Quantcast
Channel: Security
Viewing all 1881 articles
Browse latest View live

Issue with CRL checking: 403 13 2148081683

February 25, 2019, 8:08 am
$
0
0

Hello everyone,

I have problems with server-side CRL control:

I have some sites served by IIS on which access is made via digital certificate. On these sites is set anonymous authentication (the authentication is done by the application), so IIS is passing through the certificate, but at random intervals it happens that a number of users can not access through their certificate (they do not arrive at the application, they are blocked by the IIS).

On the client they receive a 403 Forbidden, in the IIS logs I find the error code "403 13 2148081683"

During these periods of "darkness" (which does not happen for all CA configured, so not all users are cut off, only some groups, sometimes not even all users of the same CA, which would make you to think about some problem on client side, but deactivating the CRL check on server side, all users pass), if I try to manually download the CRL through the CDP of the CA, I can always download the file, but users still can not access (of course I checked some spot certificate verifying that they were not actually revoked).

We have already verified any possible connectivity problem (no proxy, public dns, firewall, routing, everything ok)

Activating the CAPI2 log I find the most disparate errors, often I find the error "The revocation function was unable to check revocation because the revocation server was offline", but I don't understand the reason why, because if I try to manually download the CRL I can always download it

I hope someone can help me. Thank you.

Roberto

Search

IIS 10 with AAR and CRL

February 28, 2019, 2:53 pm
$
0
0

Hello,

We are trying to publish exchange OWA 2016 throught reverse proxy with IIS 10 AAR placed in DMZ.

This is working well.

Now we need to connect with client certificate and this does not work (error 403.13)

ISS 10 AAR in DMZ

CRL list is available from ldap and http, IIS AAR is not domain joined so i try to use http to join CRL.

I have tested CRL with certutil (on admin session and local system with psexec) and wfetch and it's working.

But on we i tried to connect to OWA, i m prompted for certificate and get 403.13 error. Revocation server is offline even i can join crls with internet explorer on this server.

I'm really stuck here. Any idea? I don't want to disable CRL verification

Problem Displaying Images on Web Page

March 1, 2019, 11:43 pm
$
0
0

Hi Everyone,

I'm new here. I'm having a weird problem in a new project. I'll spare you all the details and cut right to the chase.

At this point I'm testing with an extremely simple web page. It has one div, and inside that div is an image. Here's the code:

<!DOCTYPE html>
<html>
       <head>

       </head>
      <body>
                  <div class="ribbon">
                           Ribbon
                           <img src="C:/tmp/db78.png">
                  </div>
      </body>
</html>

Here's the issue. If I put this page in a Web directory and have IIS serve it, the image gets blocked. In the Network tab of Chrome's Developer Tools, it says "blocked:other" in the status column. But if I just right click on the html file and open it with Chrome, it displays the image fine.

I've granted Full control to Everyone and to Local System, but IIS still can't get the images.

Does anyone have any ideas I can try.

Thanks,

PToomey

IIS10 NDES

March 5, 2019, 4:29 pm
$
0
0

Hi, I managed to install the NDES role which takes care of installing all the IIS dependencies. 

Once completed I can load https://<FQDN>/certsrv/mscep/mscep.dll just fine but after a short while it just stops working with this error.... I'm following this guide to set this up. https://docs.microsoft.com/en-us/intune/certificates-scep-configure 

  • Error: 500.0 - Internal Server Error
  • Module: IIS Web Core
  • Notification: AuthenticateRequest
  • Handler: ISAPI-dll
  • Error Code: 0x80070542
  • Requested URL: https://<FQDN>:443/certsrv/mscep/mscep.dll
  • Physical Path: C:\Windows\system32\CertSrv\mscep\mscep.dll
  • Logon Method: Anonymous
  • Logon User: Anonymous

Did anyone manage to make this work on Windows Server 2019? I'm starting to think I might need to revert to Windows Server 2016...

Thank you,

Certificate Trust List on IIS 8.5

February 19, 2016, 3:53 pm
$
0
0

Can anyone provide a valid method for implementing a CTL on IIS 8.5 that doesn't require me to stand up a server that is EOL?

