Hello all, 

First post here.  I'm a software dev, so advanced IIS configuration is a bit outside my wheelhouse.  I'm not entirely sure how to word my question, but basically, it's:  "can you configure IIS as a reverse proxy that supports IWA, with the external domain name being different from the internal AD name?" 

More details:

I have a client who's internal AD domain name is different than their external domain, but they wish to support IWA for their enterprise users when accessing externally.  

For example, the internal AD domain name is "asdf.com", so their AD credentials are all ASDF\jdoe orjdoe@asdf.com.  Externally, they use the domain "asdfpub.com", and plan to configure a reverse proxy to route external http traffic to hosts available internally on the asdf.com domain, which are secured using IWA.   

So, does anyone know if it is possible to configure IWA in such a scenario, so traffic coming in from "asdfpub.com" is challenged to provide AD credentials for the "asdf.com" domain?  

Hope I've worded this correctly.  Thanks for any info you can provide!

Jon

Hi All,

I wanna get some confirmation. I am in the midst of getting a PCI DSS compliance and one of the requirement is to disable SSL and Early TLS on our servers. I have 2 ARR Servers and want to know if there are any major impact if I disable these 2 components. Is there any proper way available to disable them with less impact to my environment?

FYI, my environment is currently running Microsoft Azurepack with SCVMM, SCOM and SCSM.

Thanks and Regards,

Arieff Majid

I developed a WebService using WCF Data Services. Debugging it on my localhost using VS2017 (IIS 10) it works fine. Once deployed on the server,GET and POST work fine, PUT/PATCH/DELETE give a 401 error. IIS Logs say 401.3

I tried to switch from Anonymous Authentication to Windows Authentication, did not help.

I'm quite sure the problem relies in the IIS settings, but I'm not able to fix it.

Any hints?

I recently installed SolarWinds NPM on a prehardened Windows 2012r2 server.  In the process of installing this application it enables what it believes are the necessary IIS components needed in order to operate properly.  I've since been asked to go through the Web SRG DISA STIG checklist to ensure that the machine is still secure.  I've run into one particular finding that I don't know how to solve.  The particular finding is vulnerability v-56007.  Details can be found here: https://www.stigviewer.com/stig/web_server_security_requirements_guide/2015-08-28/finding/V-56007

This finding requires that I configure the web server to disallow client-side scripts the capability of reading cookie information. 

Does anyone know how to do this?  Is it a simple configuration adjustment in IIS?

EDIT: From what I understand, I need to set the HttpOnly flag in the cookie that gets created for the site.  I haven't figured out how to do this yet but I'm still researching.  If anyone knows exactly how to do that I'd appreciate your comments.

Using a WIndows Server 2016 VM

If I select Edit Permissions / Security from right mouse click on Default Web Site  - I seeIIS_IUSRS (MYVMNAME\IIS_IUSRS ) with

these 3  allow(checked) on Read & Execute, List folder contents & List folder

When I select Default web Site from the IIS manager and then browse *:80 (http)  or localhost

I get Access is denied.Description:An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.

Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\inetpub\wwwroot'.

I changed the web.config at wwroot to   <identity impersonate="false" />

but still nothing.

How can this be - that the  IIS_IUSRS can have permission and yet be denied. What other user can it be ??

Help please !!!  Thanks

We have a 3rd party .NET web application providing an application API. One of the web services takes a URL to a file hosted on an Apache web server as a parameter. The web service calls the URL, downloads the file and processes it. We now want to set up client/server mutual authentication. The Apache server has a SSL server certificate and we would like to enforce client certificates on the Apache server. This means that the IIS web service will need to send a client certificate to Apache. I've seen code examples for looking up a client certificate and attaching it to the request but we don't have access to the source. Our supplier is telling us that IIS can be configured to send the client certificate without a change to the code. I have not seen any examples of this online. Can someone tell me if this is possible please.

