Can't use HTTP only within enclave - http

I have on-prem TFS within a small domain that we RDP into. Development machines are in this domain/enclave as well. Prior to the most recent TFS upgrade, we were able to connect Visual Studio to TFS and browse the TFS web UI using HTTP only within the enclave. We could also use HTTPS from outside the enclave (no http) to access the web UI. With the latest upgrade, I have mirrored the IIS authentication, SSL and binding configurations but now pointing a browser or Visual Studio at the HTTP only address always redirects to the HTTPS address and forces the SSL login. This is a problem for us because we use a large enterprise PKI infrastructure (access cards, non-local services, etc) that is very flaky: constantly dropping the Visual Studio connection to TFS and asking for PIN re-entry every 2 - 3 minutes. How can I stop the http address from re-directing to https all the time in our enclave? Is TFS doing this now? or IIS?

Since TFS2017 server changed the Authentication from NTLM to KERBEROS by default. You could use the following command to use NTLM back:
TFSConfig Authentication /provider:NTLM
And please try to create a new DNS, then check the result again.
If you want to remove Https, you should change the "Public URL" to http in TFS administration console, removed the HTTPS bindings from IIS.
If above is not work, try to uninstall and re-install the Application Tire and choose the http only option.
For more details take a look at this similar question: TFS 2018 - remove HTTPS

Got it. Found this article describing the redirect behavior from the URL. Long story short-> In IIS, select the TFS under Sites, then Application Settings, setting name sslOnly was set to true. Changed to false. Now I can access the TFS portal from inside the enclave using http OR https and from outside using https only. This means that VS can also connect to TFS via http only.

Related

Use https for specific application under IIS 6 website

We have an intranet server that hosts many web applications / web services in various virtual directories all located under the default web site in IIS6. These all just use http connections on port 80 e.g. "http://ourintranetsite/applicationname" or "http://ourintranetsite/servicename" etc.
We have a new web service that we have deployed to a virtual directory under the default web site and it works fine using an http connection. One issue has arisen now that we are starting to use SharePoint Online. We want to be able to call this web service from some client site script on a SP Online page, but it is causing an issue because the SP Online page is using https, so it doesn't like calling a web service over http (IE just puts a warning message in the browser console, but Chrome refuses to make the call at all).
Is it possible to configure just the virtual directory hosting this web service to require an SSL connection rather than setting it at the web site level? We really don't want everything under the default web site to start requiring https, just this particular service. Obviously I could just tick the "Require secure channel (SSL)" option in the properties of the virtual directory, but from what I understand (I've not had to use SSL before), the default port for that will be 443 while the website is using port 80. Ideally we'd just like to be able to get to the service with something like "https://ourintranetsite/secureservice/..." while not impacting any of the existing http applications and services.
No it's not possible to assign a certificate to virtual directory, however when you add a cert to the website all it does makes the site brow sable over https but that doesn't mean that it has to be browsed only over https.
What I meant is you can have site to be brow sable over http and https. Add the necessary cert to the site and make sure you do not check "Require secure channel (SSL)" and it should be good to go.

How necessary is DNS Server to run an ASP.NET web app on IIS?

Assuming a Windows Server 2012 VPS:
It seems that many tutorials include the setting up of DNS Server (setup of forward lookup zones, and A record) as part of the basic steps to deploy and run an ASP.NET web application on IIS.
I'm slightly confused, because within IIS manager you can set the bindings ( IP address, URL, SSL, port) of a web application. Wouldn't this alone not suffice to correctly route incoming requests to the correct web application?
What would be the advantage to running DNS Server?
IIS Manager can only manage IIS related Windows settings, but to make a site work you need much more settings than that.
DNS settings are critical to direct web browsers to your side. Nobody uses IP addresses to access a site, so a typical URL uses domain name. That requires DNS to translate the domain name to an IP address so that browsers can send HTTP packets to the proper location.
IIS Manager could not manage that for you, as which DNS product to use or how to configure it is usually vendor specific and out of IIS's scope.

MSMQ virtual directory not created under Default Web Site

On the application server (windows 2008 r2) we have our site (XYZ) hosted in IIS. Our site XYZ uses port 80 and 443. We had removed Default Web Site from IIS since we didnt need it. Now we want to use MSMQ with Internet Messaging.
I Googled and found that MSMQ setup is designed in such a way that "MSMQ" virtual directory will always be created under default web site. So I added Default Web Site manually and set hostname for it (without hostname it wouldn't start as XYZ also uses port 80) and did IIS reset. Then enabled MSMQ HTTP feature, however, "MSMQ" virtual directory still gets created under our site XYZ.
Note: XYZ was created before enabling MSMQ HTTP support. I am not sure if the sequence matters!
May have to change the website ID.
This Blog post should help.
Looks like setting host-name for default web site did a mess. I removed host-name and set site (default) to work on port 8080. Then referred it like http://server:8080/MSMQ and internet explorer returned HTTP 501 error which is what I wanted. Tried posting actual message too and yes it worked.

