Domain user can't be logged in after binding host name IIS - iis-10

My web site is working perfectly on port 8081 on localhost. In order to provide a host name I had to set IIS bindings.
Bindings are set correctly. Additionally I set the host name in the hosts file as well. When I browse the website via the hostname I get the error below:
"Error Message - HTTP Error 401.0 - Unauthorized"
Please note that I am using IIS 10.

You have to whitelist a domain specified in the hosts file in order for Windows authentication to work. Try these steps:
* Click Start, click Run, type regedit, and then click OK.
* In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
* Right-click Parameters, click New, and then click DWORD (32-bit) Value.
* Type DisableStrictNameChecking and press ENTER.
* Double-click the DisableStrictNameChecking registry value, type 1 in the Value data box, and click OK.
* In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
* Right-click MSV1_0, point to New, and then click Multi-String Value.
* Type BackConnectionHostNames, and then press ENTER.
* Right-click BackConnectionHostNames, and then click Modify.
* In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
* Quit Registry Editor, and then restart the IISAdmin service.

I was able to resolve the issue by following this reference: Getting windows authentication to work through local IIS

Related

Client Certificate and HttpWebRequest

I have two keys: a .PEM file and a .KEY file.
The pem key is in X509 format.
I have got the pem-file from a provider (I have sent the .csr to the provider).
I am about to send a client certificate by using the HttpWebRequest and HttpWebResponse classes in Microsoft Visual C# .NET.
For that I have registered the pem-file at the Windows 2003 server by using the mmc tool in Windows:
1) Click Start, click Run, type mmc, and then click OK.
2) On the File menu, click Add/Remove Snap-in.
3) In the Add/Remove Snap-in dialog box, click Add.
4) In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
5) In the Certificates Snap-in dialog box, click Computer account, and then click Next.
6) In the Select Computer dialog box, click Finish.
7) In the Add Standalone Snap-in dialog box, click Close, and then click OK.
8) Expand Certificates (Local Computer), expand Personal, and then click Certificates.
I have then imported the pem-file (also with mmc).
The question is:
How do I give permission to the certificate?
I have tried this (WinHttpCertCfg.exe tool):
winhttpcertcfg -l -c LOCAL_MACHINE\Root -s NON-Production.pem
And what about the .key-file?
Download XCA. It is an application built on top of OpenSSL that will help you make a p12 file from your .key-file and .pem-file. It is simple. Import the .key-file on the Private Keys tab. Import the .pem-file on the Certificates tab. Then on the Certificates tab export the certificate as PKCS#12 (combo box Export Format). Set a password if you wish or leave it blank. Then you can import this .p12 file using mmc as you wrote.
Now you can use winhttpcertcfg to set permissions on the private key. This documentation will help you. (Parameter -s means subject. In mmc open the imported certificate and look for CN=something in the subject field. Then pass this something with the -s parameter.)
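As an added example (not part of the answer above), the same route scripted in PowerShell instead of XCA and mmc: pair the .pem with the .key, export a PKCS#12 file, and import it into Local Computer\Personal. It assumes PowerShell 7 (CreateFromPemFile needs .NET 5 or later), an unencrypted key file, the PKI module's Import-PfxCertificate, and placeholder file paths.

```powershell
# Added example, not the original poster's or the answerer's code.
# Placeholder paths: the provider-issued certificate and the matching private key (unencrypted PEM).
$CertPem = 'C:\certs\NON-Production.pem'
$KeyPem  = 'C:\certs\NON-Production.key'
$P12Out  = 'C:\certs\NON-Production.p12'

# Ask for the export password once, as a SecureString; Import-PfxCertificate wants the same object.
$password = Read-Host -AsSecureString 'PKCS#12 export password'
$plain = [System.Net.NetworkCredential]::new('', $password).Password

# Pair the certificate with its key in memory. This throws if the key does not match
# the certificate's public key, which catches a mixed-up .key file before anything is stored.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertPem, $KeyPem)
# The CN inside this subject is the value winhttpcertcfg -s expects later.
Write-Host "Subject: $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# Export certificate plus private key as a password-protected PKCS#12 (.p12/.pfx) file.
$pkcs12 = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
[System.IO.File]::WriteAllBytes($P12Out, $cert.Export($pkcs12, $plain))

# Import into Local Computer\Personal, the store the mmc steps in the question use.
# Keys are non-exportable by default; add -Exportable only if you really need that.
$imported = Import-PfxCertificate -FilePath $P12Out -CertStoreLocation 'Cert:\LocalMachine\My' -Password $password
Write-Host "Imported $($imported.Thumbprint), has private key: $($imported.HasPrivateKey)"

# The key now lives in the machine store, so remove the file copy rather than leaving it on disk.
Remove-Item $P12Out
```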

Online Certification Authority, cannot Select.

I am trying to create a domain server and when I reach the step to specify the online certification authority, the Select button is grayed out. I wish to select the same computer, as it is the certification authority. Any help is appreciated.
My AD CS was running fine but my IIS server just wouldn't let me select it. To double-check that my Certificate Authority server was up I ran certutil.exe from CMD and I could see my CA server up and running.
I fixed it in the most canon Windows troubleshooting way: IIS restart.
Refer to this page:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/e3e43894-30d5-4064-93d1-96d46ef3de14/
The answer from that thread:
Note that you can enroll certificates from IIS only from the default V1 WebServer template. This template must be added to your issuing CA server.
I had the same problem and the answer "V1 WebServer template. This template must be added to your issuing CA server." did not resolve it.
But, after I ran the following in a command prompt:
certreq -submit -attrib "CertificateTemplate:WebServer" request.req
my request was processed and I was issued my certificate.
In addition, the Select button then worked fine.
Another way to resolve this problem, from here: https://www.experts-exchange.com/questions/27758425/Windows-2008R2-IIS-7-Domain-Certficate-problem-select-button-is-greyed-out.html
You could try enrolling the certificate through the certificates MMC snap-in instead and see if you have better luck:
Start -> Run -> type 'mmc' -> Press enter (MMC console should open)
File -> Add/Remove Snap-in -> Select 'Certificates' -> Add -> Computer Account -> Local Computer -> Click OK out of the Add/Remove Snap-ins window.
Expand certificates -> Expand Personal -> Right click in an empty space in the main pane -> All tasks -> Request new certificate.
You should be able to run through that wizard and enroll based on your CA enrollment policies. Any certs that you enroll here and are applicable for securing websites will appear in IIS.
A couple more checks for those facing this issue:
Use a domain user and not a local user
Check if your CA is an enterprise CA

Windows authentication failing in IIS 7.5

I'm building a simple internal application for my company, and it requires Windows Authentication for security. All other authentication modes are disabled. I'm stuck in a situation where Internet Explorer prompts for credentials 3 times, then fails with this error:
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
I then created a bare-bones website to test this out. I created a new site in IIS, put it on its own port (:8111, chosen at random), put one static "default.htm" file in there, disabled anonymous authentication, then enabled windows authentication. Everything else was left at default settings. The port number was assigned because we have multiple sites on this machine all sharing the same IP.
Here are a few scenarios:
Browsing from the web server itself, to http://localhost:8111/ works fine
Browsing from another computer, to http://ServerIPaddress:8111/ works fine
Browsing from another computer, to http://ServerName:8111/ FAILS (asks for credentials 3 times, then gives 401 error)
I've been searching online and trying to find a solution with no luck thus far. Either I haven't found it, or I don't understand well enough what I'm reading. Any help would be greatly appreciated.
Just worked out the solution with the help of a coworker after 2 days of fighting with this issue. Here is what he wrote:
There are 2 providers for Windows Authentication (Negotiate and NTLM). When setting the Website Authentication to Windows Authentication, while Windows Authentication is highlighted, click on the Providers link on the right pane of IIS Manager and move NTLM to the top. By default Negotiate is on top, which is why you are getting an authentication prompt.
Error 401.1 when you browse a Web site that uses Integrated Authentication.
Solution
Disable the loopback check
* In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
* Right-click Lsa, point to New, and then click DWORD Value.
* Type DisableLoopbackCheck, and then press ENTER.
* Right-click DisableLoopbackCheck, and then click Modify.
* In the Value data box, type 1, and then click OK.
http://support.microsoft.com/kb/896861
If it still does not work after moving NTLM to the top of the list of providers, try to remove Negotiate completely so there is only NTLM left.
That fixed it for me; moving NTLM to the top did not help on Windows Server 2012 and IIS 8.5. I found the solution in the following Stack Overflow issue: IIS 7.5 Windows Authentication Not Working in Chrome
I personally recommend NOT disabling the loopback check globally on your server (i.e. do NOT set DisableLoopbackCheck to a value of 1 in your registry). This is a security vulnerability. Please only disable it for known hosts.
Here's a PowerShell function to get you pointed in the right direction.
function Add-LoopbackFix
{
    param(
        [parameter(Mandatory=$true, position=0)] [string] $siteHostName
    )

    $ErrorActionPreference = "Stop"
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"

    Write-Host "Adding loopback fix for $siteHostName" -NoNewLine
    # BackConnectionHostNames is a REG_MULTI_SZ, so it comes back as a string array (or $null if absent)
    $str = Get-ItemProperty -Name "BackConnectionHostNames" -Path $keyPath -ErrorAction SilentlyContinue
    if ($str) {
        # exact, case-insensitive match on one entry; a wildcard -like would also accept "Server" for "ServerName"
        if ($str.BackConnectionHostNames -contains $siteHostName)
        {
            Write-Host "`tAlready in place" -f Cyan
        } else {
            # append a new array element; appending "`n$siteHostName" as text would store a bogus entry with a newline in it
            $names = @($str.BackConnectionHostNames) + $siteHostName
            Set-ItemProperty $keyPath -Name "BackConnectionHostNames" -Value $names
            Write-Host "`tDone" -f Green
        }
    } else {
        New-ItemProperty $keyPath -Name "BackConnectionHostNames" -Value @($siteHostName) -PropertyType "MultiString"
        Write-Host "`tDone" -f Green
    }
    Write-Host "`tnote: we are not disabling the loopback check altogether, we are simply adding $siteHostName to an allowed list." -f DarkGray
}
> Add-LoopbackFix "ServerName"
Source
It's been a while since this question was asked, but I know numerous people run into it a lot. A more proper fix for this is described here: Kernel-mode authentication. We implemented this several months back, and it works fine.
Another good explanation here: MORE 2008 AND KERBEROS: AUTHENTICATION DENIED, APP POOL ACCOUNT BEING INGNORED
To apply to a single site:
cd %windir%\system32\inetsrv
set SiteName=TheSiteName
appcmd.exe set config "%SiteName%" -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:"True" /useAppPoolCredentials:"True" /commit:apphost
Or to apply to all sites:
%windir%\system32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useAppPoolCredentials:"True" /commit:apphost
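An added read-only audit script (not from any answer in this thread) that reports, for one site, which of the fixes discussed above is in place: the provider order and kernel-mode settings this thread changes, the DisableLoopbackCheck value the earlier answer warns against, the BackConnectionHostNames allow list, and the DisableStrictNameChecking value from the first question on this page. It assumes the WebAdministration module (IIS 7.5 or later) and an elevated PowerShell session; 'Default Web Site' is a placeholder site name.

```powershell
# Added example, not code from any of the answers above. Reads settings only; changes nothing.
function Get-WindowsAuthDiagnostics {
    param([Parameter(Mandatory=$true)] [string] $SiteName)

    Import-Module WebAdministration -ErrorAction Stop

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $lan = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Registry side: global loopback bypass (the risky setting), per-host allow list (the preferred one),
    # and the SMB strict name check from the first answer on this page. Missing values come back as $null.
    $loopback = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $allowed  = @((Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
    $strict   = (Get-ItemProperty -Path $lan -Name DisableStrictNameChecking -ErrorAction SilentlyContinue).DisableStrictNameChecking

    # IIS side: the windowsAuthentication section as it applies to this site (apphost plus any site-level override)
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $scope  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName }
    $auth   = Get-WebConfiguration -Filter $filter @scope
    # Provider order matters: the first entry is what the browser is offered first
    $providers = @(Get-WebConfiguration -Filter "$filter/providers/add" @scope | ForEach-Object { $_.value })

    [pscustomobject]@{
        Site                          = $SiteName
        WindowsAuthEnabled            = [bool]$auth.enabled
        ProviderOrder                 = $providers -join ', '
        UseKernelMode                 = [bool]$auth.useKernelMode
        UseAppPoolCredentials         = [bool]$auth.useAppPoolCredentials
        LoopbackCheckDisabledGlobally = ($loopback -eq 1)
        BackConnectionHostNames       = ($allowed | Where-Object { $_ }) -join ', '
        StrictNameCheckingDisabled    = ($strict -eq 1)
    }
}

$report = Get-WindowsAuthDiagnostics -SiteName 'Default Web Site'   # placeholder site name
$report | Format-List

# Flag the configuration the answer above recommends against: a global bypass instead of a host allow list
if ($report.LoopbackCheckDisabledGlobally) {
    Write-Warning 'DisableLoopbackCheck=1: the loopback check is off for every host name; prefer BackConnectionHostNames.'
}
if (-not $report.UseKernelMode -and $report.ProviderOrder -like 'Negotiate*') {
    Write-Host 'Negotiate is first and kernel-mode auth is off: Kerberos needs a matching SPN on the app pool account.' -ForegroundColor Yellow
}
```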

BizTalk Setting up a receive location and port using the HL7 Adaptor

Just installed BizTalk 2010 and the HL7 adaptor, trying to set up a proof of concept application through the admin console:
1) Created a new 'Demo Application'
2) Created a request/response receive port
3) Created a request/response receive location associated to the receive port
3.a) Set the Type to MLLP
3.b) The only options I see for the Receive pipeline are:
PassThruReceive
XMLReceive
3.c) The only options I see for the Send pipeline are:
PassThruTransmit
XmlTransmit
How do I get the BTAHL7X and BTAHL7XML receive/send pipeline components to appear as an option?
I've tried adding a reference to BTAHL2XMLPipeline.dll and BTAHL72XPipeline.dll but I get an error:
Failed to add resources to application.
For help, click:
http://go.microsoft.com/fwlink/?LinkId=47400&ProdName=Microsoft+BizTalk+Server+2010&ProdVer=3.9.469.0&EvtSrc=Microsoft.BizTalk.Administration.SnapIn.Properties.Errors&EvtID=AddFilesForm_AddFailed&EvtChain=Microsoft.BizTalk.ApplicationDeployment+%2cApplyMultipleResourcesAddError%3bMicrosoft.BizTalk.ApplicationDeployment+%2cSatEntryExists
------------------------------ ADDITIONAL INFORMATION:
Failed to add resource(s). (mscorlib)
For help, click:
http://go.microsoft.com/fwlink/?LinkId=47400&ProdName=Microsoft+BizTalk+Server+2010&ProdVer=3.9.469.0&EvtSrc=Microsoft.BizTalk.ApplicationDeployment&EvtID=ApplyMultipleResourcesAddError&EvtChain=Microsoft.BizTalk.ApplicationDeployment+%2cSatEntryExists
Resource (-Type="System.BizTalk:BizTalkAssembly"
-Luid="BTAHL72XPipelines, Version=1.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35") already in store. 1) Use BTSTask's
overwrite flag or 2) Set redeploy flag to true in BizTalk Project or
3) Click overwrite all checkbox in Admin MMC to update if the
resource exists in the specified target application
"DemoApplication1". Overwrite flag will be ignored if the resource is
associated with another application.
(Microsoft.BizTalk.ApplicationDeployment.Engine)
For help, click:
http://go.microsoft.com/fwlink/?LinkId=47400&ProdName=Microsoft+BizTalk+Server+2010&ProdVer=3.9.469.0&EvtSrc=Microsoft.BizTalk.ApplicationDeployment&EvtID=SatEntryExists
In your new application, do you have a reference to the default application?
From the BizTalk Administration Console, Right-Click on the application and choose Properties.... In the Properties screen, choose References. You will want to add a reference to the default application here.
If you do have a reference to the default application, has the adapter been registered?
From the BizTalk Administration Console, expand Platform Settings and then right-click on Adapters. Select the New > Adapter... option and then look for MLLP in the dropdown. Select MLLP and give it a name of MLLP and then select OK. At this point, you should have the MLLP adapter available for use.

mvc3 routing with 2 different domains

I've developed a multi-culture app in mvc3. I have a table that holds a domain list (currently 2 records):
www.mydomain.com -> en-US
www.mydomain.pl -> pl-PL
My app dynamically checks which domain you're coming from and then sets the CurrentCultureUI depending on the domain. This works fine on my localhost as I've also added these domains to my hosts file, however I'm not sure how I would handle this on the live environment? (Yes, I did purchase both domains already.) Any ideas?
EDIT:
I've purchased a '.com' domain AND hosting from GoDaddy AND another '.pl' domain from a different registrar (home.pl). I've uploaded my site to GoDaddy but the 'pl' version doesn't work. Now, when I go to my domain manager for the '.pl' domain I have an option to "use other host" and text boxes for "DNS" and "IP". Is this what I need to do? What would I need to get from GoDaddy to put into the 'home.pl' domain configuration?
I don't see any problem if it works locally with the hosts file.
In real life there is no difference, because the hosts file replaces DNS records.
Point your real domains to the same IP address.
To support future domains easily, point .com to the IP address and in the other domains add a CNAME to the .com domain. In this case, if your IP address changes you only need to change the DNS records in the .com domain.
First, you need to get the public IP address of your hosted GoDaddy server. Next, you need to select 'Use other host' and enter that public IP address as the IP address for your 'pl' domain name.
After you have done this, you must go into your hosted GoDaddy server, and run IIS Manager. How you proceed will depend on whether the hosted server is running IIS 6, or IIS 7+.
For IIS6, you would select your site, right-click and choose 'Properties', make sure the 'Web Site' tab is selected, then you would click the 'Advanced' button next to the 'IP address' box. In the 'Advanced Web Site Identification' window, in the 'Multiple identities for this Web site' section, you would click 'Add', enter 80 for the TCP port, and enter your .pl domain name in the 'Host header value' box. Click 'OK' to close each window, until you are back at the main IIS Manager window.
For IIS7+, you can follow the directions at http://technet.microsoft.com/en-us/library/cc731692(WS.10).aspx
Once you have added the binding for your 'pl' domain name on the hosted server, and after the DNS change to point your 'pl' domain name to the hosted server propagates, everything should work as it did on your development server.
counsellorben
You need to point the .pl name to your site at .com.
You do this with a CNAME record at www.mydomain.pl pointing to www.mydomain.com.
Don't forget the period at the end. It's important in CNAME-records.
OK, finally got it working. This is my solution (counsellorben pointed me in the right direction to get this solved).
Solution:
1) Log on to your GoDaddy account -> My products -> Domain manager -> DNS manager ->
you will get a list of your domains.
On top you will notice 3 buttons: "Renew", "Upgrade", "Offsite". Click "Offsite" -> Add new Off-site -> for domain name enter your domain name purchased at the third party domain service (in my case it was: "myawesomedomain.pl"). DO NOT check off "This domain will be transferred" if you do not want it transferred (currently GoDaddy doesn't support European domains).
In the popup box you will also notice two nameservers listed. Write these down for later step.
Nameservers:
mns01.domaincontrol.com
mns02.domaincontrol.com
Once you've created an off-site domain click on "Edit zone" link below it. Once there enter the following info:
A (Host): Host: # | Points to: IP address of your .COM domain/hosted by godaddy (myawesomedomain.com)
CNAME (Alias): Host: www | Points to: #
2) While still on GoDaddy's website go to "My products" -> Hosting -> click on your '.COM' hosting service -> Launch -> You should be in "Hosting dashboard":
Click on "settings" -> Domain Management -> click "Add Domain" and enter your european domain name (in my case it was "myawesomedomain.pl"). So now in domain manager I would see two domains listed:
myawesomedomain.com
myawesomedomain.pl (newly added domain)
3) Now log in to your third party domain service and point your domain (in my case 'myawesomedomain.pl') to GoDaddy's default hosting nameservers. In my case I had to log in to home.pl -> configure domain -> "Use external DNS server". Enter the following for DNS1 and DNS2:
a. mns01.domaincontrol.com
b. mns02.domaincontrol.com
The change should propagate within 24 hours.
Thanks