Scouring the interwebs keeps pointing me to posts that reference a tool from the Windows 2003 SDK that only runs on Windows 2003 or 2008 (nonR2).  There must be an updated method.

Thanks

IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=false

May 9, 2017, 5:02 pm
$
0
0

This refers to IIS 8.5. "authPersistSingleResponse" is set to false.

The site has a default landing page, written in ColdFusion, but doesn't do anything more than print HTML and basic JS to move around the site.  The site root has Anonymous access and Windows Authentication enabled.  Inside is a secure folder which has Anonymous access disabled, and Windows Authentication Enabled.  This works as expected.  The user is challenged for AD credentials, and when authenticated, the user is allowed in.

<location path="cfreports"><system.webServer><security><authentication><windowsAuthentication enabled="true" /></authentication></security></system.webServer></location><location path="cfreports/reports/"><system.webServer><security><authentication><anonymousAuthentication enabled="false" /></authentication></security></system.webServer></location>

As expected, when a user clicks on a link to any page (e.g. "/reports/create/default.cfm"), the user is allowed in without being prompted again.  Note that authPersistSingleRequest is set to FALSE. 

If they click a link on THAT page, they're prompted for credentials again.  If the user enters credentials, it works properly.  If the user hits Cancel, the user is still allowed access to that default.cfm page.  No matter what you do, ColdFusion sees the credentials are present on that page too.  From that point, if you hit refresh, you get challenged again, and then if you hit cancel, you get a 401.

(401 - Unauthorized: Access is denied due to invalid credentials.)

Then it becomes inconsistent.  Every time you access a different page, even ones you've authenticated before, sometimes you're prompted, sometimes you're not.  Sometimes entering credentials works, sometimes it doesn't.  

Digging into the security settings, I found that authPersistSingleRequest is not set, which means it's false.  Configuration Editor showed the same thing.

<security><access sslFlags="None" /><applicationDependencies /><authentication><anonymousAuthentication enabled="true" userName="IUSR" /><basicAuthentication enabled="false" /><clientCertificateMappingAuthentication /><digestAuthentication /><iisClientCertificateMappingAuthentication /><windowsAuthentication enabled="false" authPersistNonNTLM="true"><providers><add value="Negotiate" /><add value="NTLM" /></providers></windowsAuthentication></authentication><authorization />

I'm out of ideas, and I am unable to figure out the correct terms to search on.

ISAPI Extension cannot write temp files

March 10, 2019, 3:05 am
$
0
0

I have two Windows 10 Home computers. On my laptop I developed an ISAPI Extension (in regular C) which among other things writes data to a temp file.

Everything works fine on the laptop. In fact it worked the first time. Now I am trying to get it setup on the other computer and the file write feature isn't working.

I have a custom Application Pool using ApplicationPoolIdentity. I have tried writing the file to several different locations and have given permissions to IUSR but I still can't write the file. I've tried the system temp folder, C:\Temp, and others.

Set permissions for IIS 7.5

March 10, 2019, 9:21 pm
$
0
0

I'd like to find out how to set permissions for IIS 7.5 via the command line.  This is what I have tried:

Set "MachineName=Docfxit"

Set "UserName=IISUser"

CD \Program Files\fileacl

FILEACL "C:\HostingSpaces\Docfxit" /S "%MachineName%\ASPNET":RrRaRepWwAWaWeX /S "CREATOR OWNER":U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO /S "%MachineName%\IUSR_%MachineName%":RrRaRepWwAWaWeX /S "%MachineName%\IUSR":RrRaRepWwAWaWeX /S "%MachineName%\%UserName%":RrRaRepWwAWaWePXDDcO /S "NT AUTHORITY\NETWORK SERVICE":RrRaRepWwAWaWe /PROTECT

ICACLS C:\HostingSpaces\Docfxit /grant "IIS AppPool\DefaultAppPool:F"

cmd

This is the output I get:

C:\Dnload\9xAddons>Set "MachineName=Docfxit" C:\Dnload\9xAddons>Set "UserName=IISUser" C:\Dnload\9xAddons>CD \Program Files\fileacl

