Channel: Security
Browsing all 1881 articles

IIS 8.5 vs 7.5 FederationHttpBinding tokenRequestParameters Namespace Error

Hello and sorry for the cryptic subject. The issue is quickly explained: The tokenrequestparameters (see:...



Central Certificate Store - DFS and AzureFiles

Hey, I am trying to demo the usage of Central Certificate Store for our certificate automation. I am looking to use AD Integrated Azure Files as the backend, and have set up a Private Link to this share....



http.sys response header

The IIS http.sys kernel driver intervenes to block possibly malicious URLs, for example this URL https://domain.ext/%2E%2E%2fconsole.portal is blocked by issuing a 403 error (Forbidden URL). Is it...


authentication to internal IIS site

Hi, a bit random but at a complete loss. We've had Microsoft Identity Manager installed and that has a web front end where users can administer their user account. However, when the user navigates to...


Question about SSL renewal on IIS

I have an SSL on an IIS server. It expires soon. The cert from the commercial SSL provider got auto renewed and has a new validation date. To update the cert on my IIS server, since it hasn't expired...



Documentation for additional Windows authentication providers ?

Hi, Noticed the addition of Negotiate:Kerberos, Negotiate:PKU2U and Negotiate:CloudAP providers for Windows authentication. Is there some official documentation somewhere for that? Can't find for now....


how to manage / generate pfx files when using centralized certificate management

So I've been playing around with IIS Centralized certificate management by creating some test certificates using PowerShell. PowerShell cmdlets (Export-PfxCertificate) usually create a certificate...


Site on UNC Physical Path Authentication

I try to create a site that can access the network drive via UNC path. When I run the site locally on server 127.0.0.1:84 it works and gets a list of folders in the browser. When trying to get site on...


Windows Server 2019 disable legacy TLS in IIS via certificate binding is...

When we read about "TLS version enforcement capabilities now available per certificate binding on Windows Server 2019", it sounded perfect. However we cannot get it to work? We are using IIS10 on...



IIS brute force and password spray detection with WebsiteFailedLogins

Surprisingly I wasn't able to find techniques in this forum to detect brute force logins and password spraying. That being said, I just finished a significant rewrite of the PowerShell module...


Dynamic IP Restrictions by file type?

Hi, I've tried using WebKnight, which is similar to Dynamic IP Restrictions, but some pages on my sites have tons of images and js and css and so a single page request would result in potentially a...


FTP write/delete not working

I have a Windows 2016 server with IIS 10. I am having problems setting up the NTFS permissions to allow FTP write/delete to my Users' virtual web folders. My users have write problems when they are...


Broken Cert at Website but not in IIS

I have a CA Root-signed certificate that is bound to 443 for my website. Using Chrome, when I access the site I still get a "this is not private" warning. I click the "Not Secure" warning and select...



Detecting brute force logins & password spraying

What programs/scripts/techniques/etc. are used to detect the following on an IIS website. Brute Force Logins, Password Spraying, The above techniques from distributed IP addresses. SIEM and Enterprise log...


is IIS password authentication secure?

Hi everybody, I need to publish a company website for our workers. I am somehow extremely over-cautious (also because of Exchange ProxyLogon issue). If I only publish the SSL site to Internet and prevent...



Response headers from http.sys

Some requests are not handled by IIS, but instead by http.sys. For example the path shown below: ❯ curl -sv http://localhost/..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5Cwindows%5C%5Cwin.ini > GET...


IIS 7.5 Dynamic IP Restrictions download not working

Hi, I need to download the "Dynamic Ip Restrictions" module for IIS 7.5 but the link on iis.net gives me a 404 and so does the Web Platform Installer in the IIS Manager. Here is the page:...



IIS10 Max file upload size

Hi, reading a lot of conflicting information regarding this, but trying to upload file sizes larger than 2GB using IIS with PHP. ALL of the PHP side has been configured appropriately, with the...


Blind SQL Injection

I am currently working on resolving a Blind SQL vulnerability found on an IIS server hosting a web application. Found blind SQL injection on...


Site rendering issue

Hello, I am posting this issue here as I think it is permissions related. I have site, running on application pool with identity - account1. If I access the site from my laptop, I have next: - As myself...


