Is it acceptable to add (domain) users to the IIS_IUSRS group? Is it best practice? Thanks!

What is the object EVERYONE in ACLs? It really means EVERYONE? Even IIS App Pools?

I have a folder, full of files, in my IIS 8 WebServer and an ASP app running, uploading file to the folder

Current ACL of the folder is: "Everyone:FullControl", it´s a requirement of the Web App, so Uploads can be done

Now, developers, are requesting a change: to add the IIS AppPool\AppName be added to the ACL, again, with FullControl, so APp could upload files.

But considering that the ACL already have Everyone:F as permission, why bother to add IIS AppPool\AppName to the ACL, if "everyone" (at least theoretically speaking) includes the IIS App Pools, and all other objects?

I know, by default, "Authenticated Users" and "Everyone" has some sort of equivalence, where "everyone" is "reduced" to not include anonymous users, but in my thinking, the IIS AppPool is an "authenticated" users, isn´t it? 

IN mind, i think that the developer request is useless, becuase if the ACL of the file/folder already has "Everyone:Full permission, does adding IIS Appool it will be helpful?

Hello all,

Does iis cash the windows authentication use name or any other AD attributes?

I am using iis 7.0 on windows 2008 R2, I enabled windows authentication on my iis website, when the AD admin changes the windows login name for any user (say the username is “JohnSmith” changed to be Smith.John) I still receive the old username in my ASP.NET application. This is the code:

Dim userId As String = Threading.Thread.CurrentPrincipal.Identity.Name.ToString()

userId here for the changed user Smith.John returned as it was before the change “JohnSmith” although the user can login to his machine using the new login name. after a few days, the userId starts returning the new formatted username “Smith.John”.

To me looks like IIS is cashing some AD attributes for some time, any thought or ideas?   

p.s. I mean by the user name: the login name that is used to login to windows

Read a lot of articles. Have blocked several IP addresses using Windows firewall advanced security on the server and set  IP restrictions on IIS.

There were bots trying to access on existent files during the night now they are crawling during the day too. After repeated pings  our IIS stop without any notification. 

How do i stop this?

We have a load balancer in front of these IIS-based WebAdapters. Disabling "Extended Protection" under Windows authentication, advanced settings, will allow Kerberos to authenticate and pass credentials. 

Theoretically, setting this value to "Allow" should work as well, but no luck.

Any suggestions as to why this is the case? We need double-hop to pass credentials from the load-balancer's to the services behind the Web Adapters.

Hi,

Apologies in advance for the length, but I wanted to thoroughly document my analysis of this issue.

I have spent an inordinate amount of time (weeks and weeks) Googling/researching/testing/debugging the IIS Client Certificate Authentication security scenario for WCF Web Services. And, in short, while acknowledging that I could very well be mistaken, based on my results, I have come to the conclusion that there is either a bug in either IIS Web Site/Application Authentication; .Net Web Client Authentication configuration, or both.

The problem in short appears to be that there is currently no way for a web client to authenticate to IIS via X.509 certificate, without enabling "Anonymous Authentication" in IIS. I believe this to be a bug because in addition to the reasons laid out below, in my opinion, this behavior is completely inconsistent with the other IIS Authentication schemes, and there is no logical reason for such a requirement. Depending on the configuration settings, attempts to implement client certificate authentication, without enabling Anonymous Authentication in IIS, result in one of the following errors, which I believe indicate an issue with how certificate authentication is implemented in .Net and/or IIS:

#1 Exception: System.ServiceModel.ServiceActivationException: The service 'MyService.svc' cannot be activated due to an exception during compilation. The exception message is:Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.. ---> System.NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

#2 System.ServiceModel.ServiceActivationException: The service 'MyService.svc' cannot be activated due to an exception during compilation. The exception message is:The authentication schemes cannot be inherited from the host for binding 'CustomBinding'. No AuthenticationScheme was specified on the ServiceHost or in the virtual application in IIS. This may be resolved by enabling at least one authentication scheme for this virtual application in IIS, through the ServiceHost.Authentication.AuthenticationSchemes property or in the configuration at the <serviceAuthenticationManager> element.. --->

#3 System.ServiceModel.ServiceActivationException: The service '/SecureWCFSvc/EmployeeGetSvc.svc' cannot be activated due to an exception during compilation. The exception message is:The value of the property 'authenticationScheme' cannot be parsed. The error is: The enumeration value must be one of the following: None, Digest, Negotiate, Ntlm, IntegratedWindowsAuthentication, Basic, Anonymous.. --->

The first error CLEARLY indicates that A. Anonymous Authentication is disabled for the IIS web app. And B. The web client/service configuration settings (Transport.clientCredentialType="Certificate") dictate thatAnonymous Authentication be enabled in IIS for the web app.

