Channel: Security

IIS www-authenticate: Basic response header


I'm using a TFS 2017.3 version on my Windows 2012 server IIS 8.

When I'm trying an HTTP request, I'm getting 3 www-authenticate headers:

  1. www-authenticate: Bearer
  2. www-authenticate: Basic <realm>
  3. www-authenticate: NTLM

I'm only allowed Windows Authentication.

This is quite problematic for me because I need the order to be different. I want to use Windows Authentication but when the www-authenticate: Basic comes before www-authenticate: NTLM the NTLM authentication isn't successful (Like in this case).

It's quite weird because I've disabled BasicAuthentication on IIS and still the www-authenticate: Basic is present in the HTTP response HEADERS.

When the BasicAuthentication is enabled with WindowsAuthentication (NTLM provider) then suddenly www-authenticate: NTLM comes before www-authenticate: Basic header (Which is super weird because when BasicAuthentication was disabled then it didn't handle in the same way).

Any suggestions or tips on what I should do and how I can manage the www-authenticate header order?

Maybe someone knows how I can remove the www-authenticate: Basic header when BasicAuthentication is disabled?


Problem with HSTS and proxy


Hello,

I'm trying to rewrite HTTP to HTTPS in IIS. But everything I did doesn't work when I have a proxy monitoring a specific target computer.

Without the proxy, when I try to access the site mysite.mydomain.com or http://mysite.mydomain.com, I'm redirected to https://mysite.mydomain.com. That is correct.

But when I use bettercap (bettercap --gateway 192.168.1.1 --target 1192.168.1.10 --parsers POST --proxy --proxy-port 8081 --sniffer --proxy-https) and try to access mysite.mydomain.com or http://mysite.mydomain.com, I can.

Can someone explain why?

HTTP/HTTPS Redirection specific blocking rules


Let's say that I theoretically got hacked and my website got redirected to another domain.

Would it be possible to stop redirecting for specific domains?

For example, to google.com or *.com in the website,

but the internal redirection, for example after logging in and redirecting to welcome.html, or to another website that it is intended to redirect to, would not be affected.

event id 2307


The worker process for application pool 'AppPool' encountered an error 'The configuration section 'system.webServer' cannot be read because it is missing a section declaration
' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\AppPool\AppPool.config', line number '133'. The data field contains the error code.

I have already done the below steps:

  • Repaired the .NET Framework
  • Reinstalled IIS
  • Given full permission to the respective users
  • Also tried with a new app pool

Please help me to resolve this issue.

IIS Directory/Folder restriction


Hi,

I have a public facing website in IIS 8.5. I am using anonymous authentication and the App Pool Identity for my IIS site.

Now I want to enable read-only access to a specific folder in my website for some specific users. All other users should not have access to that folder.

What is the best way to achieve this? As this is a public facing website, the users are both domain users as well as non-domain users.

Regards,

Abhishek

Added deny IP record to "IP Address And Domain Restrictions" and IP can still access the site


I want to deny an IP address to access my web site. I added it in "IP Address And Domain Restrictions" using "Add Deny Entry" and "Settings" is configured as below:

Access for unspecified clients: Allow

Deny Type Action  : Forbidden

But when I try to reach the web site from the denied IP address, it can still reach the site.

Getting thousands of Error 404. The requested page (/computers) was not found


Hello,

I have a website hosted on a Windows 2012, IIS 8.0 server.  My website has a log file that logs activities of the website.

It has one annoying entry every 30 seconds from various IP addresses.  Here are some of the entries:

Error 404. The requested page (/jewelry) was not found

Error 404. The requested page (/accessories) was not found

Error 404. The requested page (/computers) was not found

Does anyone have any idea of how I can stop this annoying activity?

I tried putting in Deny Restriction Rules, but the IP address of the entry keeps changing.  I have put in almost 200 Deny Restriction Rules and it is still happening.

Any help would be gratefully appreciated.

Thanks,

Tony

Server to Server FTP


IIS 8.5 Patch Release List


Does Microsoft have a list of the patches that have been released for IIS 8.5?

You can go into IIS Manager > Help > About Internet Information to get the patch the server currently is running. For instance, mine is on 8.5.9600.16384. However, I cannot find a list of patches/releases anywhere online. My organization is requiring that we have installed the latest IIS patch, or be within one release back.

