I've just installed Redmine on Windows 2008 R2 through the setup realized by Bitnami.
All works fine. Also SSL is working excellent.
Since today Redmine is in my DMZ, and I reach it directly, from internal network.
I arrive on login page and go.
Now I've published it on public IP with Microsoft TMG.
On TMG I use a listener that require authentication through radius.
TMG permits to pass credential to the web application by some different way, one is basic auth, one is NTLM....
I've found a redmine plugin that permit to use basic auth in redmine, so at login I don't see the redmine page but the classic http popup for credentials.
In this situation, like other published web application, TMG is configured to pass credentials on http basic auth but only redmine fails.
TMG pass credentials and these are refused by redmine, so TMG propose again credentials request.
Does anyone has a solution?
It could be a problem in the basic auth plugin, but it's the only one I've founded.
Thanks,
Mirko
Related
I have IIS 8.5.9600.16384 running on Windows Server 2012R2 and a website configured as application with separate application pool.
In IIS Authentication only "Anonymous Authentication" is enabled. To perform authentication, my site uses it's own login prompt and calls a .net core backend with basic schema, something like
POST /mycorebackend/login
with http header
Authorization: Portal base64encoded_username_and_password_here
Everything works just fine if authentication is successful and backend responds with HTTP OK.
But if backend returns 401 Unauthorized I've got pop-up from IIS asking me to provide credentials, like I'm trying to access a folder with some content, but I'm not.
I just need to get my 401 error and continue my js execution without any prompts.
Can anyone help or at least give a me hint where to search for?
I think this may be related to IIS-kestrel integration or so... For some reason IIS tries other schemes or so...
Thank you
I think you are looking for these settings. that should resolve it
I have a ASP.Net WebAPI service that is used by my AngularJS front end and I am making use of Owin and bearer token.
Now there is a need that we need to install an agent on the few of the client machines (developed in .Net core mostly) that is able to connect to our application and make similar calls. I can create a separate controller for this need, but want to host it in the same website.
How can I create a secure connection between this agent and the ASP.Net server hosted on Azure?
Currently I am looking at generating a Token during the agent installation based on the client MAC address and giving it with each call, but I am checking if there are any better way to address this need.
Any help in this direction is welcome.
Regards
Kiran
It seems that you’d like to enable only valid “agents” that installed on the client machines to communicate with your server, if that is the case, Azure AD provides Native Application to Web API authentication scenario (a native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD), you could refer to it.
We are building our public facing website on Wordpress and on a Linux server. The user will be logging into the WordPress site with OAuth2. Our data and API is going to be built on an ASP.net MVC4 server. I have a couple of problems that I need to resolve and am trying to figure out the most secure way to Authenticate on the IIS server.
1. I need to authenticate with Wordpress.
2. I need to associate customer numbers to the login from 1 above.
3. Somehow I need to then be able to use that associated customer number and some for of Authentication to allow the IIS server to service the requested API.
Some thoughts were to store some kind of UUID for each customer number and store it on the WP and IIS server and then when the request comes in to IIS confirm that the passed UUID matches what was issued to the WP server in step 2 above. My concern is though that this UUID could be compromised/forged at a later time and that UUID could be used to make calls to the API on the IIS server.
What is the best way to implement security on the IIS server that allows the customer to login only on the Wordpress server?
I'm currently using a Custom Http Authentication Module in IIS, so when I need to consume the web api from WP, I follow this approach: I build petition with my custom authentication rules (example: you can use a custom http header, o something else to pass credentials), in web api side, I check credentials (using http authentication module, of course), if everything is fine, http authentication module allow requests, if not, It deny request.
Inside my ASP.NET application, I would like to add an iframe where I can display the emails from our exchange server for the logged in user. The web application uses forms authentication with custom authentication (passwords are hashed and stored in db).
Is there a way to show OWA within my web app without prompting the user for password (OWA uses windows authentication)? Can I use impersonation in some fashion or establish a trust between my IIS server and the server running OWA?
Has anyone tried this before?
If you are using an iframe for that, then it is a separate process in terms of authentication. Requests from the iframe are sent to OWA server just as you had opened the page in full screen.
However, it is possible to configure your Exchange server to allow windows authentication, see here: http://support.microsoft.com/kb/300656
This way you will authenticate with windows forms authentication to your web application and with windows auth to the OWA server.
I think you would have to have the Windows authentication be the authentication source for the website - or at least map accounts in the website to accounts in OWA
DNN does something a little like this with its Active Directory security provider. Might look at the source of that for some ideas - http://dnnauthad.codeplex.com/
I have a web service running in IIS 6.0 on Windows 2003. It's authentication mode is Integrated Windows security (anonymous disabled), and authorization is done with Authorization Manager and an XML authorization store. My test user is a domain user (admin, actually) with membership in an authorized role.
I am testing this (for now) on the web server (localhost), and using (for now) Internet Explorer to access the web service (.asmx).
I can successfully open the web service (wsdl) page through localhost, like this:
http://localhost:8080/MyService/MyService.asmx
Using this url, integrated windows authentication succeeds (silently), and I am sucessfully authorized by AzMan to access the service. The same goes for the server name:
http://myserver:8080/MyService/MyService.asmx
Now I need to use the external host name (www.mysite.no) to access the service (this in order to get ssl to work with a certificate issued to that sitename). To do this, I add the host name to my HOSTS file, like this:
127.0.0.1 www.mysite.no
...then type this into IE:
http://www.mysite.no:8080/MyService/MyService.asmx
What happens then is that authorization fails. I get the IE/Windows login box and enter my correct credentials three times. Then I get a 401.1:
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)
How is authorization through AzMan influenced by the host name?
Edit: I have reason to believe AzMan has nothing to do with it - it seems to be the authentication that fails.
I have reproduced the problem on another server. The essence seems to be that accessing localhost via an entry in the local host file somehow messes up the integrated windows authentication between the browser and IIS.
I have worked around the problem, now my curiosity is all that's left...
Enable audit login failure auditing & check the security event log on the host.
1) On the webserver, go to Control Panel, Administrative Tools, Local Security Policy.
2) Go to local policies, audit policy. Add failure for 'audit logon events'.
3) Close the MMC. Open a command prompt and type gpupdate.
4) browse to http://www.mysite.no. You will get the error again.
5) Launch event viewer (control panel, admin tools, event viewer). Navigate to the security event log and look for the login failure(s).They shoudl tell you something descriptive, like 'the user has not been granted the specified logon type'. Unfortunately the login type itself is not descriptive; logon type 2 is interactive (locally), 3 is 'access this computer over the network', 5 is 'logon as a service' (NT service, not WCF service). The rights required can be granted in the local security policy.
Also, check to see if you have a proxy enabled in IE. If your traffic is being routed to the proxy, it is possible that the proxy does not support NTLM. Add the host as a proxy exception while you test using IE.
My first guess is that it's not the host name.
The first thing to do is narrow down the problem as there are a couple things that could be going wrong.
First set the IIS site to anonymous access, and make sure you can pull up the web service. That will verify that you're accessing the right IIS web site and it's truly narrowed down to an authorization problem.
Also, check the Application Pool credentials, and the security settings on the file folder containing the web service as these could be contributors.