In the second error, the web app (IIS) configuration is indicating that NO authentication scheme has been specified, when in fact the iisClientCertificateMappingAuthentication scheme has been enabled for the web app in IIS.

Finally, when attempting to use a custom binding with authenticationScheme="Certificate", the response is basically that there is no such authentication scheme, and that one must be selected from the enumerated values that are helpfully provided in the exception message. Which of course begs the question: Where is the value that maps to the IIS "iisClientCertificatMappingAuthentication" Authentication Scheme?

Here are the pertinent settings/configuration/setup steps:

IIS
1. Configured web site/app for SSL with valid self-signed Cert
2. IIS Certificate Mapping correctly configured and enabled in applicationHost/web site/web app config files:

     <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="true"

     defaultLogonDomain="myDomainName">
          <oneToOneMappings>
               <clear />
               <add userName="wcfUser" password="[enc:IISCngProvider:iEncoded Value=:enc]" certificate="Encoded Cert String" />
          </oneToOneMappings>
          <manyToOneMappings />
     </iisClientCertificateMappingAuthentication>

3. All Authentication modes disabled in IIS Manager/Authentication settings UI

Web Service/Client App:
1. Specify Transport Client Credential Type = "Certificate" in both service and app bindings:

<wsHttpBinding>
     <binding name="wsHttpTransportCertBinding" >
          <security mode="Transport/TransportWithMessageCredential" >
               <transport clientCredentialType="Certificate" />
               <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
          </security>
     </binding>
</wsHttpBinding>

2. Delete or specify same binding for Mex endpoint
3. Specify valid self-signed Client Cert in client app.config <clientCredentials> section

Test Cases/Results
1. Using above settings/configuration

Result: Exception #1 above: "Security settings for this service require 'Anonymous' Authentication"

Huh?????
Why is enabling Anonymous Authentication in IIS required for a Client Credential Type of "Certificate", while when I specify a Client Credential Type of "Basic", I can enable ONLY Basic Authentication in IIS, and the service works as expected?

2. Enable "Anonymous Authentication" for site/application

Result: Service method successfully called with mapped certificate user account shown in IIS logs!!! 

***Now here's the kicker***
3. Set binding to INHERIT the authentication scheme from host

Result: - Exception #2 above: "No AuthenticationScheme was specified on the ServiceHost or in the virtual application in IIS"

Say what?????

How can this be when the iisClientCertificatMappingAuthentication Scheme is CLEARLY enabled for the web site/application??? Why does the exception indicate that no authentication scheme has been specified, when clearly it has?

4. Configure Custom Binding with CertificateOverTransport

Result: - Exceptions comparable to above wsHttpsBinding errors.

5. Implement various IIS/.Net configuration steps outlined in numerous posts, blogs, and forum answers.

Result: - My early experience was that on several occasions, the posted "solution" actually appeared to work...Initially. But what I found, was that when I re-published my web service app to IIS, the Anonymous Authentication scheme was "silently" re-enabled on the web app. Once I discovered this, and again disabled it, I was back to receiving the usual exceptions. Because of that, I added code explicitly disabling Anonymous Authentication to my service's web.config file, to prevent that behavior going forward. I suspect that this same behavior may have occurred with others, and that the "false positives" were not discovered (if then) until after the purported "solutions" were publicly posted.

The error conditions I've documented above are why it appears that there is a bug, but it's not clear which side is the culprit. In other words, is IIS indicating to the .Net client that NO authentication scheme has been enabled, even though it has? OR, is it that IIS actually indicates to the client app that the iisClientCertificateMappingAuthentication scheme is indeed enabled, but for whatever reason, .Net either doesn't map the IIS scheme to "Certificate"; erroneously maps "Certificate" to the "Anonymous" authentication scheme, or falls back to that Anonymous because the enumeration mapping to the IIS iisClientCertificateMappingAuthentication scheme is missing/invalid/not implemented on the .Net side? Or some combination of both, or other? Whichever is the case, in my mind, there clearly appears to be an issue here.

Obvious Questions:

1. At this point, why is there STILL no "Certificate Authentication" option in IIS Manager UI available for Web Site/Applications' Authentication settings?
2. In .Net web.config, why is there no authenticationSchemes enumeration value that corresponds to the IIS iisClientCertificateMappingAuthentication scheme? 
3. If this is indeed an issue of "lack of guidance" rather than a bug, why has Microsoft provided such extensive documentation (and examples) for IIS and WCF configuration, but has glaringly omitted guidance for implementing one of the most common, asked-about, and apparently most difficult to implement business use-cases?

