I currently allow access to a service on a Windows Server as follows:
http://<server_ip>:<port_number>
When the user enters this in the browser it takes them to a UI on the Windows Server
Note: the user machine are on a DHCP Server so ip addresses can change.
How can i restrict access only to certain users ?
Is there a way i can force them to enter a name or secret as a querystring parameter and resolve on the Server side ?
I'm currently building a system where users can list Word and Excel files in an ASP.net webapp and click on files to edit which will open them up in Office from an IIS WebDAV server and allow the users to edit the files.
I have all of this working with Windows Authentication enabled and using the server's hostname to address the file on the WebDAV server:
ms-word:ofe|u|http://hostname/webdav/myfile.docx
However the client has a subdomain (resolved by internal dns on their network) and ssl cert they want to use for the site. When I address the file with this domain name:
ms-word:ofe|u|https://portal.domainname.com/webdav/myfile.docx
I get a windows authentication prompt when opening it in Word that will not accept my domain credentials.
If I switch the WebDAV server to Basic Authentication and set the domain Word will prompt for authentication and will accept my domain credentials, but it will prompt on every file I open.
Is there a way to address the file using this internal subdomain name that will open the files without prompting the user for authentication?
This will only be accessible on their internal network so I'm open to considering any authentication scheme that would achieve this goal.
Because of security reasons the client will not send credentials to hosts that are not recognized as local intranet.
When using a (sub)domain instead of a hostname every client has to add the (sub)domain to it's intranet zone:
Internet options > security > Local intranet > Websites > Advanced > Add.
This can also be done by using a Group Policy or setting a registry key.
HKEY_CURRENT_USER\software\microsoft\windows\current version\internet settings\zonemap\domains\[domain]\[subdomain (optional)]
DWORD name: http of https value: 1
I'm trying to connect and getting an error like:
Login failed. The login cannot be used with Windows Authentication
I'm using mirrored local accounts on SQL Server and web server because I'm simply trying to use a trusted connection between machines not on the same domain. It seems like something that would be fairly common, but after days of trying to find an answer that applied to my situation, I do not recognize that any of the answers were applicable... that or the fact that I'm only a .NET developer and not a sysadmin or DBA means I have it and just don't know it.
Here's what I can say:
CMS web server: ASP.NET 4.0 web app running on Windows Server 2008, IIS7, on corporate DMZ
CMS database server: SQL Server 2008 R2 on a domain server
For various reasons that I won't go in to, encrypting the credentials is not sufficient.
The database port that the application needs to connect on is not the standard port and is set up to listen on a different port.
Setting up DB mirroring isn't an option and doesn't really address the requirements (in my way of thinking)
Also, FYI if this is helpful to know:
Content entry happens on internal web server which publishes content to same DB that is accessed by the DMZ web server.
Content server is set up to have the website run the app pool in integrated mode with a windows domain user that has been set as a service account using the -ga switch and given all the appropriate rights and everything runs perfect.
External web server, without domain access, using mirrored accounts (same username and password set up on the SQL Server machine and web machine).
Local account on the web server set as a service account using -ga switch and running as the app pool identity for my app.
On the SQL Server box, created local user with identical creds and given same permissions that the domain user identity has
Connecting to SQL Server via MGMT studio installed on web server with the SQL Server user creds works fine.
Now, if I put in the username in to the connection strings, everything is perfect. As soon as I put the trusted_connection=yes in the connection string like I did with the domain server connection strings, I get the trust error.
So if my connection string is like this, it works fine:
Server=myServerAddress;Database=myDataBase;Username=MyUser; Password=MyPassword;
If I change my connection string to either of these, it fails:
Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;
or
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
I'm working with one of the client's network admins and he's not necessarily a DBA and doesn't have experience with configuring web apps. So it's possible that we're missing something and any advice or ideas would help. What am I missing?
If using SQL credentials are not an option, then you should use Active Directory and create a one-way trust (have DMZ server domain trust your internal domain), create a service account in your internal domain which your DMZ application can use, and grant that account access to the database. Then it will be able to generate SSPI context.
I am trying to remotely access a web application hosted on the office LAN.
I have setup LogMeIN Hamachi and I can connect to an office machine and see shared resources (folders and printers) on that machine.
I selected a Hub-and-spoke network and made the machine with the web app the hub.
While in the office I type http://192.168.1.6:8080/mituz_oc in my browser to get access to the web app.
However, when I try to do the same remotely I get the message "Firefox can't establish a connection to the server at 192.168.1.6:8080."
So I see that the IP address to the computer I have VPN-ed to is 5.14.212.196 and so I try to gain access to the web app by replacing the office LAN's IP with the Hamachi IP (I can only post one hyperlink hence the verbose alternative )
I get the same error message as before, only this time with the HAMACHI IP address.
I can access all the shared resources but can not access the web app.
Is it possible to do what am attempting - remotely access a web application on office server?
If so what am I doing wrong / not doing ?
TIA.
Clemens
1) Check if your Windows Personal Firewall setting blocks connections from Hamachi's 5.x.x.x IP address ranges.
2) Check if your Web Server listens on 5.x.x.x. You can find it out by this command:
netstat -na
Look for local address of "0.0.0.0:8080" which is in the state of "LISTENING".
3) Replace Hamachi with different VPN provider, like www.remobo.com
(Disclosure: I work for the Remobo team)
I have problems connecting to my database server. The database server is not local, I am connected via its IP address.
It works fine in my development machine. After publishing the website to my server, it can not connect to my database server.
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
Why can't my publish server connect to the database server, whereas it works fine through the development machine?
I often had that problem. Mostly it's because of two problems.
Open the SQL Server Configuration Manager.
Check if the SQL Server Network Configuration supports TCP/IP, if it's disabled, enable it.
e.g. SqlServer 2005 Network Configuration, Protocols for SQLEXPRESS
Open the SQL Server Management Studio
Click on the Sql Server Properties (right click on the server name and
select properties).
After that, select the page "Security" and switch the check to "SQL Server and Windows Authentication mode".
That's all.
I'll attempt to go two for two on the psychic debugging for today...
I will assume that you are not using integrated security? If so it might explain things as the account on your local machine probably has permissions, but the SYSTEM account that is running on the server does not. Just a shot in the dark though.
It sounds like your server can't make the network connection, rather than a security issue.
Ensure that any firewalls on both the DB and app servers allow traffic on the port (1433).
Ensure you're able to ping or tracert from both machines.
Is it your first time you publish your website on the web server ? if it is , Are you sure you have set your connection string properly ?
You need to create a login ( of curse a password for that too ) and the IP Address of that SQL on the web server .
So you need IP Address of the sql server host , Database Name , UId , Pwd .
I will agree that this sounds like a network issue and not a security issue.
Remote into the web server and ping the DB server by IP address. If this does not work, your server cannot see the DB server via that address (different subnet, incorrect firewall/proxy setup, etc). There may be a proxy address you must use to get to the DB server from the web server, or your web server may also be the gateway and IIS doesn't know to look for the DB server on the LAN. If it does work, the computers may not be talking on the same port, or the firewall may be blocking that port exiting the web server.
I have spent hours trying to connect to SQL server using sqlcmd. I disabled my firewall, checked all ip listed in "Protocols for SQLEXPRESS", edited my hosts file. I tried using different ips and machinename to connect to the server. But none of work worked. After hours of investigation, I found out that I made absolutely stupid blunder making me unable to connect.
I want to remind people that the connection string is not case sensitive. But the option is!!
what i did is I put
sqlcmd -s .\sqlserver
But the correct string is
sqlcmd -S .\sqlserver
so watch out, people