IIS / Server misconfiguration ASP.Net Web API - asp.net

I have IIS 8.5 on a server and a simple http GET ASP.NET Web API service hosted there which returns JSON object. When I access this service from localhost or any other server in my network (using browser, Postman, code) the service works. But when I try to access the same url from one specific server (again using browser, Postman, code) I am getting http error code 403 and html response with text:
"Access Denied. You are attempting to access a forbidden site. Consult your system administrator for details.".
The service does not have any kind of authentication and it never returns error 403. Has anybody ever met such a strange behavior?

Related

why IIS prompts for credentials after backend returns http 401 code (unauthorized)

I have IIS 8.5.9600.16384 running on Windows Server 2012R2 and a website configured as application with separate application pool.
In IIS Authentication only "Anonymous Authentication" is enabled. To perform authentication, my site uses it's own login prompt and calls a .net core backend with basic schema, something like
POST /mycorebackend/login
with http header
Authorization: Portal base64encoded_username_and_password_here
Everything works just fine if authentication is successful and backend responds with HTTP OK.
But if backend returns 401 Unauthorized I've got pop-up from IIS asking me to provide credentials, like I'm trying to access a folder with some content, but I'm not.
I just need to get my 401 error and continue my js execution without any prompts.
Can anyone help or at least give a me hint where to search for?
I think this may be related to IIS-kestrel integration or so... For some reason IIS tries other schemes or so...
Thank you
I think you are looking for these settings. that should resolve it

Azure ASP.NET Core web api returns 404 for proxied multipart/form-data request

I'm new to Azure and trying to set up my nextjs client app and my ASP.NET Core backend app. Everything seems to play well now, except for file uploads. It's working on localhost, but in production the backend returns a 404 web page (attached image) before reaching the actual API endpoint. I've also successfully tested to make a multipart/form-data POST request in Postman from my computer.
The way I implemented this is that I'm proxying the upload from the browser through an api route (client's server side) to the backend. I have to go via the client server side to append a Bearer token from a httpOnly cookie.
I've enabled CORS in Startup.cs:
app.UseCors(builder => { builder.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod(); });
The frontend and backend apps are running in individual services and I've tried to enable CORS in the Azure portal as well, but there I could only allow origins, not headers and methods? The error message doesn't indicate CORS problems, but I just wanted make sure..
As far as I can see the requests look good, with correct URLs and origins. I suspect I'm missing some config in azure, but I didn't get any further by following the hints in the error message.
Any suggestions to what may cause this? Or where I can start looking. I'm not quite sure where to look for log output for this issue.
I finally got this working. I figured the host header in the proxy http request was unchanged. I only changed the URL for the proxy request, but I solved it by setting the host manually as well. This also explains why it was working at localhost, since both the client and backend was running at the same host.

403 error accessing HTTPS web service (restful)

Our security team recently change the service to become HTTPS (from http).
We can hit the main svc page, but accessing methods gives a 403 error now.
We tested it using Postman - do we need to configure the request differently now that it is HTTPS?
thanks.

Access MVC web application from other computer

I just published my mvc application on IIS server and its working correctly and i can access it through webbrowser. The problem is within same network i canlt access it from other host for which the server is visible. Error i receive when trying to access is saying:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
P.S How to check what port was assigned to my web application and eventually how to change it?

Can access asp.net pages and wcf services remotely, though not locally

We've deployed an asp.net site and WCF services in IIS, and can access the site and services remotely with no issues. We have site bindings set up in order that for remote calls we're using https, and we use the URL Rewrite IIS add-in to redirect requests to https if they are http requests. All requests are working remotely, however when we actually log onto the Windows 2008 Server, open up IIS 7.5 and try to browse the content locally on the server we get a credential challenge Title: "Windows Security" Message: "Connecting to {server name}" with ok/cancel buttons.
I'm logged into the server with the same credentials that I'm accessing the web site on from my local machine.
Any ideas?
The error message that come is as below:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'.
The authentication header received from the server was 'NTLM,Negotiate'.
As mentioned this error does not come when the service is accessed remotely. This only happens while calling the service from the server where it is hosted. Probably some setting in IIS?
As the Exception says, the authentication schemes do not match. Your client does not offer NTLM. Please check the internet explorer enhanced security configuration and see if it is active or see if it is restricted otherwise to use NTLM.

Resources