Windows Azure VM SSL and Cloudapp.net

I installed an ASP.net application on a windows Azure VM (IIS 7). SSL certificate is installed, configured and the application works correctly. I have removed Http binding and http endpoints.
The issue I am having is that if I use the cloudapp.net link (using https), the application still opens with a mismatched certificate.
What can I do to deny any user from opening my application using https://xx.cloudapp.net/x?
It seems really silly that people are saying this isn't the right place for this question, since some of the solutions could be code related. ie: In your application, check the host and if it's cloudapp.net, do a URL redirect.
There's a few different options here but it sounds like what you're looking for is just the ability to prevent someone from viewing the application using that URL.
What I would do is set up a site in IIS that uses Host Header resolution to look for xx.cloudapp.net. If that URL is recognized, do a redirect using the HTTP redirect settings to the https version of your app. Don't bind the SSL port to this site or you'll run into SSL errors like you showed above.
The other option is to leave it out entirely and simply use the Host Header resolution to filter out requests for your site. I suspect what you've done is assign all incoming requests to the only IP address on the system, which is why the xx.cloudapp.net is showing your app and the cert is failing.
This would cause xx.cloudapp.net to fail to show any site at all but I think that might be what you want to do anyway.

AX 2012 http inbound port activate error – deployment web site was not found for port

I am new to AX and a beginner to IIS (and first post on stackoverflow). I need some assistance with AX 2012 AIF Web Services and configuring an http AX Inbound Port.
My issue is in trying to activate an Inbound Port within AX using HTTP. I receive the following two errors:
The deployment web site was not found for port: TestOrdImport
The port ‘TestOrdImport’ could not be deployed.\nError: The deployment web site was not found for port: TestOrdImport
This is in a test environment using the Microsoft issued AX 2012 FP1 hyper-v image. Someone else installed the web services using the instructions found here: https://msdn.microsoft.com/EN-US/library/gg731848.aspx
Based on the person who did the install for the web services I created a new entry in the web sites screen using a virtual directory share path of “C:\Program Files\Microsoft Dynamics AX\60\AifWebServices\” and URL "http://AX2012-A:85/MicrosoftDynamicsAXAif60"
I am not sure if these are correct the but the web site validates without error. The web services appeared to be installed into site “AIF” rather than the “Default Web Site”
Does anyone see any issues with the IIS configuration of sites? Should the web services been installed into the default web site rather than AIF site?
When creating the Inbound port it needs to be http as I am setting this up per someone’s request but again I cannot get the inbound port to activate and could use some guidance.
https://i.imgur.com/cl8jGVJ.png
I was able to get someone with AX experience to resolve the issue using the HTTP inbound port adapter with AX and the AIF Web Services.
Some key points related to my issue and setting up the inbound port in AIF with the configured AX AIF web sites that might be helpful to others in a similar situation:
Notes on setting up the AIF web sites within AX:
To get the correct folder (virtual directory) for the actual IIS
server setup, you must use IIS to find the association (Virtual
server -> physical disk path).
The URL must be a valid reference to a real HTTP server that will be servicing this service (port 85 in my case; not port 8101). The AOS hosted WCF services is configured for port 8101.
Notes on setting up the HTTP Inbound Port within AX:
The site path in the URI for the Inbound port did not match any path
defined in the “Web sites” configured. The text string must exactly
match from the “http://...” beginning through to the inbound port
name (“TestOrdImport/xppservice.svc” portion), using port 85 in my
example and no “/Services/” in the path since that was for the basic
inbound ports and “Services” sub-folder is not configured for the IIS
virtual server. In fact, if you attempt to setup the web site
configuration with the “Services” sub-folder so that it matches
correctly there, the web sites form will give you an errors since
“Services” sub-folder does not exist and if you create it, it does
not have all the other support files that were installed (the “bin”
folder and such).
When deployed successfully and when I use the WSDL URI in the web
browser, I get back a page stating “You have created a service….” And
tell you some basics on how to use it (this shows it is installed
correctly). For HTTP services you always add “?wsdl” to the URI to
get the actual WSDL document so this URI/URL works correctly for
that: http://ax2012-a.contoso.com:85/MicrosoftDynamicsAXAif60/TestOrdImport/xppservice.svc?wsdl
It is not much but I hope this helps someone else. Much of the above was written by the person who helped solve my issue.
This may also be caused by a trailing slash character (/) in the website URL field.
Removing it may resolve this error message.
Source: https://community.dynamics.com/ax/b/axdilip/archive/2015/06/23/troubleshoot-dynamics-ax-2012-aif-error-the-deployment-web-site-was-not-found-for-the-port

Resources