Hi All,

 Is there any option to create a self signed certificate with extended warranty or never expires ? Am not sure if  I can use SelfSSL.exe (is this tool from Microsoft can we trust this ? )  file seems to be quite old am on IIS 8.5. Need some suggestions on this .

Thanks,

Prat

Hello

windows authentication is enabled. the webconfig refers to AD group that i am a member of but it does not take my creds.

the app pool has read/execute, list and read permissions

Request information:
Request URL: https://site.com:443/
Request path: /
User host address: 192.199.80.12
User: BNL\username
Is authenticated: True
Authentication Type: Negotiate
Thread account name: IIS APPPOOL\site.com

Has anyone managed to get this working? I have numerous Group Managed Service Accounts (gMSA) all working well on the server - except when trying to use it as the account for one of my IIS Client Certificate Mappings.

I get Logon failure:

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: myaccount$
Account Domain: mydomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

I've tried Service Accounts that I know work on this machine (for example scheduled tasks and app pools) so it's not a permission to access the gMSA password from machine issue. I've tried setting the username as domain\gMSA$ (as it should be), domain\gMSA, gMSA$ all in a vain hope that Microsoft did something different. If I use a plain old standard service account (so not gMSA..username and password setup) then it works. I've tried changing the logon type from networkplain to batch but nothing seems to have an affect. For gMSA I leave the password field blank (as it should be for a gMSA). The error codes would suggest Bad Password, and in the domain the bad password count would suggest that is the case.

Any ideas?

I need to create a 443 https site with SSL certificate for a piece of software. We have a Certificate Authority (which I have little experience) and I've tested creating various machine certificates. On the server in question I can see the machine certificate in MMC but not under IIS. I have tried exporting this key to .PFX file but the radio button to export private key is always greyed out. Therefore I can't export import into IIS. How can I get round this?

Hi all,

I am trying to connect to AD using LADP over SSL. I have following code, but I am getting exception (The LDAP server is unavailable). I can able to connect using LDAP test application on both 636 and 389 ports. I can able to connect using389 port but not from 636 port from below code.

Please suggest me if I am doing something wrong in my code.

Dim ldapErrorInvalidCredentials As Integer = &H31

        Dim activeDirectoryServer As String = "xyz.test.com:636"

        Dim activeDirectpryDomain As String = "test.com"

        Dim ldapConnection As LdapConnection = Nothing

        Dim user As String = "testUser"

        Dim ldapPort As String = "636"

        Dim Success As Boolean = False

        Try

            ldapConnection = New System.DirectoryServices.Protocols.LdapConnection(activeDirectoryServer)

            ldapConnection.SessionOptions.SecureSocketLayer = True

            ldapConnection.SessionOptions.ProtocolVersion = 3

            ldapConnection.AuthType = AuthType.Negotiate

            ' ldapConnection.SessionOptions.VerifyServerCertificate = New VerifyServerCertificateCallback(ldapConnection, cert)

            ldapConnection.AutoBind = False

            'ldapConnection.Credential = New NetworkCredential(username, password, activeDirectpryDomain)

            Dim cert As X509Certificate = New X509Certificate()

            cert.Import("C:\LDAP\cert.cer")

            ldapConnection.ClientCertificates.Add(cert)

            ldapConnection.Bind(New NetworkCredential(user , "testpassword", activeDirectpryDomain))

            Console.WriteLine(("Successfully authenticated to ldap server " & activeDirectoryServer))

        Catch ex As Exception

            Console.WriteLine("Failed")

        End Try

We are considering removing local admin rights for all domain users but would like to keep IIS Admin permissions for developers group. Is there a way to provide IIS Admin without local admin using AD or Group Policy ?

Recently I installed an ssl certificate for a customer and after a while noticed that Google has got all other sites on the server mixed up.

Site A had the SSL cert applied. Site B started getting Google listings with the URL from site A.

