Setup:

Server 1: ARR Reverse Proxy

Server 2: App Server

Server 3: Identity Server (Identity Server 3).

Both the App Server and Identity Server are behind DMZ and accessible only via Reverse Proxy.

App Server redirects unauthenticated requests to Identity Server for AuthN.

Identity Server uses Active Directory as Identity Provider. Application uses OpenIDConnect as the AuthN Middleware.

All the URL Rewrite rules are working properly and the redirections happen correctly.

Browser popup asks for credentials after redirection to Identity Server (401 challenge). After entering the credentials ARR returns 502.3 (Server returned invalid response) error. Response to 401 challenge is not even sent to the Identity Server. ARR throws the above error.

Error in ARR IIS Log: 502.3 sc-win32-status: 12018 (The type of handle supplied is incorrect for this operation).

Any pointers will really help.

Thank you

I am not as familiar with IIS so but how can I restrict access through IIS by AD Group. I was able to configure it so the deny all others but get my AD Group to only have access to the web enrollment site at https://hostname/certsrv. But I am able to get to the site https://hostname/certsrv/Default.asp no matter if what .net Authorization Rules I set, such as only deny "All Users". So the page Default.asp is available, how can I make all sites beloew certsrv restricted?

Used the follow site:

https://serverfault.com/questions/352647/restrict-access-to-iis-site-to-an-ad-group

https://forums.asp.net/t/2119967.aspx?Can+we+restrict+user+to+access+a+page+in+IIS

Hello,

We have an application deployed on IIS 8.5 on a W2K12R2 server in Domain A.  Domain B is where we have domain users that would access the application deployed on the IIS server in Domain A. 

When users visit the site (via HTTPS) - which has Windows Authentication configured for the site's authentication in IIS, it fails to load - unless the user's domain account (Domain B) are added to the Local Administrators group on the IIS server in Domain A. 

This is the first time the application is being deployed, so this may be an application design/development issue, or perhaps some other domain/trust issue...

Personally, from a sys admin standpoint, I have never seen this issue in the past. 

Thanks everyone! 

Hi all,

I don't want the world to know that I'm using IIS and therefore I'd like to masquerade some data for security reasons.

A port scan with nmap gave me this result:

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd

How can I suppress the string "Microsoft IIS httpd" (or change it) in IIS 10?

I already set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader to value 2, denied the HTTP verbs OPTIONS and TRACE and rewrote the variable RESPONSE_SERVER in HTTP headers. This helped to remove other exposure, but I have no clue how to remove the string mentioned above.

Any help would be greatly appreciated.

Thanks so much for your efforts in advance.

All the best,

Ben

So we are moving to a Managed Service Account used for a Website and that account is established on the Apppool for the web application. The problem is that the web page will not load unless the physical path is populated with specific credentials, so the application user setting is not working.

Any thoughts or a way to determine what credentials are being passed? Shouldn't the credentials from the apppool be passed if that option selected??

Hi,

I've tried changing every web.config and IIS setting I could find relating to this issue and none of the solutions that have worked for others seem to be resolving my issue.

Everything works fine when using Forms Auth, but when using Basic Auth, I can't upload anything larger than ~50kb.

I think I'm hitting that default 64kb limit, but I've got every setting maxed out, and I'm pretty sure I'm using my binding settings and not the default.

This is the web.config:

<?xml version="1.0" encoding="UTF-8"?><configuration><configSections><section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" /></configSections><system.web><customErrors mode="Off"></customErrors><compilation debug="true" targetFramework="4.7.2"><assemblies><add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /></assemblies></compilation><httpRuntime targetFramework="4.7.2" maxQueryStringLength="1204800" maxUrlLength="1409600" maxRequestLength="67108864" /><identity impersonate="true" /></system.web><system.webServer><validation validateIntegratedModeConfiguration="false" /><security><requestFiltering><requestLimits maxUrl="2147483647" maxQueryString="2147483647" maxAllowedContentLength="2147483647" /></requestFiltering><authentication><anonymousAuthentication enabled="false" /><basicAuthentication enabled="true" /></authentication></security><defaultDocument><files><add value="DataService.svc" /></files></defaultDocument><serverRuntime uploadReadAheadSize="2147483647" /></system.webServer><system.serviceModel><serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" /><bindings><basicHttpBinding><binding name="basicHttpBinding" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" closeTimeout="10:01:00" sendTimeout="10:01:00" openTimeout="10:01:00" receiveTimeout="10:10:00"><readerQuotas maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxDepth="2147483647" maxNameTableCharCount="2147483647" maxStringContentLength="2147483647" /><security mode="None"><transport clientCredentialType="Basic" /></security></binding><binding name="basicHttpsBinding" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" closeTimeout="10:01:00" sendTimeout="10:01:00" openTimeout="10:01:00" receiveTimeout="10:10:00"><readerQuotas maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxDepth="2147483647" maxNameTableCharCount="2147483647" maxStringContentLength="2147483647" /><security mode="Transport"><transport clientCredentialType="Basic" /></security></binding></basicHttpBinding></bindings><behaviors><serviceBehaviors><behavior><!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment --><serviceMetadata httpsGetEnabled="true" /><!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information --><serviceDebug includeExceptionDetailInFaults="false" /></behavior></serviceBehaviors></behaviors><protocolMapping><add scheme="http" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding" /><add scheme="https" binding="basicHttpBinding" bindingConfiguration="basicHttpsBinding" /></protocolMapping></system.serviceModel><connectionStrings></connectionStrings><entityFramework><defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" /><providers><provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" /></providers></entityFramework><appSettings><add key="Authentication" value="Windows" /><add key="SecureConnection" value="false" /><add key="UpperCaseUser" value="true" /><add key="UpperCaseDatabase" value="true" /><add key="ChooseServer" value="true" /><add key="SQLControledAdmin" value="false" /><add key="NTAuthIgnoreCase" value="false" /><add key="MinimumDatabaseVersion" value="v6.70.04.00" /><add key="EnableDocRepSize" value="1" /></appSettings><runtime><assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"><dependentAssembly><assemblyIdentity name="System.Spatial" publicKeyToken="31BF3856AD364E35" culture="neutral" /><bindingRedirect oldVersion="0.0.0.0-5.6.0.0" newVersion="5.6.0.0" /></dependentAssembly><dependentAssembly><assemblyIdentity name="Microsoft.Data.Services" publicKeyToken="31bf3856ad364e35" culture="neutral" /><bindingRedirect oldVersion="0.0.0.0-5.8.3.0" newVersion="5.8.3.0" /></dependentAssembly><dependentAssembly><assemblyIdentity name="Microsoft.Data.Services.Client" publicKeyToken="31bf3856ad364e35" culture="neutral" /><bindingRedirect oldVersion="0.0.0.0-5.8.3.0" newVersion="5.8.3.0" /></dependentAssembly><dependentAssembly><assemblyIdentity name="Microsoft.Data.Edm" publicKeyToken="31bf3856ad364e35" culture="neutral" /><bindingRedirect oldVersion="0.0.0.0-5.8.3.0" newVersion="5.8.3.0" /></dependentAssembly><dependentAssembly><assemblyIdentity name="System.Spatial" publicKeyToken="31bf3856ad364e35" culture="neutral" /><bindingRedirect oldVersion="0.0.0.0-5.8.3.0" newVersion="5.8.3.0" /></dependentAssembly></assemblyBinding></runtime></configuration>

I have also tried to set many of the "max" settings directly in IIS for the entire server but nothing is working.

Ideas?

Have an MVC web app where the client has the ability to drag and drop files onto html controls. No server code functionality currently, just visually seeing files populate HTML controls. Dragging and dropping files (EX. xlsx file onto html select) from inside the MVC project works 100%. Same file from outside the project throws a 404 error. If I host the client file only in apache WAMP drag and drop works 100% from anywhere. I would think this is an IIS permission but I have scoured the web and have checked permissions and lifted the file size restriction. Thank you in advance for any help with this issue.

Hi 

I want to add a virtual folder that comes from a network location/file share. e.g \\server\share

I also want users to have different types of access to it depending on their user name privileges set by the domain. 

This needs to happen when they open the webpage in the browser from their computer, so 

Can this be done?

I am creating FTP Site and it is published over the internet and it is working fine as plain text . I need to make it secure and i tried to make FTP Over TLS and I use self signed certificate and Godaddy certificate but when the client is connected from the internet it gives that handshake failed . Please help urgently 

Hi. 

Our current set-up for web server (host) and database server (sql) are different servers.

(ie. host = ptywebtestsvr1, database = ptydevsvr) with different  log-in accounts (ie. host = webaccount,  database = windows authentication) 

In IIS7 Application Pools, by default ASP.Net v4.0, DefaultAppPool Identity is NetworkService and we specified domain\webaccount for our specific web applications.  

