Channel: Security



"IIS Missing Host Header Internal IP Address Disclosure" in IIS 7.5 (Windows Server 2008 R2)


Hi All,

I have a web server (Windows Server 2008 R2) that has the "IIS Missing Host Header Internal IP Address Disclosure" weakness; the details are below:

Insecure Deployment: Default Configuration (IIS Missing Host Header Internal IP Address Disclosure)

Description:

In certain configurations, IIS may disclose its internal IP address when it receives an HTTP/1.0 request without a Host header.

Information disclosure vulnerabilities reveal sensitive information about a system or web application to an attacker.

An attacker can use this information to learn more about a system when attempting to gain unauthorized access.

Recommendation:

Apply the configuration changes described in Microsoft Knowledge Base article Q218180 or 967342, depending on your version of IIS.

After some searching, all the posts about this weakness that I found concern IIS 7.0 or older versions:

https://support.microsoft.com/en-us/help/967342/fix-the-internal-ip-address-of-an-iis-7-0-server-is-revealed-if-an-htt

(Install the hotfix and edit the "alternateHostName" property.)

Does anybody know how I can fix this weakness in IIS 7.5?

Thank you so much.
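An added check, not from the post, for verifying the finding or the fix on a server you administer: it sends a bare HTTP/1.0 request with no Host header and reports any private IPv4 address in the reply. The host, port and the constructed sample reply are assumptions; point it at a path IIS redirects (a directory name without a trailing slash), since that redirect is where the internal address usually shows up.

```python
import ipaddress
import re
import socket

# Dotted-quad IPv4 candidates anywhere in a raw HTTP reply (status line, headers, body).
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_internal_ips(raw_response: str) -> list:
    """Return the private / loopback / link-local IPv4 addresses that appear in an HTTP reply."""
    found = []
    for candidate in _IPV4.findall(raw_response):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. "999.1.1.1" matches the regex but is not an address
        if (addr.is_private or addr.is_loopback or addr.is_link_local) and candidate not in found:
            found.append(candidate)
    return found


def probe_without_host_header(host: str, port: int = 80, path: str = "/images",
                              timeout: float = 5.0) -> str:
    """Send an HTTP/1.0 request with no Host header (HTTP/1.0 allows that) and return the raw reply."""
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


# Constructed sample reply (not captured from a real server): the redirect leaks a private address.
SAMPLE_LEAKING_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: http://10.0.0.12/images/\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "\r\n"
    "<html><body>Moved</body></html>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # usage: python check_host_header.py <your-server> [port]
        reply = probe_without_host_header(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80)
    else:
        reply = SAMPLE_LEAKING_RESPONSE
    leaked = find_internal_ips(reply)
    print("internal address disclosed:" if leaked else "no internal address disclosed", leaked)
```

After applying the alternateHostName fix the Location header should carry the configured host name instead of an address, so the function returns an empty list.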

You must be an administrator to use IIS Manager : Domain users


Hi Team,

Thanks for your support,

We are having trouble with the Windows 10 IIS Manager. Our network is in Active Directory, and some of our domain users (developers or testers) want to access the local IIS Manager to test websites. Whenever a domain user tries to open IIS Manager, it gives the message "You must be an administrator to use IIS Manager". However, we cannot give domain users local administrator rights; it's company policy.

Please help us to fix this issue.

OS version - Windows 10 or 8 users

IIS Version - 8.0

User type - Domain user

Regards,

Himanshu Saral


Negotiate/NTLM authentication stop working for some websites


Hi,

We are experiencing some strange behavior from some of our IIS 8.5 web servers regarding the authentication mechanism. First, here is a summary of what these servers are:

We have a farm of 10 IIS 8.5 Webserver with 407 appPools and 71 WebSites, 180Gb RAM and 8 vCPU on each of them.

The issue we are having is that sometimes some web applications stop sending their credentials during NTLM authentication to other web apps located on different web servers. The only solution we've found is to reboot the server. In the IIS logs, and after running a Wireshark trace, we see that the credentials are never sent and there are continuous 401 errors sent back from those servers indicating that there were no credentials in the current POST.

My question is where to start looking when these issues happen. What log should I review or enable? Do I have to enable hidden logs in Event Viewer that would give me an indication of why the NTLM that usually works fine stops working? Have we reached an NTLM limit that needs to be addressed? Can I enable NTLM tracing and get more information from it?

As additional information, we have other IIS 8.5 web servers with fewer app pools (around a hundred fewer) and websites that never had this issue, so we started believing this indicates there might be an NTLM limit regarding the number of web apps that authenticate themselves versus the protocol itself.

What would you look for first? Can you give some advice on how to start this investigation?

Thank you very much for your help !

Does TLS require a registry setting in Server 2016 for it to be enabled


Hi

I seem to be getting mixed information, maybe in part because there are older versions of Windows Server.

I want to confirm that the absence of TLS registry settings for IIS https:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

means TLS is "on" in Windows Server 2016.

The settings are needed only if you want to disable TLS.

Maybe I can't use Google properly, but I can't seem to find a concrete answer.

Thanks a bunch!
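As an added illustration (not the poster's or Microsoft's code) of how the values under those keys combine: an absent key means the OS default applies, Enabled = 0 turns the protocol off, and DisabledByDefault = 1 keeps it off unless an application explicitly asks for it. The Server 2016 defaults table and the registry snapshot are constructed assumptions for the example.

```python
from typing import Optional

SCHANNEL_PROTOCOLS = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Assumed server-side defaults for Windows Server 2016 when no registry key exists at all.
SERVER_2016_DEFAULT_ENABLED = {"TLS 1.0": True, "TLS 1.1": True, "TLS 1.2": True}


def effective_state(protocol: str, server_values: Optional[dict]) -> str:
    """Resolve the state of Protocols\\<protocol>\\Server from its registry values.

    server_values is a dict of the DWORDs under that key, or None when the key is absent.
    Returns "enabled", "disabled" or "disabled-by-default" (available, but only used when an
    application explicitly requests the protocol).
    """
    default_on = SERVER_2016_DEFAULT_ENABLED[protocol]
    if server_values is None:
        return "enabled" if default_on else "disabled"   # no key at all: the OS default applies
    if server_values.get("Enabled", 1 if default_on else 0) == 0:
        return "disabled"                                 # Enabled=0 overrides everything else
    if server_values.get("DisabledByDefault", 0) != 0:
        return "disabled-by-default"
    return "enabled"


# Constructed snapshot (not read from a real machine): TLS 1.0 hardened off, the others untouched,
# which is the poster's "no TLS 1.1 / 1.2 keys present" situation.
CONSTRUCTED_SNAPSHOT = {
    "TLS 1.0": {"Enabled": 0, "DisabledByDefault": 1},
    "TLS 1.1": None,
    "TLS 1.2": None,
}


def report(snapshot: dict) -> dict:
    """Map every protocol with a known default to its effective server-side state."""
    return {p: effective_state(p, snapshot.get(p)) for p in SERVER_2016_DEFAULT_ENABLED}


if __name__ == "__main__":
    for proto, state in report(CONSTRUCTED_SNAPSHOT).items():
        print(f"{SCHANNEL_PROTOCOLS}\\{proto}\\Server -> {state}")
```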

Getting 4776 Events Saying Account does not exists on IIS server


Hi Guys,

We have been getting 4776 events (status 0xc0000064) on our IIS server stating that the account does not exist, for multiple users.

But the AD accounts do exist, and there are no issues with the AD accounts either.

On the same server I can see successful logon events for the same users; I don't understand why this is happening.

Please help me with this...

Successful logon event 4624 for the same user account on the same server:

An account was successfully logged on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

New Logon:
    Security ID: xxxxxxxxxxx
    Account Name: xxxxxxxxxxx
    Account Domain: xxxxxxxxxxx
    Logon ID: 0x2d7af6a6e
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID: 0x0
    Process Name: -

Network Information:
    Workstation Name: xxxxxxxxxxxx
    Source Network Address: xx.xx.xx.xx
    Source Port: 58480

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V2
    Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

4776 Event screenshot
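Added example, not part of the post: a small correlation over constructed 4776/4624 records that pairs each 4776 carrying STATUS_NO_SUCH_USER (0xC0000064) with a successful NTLM network logon for the same account and workstation moments later. The working assumption behind the check is that such a pair means the server looked the name up in its local SAM before the domain validated it, while an unpaired failure is a name nothing could validate and deserves a look.

```python
from datetime import datetime, timedelta

STATUS_NO_SUCH_USER = "0xC0000064"   # the status in the poster's 4776 events

# Constructed sample records, not real log data; only the fields the check needs are kept.
CONSTRUCTED_EVENTS = [
    {"id": 4776, "time": "2019-05-14T08:00:01", "account": "jdoe", "workstation": "WS01",
     "status": "0xc0000064"},
    {"id": 4624, "time": "2019-05-14T08:00:01", "account": "jdoe", "domain": "CORP",
     "workstation": "WS01", "logon_type": 3, "auth_package": "NTLM", "source": "10.1.2.3"},
    {"id": 4776, "time": "2019-05-14T08:05:00", "account": "svc_legacy", "workstation": "WS07",
     "status": "0xc0000064"},
    {"id": 4776, "time": "2019-05-14T08:06:00", "account": "asmith", "workstation": "WS02",
     "status": "0x0"},
    {"id": 4624, "time": "2019-05-14T08:06:00", "account": "asmith", "domain": "CORP",
     "workstation": "WS02", "logon_type": 3, "auth_package": "NTLM", "source": "10.1.2.4"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate_no_such_user(events, window: timedelta = timedelta(seconds=5)):
    """Pair every 4776 with STATUS_NO_SUCH_USER against a 4624 NTLM network logon (type 3)
    for the same account and workstation within `window`.

    Returns (paired, unpaired): paired failures were followed by a success for the same
    account; unpaired failures had no success at all and are the ones to investigate."""
    successes = [e for e in events
                 if e["id"] == 4624 and e.get("auth_package") == "NTLM" and e.get("logon_type") == 3]
    paired, unpaired = [], []
    for f in events:
        if f["id"] != 4776 or f["status"].lower() != STATUS_NO_SUCH_USER.lower():
            continue
        match = next((s for s in successes
                      if s["account"].lower() == f["account"].lower()
                      and s["workstation"].lower() == f["workstation"].lower()
                      and abs(_ts(s["time"]) - _ts(f["time"])) <= window), None)
        record = {"account": f["account"], "workstation": f["workstation"], "failed_at": f["time"],
                  "succeeded_at": match["time"] if match else None,
                  "source": match["source"] if match else None}
        (paired if match else unpaired).append(record)
    return paired, unpaired


if __name__ == "__main__":
    paired, unpaired = correlate_no_such_user(CONSTRUCTED_EVENTS)
    for r in paired:
        print(f"local lookup then domain success: {r['account']} from {r['workstation']} ({r['source']})")
    for r in unpaired:
        print(f"investigate: {r['account']} from {r['workstation']} unknown everywhere, no success")
```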

please help - cannot access IIS from outside a VM


I run Windows 10 inside a VM running via kvm on debian Linux.

I could fix everything, share the clipboard, mount a shared folder in a shell via cifs-tools. I use the spice-guest-tools that installed a certain number of drivers (network, I/O, etc).

But I am stuck on accessing an IIS web server running in development inside the VM.

I enabled the port 43306 that I need in the Windows firewall for incoming TCP traffic.

In the Internet Information Services Manager, I could change the ipSecurity config to allow the IP of my host. I added many variants.

I reached a state where the Linux host can access the server in the VM, but it gets a 403 error.

If I add a binding to the IP of my VM in IIS Manager, I then get a 401 error, the same error I get from both inside and outside the VM.

I also played with HTTP redirect and I could not remove it properly even though it looks removed. So I may need to reinstall Windows, but that should be fast. And then I will reach the 401 error step above. I also played with anonymous authentication and then it started to show a default IIS page that I could not remove to get back to the old state.

But let us assume I reinstall Windows.

If I am inside the VM, on Windows, the IIS server runs, and it only allows a URL of the form localhost:44306. If I use the IP of the VM (the IP of Windows, not of Linux), then I get a "not authorized" error with a large page. This happens only in Windows, in a pure Windows and IIS world; it is not really caused by being in a VM.

I created a binding for the VM IP; it changed the error page, but I am still not authorized with the login information I have.

Stuck on that. A binding was not enough; it still blocks the authentication. Also, I have registered the IIS certificate inside Firefox, and somewhere in IIS Manager I think I could pick the right certificate set up from and towards localhost.

Problem to log In via Domain/External IP Address

Hi there...

I have set up my localhost web page (port 80) and require someone to log in to get into the web page. I'm using Windows Authentication.

If the user goes to the server by keying in the internal IP address (e.g. 192.168.xx.xxx) and is asked to log in, the user has no problem: they can log in and get into the web page.

The problem arises when the user wants to go to the server by keying in the external IP address (e.g. 211.212.xxx.xxx) or the domain (e.g. myserver.example.com) and is asked to log in: the user is unable to get into the server web page, since the "Windows Security" prompt keeps asking for the correct ID and password even though the user has keyed in valid ones.

How to fix this?


How to invoke a SOAP service requiring client-side authentication with certificates installed at runtime



I have an application deployed to IIS that needs to invoke a SOAP service. It's using WCF from .NET Framework. That SOAP service requires that requests made be authenticated with a client-side certificate which is given at runtime. Admin users of the application can update the used certificate in a back-office. The goal is for autonomy and the certificate lifecycle management be independent from IIS or the underlying system so using the machine certificate store is not an option. Here's the initial code:

var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var client = new ServiceReference1.myClient(binding, new EndpointAddress(serviceUrl));
// the certificate comes from the PFX bytes supplied at runtime, not from the machine store
var certificate = new X509Certificate2(certificateBinary, certificatePassword);
client.ClientCredentials.ClientCertificate.Certificate = certificate;
// use the client
var result = client.myMethod(new ServiceReference1.MethodRequest());

certificateBinary is the result of loading a PFX file containing the full certificate chain (client certificate, intermediate and root CAs) and certificatePassword the password used to create that file. But the request is rejected by the server. From looking at Wireshark, it seems only the client certificate is sent. This is different from what happens if we install the PFX in the machine store, which works fine.

So the next step I tried was to install the certificates at runtime. First load them:

X509Certificate2Collection collection = new X509Certificate2Collection();
try
{
    // import the whole chain from the PFX into the current user's key set
    collection.Import(ssCertificateFile, ssPassword, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
}
catch (CryptographicException)
{
    // the PFX could not be loaded (wrong password or corrupt file); log and rethrow
    throw;
}

Then identify what kind of certificates they are and finally installing them on the current user store:

private static void InstallCertificates(X509Certificate2Collection clientCerts,
                                        X509Certificate2Collection intermediateCAs,
                                        X509Certificate2Collection rootCAs)
{
    // client certificates go to the current user's Personal store
    using (X509Store personalStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
    {
        personalStore.Open(OpenFlags.ReadWrite);
        personalStore.AddRange(clientCerts);
    }

    // intermediate CAs go to the current user's Intermediate Certification Authorities store
    using (X509Store intermediateStore = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser))
    {
        intermediateStore.Open(OpenFlags.ReadWrite);
        intermediateStore.AddRange(intermediateCAs);
    }

    // root CAs go to the current user's Trusted Root store; this is the call that fails under IIS
    using (X509Store trustedCAsStore = new X509Store(StoreName.Root, StoreLocation.CurrentUser))
    {
        trustedCAsStore.Open(OpenFlags.ReadWrite);
        trustedCAsStore.AddRange(rootCAs);
    }
}

This fails when installing the root CAs in trusted root certificate authorities (StoreName.Root) with:

System.Security.Cryptography.CryptographicException: The request is not supported.
at System.Security.Cryptography.X509Certificates.X509Store.Add(X509Certificate2 certificate)
at System.Security.Cryptography.X509Certificates.X509Store.AddRange(X509Certificate2Collection certificates)
at OutSystems.NssCertificationExtremeXP.CssCertificationExtremeXP.InstallCertificates(CertificatesClassifier certificates)

so only the client certificate and the intermediate CAs get installed and at runtime apparently this is not enough.

But if I take the exact same code as it is and run it in a separate C# project, when installing the root CAs there's a confirmation dialog, and if I click OK the certificate is installed.

From here and here, it looks like every time we want to install something in the user's Trusted Root Certification Authorities store, that prompt appears, and it probably is not supported in the context of non-GUI usage.

The problem is that even if I don't install the root CA in the store, I can successfully call the SOAP service when running this stand-alone app, only when running under IIS this fails.

Does anyone know why this happens and how to solve it?

Is transparent authentication possible with PHP + IIS + AD?


Is it possible to configure a website running on IIS (Windows 2016) with PHP to authenticate users against AD without asking for credentials? Like an intranet page running on the internal network, with all users on domain-joined computers?

I think SharePoint does that, right? Is it possible to achieve this?

Solution to Run IIS without Admin


As per organization policy, software should be installed by the IT team only. To implement this, we have disabled admin rights for all users. Everything is working fine except for the .NET developers, who have to work with VS and IIS.

IIS only works when users are given admin rights.

How can I resolve this situation without giving local admin / special privileges to developers?


URLScan RejectResponseUrl not working, getting 403 Forbidden on IIS 7.5 Win2008


Hello. I have specified a RejectResponseUrl in URLScan (latest version) with UseFastPathReject=0, and I know URLScan is working when I test it, but instead of going to the specified RejectResponseUrl I'm getting the standard IIS 403 Forbidden page. I can't figure out why. This is problematic for my security scans because it echoes the dirty URL. Any ideas? By the way, there is nothing funky going on with my web.config or how my IIS errors are set up for this site; everything is default. This is on IIS 7.5 on Win2008. Thanks.

SSL Configuration In IIS


Hi,

I am new to the IIS web server and my requirement is that I need to configure SSL in my application. In my application we are using IIS as the web server and WebSphere as the application server. Could you please suggest how to configure SSL in IIS?

Thanks

Praveen

How to stop IIS from being accessed via IP over https:


I have a multihomed server running 5 sites. Some use SSL certs and some don't. All of the sites seem to work fine and can be accessed correctly over HTTP or HTTPS via a binding to the hostname. However, the server is responding to generic https://<IP address> requests with a self-signed cert. I only have an HTTP binding with a hostname on the default website. No sites have bindings without a hostname.

I am looking for ideas on where else to look to stop this generic HTTPS response.

Thank you.

Just an update, and it may be a coincidence, but it is getting a response from one of the first websites in the list that does have an SSL cert.


401 authentication on iis website not working correctly


I have IIS 10.0 installed on a member server running 2016. I have Windows Authentication with the HTTP 401 challenge set to allow only users in a certain security group access to the IIS website. When any user opens the intranet website, the username and password prompt opens up, but if the user clicks the Cancel button twice, it allows that user access to the web page. It bypasses the 401 authentication. I don't think it's supposed to do that. How can I troubleshoot this problem? I will send any additional information if needed.

Thank you.

Smartcard Authentication non AD accounts


I am kind of scratching my head over the last week.

Objective: Configure IIS to authenticate with a smart card only and not have it rely on Active Directory username and password.

How I configured IIS so far

Server Certificate selected under Bindings

IIS Client Certificate Mapping Authentication Role installed

SSL Settings - Enabled

Certificate Required

Authentication - all set to disabled

SSL Bind shows CTLSTORENAME set to ClientAuthIssuer

Under the certificate store I imported all my root and intermediate certificates from Trusted Root to Client Authentication Issuers.

My understanding is that once a client has authenticated via their PIN, it should check against the store, confirm the root/intermediate CA is there, and then authenticate. I am getting 401.2 consistently and feel like I am missing something rather simple at this point.

How to use Strong cipher


Hi Microsoft Expert,

We have taken out the 'weak' ciphers and intend to use the stronger ciphers like TLS_ECDHE_ECDSA* and TLS_DHE_DSS*, but the server doesn't seem to support them.

#removed TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
#removed TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
#removed TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
#removed TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
#removed TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
#removed TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
#removed TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
#removed TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
#removed TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
#removed TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
#removed TLS_RSA_WITH_AES_256_GCM_SHA384
#removed TLS_RSA_WITH_AES_128_GCM_SHA256
#removed TLS_RSA_WITH_AES_256_CBC_SHA256
#removed TLS_RSA_WITH_AES_128_CBC_SHA256
#removed TLS_RSA_WITH_AES_256_CBC_SHA
#removed TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Testing with openssl shows it is not supported:

openssl s_client -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -connect xxx.xxx.xxx.xxx:443

Does anybody have any comments or feedback?

Thank you!

Regards,

Shiro
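An added example, not from the post, that works out why openssl reports the ECDSA and DSS suites as unsupported: the key-exchange part of a suite name fixes the certificate type the server must present (ECDHE_ECDSA needs an ECDSA certificate, DHE_DSS a DSA certificate, the RSA variants an RSA certificate), so a server holding only an RSA certificate cannot offer them however the priority list is ordered. The suite list is the poster's retained list; the server's certificate key type is an assumption you pass in.

```python
import re

# The suites the poster kept (the ones without "#removed" above).
CONFIGURED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]

# Schannel names: TLS_<key exchange>_WITH_<cipher>[_P<curve>]; the curve suffix is optional.
_SUITE = re.compile(
    r"^TLS_(?P<kx>ECDHE_ECDSA|ECDHE_RSA|DHE_DSS|DHE_RSA|RSA)_WITH_(?P<cipher>.+?)(?:_P(?:256|384|521))?$")

# Certificate key type each key-exchange method requires the server to hold.
CERT_FOR_KX = {"ECDHE_ECDSA": "ECDSA", "ECDHE_RSA": "RSA", "DHE_RSA": "RSA", "RSA": "RSA", "DHE_DSS": "DSA"}
WEAK_CIPHERS = ("3DES", "RC4", "NULL", "DES_CBC")


def classify(suites, server_cert_key: str):
    """Split configured suites into (usable, unusable, weak) for a server whose certificate
    key type is server_cert_key ("RSA", "ECDSA" or "DSA"). unusable carries the reason."""
    usable, unusable, weak = [], [], []
    for suite in suites:
        m = _SUITE.match(suite)
        if not m:
            unusable.append((suite, "unrecognised suite name"))
            continue
        needed = CERT_FOR_KX[m["kx"]]
        if needed != server_cert_key:
            unusable.append((suite, f"needs a {needed} certificate, server has {server_cert_key}"))
            continue
        usable.append(suite)
        if any(w in m["cipher"] for w in WEAK_CIPHERS):
            weak.append(suite)   # negotiable, but not something to leave enabled
    return usable, unusable, weak


if __name__ == "__main__":
    # assumed: the server's binding uses an RSA certificate, the common case for IIS
    usable, unusable, weak = classify(CONFIGURED, "RSA")
    print("negotiable:", usable)
    print("negotiable but weak:", weak)
    for suite, reason in unusable:
        print(f"never offered: {suite} ({reason})")
```

With an RSA certificate the only suite left is 3DES, which is exactly the state openssl reports; the fix is either an ECDSA certificate on the binding or keeping the ECDHE_RSA GCM suites that were removed.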

How to block our root folder EXE or Other extension file download from client side


We are using IIS 8 on Windows Server 2012 R2 Standard.
We want to block some file extensions from being downloaded from the client side,
so we are currently using webDev as below:

<requestFiltering>
    <fileExtensions applyToWebDAV="false">
        <add fileExtension=".exe" allowed="false" />
    </fileExtensions>
</requestFiltering>

Is there any other better method for this?

Will webDev also be supported in future versions of IIS?

Run as Active Directory account


We have been using local user accounts on our local IIS web servers, but for a few sites we have had to use an Active Directory account. Now when we use Context.User.Identity.Name.ToString to log the user that is on the site, we always get the name of the Active Directory user that the site is running as.

How can we fix this? We need the Active Directory account, as it has permissions to access a network share that the local account doesn't.

thanks