For example, Site A has the URL "/sign-up", site B doesn't. After the SSL certificate was applied Google started indexing "/sign-up" on Site B.

What I have done to try to fix the issue:

1 - Give sie A a unique IP

2 - Used Google's "Remove outdated content" tool, this is only temporarly

3 - Updated the Robots.txt so Google shouldn't crawl the domains

Is anyone familiar with this issue and what can I do to stop Google indexing Site A's URLs on Site B/C/D/...?

Thanks in advance

Hi,

Apologies in advance for the length, but I wanted to thoroughly document my analysis of this issue.

I have spent an inordinate amount of time (weeks and weeks) Googling/researching/testing/debugging the IIS Client Certificate Authentication security scenario for WCF Web Services. And, in short, while acknowledging that I could very well be mistaken, based on my results, I have come to the conclusion that there is either a bug in either IIS Web Site/Application Authentication; .Net Web Client Authentication configuration, or both.

The problem in short appears to be that there is currently no way for a web client to authenticate to IIS via X.509 certificate, without enabling "Anonymous Authentication" in IIS. I believe this to be a bug because in addition to the reasons laid out below, in my opinion, this behavior is completely inconsistent with the other IIS Authentication schemes, and there is no logical reason for such a requirement. Depending on the configuration settings, attempts to implement client certificate authentication, without enabling Anonymous Authentication in IIS, result in one of the following errors, which I believe indicate an issue with how certificate authentication is implemented in .Net and/or IIS:

#1 Exception: System.ServiceModel.ServiceActivationException: The service 'MyService.svc' cannot be activated due to an exception during compilation. The exception message is:Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.. ---> System.NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

#2 System.ServiceModel.ServiceActivationException: The service 'MyService.svc' cannot be activated due to an exception during compilation. The exception message is:The authentication schemes cannot be inherited from the host for binding 'CustomBinding'. No AuthenticationScheme was specified on the ServiceHost or in the virtual application in IIS. This may be resolved by enabling at least one authentication scheme for this virtual application in IIS, through the ServiceHost.Authentication.AuthenticationSchemes property or in the configuration at the <serviceAuthenticationManager> element.. --->

#3 System.ServiceModel.ServiceActivationException: The service '/SecureWCFSvc/EmployeeGetSvc.svc' cannot be activated due to an exception during compilation. The exception message is:The value of the property 'authenticationScheme' cannot be parsed. The error is: The enumeration value must be one of the following: None, Digest, Negotiate, Ntlm, IntegratedWindowsAuthentication, Basic, Anonymous.. --->

The first error CLEARLY indicates that A. Anonymous Authentication is disabled for the IIS web app. And B. The web client/service configuration settings (Transport.clientCredentialType="Certificate") dictate thatAnonymous Authentication be enabled in IIS for the web app.

In the second error, the web app (IIS) configuration is indicating that NO authentication scheme has been specified, when in fact the iisClientCertificateMappingAuthentication scheme has been enabled for the web app in IIS.

Finally, when attempting to use a custom binding with authenticationScheme="Certificate", the response is basically that there is no such authentication scheme, and that one must be selected from the enumerated values that are helpfully provided in the exception message. Which of course begs the question: Where is the value that maps to the IIS "iisClientCertificatMappingAuthentication" Authentication Scheme?

Here are the pertinent settings/configuration/setup steps:

IIS
1. Configured web site/app for SSL with valid self-signed Cert
2. IIS Certificate Mapping correctly configured and enabled in applicationHost/web site/web app config files:

     <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="true"

     defaultLogonDomain="myDomainName">
          <oneToOneMappings>
               <clear />
               <add userName="wcfUser" password="[enc:IISCngProvider:iEncoded Value=:enc]" certificate="Encoded Cert String" />
          </oneToOneMappings>
          <manyToOneMappings />
     </iisClientCertificateMappingAuthentication>

3. All Authentication modes disabled in IIS Manager/Authentication settings UI

Web Service/Client App:
1. Specify Transport Client Credential Type = "Certificate" in both service and app bindings:

