How can I restrict access to a service running on a particular port on a Windows Server?

I currently allow access to a service on a Windows Server as follows:
http://<server_ip>:<port_number>
When the user enters this in the browser it takes them to a UI on the Windows Server.
Note: the user machines are on a DHCP server, so IP addresses can change.
How can I restrict access to only certain users?
Is there a way I can force them to enter a name or secret as a query-string parameter and resolve it on the server side?
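As an added example (not part of the original question or any of its answers), the following Python shows one way to do the server-side check the question proposes: each allowed user gets a per-user token, the server compares it in constant time, and the source address is also checked against the client subnet rather than against individual hosts, since the DHCP leases change. The header names `X-Access-User` / `X-Access-Token`, the query parameters `user` and `token`, the sample tokens and the `192.0.2.0/24` range are all constructed for the example. Headers are accepted as well as query parameters because a secret in the query string ends up in browser history, proxy logs and the server's own access log.

```python
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the original post). In practice generate
# each token once with secrets.token_urlsafe(32) and hand it out out of band.
USER_TOKENS = {
    "alice": "constructed-token-alice-0123456789",
    "bob": "constructed-token-bob-9876543210",
}

# Clients hold DHCP leases, so allow the whole client subnet rather than
# single addresses; the per-user token does the actual identification.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed range

# Hypothetical header names; a header keeps the secret out of URL logs.
USER_HEADER = "X-Access-User"
TOKEN_HEADER = "X-Access-Token"


def _token_matches(user, presented):
    """Constant-time comparison; unknown users cost the same as wrong tokens."""
    expected = USER_TOKENS.get(user, "")
    same = hmac.compare_digest(expected.encode(), presented.encode())
    return same and expected != ""


def authorize(url, remote_ip, headers=None):
    """Return (allowed, reason) for one request.

    Credentials come from the headers when present, otherwise from the
    'user' and 'token' query parameters as the question proposes.
    """
    headers = headers or {}
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "unparseable source address"
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "source address outside allowed networks"

    query = parse_qs(urlsplit(url).query)
    user = headers.get(USER_HEADER) or query.get("user", [""])[0]
    token = headers.get(TOKEN_HEADER) or query.get("token", [""])[0]
    if not user or not token:
        return False, "missing user or token"
    if not _token_matches(user, token):
        return False, "invalid credentials"
    return True, "authenticated as " + user


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that refuses the UI unless authorize() passes."""

    def do_GET(self):
        # self.path carries the query string; self.headers is case-insensitive.
        allowed, reason = authorize(self.path, self.client_address[0], self.headers)
        if not allowed:
            # Record the reason server-side only; the client gets a bare 403.
            self.log_message("denied %s from %s: %s",
                             self.path, self.client_address[0], reason)
            self.send_error(403)
            return
        body = b"<html><body><h1>Service UI</h1></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on the service port; pair this with a host firewall rule that
    # only admits the client subnet, so unauthenticated hosts never reach it.
    HTTPServer(("0.0.0.0", 8080), GuardedHandler).serve_forever()
```

A request such as `http://<server_ip>:8080/ui?user=alice&token=...` from inside the allowed subnet is served; anything else gets a 403 and a log line naming the reason, which is the signal to watch for repeated guessing.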

Related

Error loading my web app after deploying .NET Core console app to Azure

My app is running locally without any issue, but when I try to run it from the Azure console I get the following error:
An error occurred while starting the application.
SqlException: Cannot open server 'Server-name' requested by the login. Client with IP address 'w.x.y.z' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.
Microsoft.Data.ProviderBase.DbConnectionPool.CheckPoolBlockingPeriod(Exception e)
SqlException: Cannot open server 'server-name' requested by the login. Client with IP address 'ip' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule
I have added the IP in the firewall settings on the Azure portal, but the issue is still happening.
This error was caused because your IP was not added in the SQL Server tab (Azure portal). So you must add the IP address of your SQL Server on the Azure portal.
You have to update the settings of the "Firewalls and virtual networks" of your SQL Server.
Browse to your SQL Server, add the IP address and allow other Azure services and resources to access the server. Refresh and wait at least 5 minutes before trying again.
I also had my Ubuntu server firewall blocking my request once, so be sure your web server is not responsible.
Have you tried enabling this setting?

Where do I find my ftp login details in this scenario?

Normally when I want to connect through FTP, everything is provided by my hosting service, such as the FTP name, username and password. But now I don't have all these details about a local server in my company office, because the server is actually not hosting any sites. It's just a server where documents are stored.
But I need a way to connect to this server through my web application.
All I know are:
It is possible to connect through remote desktop to that server
There is an ip address for that server ( The server machine is in my company office)
I have a username and password that allows me to access a network drive on that server (I can do this only by directly plugging the Cat5 cable into my laptop)
When I configure my Outlook email using Microsoft Exchange Server, this is what my settings look like (example.net.au is just for example's sake):
Server: server1.example.net.au
User name: jack#example.net.au
Do the FTP details exist for this server? How do I find out?

Connecting to internal SQL Server 2008 R2 from DMZ web server using IIS7 using a trusted connection?

I'm trying to connect and getting an error like:
Login failed. The login cannot be used with Windows Authentication
I'm using mirrored local accounts on SQL Server and web server because I'm simply trying to use a trusted connection between machines not on the same domain. It seems like something that would be fairly common, but after days of trying to find an answer that applied to my situation, I do not recognize that any of the answers were applicable... that or the fact that I'm only a .NET developer and not a sysadmin or DBA means I have it and just don't know it.
Here's what I can say:
CMS web server: ASP.NET 4.0 web app running on Windows Server 2008, IIS7, on corporate DMZ
CMS database server: SQL Server 2008 R2 on a domain server
For various reasons that I won't go in to, encrypting the credentials is not sufficient.
The database port that the application needs to connect on is not the standard port and is set up to listen on a different port.
Setting up DB mirroring isn't an option and doesn't really address the requirements (in my way of thinking)
Also, FYI if this is helpful to know:
Content entry happens on internal web server which publishes content to same DB that is accessed by the DMZ web server.
Content server is set up to have the website run the app pool in integrated mode with a windows domain user that has been set as a service account using the -ga switch and given all the appropriate rights and everything runs perfect.
External web server, without domain access, using mirrored accounts (same username and password set up on the SQL Server machine and web machine).
Local account on the web server set as a service account using -ga switch and running as the app pool identity for my app.
On the SQL Server box, created local user with identical creds and given same permissions that the domain user identity has
Connecting to SQL Server via MGMT studio installed on web server with the SQL Server user creds works fine.
Now, if I put the username into the connection string, everything is perfect. As soon as I put Trusted_Connection=yes in the connection string, like I did with the domain server connection strings, I get the trust error.
So if my connection string is like this, it works fine:
Server=myServerAddress;Database=myDataBase;Username=MyUser; Password=MyPassword;
If I change my connection string to either of these, it fails:
Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;
or
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
I'm working with one of the client's network admins and he's not necessarily a DBA and doesn't have experience with configuring web apps. So it's possible that we're missing something and any advice or ideas would help. What am I missing?
If using SQL credentials is not an option, then you should use Active Directory and create a one-way trust (have the DMZ server's domain trust your internal domain), create a service account in your internal domain which your DMZ application can use, and grant that account access to the database. Then it will be able to generate an SSPI context.

I can access the website with the server name, but with the IP address the system prompts me for a username and password.

I have set up a test environment on a server and there are a few websites running on IIS.
Website security settings are set to 'Integrated Windows Authentication' and anonymous access is unchecked.
When I access the website with the server name it works fine, but if I use an IP address instead the system prompts a username/password window.
Why is the system prompting the username/password window?
How can I access a site with both the IP address and the server name?
Assuming that you are using Internet Explorer, when there is a period in the URL it thinks that it's an external address and will not pass on the credentials. So an IP address such as '10.1.1.1' will be treated as an external address, whereas an address like 'myhost' it thinks is an internal address and passes on the credentials.
Have a look at these KB articles:
http://support.microsoft.com/kb/258063
http://msdn.microsoft.com/en-us/library/bb250483(VS.85).aspx

Does access to server resources require client process to login to server machine?

Reposting my unanswered TechNet question:
MSDN "ASP.NET Delegation" article tells:
1) "When you configure to use a particular account as the process identity, ASP.NET attempts to delegate that account. If it is a local account that is identical (including password) to a local account on a remote machine, delegation is possible. If such an account does not exist on the remote machine, to the network it appears as the Windows anonymous account (NT AUTHORITY\ANONYMOUS LOGON). In addition, delegation is also possible if the account is a domain account that has access to the remote machine, in which case it uses the domain network identity of that account."
The same frequently repeated story as in the case of manually/interactively accessing a remote computer (server resource) in a workgroup: it is necessary to create a local account with the same username and the same password. But why?
If a workgroup Windows client process cannot access resources on a server machine without a duplicate of such a (local) account already pre-created on the target machine,
does it mean that the client (process, machine, or user) can access server resources only by/after having logged on (opening a logon session) to the server machine?
Or, how should I understand that such access is impossible without having a corresponding duplicate local account on the server machine?
The same MSDN "ASP.NET Delegation" article tells:
"NetworkService account. It behaves the same as the System account. This account possesses the network credentials associated with the machine account (domainname\machinename) in the domain of which it is a member"
Doesn't every Windows installation have accounts (NT AUTHORITY\NETWORK SERVICE)
as well as many other common pre-built accounts?
Why are they installed (before any joining to a domain) but cannot be used for remote network access and client identification?
And what identity is used when a process from workgroup Windows under the identity (NT AUTHORITY\NETWORK SERVICE) accesses a remote server?
My related questions:
domained LocalSystem vs. non-domained LocalSystem account in Windows-es ?
how to check group membership of an “NT AUTHORITY\” account ?
Is client LocalSystem (SYSTEM) identified by target/server machine? and in which context?
Window workgroup LocalSystem vs. domain (AD) LocalSystem [closed]
how to better set up machine for development both in workgroup and Windows domain? [closed]
interoperating with Windows domain computer from workgroup Windows [closed]
the context of local user of AD-joined machine? Is it of domain machine account or of local machine account?
RunAs under domain account from non-AD Windows [closed]
how to share the same domain machine account with multi-boot workgroup Windows setup?
Q1: The same frequently repeated story as in the case of manually/interactively accessing a remote computer (server resource) in a workgroup: it is necessary to create a local account with the same username and the same password. But why?
A1: Yes. See A3 below.
Q2: If a workgroup Windows client process cannot access resources on a server machine without a duplicate of such a (local) account already pre-created on the target machine, does it mean that the client (process, machine, or user) can access server resources only by/after having logged on (opening a logon session) to the server machine?
A2: Yes - all access by processes on System1 to resources on System2 must be authenticated - except in the rare cases when someone has configured one or more resources (and system policies) on System2 to allow anonymous (i.e. unauthenticated) access. Further, System2 can only authenticate network requests that present credentials that System2 can verify - either from the local user accounts and passwords on System2, or by contacting a trusted domain controller (if System2 is joined to a domain). System2 doesn't know anything about user accounts or "user contexts" (those special 'accounts' like LocalSystem, Interactive, LocalService which are only ever represented by special hard-coded SIDs) that are only relevant on System1 - which includes any local user account defined on System1, and any of those special SIDs.
Q3: Or, how should I understand that such access is impossible without having a corresponding duplicate local account on the server machine?
A3: The only exception (and it's not an exception, it's a designed-in use case) is when System1 authenticates using a username + password that are the same on System2. What you'll see in the network traffic is that System1's process (currently running e.g. as System1\UserX) will make a request over the network for a resource on System2 (e.g. file share, database object, web page). In that request from System1, is included "the credentials that System1 is trying to use to authenticate" (this is an abstract generalization to get away from describing things specific to any one authentication protocol - just bear with it). Under other circumstances, the account UserX doesn't exist on System2, or it has a different password, so that the authentication attempt fails on System2, and System1's request fails. That is, System2 assumes that UserX must be System2\UserX, and either the account doesn't exist or the password doesn't match.
Under the circumstance where there are matching local accounts, System2 "thinks" that System1 is logging on not with account "System1\UserX" but with "System2\UserX", and since the password matches, the authentication attempt succeeds.
Q4: Doesn't every Windows installation have accounts (NT AUTHORITY\NETWORK SERVICE)
as well as many other common pre-built accounts?
Why are they installed (before any joining to a domain) but cannot be used for remote network access and client identification?
A4: Remember, NETWORK SERVICE isn't a defined account (you won't find it listed in Local Users and Groups applet) but simply a SID - and if any process includes that SID in its token (depending on the circumstances of how the process with that token is created), then any resource that allows "Network Service" (which really means "any resource that allows the Network Service SID") to access the resource will allow it to pass. Otherwise, Network Service is just a user-friendly abstraction, and unfortunately user friendly usually makes things harder to get to the bottom of how it really works.
You might be able to assign permissions or Privileges to the Network Service SID before the system is joined to the domain, but requests to remote systems will respond very differently for a service running as Network Service depending on if the machine is joined to a domain or not. If joined to a domain, the remote request will usually (on modern Windows versions) attempt the remote authentication using the Domain Computer account for the local system. If not joined to a domain, there will be no credentials sent with the remote request, and the remote system will have to treat it as an anonymous (i.e. unauthenticated) request.
Q5: And what identity is used when a process from workgroup Windows under the identity (NT AUTHORITY\NETWORK SERVICE) accesses a remote server?
A5: As implied in A4, there is no identity that the remote server sees in this scenario.