I've viewed a few of the other IIS reverse proxy with windows authentication posts on here and they don't seem to be what I'm trying to do. Hopefully someone will be able to help or spot what I'm not doing or doing wrong.
I've got a server which has a website running on port 80 which I need to present a number of other web applications on. I cannot create new hostnames so I created a virtual directory in the site which pointed to my web apps, however the root site is using .net2.0 app pool which must stay as .net2.0 whereas my ASP.NET MVC apps all need 4.0 app pools. As per the web.config inheritance problem this is not working and I cannot change the web.config in the root to ignore propagation to child web.configs - with me so far? ;-)
To cut a long story short I've now got a virtual directory in my port 80 site which is acting as a reverse proxy to another site on port 81 and this is working fine for anonymous connections. I've tested it with a simple HTML page and I can access it and the url re-writing is working on links in the HTML page, all good so far.
Now I need to enable windows authentication on the port 81 site, so I followed the instructions similar to what is in these links on MSDN site to configure SPN's for the domain account I'm using (DOMAIN\testaccount) and other IIS config's:-
link 1
link 2
The problem is that all I get now is the good old error message:-
Access is denied. Description: An error occurred while accessing the
resources required to serve this request. The server may not be
configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
-------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.34280
I've tried creating a test aspx page which just outputs the server variables to the response but even this is not working.
I can't find anything else to try, initially I thought I'd have to get Kerberos sorted to pass the details from virtual directory to site on port 81 but the MSDN posts say this is not needed, just the SPN's.
Anyone any ideas?
This turned out to be something very simple and me being dumb for not checking! :-)
I spent days trying to figure out why this wasn't working, not sure why I didn't try earlier but I changed the application pool it was running under to use .net2.0 and then my test aspx page worked!?!
Turns out in IIS manager if you click on the root server node itself that under 'ISAPI and CGI restrictions' feature settings that the .net4.0 DLL's were set to 'Not Allowed' but the .net2.0 DLL's were 'Allowed'! I just enabled the .net4.0 changed the application pool back and then voila it works.
Related
I have an issue accessing a .NET website that I have configured to use Windows authentication (Site works fine with forms authentication) . I get a 401 authorised message back every time I try accessing the site using a proper domain name or IP address but the site works as expected when accessed over localhost
I have made a few changes to the applicationhost.config but none has given me the desired results.
I have also tried to items mentioned in the below URLs, but without much luck.
https://support.microsoft.com/en-gb/help/896861/you-receive-error-401-1-when-you-browse-a-web-site-that-uses-integrate
https://support.microsoft.com/en-us/help/303650/intranet-site-is-identified-as-an-internet-site-when-you-use-an-fqdn-o
https://support.microsoft.com/en-us/help/258063/internet-explorer-may-prompt-you-for-a-password
If anyone of you have encountered this issue, please assist.
FYI,
I have hosted this site on AWS and for test purposes have enabled incoming https/https traffic from all IPs.
Server : Windows server 2016
IIS : IIS 10
I was finally able to get this to work by switching over to Kerberos from NTLM and by
creating appropriate SPN entries.
Also had to add the site to Local intranet sites
Below is the link that I referred.
https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-
authentication-for-a-website-in-iis/
https://blogs.msdn.microsoft.com/askie/2012/06/05/how-to-configure-internet-explorer-
security-zone-sites-using-group-polices/
Had to additionally do this for Firefox
Enter about:config and modify a couple of entries.
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
network.automatic-ntlm-auth.trusted-uris
Enter my domain on these settings
This is my first project in asp.net MVC. Build works in Visual Studio. When I publish website to server I get this two errors:
HTTP 403.14 – Forbidden
I get this one if I visit server based on ip. It says I can probably fix it by setting default webpage. I know where to do it in IIS, but I dont know what to put there. I have only one controller Home, which has Product view. So I tried to set Home/Product, but nothing happend.
HTTP 404.0 – Not Found
This is happens when I try to access to controller, x.x.x.x/Home/Product for example.
Project runs on Windows Server 2012 + IIS. In IIS I use Default Web Site. I added permisson to users from outside by this command IIS APPPOOL\DefaultAppPool.
In Visual Studio I make build through Build > Build web to local drive and move all files to server.
Two things,
Check the app pool identity has permissions to the root folder of
the site.
Check that there is a default page configured in the root folder in
the site and that the default page is listed in the default
documents list for the site.
403 Forbidden The request was valid, but the server is refusing
action. The user might not have the necessary permissions for a
resource.
404 Not Found The requested resource could not be found but may be
available in the future. Subsequent requests by the client are
permissible.
Options:
Is Directory Browsing turns to Enabled?
Is Folder Project Directory User has Permitted?
Check application pool framework(IIS) VS Project Framework.