C:\Program Files\fileacl>FILEACL "C:\HostingSpaces\Docfxit" /S "Docfxit\ASPNET": RrRaRepWwAWaWeX /S "CREATOR OWNER":U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO / S "Docfxit\IUSR_Docfxit":RrRaRepWwAWaWeX /S "Docfxit\IUSR":RrRaRepWwAWaWeX /S " Docfxit\IISUser":RrRaRepWwAWaWePXDDcO /S "NT AUTHORITY\NETWORK SERVICE":RrRaRepW wAWaWe /PROTECT no SID for trustee Docfxit\ASPNET C:\Program Files\fileacl>ICACLS C:\HostingSpaces\Docfxit /grant "IIS AppPool\Def aultAppPool:F" processed file: C:\HostingSpaces\Docfxit

Successfully processed 1 files; Failed processing 0 files

  1. I get an error No SID for trustee.
  2. 2. The users aren't set in settings.
  3. 3. I don't know if these are the correct users for IIS 7.5.
  4. Thanks, Docfxit
Search

Certificate Based Authentication Across Domain Trust

April 27, 2018, 4:06 pm
$
0
0

Hello

Not entirely sure whether this is an IIS issue or a Windows authentication issue.

We have a web server in one domain, and users in another.  There is a two-way domain trust between the two and using Negotiate or NTLM authentication in IIS, this works absolutely fine.

However we now have some Android smartphones that are using SCEP/NDES to gain client certificates to avoid people having to enter username and passwords when they access internal resources, and for some reason AD Certificate Based Authentication Mapping is not able to authenticate these users, so they are receiving authentication prompts when accessing sites hosted on this web server. 
On other web servers which are in the same domain as the users, this works successfully, so I know the basics work, but there is some problem when it comes to authenticating users in another domain.

It appears that the certificate is being accepted quite happily, as A) I am prompted to choose a client cert and B) If I use one of the test .asp pages you can find the code for on the internet and enter your credentials you can see the certificate details appearing as expected, but I suspect that certificates are not being successfully mapped to AD users by the DS Mapper due to the user being in a different domain to the server.

I have ensured that DS Mapper Usage and Negotiate Client Certificate are both enabled on the SSL Certificate Binding.

Has anyone managed to get a similar setup working?  Or have any ideas as to how I can debug the certificate mapping process?  Nothing useful appears in Failed Request Tracing or the IIS or Windows logs, so far as I can tell.

Thanks

Ralf

Client Cert Restriction by OID

March 13, 2019, 4:08 pm
$
0
0

Looking for a way to restrict IIS client cert requests to a particular certificate policy.  Basically, I want to determine that the certificate has the enhanced usage OID of Smart Card Logon or Client Auth.  

Is there a native way to do this? 

Thx
Mark

Server hacked via IIS

March 15, 2019, 2:42 am
$
0
0

We had several web servers hacked this week, on March 10-11, 2019. The intruders added dangerous asp/aspx/php files in numerous wwwroot directories, and they also gave "everyone" full control permission on files in these directories. (Based on logs, I think at least some of the hacking was done via ASP and PHP files on IIS.)

It looks like Microsoft has patched some major vulnerabilities this week, and I wonder if there is any way to determine if the hacking that I observed is related to those vulnerabilities?
https://www.darkreading.com/threat-intelligence/microsoft-patch-tuesday-64-vulnerabilities-patched-2-under-attack/d/d-id/1334141

Windows Authentication Question

March 15, 2019, 7:40 pm
$
0
0

I have a web site which is set to Anon Authentication. 

I plan to expose this web site an external service where it manifests as an IFrame.  This external service is Dynamics 365.

I want to ensure that only Domain Users can access the web site.  We have AD integrated with Dynamics.

I presume I disable everything except Windows Authentication and the web page will show seemlessly and only prompt if someone hits it from a non networked PC.

Am I correct?

I have tested and it is not prompting me on the network, not through the IFrame from Dynamics.  I wanted to check that I have done the right thing.