We're able to display our web applications and have no problem so far.

Now, we're trying to set-up IIS in existing database server. (web and database server is the same).

IIS is successfully installed but we're not able to display our web applications. (only display IIS7 default page upon accessing web application URL then error when refreshed/F5).

The difference we noticed is in IIS7 Application Pools, by default it's .Net v4.5 and DefaultAppPool Identity isApplicationPoolIdentity.

We tried to have the DefaultAppPool identity either NetworkService or ApplicationPoolIdentity and specified domain\webaccount for our specific web applications. 

But encountered server error.

Server Error in '/webappname' Application

Login Failed for user 'domain\servername$'. 

Exception Details: System.Data.SQLClient.SQLException. Login failed for user 'domain\servername$'. 

Our database admin insist that same with current set-up (different servers) they've only given access to'domain\account' and not  'domain\servername$'. 

Had tried to read forums on similar error, check possible causes (ie. wrong bindings, cache etc.) yet same error occur.

Had also assigned different host name. 

It would be very much appreciated if you could help me.

Thanks.

I have a test and prod server running Server 2008 R2. Both have an IIS/FTP site setup. both are using the same credentials, on the same ports, talking to the same destination.

For some unknown reason I can connect to test without issue, but if I use the same credentials in prod it instantly bounces back with error 530 login.

The difficulty is that from a permissions standpoint its the same account being used against the same destination.

I've looked as much as I can and I can't find any reference to the account in question of having extra access on test vs prod, nor can I find anything related to credentials used through the FTP/IIS site.

So my question here is where should I be looking to find out what why an account is kicking back a error 530 in prod, but not in test as I can't find anything related to actual accounts in the configuration.

Hi Team,

  I have been developing gsx project in deploying IIS Server, Apple Team sent one pem certificate file,

how to install pem files in IIS Server

Afternoon!

     I have a web site under iis 10 that has a standard InCommon certificate but when I browse to it a pop up comes up from windows security asking to select a certificate saying the site needs your credentials than gives me the option of two different certificates local to my workstation.  If I hit cancel or x out of the pop up the site works as expected, but if I hit ok and select one of the certificates I get access denied.  In IIS manager the only authentication that is enabled is Anonymous (I looked for active directory client certificate authentication and it is installed but it is disabled)  I have a development server which looks to be setup the same way, and I don't get this pop up.   Any advice on what I should check to see what is forcing this pop up to pop?

Thank you in advance!

We have a Windows Server 2008 R2 Service Pack 1. We use Active Directory for authentication/authorization.

IIS is being used on this server to serve some internal apps (that are virtual applications under a root website). These apps require Windows Authentication. Authorization to these apps is set to specific AD security groups.

Recently we have noticed the authorization gets changed to "All Users" in addition to the specific security groups. This is obviously a security lapse.

To capture who might be doing this and when, we turned on the Microsoft-Windows-IIS-Configuration/Operational log using Event Viewer. To test this we made some changes to one of the IIS apps and about 16 events got logged in the event log.

We removed "All Users" from authorization, and waited to see if it changes. Sure enough few days later "All Users" have been added back to few (not all) apps. But unfortunately nothing got logged in that log.

Is there another way to capture these changes?

I have OS Windows Server 2008 Standard SP2 with IIS 7.0 on which portal application is setup which has a Url Rewrite rules, as per the Web Pen Test report we have to disable weak ciphers and protocols so we disabled SSL3.0 and TLS1.0 and installed the support patch and enabled registry for TLS 1.1 and TLS 1.2. But immediately after this steps I am getting error "502 - Web server received an invalid response while acting as a gateway or proxy server." while communicating with rest service. 

We also did registry settings as per the post https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in and Enable the SchUseStrongCrypto property in the Windows registry to use as the default protocols: TLS 1.1 and TLS 1.2 for below registry keys,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319

But still I am getting same error. What else I am missing or is Windows Server 2008 standard SP2 and IIS 7.0 do not completely support TLS1.1 and TLS1.2. I feel this is something related to ARR and WinHttp but I am not getting any thing from web, any help on this is really an appreciable.

Thanks,

Prohharish

I've been using IIS since 1.0 and I've never had a problem with it but IIS 8.0 takes even the most trivial tasks and turns it into a nightmare.  Whoever came up with the new GUI they introduced should be promptly fired.