<wsHttpBinding>
     <binding name="wsHttpTransportCertBinding" >
          <security mode="Transport/TransportWithMessageCredential" >
               <transport clientCredentialType="Certificate" />
               <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
          </security>
     </binding>
</wsHttpBinding>

2. Delete or specify same binding for Mex endpoint
3. Specify valid self-signed Client Cert in client app.config <clientCredentials> section

Test Cases/Results
1. Using above settings/configuration

Result: Exception #1 above: "Security settings for this service require 'Anonymous' Authentication"

Huh?????
Why is enabling Anonymous Authentication in IIS required for a Client Credential Type of "Certificate", while when I specify a Client Credential Type of "Basic", I can enable ONLY Basic Authentication in IIS, and the service works as expected?

2. Enable "Anonymous Authentication" for site/application

Result: Service method successfully called with mapped certificate user account shown in IIS logs!!! 

***Now here's the kicker***
3. Set binding to INHERIT the authentication scheme from host

Result: - Exception #2 above: "No AuthenticationScheme was specified on the ServiceHost or in the virtual application in IIS"

Say what?????

How can this be when the iisClientCertificatMappingAuthentication Scheme is CLEARLY enabled for the web site/application??? Why does the exception indicate that no authentication scheme has been specified, when clearly it has?

4. Configure Custom Binding with CertificateOverTransport

Result: - Exceptions comparable to above wsHttpsBinding errors.

5. Implement various IIS/.Net configuration steps outlined in numerous posts, blogs, and forum answers.

Result: - My early experience was that on several occasions, the posted "solution" actually appeared to work...Initially. But what I found, was that when I re-published my web service app to IIS, the Anonymous Authentication scheme was "silently" re-enabled on the web app. Once I discovered this, and again disabled it, I was back to receiving the usual exceptions. Because of that, I added code explicitly disabling Anonymous Authentication to my service's web.config file, to prevent that behavior going forward. I suspect that this same behavior may have occurred with others, and that the "false positives" were not discovered (if then) until after the purported "solutions" were publicly posted.

The error conditions I've documented above are why it appears that there is a bug, but it's not clear which side is the culprit. In other words, is IIS indicating to the .Net client that NO authentication scheme has been enabled, even though it has? OR, is it that IIS actually indicates to the client app that the iisClientCertificateMappingAuthentication scheme is indeed enabled, but for whatever reason, .Net either doesn't map the IIS scheme to "Certificate"; erroneously maps "Certificate" to the "Anonymous" authentication scheme, or falls back to that Anonymous because the enumeration mapping to the IIS iisClientCertificateMappingAuthentication scheme is missing/invalid/not implemented on the .Net side? Or some combination of both, or other? Whichever is the case, in my mind, there clearly appears to be an issue here.

Obvious Questions:

1. At this point, why is there STILL no "Certificate Authentication" option in IIS Manager UI available for Web Site/Applications' Authentication settings?
2. In .Net web.config, why is there no authenticationSchemes enumeration value that corresponds to the IIS iisClientCertificateMappingAuthentication scheme? 
3. If this is indeed an issue of "lack of guidance" rather than a bug, why has Microsoft provided such extensive documentation (and examples) for IIS and WCF configuration, but has glaringly omitted guidance for implementing one of the most common, asked-about, and apparently most difficult to implement business use-cases?

In my humble opinion, Microsoft should do one (or more) of the following:
1. Acknowledge that this is a bug. Commit to fixing it, and then do #3. 
2. Acknowledge that this is a bug and that they are NOT going to fix it (and why), and CLEARLY indicate that developers must enable Anonymous Authentication in IIS in order to implement Client Certificate Authentication, instead of requiring developers to spend hours/days/weeks googling Stackoverflow and blogs for the answer...Which, because any developer worth his salt, isn't going to take at face value, results in frustration and wasted time spent trying to verify what seems to be an inexplicable requirement.