Windows Authentication not working in IIS7

March 18, 2019, 1:18 am
$
0
0

Hi All,

I need your brilliant advise on my problem below:

Our client was transferring from 1 old vendor to us (new vendor), we do support everything that is related to IT and now we have encountered a problem accessing a specific sites in IIS. Everytime the user is trying to access it it will ask for a credentials, i have enabled Windows authentication and used our windows credentials but still wont work. I have also tried enabling anonymous authentication but still did not work.

my question is, is the authentication hardcoded? i have seen IIS_ISUSRS in group and added my domain admin account and also created a local admin account in the same server but still does not work?

i do not know what else i can do on this.

your wonderful ideas is really a big help and much appreciated.

Thanks

HNGS.

Deny user account permissions to start an Application Pool

March 27, 2019, 1:50 pm
$
0
0

We have a vendor that when they have an issue with our IIS server, they reset their IIS application pool and use their login account instead of the dedicated service account, without telling us.  This causes havoc since we reset passwords every 90 days.  

Is there a way to prevent a user account with local admin privileges from being able to start an application pool?  

website asks for login information when using https instead of http

April 7, 2019, 7:22 pm
$
0
0

I have just installed an SSL certificate on my AWS-EC2 instance (running IIS 10) and would like to run the site over https.

http works fine but when using https I always get a login prompt instead of the site.

AWS has all ports open, SSL certificate checker says all is good. on IIS 10 the bindings are for http port 80 and https port 443 for all unassigned ip's. i am using anonymous authentication - all other methods are disabled.

is there something else i need to configure?

thanks!!!

Search

IIS SSO stopped working, asking for Authentication repetitively

April 9, 2019, 8:54 am
$
0
0

 I have set up our website on IIS 7.5, out of the blue single sign stopped working at all.Users are getting continuous popup for username/password. I tried every thing I could find on internet, following items have been checked: 1. Anonymous authentication is disabled. Windows authentication is enabled. 2. My identity account in app pool is having access to the files and folders of web site, it is added as an admin in the server as well. 3. I cross checked the settings in internet explorer -> internet options, they are in proper shape.

My website was working properly till yesterday, can anyone suggest what might have gone wrong? When I was setting it up for the first time, I faced the similar issue. I suspected because of my application pool it was happening, I tried/experimented with the pool, (selecting default app pool then again selecting my newly created app pool) and it worked after few tries. This is really important for me, I would appreciate if any one can suggest something. I might be missing something in app pool.

I went through the log files as suggested by @LexLi: sc-status - 401 and sc-substatus 2, I dont know if I am referring to the information in this link correctly -https://support.microsoft.com/en-ca/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0 I says 401.2 - Logon failed due to server configuration, but I have not made any changes on the server.

IIS cannot serve a PDF file when containing folder has serveral files

April 9, 2019, 1:20 pm
$
0
0

Hello,

This is very strange. I developed an ASP.NET web site that in some part of the code, it validates if a file exists, by mean of the following method:

File.Exists(Server.MapPath(archivo))


That method returns false even when the file exists.

When I point the browser directly to the PDF, I got a 403 forbidden error.

Containing folder has about 81,000 files.

If I copy that PDF file to other directory, where that file is the only file there, I can point the browser there and the PDF is shown.

What may be happening here?

Thanks
Jaime

IIS Security rights

April 10, 2019, 9:38 am
$
0
0

Hi, 

Long story short...

I have webApp implemented via IIS. 

I've set permissions on security for my web for 'everyone', admins of my VM,  VM users, my admin account which I use to logging in to my Virtual Machine where web is configured.  All are defined as read/write access (full control)

My web application is trying to save excel file on VM disk in folder defined as my webapp folder on IIS. It can access webapp folder, then create folder for file which is trying to save, but can't save this file and I don't know why. Does anybody had similar problem? 

What permissions can I change?

Anybody have any ideas? 

Best,

Armin

IIS changes certificate

April 11, 2019, 8:45 am

IIS 10 - PHP v7.2.2 installed via Web Platform Installer - how to update to 7.3

April 11, 2019, 4:54 pm
$
0
0

Hi,

we installed the PHP via WebPI tool in 2018/04/09 which was the version 7.2 for IIS, today the PHP is already in 7.3.4 accordingly towww.php.net website but if we open the WebPI is offers only PHP v7.2.7.

>>>> So, is there a way to install the latest one?

We are asking since our wordpress v5.1 was hacked in the last week and we used cWatch from Comodo for cleanup process. 

Viewing all 1881 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>