HTTP Strict Transport Security header configuration in IIS 7.x?
When enabling the HSTS header in IIS 7.x, is it OK to do this in the web.config for one or more virtual apps, or must this be done at the IIS root web site level?
HSTS shows as invalid
Hello, the HSTS setting shows as invalid on ssllabs.com, but if I look at the headers using Chrome I can see the Strict-Transport-Security: 'max-age=31536000'. Could it be that the load balancers (F5) need something too?
Seeing string not int
HSTS is displaying as 'max-age=31536000', not as max-age=31536000. if ($Site.HSTS) { if ($Site.HSTSAge -lt 31536000) { } cIisCustomHeaders ($FQDN + '_HSTS') { Name = 'Strict-Transport-Security' Value =...
Filtering and Bad header in the HTTP response
Hi, In the filtering I deny the following verbs: OPTIONS, TRACE etc... Then I perform a request with a dummy verb like 'asd'. Then the server returns a 405 error, but in the response, I have the following...
Certificate Based Authentication Across Domain Trust
Hello. Not entirely sure whether this is an IIS issue or a Windows authentication issue. We have a web server in one domain, and users in another. There is a two-way domain trust between the two and...
Kerberos Double Hop Issue
We have the infamous Kerberos double hop issue. This is a brand new domain, being migrated from another provider where impersonation and delegation was previously working. We have upgraded OS's and to...
Security for the path different than if explicitly specified default document
I had a previous post - https://forums.iis.net/t/1238417.aspx. Solution there was great, worked fine. But then I noticed one odd side effect. When I look at Server Variable "auth_user" when I access the...
Request for the permission of type...
I'm writing a HTTPModule for Microsoft IIS. As part of the initialization callback function, it reads in a configuration file from disk. This has worked fine on one of our development environments, but...
Disabling TLS 1.0 Crashing my website
Hey, I have a Server 2008 with IIS 7.5. When I disable TLS 1.0, the website crashes. Any ideas? Thanks, Elad
Change Authorization Rules using script
Hello :) I’m trying to change authorization rules using a PowerShell script (it doesn’t really matter to me the way of doing it, as long as it is done from the command line and not through the GUI...
Windows authentication IIS 8.5 Windows Server 2012 R2
I have an ASP.NET intranet application that needs Windows authentication enabled on Windows Server 2012 R2 (IIS 8.5), but I cannot get it to work. When I try to access the page from either a client...
IP Restrictions On FTP Folders In IIS Not Working
Hello. I've exhaustively searched for an answer to this IP Restrictions issue without success. Any guidance provided is greatly appreciated. The environment is FTP running in IIS on Windows Server 2016...
Host Intranet websites on secured URL (HTTPS)
Hello Team, We are currently in the process of moving the HTTP protocol hosted Intranet websites to the secured HTTPS intranet protocol. The current websites are accessible like:...
Can't use a domain username as a specified user in IIS 10.0
Hi, I am having a problem when I try to use a domain user as a specified user name in Basic Settings -> Connect As. I want to access a shared folder that is located on another server. The web server...
Reverse Proxy IIS to Apache Tomcat 8.0 with NTLM Authentication (SSO)
Dear Team, We are currently using NTLM for SSO authentication in our application using IIS as our web server, but with the new upgrade in the application we now have to use Apache Tomcat as our primary...
Getting a 401 making calls to localhost
Setup: 2 Windows 2016 web servers using IIS 10 in a load balance pool; Application and API is using Windows Authentication; host file entry directs API calls from the application back to localhost...
Site files on a file server VS in the root of site?
Hello All, We have a site that is very file heavy, PDF to be exact. A while ago the IT department wanted to move the files to a file server because the initial server could not have any more space added...
Installing IIS 10 on a hardened Windows Server 2016
Hello everyone, I have to install IIS on a hardened Windows Server 2016. Is there any document out here listing what IIS' security requirements are? What I mean by that is, for instance: what local...
URL Path does not load at first, until browser loads root directory.
I installed a new certificate on IIS 8.0 and added SAN attributes in the certificate so Chrome, IE reports the cert as secure, everything on the surface is working fine. However, after a server reboot,...
Option to restrict via IP range as well as via AD User Group?
Hi all, I have an IIS project, for which I'd like the following to be restricted for access, together if possible: 1) Two or three specific IP address ranges (I've done this part already). This is due to...