Also, by making such a public acknowledgement, Microsoft will not only save untold man-hours in wasted effort, it will also allow developers to point at official Microsoft guidance, when explaining (justifying) to internal sysadmins, clients, and third-parties why they must enable Anonymous Authentication on their web site(s)/app(s) if they want clients authenticated by X.509 certs.

3. Provide clear guidance (documentation and examples) in Microsoft Docs on both the server and client configurations for correctly implementingClient Certificate Authentication in IIS WITHOUT enabling Anonymous Authentication.

Again, I acknowledge that I am NOT an expert, and could very well be mistaken in my analysis of this issue, and would welcome any guidance and/or references to successful implementations of this use case.

Any and all responses welcomed.

Thanks!

TWebby1763

I have a web sites in which I need to ssl enable cookies.   I looked up how to enable it and it seems straight foward.  add the statement <httpcookies httponlycookies="true" requiressl="true" /> to system web.  

I checked out the web.conf of one of the sites, and it's a really simple web.conf:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument>
<files>
<add value="redacted.html" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

So I added a system web section: 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>

<system.web>
<httpcookies httponlycookies="true" requiressl="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="redacted.html" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

Restarted IIS and tested the website and when I tested I received the following message

Config source:

<system.web>
<httpcookies httponlycookies="true" requiressl="true" />
</system.web>

Config error The configuration section 'httpcookies' cannot be read because it is missing a section declaration.   

Can anyone advise?  The examples I've seen have not show any more section declaration then system.web is required to enable this and I'm not an IIS guy so I'm not sure where to look for a solution.

Thanks,

Hello,

We're running into an issue in IIS where we have 1 site started (http), with a binding of * on 10.xx.x.28:8082 (http).  We have a second site, but this one is https with a different IP, binding is * on 10.xx.x.35:8082 (https).  When we try to start the https site, we are getting "This website cannot be started.  Another website may be using the same port."  Any ideas?

Thanks in advance!

I have a peculiar scenario. We have .net framework 4.6.1 installed with IIS 7.

How do we force only one web application to use TLS 1.2 without making registry changes which would affect the whole server?

This one web application should not fallback to TLS 1.0 or 1.1 even though the server supports it.

What options do we have? Thanks.

Hi All,

Initially, i posted this question to windows general forum but i was told to post here as this is related with IIS/FTP. 

Have one query on FTP over SSL on windows 2012 R2. Everything is set and configured with certificate, However, have one small query on below screen.

If i select "Allow SSL" then user can still connect to FTP without SSL...correct ?

How can we make sure that FTP over SSL is actually being used ?

is the client need to make sure to use the FTP client which support the SSL to use FTPS ? 

Also what port this will use ? 990 ? 

Thanks in Advance

suhag

I recently received a Qualsys report which listed - SLOW HTTP POST as a vulnerability with my application.

I have checked the various countermeasures, and configuring - MinBytesPerSecond, in the <webLimits> section of applicationhost.config, has been suggested. However, setting this field, does not seem to have any effect. The documentation of this setting states :

"Specifies the minimum throughput rate, in bytes, that HTTP.sys enforces when it sends aresponse to the client."

Does this mean the setting only applies to responses and not to requests? If so, how can one implement any minimum speed on a Slow HTTP POST Request?

What would be the difference between

(A) Setting an individual app pool idletimeout = 0
(B) Changing the root application config  as mentioned here
http://docs.hangfire.io/en/latest/deployment-to-production/making-aspnet-app-always-running.html

eg.

<applicationPools><addname="MyAppWorkerProcess"managedRuntimeVersion="v4.0"startMode="AlwaysRunning"/></applicationPools>

Is it just me, or does it appear that they are suggesting to modify the applicationHost.config file, but in a way that would only apply to an individual app?  Why not just set the idletimeout property for the app pool?