In my humble opinion, Microsoft should do one (or more) of the following:
1. Acknowledge that this is a bug. Commit to fixing it, and then do #3. 
2. Acknowledge that this is a bug and that they are NOT going to fix it (and why), and CLEARLY indicate that developers must enable Anonymous Authentication in IIS in order to implement Client Certificate Authentication, instead of requiring developers to spend hours/days/weeks googling Stackoverflow and blogs for the answer...Which, because any developer worth his salt, isn't going to take at face value, results in frustration and wasted time spent trying to verify what seems to be an inexplicable requirement.

Also, by making such a public acknowledgement, Microsoft will not only save untold man-hours in wasted effort, it will also allow developers to point at official Microsoft guidance, when explaining (justifying) to internal sysadmins, clients, and third-parties why they must enable Anonymous Authentication on their web site(s)/app(s) if they want clients authenticated by X.509 certs.

3. Provide clear guidance (documentation and examples) in Microsoft Docs on both the server and client configurations for correctly implementingClient Certificate Authentication in IIS WITHOUT enabling Anonymous Authentication.

Again, I acknowledge that I am NOT an expert, and could very well be mistaken in my analysis of this issue, and would welcome any guidance and/or references to successful implementations of this use case.

Any and all responses welcomed.

Thanks!

TWebby1763

I tried to download the setup MSI file for UrlScan 3.1 from one of following URL but failed.

• x86: https://www.microsoft.com/downloads/details.aspx?FamilyID=ee41818f-3363-4e24-9940-321603531989
• x64: https://www.microsoft.com/downloads/details.aspx?FamilyID=361e5598-c1bd-46b8-b3e7-3980e8bdf0de

Who can tell the available link? Thanks.

Hello, I have a problem.
When I use IIS, Log files save default path that %SystemDrive%\inetpub\logs\LogFiles.
So, I move the path(%SystemDrive%\inetpub\logs\LogFiles) and see W3SVC1 folder.
Double click this folder, I meet the 'You don't currently have permission to access this folder.'
Sure, I can click Continue button and solve this problem.
However, this folder makes continually. (If IIS site is running)
For examples, When IIS makes new folder W3SVC2, I meet same message.
But I don't want meet this message. When IIS makes new folder, I want to access this folder automatically not using script.
I think that change IIS setting is solve this problem. But I don't know method.
Please Help me~

I have used URLRewrite tool to remove "Server", "X-Powered-By", "X-AspNet-Version" from response headers. However, consider about deploying automatically, can I do the same thing by scripts or command lines?

Hi,

I'm having a up and running web based system which authenticats users from the active directory. IIS hosted in a server pc and AD is in a normal PC which runs server OS. This works fine for past 4 years. Since few months I'm having issues of authentication. When user enters user name and password it prompts again and again. Restarting IIS server computer solves this issue at times, but not always. This has been a headache for me. Waiting for any comment which helps to solve this issue.

Thanks in advance.

Chamara

Hi,

I'm using FTPS to protect access to IIS FTP services, with self signed certificates. Starting from version 3.24, filezilla reports that "Key usage violation in certificate has been detected." because there is some restriction on the certificate key usage parameters. It seems that the IIS certificate is not full RFC 5280 4.2.1.3 compliant.

Any idea to create a compliant certificate on IIS?

thanks

Good afternoon,
I have a 2016 server that is hosting a ton of sites.
One of the sites have multiple site bindings with each its own SSL certificate.
But 3 of these sitebindings will always share the same certificate. If I change one bindings certificate. The other 2 are also automatically changed to the new certificate.
If I add a new binding this binding will also share that same certificate. And changing its cert will also change it for the other bindings.
Every binding needs its own certificate

Thank you in advance for your time

Hi all

I have been seaching for days and hours to find an answer that I can understand without getting confused :D

My sites are running perfectly and no errors but however, i'm a little worried about the security on each site.

Im really getting confused about all the informations about IIS_IUSRS and IUSR and its security.

I think its because of my bad english lol :)

I will try to explain the best way I can:

One of my sites need to have several of folder read- and writeable so I gave the IUSR all right except Full control, otherwise the installer wan't run and get alot of warnings about folders not writeable!

Then I gave IIS_IUSRS_machinename list only.

The site is now running with no problem except a curl problem I write in another post.

But im worried about the security now that the IUSR has all these rights and all visitors can upload/hack ect..?
Should I be worried or is there anything else I should do?

Thanks in advance

Hi

I set up a new IIS server and a website, I can browse the website using the localhost from any domain joined PC, as long as I am logged on with my AD credentials it passes me through without prompting me for username and password. I setup a DNS FQDN for the target host, now when i set the binding for the website and point it to the new FQDN it starts prompting for username and password, instead of passing me through like it did when using the localhost url.