Certificate Rebind in IIS 8.5


Hello,

I'm trying to rebind an expired public SSL certificate automatically as explained in this article:

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85

My Windows 2012 R2 with IIS 8.5 doesn't rebind automatically. Are there more steps required than mentioned in the article?

I have an expired public wildcard certificate that is bound to a few dozen sites, and it would save me a lot of time if the rebind process could be automated.

Thank you in advance for any suggestions.

Change what to authenticate in Windows Authentication of IIS 8.5


Hi all,

I have an IIS site implemented on one of my Windows Server 2012 R2 servers with IIS 8.5. It's joined to my AD. I've enabled Windows Authentication in IIS and it works well for all AD users.

But now I have run into an issue: all AD users can only log on to the IIS site on the computers for which they have the "log on to" permission in AD. For example, user A wants to access the IIS site with his own AD username/password on computer B, and user A doesn't have the "log on to" permission for computer B. Then IIS keeps prompting "Unauthorized: access is denied due to invalid credentials". It works well after I add the "log on to" permission for computer B to user A. It seems that IIS authentication works the same way as when an AD user logs into an AD computer locally.

What can I do to fix this issue without granting user A the "log on to" permission for computer B? Is it possible to change IIS Authentication to authenticate just the username/password, not the "log on to" permission?

Missing Link


At the bottom of https://msdn.microsoft.com/en-us/library/dd163543.aspx, it says "To learn more about setting up Constrained Delegation and Protocol Transition, see ." and the link is omitted. What is the link, article, page, or reference that was supposed to be included at the end of the sentence but was not?

IIS manager Account


Hi,

I am trying to configure FTP with an IIS Manager user (using IisManagerAuth authentication). Are IIS Manager accounts more secure than local accounts when accessing FTP?

Also, please let me know if there is any way to audit the IIS Manager accounts.

Client Certificate Mapping with Constrained Delegation and Protocol Transition


According to https://msdn.microsoft.com/en-us/library/dd163543.aspx, when client certificate mapping (not IIS client certificate mapping) is enabled with IIS 7.0, Constrained Delegation and Protocol Transition is required to enable delegation of authenticated identities.

  1. Is this also true for IIS 7.5?
  2. Is this true for versions higher than IIS 7.5?
  3. How do I enable Constrained Delegation and Protocol Transition (which is required to enable delegation of authenticated identities) when client certificate mapping is enabled in IIS 7.0, without modifying application code?

TLS 1.2 - session resumption


Hello,

Is there a way to make TLS ticket session resumption work on Windows 2016? No, it only works on TLS 1.1.


Simple Basic Auth


I'm trying to get Basic Auth setup in front of our Legacy MVC .Net app that is hosted in a Windows Server 2016 Docker Container.

The issue is almost certainly more to do with how I'm setting up things in windows and in the web.config more so than anything to do with docker. I'm not a windows or IIS guy. So help is very much appreciated.

So the instance is a base image of Windows Server 2016 in which I'm running these commands to setup IIS and users:

Dockerfile

FROM microsoft/aspnet:4.7.1-windowsservercore-ltsc2016
ARG source


WORKDIR /inetpub/wwwroot
COPY ${source:-obj/Docker/publish} .

# Install Url Rewrite
ADD https://download.microsoft.com/download/C/9/E/C9E8180D-4E51-40A6-A9BF-776990D8BCA9/rewrite_amd64.msi /install/rewrite_amd64.msi
RUN Start-Process msiexec.exe -ArgumentList '/i', 'c:\install\rewrite_amd64.msi', '/quiet', '/norestart' -NoNewWindow -Wait
#RUN ["powershell", ". /Windows/System32/inetsrv/appcmd.exe set config 'Default Web Site' -section:system.webServer/security/authentication/basicAuthentication /enabled:'True' /commit:apphost"]
#RUN $Acl = Get-Acl 'C:\inetpub\wwwroot'; $Ar = New-Object  system.security.accesscontrol.filesystemaccessrule('client','FullControl','Allow'); $Acl.SetAccessRule($Ar); Set-Acl 'C:\inetpub\wwwroot' $Acl


#RUN New-LocalUser -Name 'client' -FullName 'Basic Auth User' -Description 'Basic Auth User' -Password (ConvertTo-SecureString 'NOTTELLING' -AsPlainText -Force)
#RUN dism /online /enable-feature /featurename:IIS-BasicAuthentication

