Spam users requesting profile page creating errors that fill event log - asp.net

I have had a site that fell prey to the spam user registrations that were found in the summer. I have stopped the registration, but now I am getting these users requesting their profile pages and, as a result, there are errors being logged in the event viewer. These events are clogging the event viewer within 24 hrs to the point where it affects site performance and the event viewer cannot load.
The following is one of the errors that gets logged.
ERROR:
UserName:
ActiveTabID: 61
ActiveTabName: My Profile
RawURL: /Activity-Feed/My-Profile/userId/285
AbsoluteURL: /Default.aspx
AbsoluteURLReferrer: http://www.aSitePortal.com/
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
DefaultDataProvider: DotNetNuke.Data.SqlDataProvider, DotNetNuke
ExceptionGUID: 6eff0116-bc77-4394-849b-0f5b67ba040f
InnerException: Not Found
FileName:
FileLineNumber: 0
FileColumnNumber: 0
Method: DotNetNuke.Modules.Admin.Users.ViewProfile.OnInit
StackTrace:
Message: System.Web.HttpException (0x80004005): Not Found
at DotNetNuke.Modules.Admin.Users.ViewProfile.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.AddedControl(Control control, Int32 index)
at System.Web.UI.ControlCollection.Add(Control child)
at DotNetNuke.UI.Modules.ModuleHost.InjectModuleContent(Control content)
at DotNetNuke.UI.Modules.ModuleHost.CreateChildControls()
at System.Web.UI.Control.EnsureChildControls()
at DotNetNuke.UI.Containers.Container.get_ModuleControl()
at DotNetNuke.UI.Containers.Container.ProcessModule()
at DotNetNuke.UI.Skins.Pane.InjectModule(ModuleInfo module)
Source:
Server Name: RD00155D50E2D9
This happens right after a search index scheduled event throws an error. So it might be related.
NOTE: this site suffered from the robot spam user registrations. But since then this site has been moved to a new server and instance of DNN and the user registration is set to none right now.
QUESTION:
How can I reject these requests specifically for one portal (as only one portal is affected) and stop them being logged?
Thanks in advance.
Jordan
EDIT 1:
so this outlines the spam user issue: http://www.dnnsoftware.com/community-blog/cid/154984/spammer-registrations#Comment634
EDIT 2:
I have set the permission of the activity and profile page to admin only; this has not removed the errors.
EDIT 3:
I also tried to disable and rename the My Profile page and that did not remove the errors either.

I have a workaround which is based on the solution found in this DNN wiki page.
In the end I needed to set up a request filter. This problem only affected one of the portals in my installation, so I could set up a request filter regex with that specific domain and the profile pages the spam users were trying to access.
The following is a picture of the request filters I set up; they are not portal specific, you would have to change the regex for yourself.
I hope this can help someone else.

Related

Oracle's WDB_GATEWAY_LOGOUT does not work in mozilla browser

I have a PL/SQL application which has a log out button with following code being executed when log out button is clicked:
-- Open the HTTP header
owa_util.mime_header('text/html', FALSE, NULL);
-- Send a cookie to logout
owa_cookie.send('WDB_GATEWAY_LOGOUT', 'YES', path=>'/');
-- Close the HTTP header
owa_util.http_header_close;
-- Generate the page
htp.p('You have been logged off from the WEBSITE');
htp.p('click here to log in');
htp.p('<BR>bye');
It works perfectly when using Internet Explorer; however, when I use Mozilla, when I log back in I am still logged in as the previous user. Has anyone else been in this situation? How can I make this work for Mozilla as well?
I got this code from oracle documentation page:
https://docs.oracle.com/cd/B13789_01/server.101/b12303/secure.htm
Thanks in advance!
I've found it best to set and unset your own session cookie. Then use owa_custom to verify the cookie.
In the dad.config file add:
PlsqlAuthenticationMode CustomOwa
Then create a package in your schema called owa_custom and add one function inside: owa_custom.authorize.
owa_custom.authorize will be called before each web invocation. You can check your session cookie and, if you want to allow the web call, return true. To block, return false and the user will get a 403 Forbidden.
Then if you like you can write a custom 403 forbidden page and redirect to your login page.
Just know that in 12c, mod_plsql is going away and you'll need to use the Oracle REST Listener. The same functionality exists there; things just have different names.
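The flow this answer describes (set your own session cookie at login, clear it at logout, and have owa_custom.authorize gate every call), written out as an added example; it is not code from the original post or from Oracle's documentation. It assumes dad.config already contains `PlsqlAuthenticationMode CustomOwa`, that the schema has EXECUTE on DBMS_CRYPTO, and that the application's own password check runs before `app_session_start` is called. The table `app_session`, the cookie name `APP_SESSION`, the procedures `app_session_start` and `app_logout`, and the login paths exempted in `authorize` are all hypothetical names chosen for this example.

```sql
-- Added example (not from the original answer). Assumes dad.config has
-- "PlsqlAuthenticationMode CustomOwa". Table, cookie and procedure names
-- are hypothetical.

-- Server-side session store. The browser only ever holds an opaque random
-- token; the user identity is looked up here, never trusted from the cookie.
CREATE TABLE app_session (
  token      VARCHAR2(64)  PRIMARY KEY,
  username   VARCHAR2(128) NOT NULL,
  expires_at DATE          NOT NULL
);

CREATE OR REPLACE PACKAGE owa_custom AS
  -- mod_plsql calls this before every procedure in the DAD.
  -- TRUE lets the call through; FALSE makes mod_plsql answer 403 Forbidden.
  FUNCTION authorize RETURN BOOLEAN;
END owa_custom;
/

CREATE OR REPLACE PACKAGE BODY owa_custom AS
  FUNCTION authorize RETURN BOOLEAN IS
    l_cookie owa_cookie.cookie;
    l_count  PLS_INTEGER;
  BEGIN
    -- The login form and its handler must stay reachable without a session
    -- (hypothetical paths; PATH_INFO is "/<procedure>" under the DAD).
    IF LOWER(owa_util.get_cgi_env('PATH_INFO')) IN ('/app_login_form', '/app_login') THEN
      RETURN TRUE;
    END IF;

    l_cookie := owa_cookie.get('APP_SESSION');
    IF l_cookie.num_vals = 0 THEN
      RETURN FALSE;                      -- no session cookie presented
    END IF;

    -- Accept only a token that exists server-side and has not expired.
    SELECT COUNT(*) INTO l_count
      FROM app_session
     WHERE token = l_cookie.vals(1)
       AND expires_at > SYSDATE;
    RETURN l_count = 1;
  EXCEPTION
    WHEN OTHERS THEN
      RETURN FALSE;                      -- fail closed on any unexpected error
  END authorize;
END owa_custom;
/

-- Call after the application has verified the user's password.
-- Issues a fresh random token, stores it, and sends it as the session cookie.
CREATE OR REPLACE PROCEDURE app_session_start(p_username IN VARCHAR2) IS
  l_token VARCHAR2(64) := RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(32));
BEGIN
  INSERT INTO app_session (token, username, expires_at)
  VALUES (l_token, p_username, SYSDATE + 1/24);   -- one-hour session
  COMMIT;
  owa_util.mime_header('text/html', FALSE);
  owa_cookie.send('APP_SESSION', l_token, path => '/');
  owa_util.http_header_close;
  htp.p('Logged in as ' || htf.escape_sc(p_username));
END app_session_start;
/

-- Logout: delete the server-side row first, then overwrite the cookie with an
-- already-expired value. Invalidating the token on the server is what makes
-- the logout stick regardless of how a given browser handles the cookie.
CREATE OR REPLACE PROCEDURE app_logout IS
  l_cookie owa_cookie.cookie;
BEGIN
  l_cookie := owa_cookie.get('APP_SESSION');
  IF l_cookie.num_vals > 0 THEN
    DELETE FROM app_session WHERE token = l_cookie.vals(1);
    COMMIT;
  END IF;
  owa_util.mime_header('text/html', FALSE);
  owa_cookie.send('APP_SESSION', '', expires => SYSDATE - 1, path => '/');
  owa_util.http_header_close;
  htp.p('You have been logged off.');
END app_logout;
/
```

Because `authorize` consults the `app_session` table rather than the cookie's contents, a stale cookie that a browser keeps sending after logout is simply rejected with 403, and an expired session cannot be revived by re-sending the old token. Any request for a procedure not on the exempt list is blocked before it runs, so the check does not depend on every page remembering to verify the session itself.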

ACS - bypassing user redirection to IdP?

I have only recently been looking into ACS, AAL, WAAD and I would like to avoid redirecting users to the login page of their IDP. I want to keep my users within my site and present them with a dropdown to choose who they wish to authenticate with and an area to request a username and password, then acquire token via code. Is this possible?
I have been reviewing some sample applications and produced a quick mock-up, but can't seem to get things working, e.g.
// Authentication context for the ACS namespace
_authContext = new AuthenticationContext("https://littledeadbunny.accesscontrol.windows.net");
// Domain part of the entered user name (text after the '@')
string enteredEmailDomain = UserNameTextbox.Text.Substring(UserNameTextbox.Text.IndexOf('@') + 1);
// Identity providers configured for this relying party realm
IList<IdentityProviderDescriptor> idpdList = _authContext.GetProviders("http://littledeadbunny.com/NonInteractive");
foreach (IdentityProviderDescriptor idpd in idpdList)
{
    if (String.Compare(ServiceRealmDropDownList.SelectedValue, idpd.Name, StringComparison.OrdinalIgnoreCase) == 0)
    {
        // Try to acquire a token directly with the collected username/password
        Credential credential;
        credential = new UsernamePasswordCredential(enteredEmailDomain, UserNameTextbox.Text, PasswordTextbox.Text);
        _assertionCredential = _authContext.AcquireToken("http://littledeadbunny.com/NonInteractive", idpd, credential);
        return;
    }
}
Using the code above, when I try to use the Windows Azure Active Directory user (admin), I get the error "Data at the root level is invalid. Line 1, position 1." where I attempt to AcquireToken.
When I use Google, I get the error "0x8010000C: No identity provider matches the requested protocol".
Is there a working sample? If I am doing something obviously wrong, I would appreciate the correction.
This is not supported for passive identity providers. IdPs like Google, Facebook, etc. don't want other people collecting credentials for them, as this leads to security issues and possible phishing attacks. They also don't support it because they need to be able to show a permission dialog (that screen that asks the user if they want to release data to you) which they can't do without the browser redirecting to them. Furthermore, Google in particular supports two-factor auth, which you couldn't replicate, and generally collecting credentials opens up whole cans of worms around other UI problems such as incorrect or forgotten passwords.
This is also generally a bad user experience, because your users are fairly likely to already be logged in to Google and have cookies there. If so, and if they've already consented to your app, they would just be silently redirected back to you. In your scenario, even if the user is already logged in they'd still have to provide a username/password.
The correct way to do these sorts of logins is to render a browser control in your app that allows the user to log in at their IdP, which is what AAL helps with.
I had the same error; executing a PowerShell script solved that error:
PS C:\windows\system32> $replyUrl = New-MsolServicePrincipalAddresses -Address https://mydomain.accesscontrol.windows.net/
PS C:\windows\system32> New-MsolServicePrincipal -ServicePrincipalNames @("https://mydomain.accesscontrol.windows.net/") -DisplayName "MyDomain Namespace" -Addresses $replyUrl
But I'm stuck anyway with a 403 permission error.
If you get any further I would like to know how :)

Getting an Unauthorized error in Plone, when logged in as an admin

I'm getting an error when accessing the /image view of an Image object. The weird part is that I'm logged in as an administrator, and the Error log shows "Anonymous User (None)" as the user trying to access the image.
How is this possible? What should be the things I should be looking for in this case?
I think it would be a lot weirder if the error log showed "admin" as the user. The fact that it shows "Anonymous" is evidence that it is failing to find your credentials at some point, as you would expect an administrator to never have Unauthorized errors.
Is this a stock Plone image type? I have often seen this sort of error concealing a programming error in my own custom code.

Post to page at any time (offline access)

I'm trying to make an app that integrates into WHMCS that will allow admins to set posts that will be put on their FB page's wall at a certain time.
I am using a piece of code that allows me to post to the page ok but when trying to run the PHP script from a CLI (Shell):
root@golf [~]# php -q /home/host/public_html/modules/addons/social/cron.php
I receive the following message:
Please check Facebook API settings, OAuthException: (#803) Some of the
aliases you requested do not exist: 0
Could someone please tell me what this message means and how I can get this working?
Also, if I have not accessed the app from the web interface for a while, the following message is displayed:
Exception: 102: parameters uid or session key required
A popup then appears on that page and it refreshes, the message is no longer there (until I come back a little later)
Would be great for as much help as I can get.
Daniel Collins.

Published asp.net WebApp won't connect. 401.1 unauthorized

asp.net app (c#) worked fine in debug mode; published, getting 401.1 error (unauthorized).
When I put in the url, a dialog asks for username & password. Put it in 3x, error.
It's an internal app, using Windows authentication only.
IIS 7.5, using ApplicationPoolIdentity.
SQLServer Database
Specific Error Message from 401.1 page:
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x8009030e
Requested URL http://smalltools.dbsvc.com:80/ Ap
Physical Path C:\inetpub\SmallTools
Logon Method Not yet determined
Logon User Not yet determined
The app has a users table to determine the "role" of that user. I put a method in the master page that queries the table based on the authenticated user and returns the role. This, in turn, determines which buttons are visible on the navigation bar.
Looked in the security log, and found the following 3 entries:
2012-07-20 14:55:11 10.0.1.38 GET / - 80 - 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 401 2 5 15
2012-07-20 14:55:20 10.0.1.38 GET / - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 500 0 0 125
2012-07-20 14:55:20 10.0.1.38 GET /favicon.ico - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 404 0 2 0
Any idea what might be causing the inability to log in? Any clues what I can fix to make it work? I've researched all day and haven't found what might be the problem.
Any information is gratefully received.
Thanks
Cindy
I've successfully solved the issue; I had to allow impersonation, and make an adjustment to the AD group.
The article in the following link helped a great deal:
http://msdn.microsoft.com/en-us/library/bsz5788z.aspx
If this is an external site, then Windows authentication isn't really the way to go. But you can still do it; here are some links I found that should help.
Q&A about similar issue
Microsoft guide on how to implement
Typically Windows Authentication is used with internal systems because the users are logged on directly to the system and all their credentials are right there. However, for external apps this isn't always the case, since your home Windows account and work Windows account aren't the same; in addition, you may not even be using Windows from the external location.
Another gotcha I came across is the local loopback address security check when you set up a DEV instance and modify the hosts file to use a Fully Qualified Domain Name (FQDN), or simply when you browse an IIS site with custom headers and the name does not match the server hostname. While this is necessary for production servers, it is a problem when setting up developer environments.
"This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address"
There are two main methods to resolve the issue:
Specify host names (Preferred method if NTLM authentication is desired) by creating/updating the Multi-String value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Disable the loopback check (less-recommended method - do not use on production servers) by setting the following registry DWORD value to 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck
Please refer to this HTTP 401.1 - Unauthorized: Logon Failed - Microsoft Support article for detailed overview and registry settings.