Windows authentication is enabled, with negotiate being the provider.

the web.conf authentication mode is windows.

the pass through authentication is set to application user.

I am running server 2016, IIS 10

I ran out of ideas, any help would be appreciated. I just need to be able to browse using the FQDN and pass through based on the AD credentials i am logged on with.

Edit: fiddler shows the result below:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge
Date: Tue, 30 Jul 2019 16:09:48 GMT
Content-Length: 0
Proxy-Support: Session-Based-Authentication

Thanks

Hi,

Any advises how to troubleshoot the authentication issue on the IIS (W2012R2). In my mind I have two servers with equal setup, but one server does handle the windows authentication (?) correctly. When going to URL:

workingServerA.domain.com/folder/app.svc

Then I have another server with the same URL:

failingServerB.domain.com/folder/app.svc

It is asking the user ID and password.

Wish to learn how I could troubleshoot this.

Browsers: Chrome, Edge, and IE tested: same behaviour.

Servers are domain memembers. Workstation is domain member, and my account is domain account.

I have been trying to make web API requests to my asp.net core 2.2 web API that is hosted in IIS. I can get back results when I use 'example.com:50056/api/Vehicle/GetCarpaint' from my browser. However I get 'This site can't be reached' when I make the same request from my mobile phone's browser. Even when I use the IP address of my the machine where the website is hosted. My PC and phone are both on the same network.

Below, I wrote down my finding to this whole situation.

BROWSER

• example.com --OK

• example.com:50056/api/Vehicle/GetCarpaint --OK (getting back data)

• 192.168.8.X:50056 --Error 400 Bad Request -Invalid Hostname

• 192.168.8.X:50056/api/Vehicle/GetCarpaint --Error 400 Bad Request -Invalid Hostname

PHONE'S BROWSER

• 192.168.8.X --OK

• 192.168.8.X/api/Vehicle/GetCarpaint --Error 404 File or directory not found

• 192.168.8.X:50056 --Error 400 Bad Request -Invalid Hostname
• 192.168.8.X:50056/api/Vehicle/GetCarpaint --Error 400 Bad Request -Invalid Hostname
• example.com --This site can't be reached, drsmashservices.com's server IP address could not be found
• example.com/api/Vehicle/GetCarpaint --This site can't be reached, example.com's server IP address could not be found

I expected to type the IP address of the site with my port followed by my route however my phone's browser can't seem to find the DNS of my website, additionally, I added an inbound rule with port 50056 and I still can't get it to work, am I missing something?

Hi Microsoft Expert,

We had taking out 'weak' ciphers and intend to use the stronger ciphers like TLS_ECDHE_ECDSA* and TLS_DHE_DSS*, but server doesn’t seems to support.

#removed TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

#removed TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

#removed TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

#removed TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384

#removed TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256

#removed TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384

#removed TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

#removed TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384

#removed TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

#removed TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

#removed TLS_RSA_WITH_AES_256_GCM_SHA384

#removed TLS_RSA_WITH_AES_128_GCM_SHA256

#removed TLS_RSA_WITH_AES_256_CBC_SHA256

#removed TLS_RSA_WITH_AES_128_CBC_SHA256

#removed TLS_RSA_WITH_AES_256_CBC_SHA

#removed TLS_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Tested using openssl shows not supported:

openssl s_client -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -connect xxx.xxx.xxx.xxx:443

Anybody have any comments do feedback.

Thank you!

Regards,

Shiro

Our company synchronizes IIS logs with other intrusion control systems.

I try to figure out how to recognize all bad login attempts from IIS logs. I tried to parse them out manually with grep throught regulars. But I found out many values i do not understand.

I tried to google meaning of values in fields cs-status and cs-substatus. Bad login attempt should be marked with cs-status code 401 and different cs-substatus. But I found cs-substatus values that arent described in microsoft pages. Like cs-substatus values  111 or 0. (There is no description what means codes 401.0 and 401.111)

Here are 2 examples of log inputs (with header with field order description):

#Software: Microsoft Internet Information Services 10.0
#Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

127.0.0.1 GET /PowerShell/ &CorrelationID=<empty>; 443 - 127.0.0.1 AMProbe/Local/ClientAccess - 401 111 0 5

10.10.10.10 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=2f43ba86-1f69-4116-82ca-e909e4e3edf7; 443 - 172.172.172.172 AppleExchangeWebServices/309+AddressBookSourceSync/1894 - 401 0 0 15



I found some pages on microsoft.com but these substatus codes are not explained there.

https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0

Can someone explain these subsatus codes? Any ideas?

Thank you for any suggestions