RUN Import-Module ServerManager; Add-WindowsFeature Web-Basic-Auth
RUN Net user client NOTELLING /add /fullname:"client" /expires:never
RUN c:\\windows\\system32\\inetsrv\\appcmd.exe unlock config \"Default Web Site\" /section:system.webServer/security/authentication/anonymousAuthentication /commit:apphost
RUN c:\\windows\\system32\\inetsrv\\appcmd.exe unlock config \"Default Web Site\" /section:system.webServer/security/authentication/windowsAuthentication /commit:apphost
RUN c:\\windows\\system32\\inetsrv\\appcmd.exe set config \"Default Web Site\" /section:system.webServer/security/authentication/windowsAuthentication /enabled:\"False\" /commit:apphost
RUN c:\\windows\\system32\\inetsrv\\appcmd.exe unlock config \"Default Web Site\" /section:system.webServer/security/authentication/basicAuthentication /commit:apphost
RUN c:\\windows\\system32\\inetsrv\\appcmd.exe set config \"Default Web Site\" /section:system.webServer/security/authentication/basicAuthentication /enabled:\"True\" /commit:apphost

And this is in my Web.Debug.config

<security><authentication><anonymousAuthentication enabled="false" /><basicAuthentication enabled="true" /></authentication></security>

The result is that things indeed build OK, but the browser opens the site with no Basic Auth prompt.

I've also tried a few other things in the web.config that have netted out with successfully getting the BA prompt, but when I enter the password for the 'client' user above... it gets rejected.

What I'm trying to do here should be very straight forward. What works on native IIS will work on a dockerized version, I just don't even know what I'm doing with the native one. 

Help appreciated!

how to setup the custom error page for IIS Max Connection reached or exceeded


Hi Support Team,

I would like to know more about how to set up a custom page for the IIS (website) Max Connection reached or exceeded condition.

By default it is showing the HTTP error 503. Is it possible to show a custom error page instead?

Please let us know or reply to this email id: shivareddy_a@hotmail.com.

Thank you.

Siva Reddy A.

Kerberos UPN vs bare username with Web Application Proxy vs IE


I'm having an issue with Kerberos authentication behaving differently for external Web Application Proxy users than for internal Internet Explorer users. I originally asked about this on the Windows Server forums, but it was suggested that I might find more relevant expertise here on the IIS forums.

I have a third-party web application (non-claims-aware) that runs in IIS using Windows Authentication. The only authentication provider enabled in IIS is "Negotiate." IIS box is Server 2012 R2.

Internal domain clients access the IIS box directly from Internet Explorer (automatic signin). External clients access it via Web Application Proxy with Kerberos delegation (after signing in to ADFS).

In both cases, users get authenticated properly. But the application ends up seeing a different username depending on which method the user came in on.

For internal users, the application sees the username as being just the bare username with no prefix or suffix (e.g. "someguy"). For external users, the application sees the username as being the full UPN (e.g. "someguy@example.com"). Unfortunately, this results in the application's internal logic treating each scenario as a separate user. The third-party developer does not want to change their application. They insist that they just take whatever username string IIS provides them.

How can I configure WAP and/or IE and/or IIS so that the application receives the username in the same format for both WAP users and internal IE users?

Configure IIS under different Domain user than the current logged in User domain


Hi,

We have to configure IIS 10.0 for a web application/services which requires Windows authentication to connect to the backend DB and other services for the application to work. We have machines on which the user has Admin access in Domain1 (i.e. Domain1/User1). But the application needs Domain2 (i.e. Domain2/User2) to access the database/backend services (hosted in the Domain2 network). As developers we need to configure IIS for this scenario. Can someone please share some details on how we can do this?

Thanks.

Report slow in IIS


We migrated from Windows Server 2008 (R2) to Windows Server 2016. We got the new version of IIS that comes with it (I don't think it matters in my issue). The IIS version is 10.0.14393.0.

We have a report that is very slow when running in IIS. We have identified where it happens. It is in the report's Render method.

It takes less than 30 seconds calling Render() in a standalone Windows app.

But it takes more than 3 minutes for the same thing.

Note, we design the report using SSRS but we only use the .rdlc in C#, using Microsoft.Reporting.WinForms' LocalReport class.

Any idea what the problem can be?

Thanks,

John