Always check in application pool > right click created website > advance settings > General tab (32bit or 64bit)
Fix it by this advice: stackoverflow.com/a/9239936/3246527. Thank you all.
I probably followed some bad tutorial which missed this part.
As the title suggests, I am unable to properly log in to my web app whilst it is hosted on IIS 8. It works as expected using IIS Express locally.
The Provider returns an "Unexpected Error".
I have checked that the OWIN middleware is loading, as I am able to register a new user just fine. I can also see using FireBug that the AspNet.ApplicationCookie is being set for the session.
The problem seems to be that when logging in, I am being redirected back to the login page, as opposed to the page I requested. Is there something under IIS 8 Specifically that might be causing this? As i said, It works as expected using IIS Express locally.
I have root access to the server, and so can make any IIS changes necessary.
It seems the problem was related to my SQL server connection string in the Web.Config.
Apparently it would seem that I cannot connect to my instance of SQL server using a connection string where the host address is the local servers public interface. Switching the host to "localhost" did the trick.
What's interesting is how suppressed this error was. I only managed to find it after installing Elmah.
http://www.raboof.com/projects/elmah/
I have an ASP.NET application which I am testing on the ASP.NET Development server. The application is meant to download a file from an intranet sharepoint site. I am using WebClient.DownloadFile() for this purpose. But I am getting the following exception-
"The remote server returned an error: (401) Unauthorized."
The account with which I am logged into Windows while running the application has access to the resource which I want to download.
I tried ro run the application on IIS 7.5 as well, giving the application pool the required identity to download the file. But still got the same error.
Any idea what exactly is the problem and how to overcome it? Thanks in advance!
It's a problem with double hop delegation. Look at this: http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx
Assuming normal Windows (NTLM) authentication on SharePoint site.
Most likley you are hitting by design behavior "double hop delegation" sometimes called "one hop NTLM hell" - credentials passed from client (browser) to server (your ASP.Net application) can't be used outside of the box. As result your ASP.Net application autorizes as more or less anonymous user and can't authorize on SharePoint site.
Common way to solve it - have some sort of trusted account and run your site's code under that account. Than when accessing the site you run code under process' account (not impersonating the user). You'll need to review code to have reasonable security measures as bugs will allow anyone use your site to access SharePoint/other resources under that special account.
Problem got resolved by setting UseDefaultCredentials property of the WebClient to true
This is a Kerberos issue, as Kirill mentioned. Before you start setting SPNs and the like, please follow the advice on this link first.
I recently had a frustrating week of trying to get Kerberos to work on a locked down domain and at the end of it all I found all I had to do was set useAppPoolCredentials to true.
If that doesn't help, this link provided quite useful to me as well.
Good luck!
we developped an ASP.NET application that runs fine on our development server and in our network computers. But in production, the application works when accessing it directly from the web server but not on the clients (code behind is not executing).
Any hints?
TY
Framework is 3.5
the application works when accessing it directly from the web server but not on the clients (code behind is not executing).
This sounds like a security permissions issue.
Check to see where the website is installed. C:\inetpub\wwwroot has the proper execute permissions by default. For security reasons, many corporations like to set a policy that websites have to be installed elsewhere [1]. When setting up websites outside of the default folder, add "read & execute", "read" and "list folder contents" permissions to IIS_WPG, IWAM_server_name, IUSR_server_name and ASPNET accounts. Sometime NETWORK SERVICE needs to be added to the collection.
When you run logged in locally, the application is running with the logged in user's credentials. When hitting the website remotely, the application is trying to run with the account showned in the Authentications dialog (in IIS manager, right click the web site/application, then properties, then directory security tab, then click "edit" on the "authentication and access control" bit. Usually, "enable anonymous access" is clicked and the "user name" is IUSR_server_name.
Notes:
1 - So that when some hacker uploads malevolant code to C:\inetpub\wwwroot, the code does nothing because the websites aren't there.
hmm, "static web site" + button click = no code behind + hyperlinks
check the hyperlink paths as [Wim Hollebrandse] mentioned UNC!!
is the application correctly configured in the iis manager?
application has to be created and the .net framework has to be enabled and set to the right version.
That doesn't make any sense. Please don't tell me your clients are browsing to your website over a UNC network path/share instead of over HTTP...
Another reason could be that the clients (assuming they're on a different subnet than the working ones) end up on a different box because of some DNS or NAT issues, whilst you assume they end up on the correct server. Try connecting to the IP address instead of the DNS hostname.
Here's a list of questions that may help narrow down where the problem is:
Have you checked using Fiddler or other network tools to ensure that a request is going to the server when a button is clicked on a client's machine?
Are you sure there isn't a firewall or JavaScript issue here? If the client is using NoScript, this could cause the problem, I think.
Is the same browser being used on the server and client's computers?
Is there anything fancy about the button on the page,e.g. is an AJAX callback?