say,https://abc.123.com this loads fine, then they can loadhttps://abc.123.com/requirements/index.cfm successfully.
So in a nutshell, Monday morning after server reboot:
https://abc.123.com/requirements/index.cfm ---- causes 500 error for all users when pasted in the browser.,
I have them load https://abc.123.com and it's good.
Then I have them open a new browser to try https://abc.123.com/requirements/index.cfm again and now it works fine, and is good until the IIS server is rebooted again (end users reboot their machines, no problems, so I think its IIS)
Any ideas as to why I need them to load the root URL first? Is the TLS certificate not happy when they try to go to a folder a few layers down in the directory of the site? Steve
↧
Option to restrict via IP range as well as via AD User Group?
Hi all,
I have an IIS project, for which I'd like the following to be restricted for access, together if possible:
1) Two or three specific IP address ranges (I've done this part already). This is due to anonymous logins needed via a Smart TV, which do not use Windows Authentication;
2) Specific Active Directory User Groups (because certain users may travel to other locations occasionally etc - so no longer fit into the IP address ranges specified in #1.
Is there a way round me doing such a thing - so to mix IP restriction and domain user group restrictions?
Many thanks, in advance of any answers. 
↧