All that I'm trying to do is password protect a directory.  So I click on the directory, select Authentication, disable anonymous and enable basic authentication.  The file/folder permissions already give my user full permissions to the content.  However, the second I do this, I get this error:

404 - File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

It is "redirecting to  /Account/Login?ReturnUrl=%2Ftest

You can actually see this for yourself by going to www dot accurateimageinc dot com slash test

Does anyone know what is going on because I have searched and everyone makes this sound as easy as it always has been but the behavior is completely unpredictable.

[url=http://www.nguoiduatin.vn/]Thanks[/url]

Using SQL Server 2014, Visual Studio 2015 and IIS 8.0.9

Application works perfectly when launched in VS, but fails when deployed to IIS with the above error. The web page contains a drop down box and a start and end date textboxes. User selects hospital from drop down and enter start and end date criteria, clicks on a button and the results are returned in a gridview control. As I said, this functions perfectly in VS.

When I login to my IIS server, open IIS navigate to my application and select 'browse' from the options and try to navigate to this particular web page, the error is generated. All other functionality works as expected.

What I've tried:

1. Have checked spelling of stored procedure and it's correct
2. Have checked login credentials of database user in my connection string by logging in to SSMS using same credentials and executing stored procedure. Can do both both.
3. Checked user permissions to stored procedure. User is a member of 'db_execute' role, which I think is OK
4. Have checked that login credentials match those in IIS. They do as all other functionality is working and they all use the same login credentials
5. Have run a SQL Profiler trace. It doesn't find any issues that I can see
6. Have deleted and re-created the stored procedure a number of times. No change
7. Have removed the application from IIS and recreated. No change
8. Have installed on a server running a different version of IIS (6). I get the same error

I'm not sure but I think the the logon credentials to the database used in VS and those in IIS must be different. How do I find out what credentials IIS is using and how to do I configure the App on my IIS server so that the database accepts these credentials?

Of course, it could be something entirely different, but I'm shooting in the dark here. Can anyone help?

• We have developed a Web API application and we are using Mutual TLS V1.2 for Authentication. We have two servers (X and Y) in INTG Environment and also we have a load balancer. Server X and Y are accessed via load balancer server.

  I have hit one of the Web Api Get request URL by selecting the Client certificate in Chrome browser if the request goes to server Y and if I pass a valid INTG client certificate it's working fine and If I pass invalid client certificate or other environment(SYST) certificate it throws 401 UnAuthorized. This is the correct behavior and it is working fine in Y. But in the Server X if I pass invalid certificate it's throwing 401 Unauthorized but if I pass SYST Client Certificate it's working and I am getting the 200 response. It should not accept SYST client certificate in INTG Environment and it should throw 401 UnAuthorized but it is accepting it and I am getting 200 Response. I verified both the server configurations everything appears same and I don't see any difference. I identified this issue by stopping the site alternatively in both the servers.

  We are using "iisClientCertificateAuthenticationMapping" and in that we have set the "manyToOneCertificateMappingsEnabled" as False and "oneToOneCertificateMapingsEnabled" as True and for "oneToOneMappings" I have set the userName, password and certificate(base64string).

  Can you guys please let me know what are the possible reasons for the X server's incorrect behavior.

  INTG SERVERS:

  Server XServer Y

We have developed a Web API application and we are using Mutual TLS V1.2 for Authentication. We have two servers (X and Y) in INTG Environment and also we have a load balancer. Server X and Y are accessed via load balancer server.

I have hit one of the Web Api Get request URL by selecting the Client certificate in Chrome browser if the request goes to server Y and if I pass a valid INTG client certificate it's working fine and If I pass invalid client certificate or other environment(SYST) certificate it throws 401 UnAuthorized. This is the correct behavior and it is working fine in Y.

But in the Server X if I pass invalid certificate it's throwing 401 Unauthorized but if I pass SYST Client Certificate it's working and I am getting the 200 response. It should not accept SYST client certificate in INTG Environment and it should throw 401 UnAuthorized but it is accepting it and I am getting 200 Response.

I verified both the server configurations everything appears same and I don't see any difference.

I identified this issue by stopping the site alternatively in both the servers.

We are using "iisClientCertificateAuthenticationMapping" and in that we have set the "manyToOneCertificateMappingsEnabled" as False and "oneToOneCertificateMapingsEnabled" as True and for "oneToOneMappings" I have set the userName, password and certificate(base64string).

Can you guys please let me know what are the possible reasons for the X server's incorrect behavior.

INTG SERVERS:

Server XServer Y