Channel: Security

Application pool identity to use Windows Authentication


An application I have developed uses Windows Authentication, and I want to pass through the Windows logon credentials to the Application Pool Identity. I did try Network Service, but no respite.

Any help would be appreciated.


How to enable TLS session resumption or Optimize TLS handshake on Windows 2016


Hi,

We are facing an issue on Windows 2016. The issue is that when more than 15-20 users request a token, w3wp (IIS 10) and lsass.exe use 100% CPU. By monitoring with WPA and Network Monitor, we saw a TLS handshake happening for each request.

I have checked numerous articles that mention getting better performance with TLS session resumption, but I don't get a clear answer on how to enable TLS session resumption in IIS 10 on Windows 2016.

Is TLS session resumption related to high CPU? What I mean to say is, if we implement TLS session resumption, will it affect CPU usage?

Thanks

Windows authentication & Application pool identity


Dear All,

I'm a little bit confused about the application pool identity configuration for Windows authentication. I have the two scenarios below. In both scenarios, we have file uploading features in the web applications.

Scenario 1:

  • IIS web application server OS: Windows Server 2012 R2
  • Server name: IISCluster1A.contoso.com
  • Application URL: http://192.168.1.1/WebApp1
  • Application physical path: C:\inetpub\wwwroot\WebApp1 on the IIS 
  • Application pool name: AppPool1
  • Application pool identity: ApplicationPoolIdentity (IIS default)
  • Authentication: Windows authentication
  • File uploading feature 1 - Temporary file uploading path: C:\inetpub\wwwroot\WebApp1\TemporaryUploadedFiles (local folder)
  • File uploading feature 2 - Attachment uploading path: \\FileServerCluster\WebApp1\UploadedAttachments (shared folder)
  • Testing user who is going to access WebApp1 and upload files from IE: CONTOSO\User1

My questions for scenario 1 are below.

  • File uploading feature 1 - In the security settings (ACL) of the local folder C:\inetpub\wwwroot\WebApp1\TemporaryUploadedFiles, should I grant Write/Modify access to CONTOSO\User1 or IIS AppPool\AppPool1?
  • File uploading feature 1 - In the security settings (ACL) of the shared folder \\FileServerCluster\WebApp1\UploadedAttachments, should I grant Write/Modify access to CONTOSO\User1 or CONTOSO\IISCluster1A$?

Scenario 2:

  • IIS web application server OS: Windows Server 2012 R2
  • Server name: IISCluster2A.contoso.com
  • Application URL: http://192.168.2.1/WebApp2
  • Application physical path: C:\inetpub\wwwroot\WebApp2 on the IIS 
  • Application pool name: AppPool2
  • Application pool identity: CONTOSO\IISServiceAccount2
  • Authentication: Windows authentication
  • File uploading feature 1 - Temporary file uploading path: C:\inetpub\wwwroot\WebApp2\TemporaryUploadedFiles (local folder)
  • File uploading feature 2 - Attachment uploading path: \\FileServerCluster\WebApp2\UploadedAttachments (shared folder)
  • Testing user who is going to access WebApp2 and upload files from IE: CONTOSO\User2

My questions for scenario 2 are below.

  • File uploading feature 1 - In the security settings (ACL) of the local folder C:\inetpub\wwwroot\WebApp2\TemporaryUploadedFiles, should I grant Write/Modify access to CONTOSO\User2 or CONTOSO\IISServiceAccount2?
  • File uploading feature 1 - In the security settings (ACL) of the shared folder \\FileServerCluster\WebApp2\UploadedAttachments, should I grant Write/Modify access to CONTOSO\User1 or CONTOSO\IISServiceAccount2?

Thanks,
高麻雀

IIS not using Windows Identity in app pool


Hi Folks,

I have a web site in IIS 10 that is configured with an application pool set to use a service account for its identity (domain/xyz).

In the application there is a connection string for SQL Server configured with Integrated Security=SSPI. Normally, this means that when the web application connects to SQL Server it uses the above identity.

I have configured my web site to require Windows authentication (Negotiate/NTLM), and now I am seeing an error connecting to SQL Server: "Login failed for user Domain\machinename$. Client: local machine." (where machinename$ is the hostname of the machine).

Does anyone know how I can set the website to correctly use the identity (domain/xyz)?

IIS10 Digest authentication keeps asking for credentials on page reload


We are using IIS10 with digest authentication.

Login works fine, but when I reload a page with the F5 key I get a login prompt again on

Chromium 69.0.XX

Firefox 62.0

On Edge 42.171.334.XX it's not working at all, and I keep getting the credentials dialog without a login.

It only works flawlessly in IE11.

Is this a browser issue or an IIS issue? Any clue?

If this cannot be resolved I'll have to use basic authentication over TLS...

Thanks in advance!

How to hide "Server: Microsoft-IIS/8.5"


I am trying to hide the response header "Server: Microsoft-IIS/8.5"; it only appears when I get a 5xx or 4xx answer.

In the normal flow the tag is hidden.

I did try following these links:

https://forums.iis.net/t/1230211.aspx (EnableVersionHeader="false") or

https://www.admin-enclave.com/en/articles/skypeforbusiness/285-sfb-windows-os-hardening-disable-the-x-aspnet-version-header.html

using URL Rewrite: "https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/"

Any suggestion as to what it could be?

PHP Vulnerabilities WebPI 09/14/2018

IIS admin without local server administrator

I would like to grant a non-server-admin user access to create sites and applications and to modify site or application configuration, and to do this remotely from a Windows 10 client.

EDMS Problem with IIS - Unknown error (0x80041455)


Hi,

We have C# code deployed on IIS 7.5 on Windows 2008 R2. The code adds/removes/searches users in Active Directory using EDMS. The ARS has been upgraded to 7.0 from 6.0, so we upgraded the .NET version to 4.5. The URL has been changed in the settings file; that's the only change we did. Ever since we changed the URL we are getting the below error.

User not added with exception so return 1
System.Runtime.InteropServices.COMException (0x80041455): Unknown error (0x80041455)
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindOne()

It's failing at

DirectoryEntry groupDE = new DirectoryEntry("EDMS://" + server + "/" + groupName, userID, password, auth);

This code was running for 3 years with the old URL. I tried all the options available on Google related to authentication and there is no way out of this error. But the same code with the new ARS URL works if I run it through the Windows job scheduler. Only on IIS does it give this issue. Can someone please suggest a solution?

Still Able to Browse to Page Protected by Windows Authentication and Explicit Deny NTFS Permission


I have a file named "deny.asp" inside a subdirectory ("authtest") that has Windows Authentication turned on and anonymous access disabled. I set the NTFS permission on this file to explicitly Deny everything. I can confirm the deny permissions are working because I cannot open the ASP file anymore in Notepad++.

However, if I type in the URL (http://example.com/authtest/deny.asp), it comes right up in my browser! When I output the value of request.serverVariables("LOGON_USER"), it prints my domain and username to the screen, so the server knows it is me, but the NTFS permissions don't seem to take any effect!

- Windows Server 2008 R2

- IIS 7.5

Limiting usernames to be used by just one person to log in


Hello dears,

Is there any way to limit a website (that is configured for directory browsing) so that usernames (Windows basic authentication) can be used by just one person simultaneously, meaning that no other person can log in with a username that someone is already using?

IP Restriction Question

Kerberos delegation suddenly stops working


I have a pretty standard IIS (v8.5) site set up with Windows authentication (Negotiate) and delegation to another web service on our network. At first everything works as expected and the users can perform the double hop to the web service. However, after a few days, up to a week or two, the delegation stops working and users get a 401 from the web service.

When looking at the Kerberos and IIS logs I see that the users try to access the web service anonymously, hence the 401 status. The Kerberos logs on the IIS server are inconclusive and sporadic; in fact, it seems like I don't get a log entry at all for these requests.

It seems like the passing of credentials to the web service just stops happening after some time. The first hop still works; the users can still access the primary site.

What has me really baffled is that an iisreset resolves the problem and all works as expected for a week or two again.

I haven't seen anyone with similar issues (but perhaps my Google-fu is just not good enough), so any insight on this would be greatly appreciated.

Configuring IIS 10 on Windows Server 2016 To use Integrated Authentication


I have published an ASP.NET Core 2.x application to a Windows Server 2016 running IIS 10. The application was published using Visual Studio 2017, and the application was just a basic ASP.NET Core template configured to use Windows Authentication.

The IIS server is configured to use Integrated Authentication (Windows Authentication = enabled, Anonymous Authentication = disabled).

When I try to access the web application in this configuration from a remote browser I get the following error page:

This site can't be reached

The webpage at http://devportal/CoreTest might be temporarily down or it may have moved permanently to a new web address.

ERR_UNEXPECTED

When I browse to the site from IIS Manager, the browser prompts for credentials (3 times if provided) and then displays a 401.1 Unauthorized page. If I enable Anonymous Authentication, the web application page is displayed but the domain identity is empty (not a surprise, since there are no auth headers in the request forwarded to the Kestrel server).

I used Wireshark to collect the HTTP traffic to the server; the initial request comes in with no auth header, and the server sends a 401 response:

Hypertext Transfer Protocol
GET /CoreTest HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /CoreTest HTTP/1.1\r\n]
[GET /CoreTest HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /CoreTest
Request Version: HTTP/1.1
Host: devportal\r\n
Connection: keep-alive\r\n
Cache-Control: max-age=0\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.9\r\n
Cookie: .AspNet.Consent=yes\r\n
Cookie pair: .AspNet.Consent=yes
\r\n
[Full request URI: http://devportal/CoreTest]
[HTTP request 1/1]

Hypertext Transfer Protocol
HTTP/1.1 401 Unauthorized\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 401 Unauthorized\r\n]
[HTTP/1.1 401 Unauthorized\r\n]
[Severity level: Chat]
[Group: Sequence]
Response Version: HTTP/1.1
Status Code: 401
[Status Code Description: Unauthorized]
Response Phrase: Unauthorized
Content-Type: text/html\r\n
Server: Microsoft-IIS/10.0\r\n
WWW-Authenticate: Negotiate\r\n
WWW-Authenticate: NTLM\r\n
X-Powered-By: ASP.NET\r\n
Date: Thu, 04 Oct 2018 18:44:01 GMT\r\n
Content-Length: 1293\r\n
[Content length: 1293]
\r\n
[HTTP response 1/1]
[Time since request: 0.000842000 seconds]
[Request in frame: 46]
File Data: 1293 bytes
Line-based text data: text/html (29 lines)

Does anybody have any idea how to troubleshoot this issue? It does not appear that the negotiation is happening.

Thanks

IIS Integrated authentication


Sorry I'm not a developer and have little experience with IIS.

Short question, is there a way in IIS to see what credentials are being passed via integrated authentication, even just the user ID?

I have an IIS web app running on Windows 2016. Windows integrated authentication works fine for IE and Chrome, so I know it works properly.

There is some client software that authenticates to the Windows domain via IIS Windows integrated authentication. This application lets me log in by "using Windows credentials". If I connect to the app using the FQDN of the server all is fine; if I use any other FQDN it works also... EXCEPT when I use specifically one domain.

Let me explain this way.

The server name is MyServer001.MyBank.local

If I connect to that address it authenticates.

If I add DNS entries for the following, I can also authenticate:

MyServer001.MyBank1231.com

ThisSucks.MyBank123123.com

ThisSucks.anything.123123com

Whatever.whatever.whatever.com

BUT

If I use the name MyBank.us.MyOtherPublicDomain.com it fails to log in. I can address anything at MyOtherPublicDomain.com.

Thanks


ASP.NET Authentication Problem Kerberos / Negotiate / NTLM


Hello,

We have a problem with our ASP.NET application. If we open it in the web browser, a login dialog is always shown, although e.g. the URL is set as local intranet etc. In similar environments we don't have this problem. We have now checked the traffic with Fiddler and came to this output.

The first response of the server is that it returns Negotiate and NTLM as WWW-Authenticate.

Now our service returns Authorization: Negotiate TOKEN1 (TOKEN1 stands for a long Kerberos token).

The server answers with 401 and WWW-Authenticate: Negotiate TOKEN2.

The client now answers with Authorization: Negotiate TOKEN3.

Again the server returns 401 with WWW-Authenticate: Negotiate TOKEN4.

Then the communication is finished.

We use Windows 2012 R2 with the built-in IIS.

Can anybody help us with this problem? If you need further information I will send everything that is necessary.

Kind regards

Peter

PKI authentication, prompt for one certificate only


We are using PKI for authentication and have no problems.

When the user is prompted for their certificate, they have to select either their email certificate or their identity certificate. Does anybody know how to make IIS prompt the user for just their identity certificate (or email, if we decide to use that)? I see some sites that do this, but I've never figured out how to do it with IIS.

Disable DES and 3-DES Ciphers from IIS Webservers


Hi,

We are looking for how to disable DES and 3DES ciphers on IIS web servers.

Regards,

Lokesh

Local dev: trusted self-signed certificate does not work

Disable weak ciphers in IIS 7.5 / Windows 7 via batch file


Does anyone know where I can find a way to disable weak ciphers in IIS 7.5?

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)  INSECURE128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)  INSECURE128
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)  WEAK112
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)  WEAK112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)  WEAK112
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)  WEAK112
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)  WEAK256
TLS_RSA_WITH_AES_256_CCM_8 (0xc0a1)  WEAK256
TLS_RSA_WITH_AES_256_CCM (0xc09d)  WEAK256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)  WEAK128
TLS_RSA_WITH_AES_128_CCM_8 (0xc0a0)  WEAK128
TLS_RSA_WITH_AES_128_CCM (0xc09c)  WEAK128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  WEAK256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0xc0)  WEAK256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  WEAK128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xba)  WEAK128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  WEAK256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)  WEAK256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK128
TLS_RSA_WITH_SEED_CBC_SHA (0x96)  WEAK128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)  WEAK128
TLS_RSA_WITH_IDEA_CBC_SHA (0x7)  WEAK128
TLS_RSA_WITH_RC4_128_SHA (0x5)  INSECURE128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)  WEAK112

Thanks,

Docfxit
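An added example, not code from the post or any reply: a PowerShell script that disables the RC4, DES, 3DES and NULL algorithms in SCHANNEL on Windows 7 / Server 2008 R2 (IIS 7.5) by setting the documented Ciphers\<name>\Enabled registry values, then reads them back for verification. It uses the .NET registry API instead of the HKLM: drive because key names such as 'RC4 128/128' contain a slash, which the PowerShell registry provider treats as a path separator; it assumes an elevated prompt, and a reboot is required before SCHANNEL honours the change.

```powershell
# Added example: disable the weak SCHANNEL algorithms behind the RC4/3DES/DES
# suites listed in the post. Run elevated; reboot afterwards; then re-scan.
$ErrorActionPreference = 'Stop'
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Microsoft's documented SCHANNEL cipher key names. 'Triple DES 168' covers every
# *_3DES_EDE_CBC_* suite in the post, 'RC4 128/128' every *_RC4_128_* suite.
$weak = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
          'DES 56/56', 'Triple DES 168', 'NULL')

function Disable-SchannelCipher {
    param([Parameter(Mandatory=$true)][string]$Name)
    # .NET API: '\' is the only separator, so '/' inside $Name stays literal.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$Name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelCipherState {
    param([Parameter(Mandatory=$true)][string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$Name")
    if ($null -eq $key) { return 'not set (OS default applies)' }
    $value = $key.GetValue('Enabled')
    $key.Close()
    if ($value -eq 0) { return 'disabled' }
    return 'enabled'
}

foreach ($name in $weak) { Disable-SchannelCipher -Name $name }

# Read back what was written so the change can be audited before rebooting.
foreach ($name in $weak) {
    '{0,-16} {1}' -f $name, (Get-SchannelCipherState -Name $name)
}
Write-Host 'Reboot for SCHANNEL to pick up the change, then re-scan the server.'
```

The TLS_RSA_WITH_AES_* suites flagged WEAK in the list (no forward secrecy) share the AES algorithm key with the ECDHE suites, so they cannot be removed through the Ciphers keys without losing AES entirely; those are controlled by the SSL cipher suite order (the Functions value under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002, or the matching Group Policy setting).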
