On one of our intranet pages, I'm using cffileupload to upload multiple photos:
<cffileupload extensionfilter=".jpg,.jpeg,.png,.gif"
url="/submissions/photo_gallery.cfm"
onerror="errorissue"
width="600"
addbuttonlabel="Browse..."
maxuploadsize="100">
The url for this tag points back to the same page where I process the images:
<!--- Define the upload path --->
<cfset upload_path = "C:\websites\images\photo_gallery\">
<!--- Upload all the files --->
<cffile action="upload"
destination="#upload_path#"
nameconflict="makeunique"
result="uploaded_file">
In IE and Chrome, this works. In Firefox, I get a 401 error. It appears to be related to how the browsers authenticate. IE and Chrome use Windows authentication while Firefox prompts when entering the site for username/password. Nothing shows up in the Coldfusion logs, but the IIS logs show this (with the IP x'd out):
2013-05-09 19:16:07 xxx.xxx.xxx.xxx POST
/submissions/photo_gallery.cfm CFID=5546&CFTOKEN=75080018 80 - 172.28.30.99 Shockwave+Flash 401 2 5 0
The previous line in the log is from loading the page. As you can see, my username is showing up in this line (edited for security):
2013-05-09 19:16:07 xxx.xxx.xxx.xxx GET /includes/js/shared.js - 80
DOMAIN\username xxx.xxx.xxx.xxx
Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:20.0)+Gecko/20100101+Firefox/20.0
304 0 0 218
So, cffileupload seems to be losing my username. However, the session.urltoken in the cffileupload url is the same as it is in on the page with the multiple file uploader (the calling page). So, you'd think the authentication would stick.
Also, I can get it to work in Firefox when I go into IIS7 and enable Anonymous Authentication on the Jakarta virtual directory (and disable Windows Authentication on the same). But, this is not a usable solution.
Can anyone suggest another solution?
Have you tried enabling "Anonymous Authentication" just for the /submissions folder?
See here
You can tell Firefox to work with Windows Authentication as well. It is not turned on by default (reference).
Open Firefox
In the address bar type: "about:config"
Firefox3.x and later requires you to agree that you will proceed with caution.
After the config page loads, in the filter box type: "network.automatic"
Modify network.automatic-ntlm-auth.trusted-uris by double clicking the row and enter http://www.replacewithyoursite.com or http://your-intranet-server-nameMultiple sites can be added by comma delimiting them such as http://www.replacewithyoursite.com, http://www.replacewithyourintranetsite.com
To specify all subdomains use .replacewithyoursite.com instead of www.replacewithyoursite.com, help.replacewithyoursite.com, pictures.replacewithyoursite.com
If your intranet does not use a fully qualified domain name you can set the following in Firefox to avoid the prompting (reference)
Go to "about:config"
Filter the keys down to "network.automatic"
Edit network.automatic-ntlm-auth.allow-non-fqdn value to true
Related
My requirement is display files and folders without hostname/ip address as header as this can be vulnerable. And existing code working on IIS 7 and new one IIS 10.
I successfully achieved file/folder display by enabling 'Directory browsing' but unsuccessful with 'without hostname/ip address as header'. So looking for help on this configuration part.
The hight lighted text(localhost in this case) must not display
I got single sign in working but I don't know how to configure single sign out.
Here is what I've tried so far (without any success):
[My Service provider] -> Inbound Authentication Configuration -> [my issuer] -> Enable Single Logout is Checked (custom URL is not given)
What I try is to simply redirect the browser to the URL where login is configured with the following parameter:
https://localhost:9443/passivests?wa=wsignout1.0
So the login works perfectly with this URL: https://localhost:9443/passivests
As I understand there is nothing else I should do but WSO2IS does not remove the cookie and when I try with my other webapp it logs me in as if nothing happened.
I omitted wreply (as it is optional) so I expect that the browser is not redirected back to my application or login screen. This is the reason I try it with a different application. Also the other app is opened FIRST after logout and it still gets the claims. (I always test with a new incognito mode chrome window to avoid false negatives because of leftover cookies)
So is there anything else I should do or is it perhaps a known bug?
This is a known bug. I can't find the particular class right now but the logout function called when using WS-Fed is an auto-generated //TODO stub.
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.sts.passive/4.2.0/src/main/java/org/wso2/carbon/identity/sts/passive/processors/SignoutRequestProcessor.java
I am trying to get the twitter module (7.x-5.4) running on my local drupal 7.19 website. Already installed Oauth and registered a twitter app. I am using the keys of that twitter app.
Callback URL
http://localhost/drupal-7.19/twitter/oauth
twitter host
http://twitter.com
Twitter API
https://api.twitter.com
Twitter search
http://search.twitter.com
TinyURL
http://tinyurl.com
when I want to add at least my own twitter account so that the site can display my tweets. when I want to add this account, an error occurs:
Notice: Undefined property: stdClass::$data in Twitter->request() (line 131 of root\modules\twitter\twitter.lib.php).
Could not obtain a valid token from the Twitter API. Please review the configuration.
any ideas? thanks in advance.
In my case, uncommenting the line
extension=php_openssl.dll
in php.ini resolved the error.
I'm not sure this will work for you, but this worked for me. I had the same exact error, even though I had followed the documentation. Here's the test: go to admin/reports/status. If you see the following warning: "HTTP request status Fails" this means your drupal/LAMP stack is unable to use DNS to callback to itself. In my case I used my machines's IP to access my Drupal instance. So, rather that use "localhost" use your machine's IP address (you can use ipconfig on MSWin or ifconfig on Mac/Linux) and use that for finishing the twitter account setup process.
Again, not
http://localhost/drupal-7.19/twitter/oauth
but
http://10.0.1.9/drupal-7.19/twitter/oauth
(substituting your machine's IP address)
I was getting the exact same error which i fixed by adding appropriate proxy server details.
Notice: Undefined property: stdClass::$data in Twitter->request() (line 131 of C:\wamp\www\test_twitter\sites\all\modules\twitter\twitter.lib.php
The problem was due to proxy-settings. I added values for $conf['proxy_server'] and $conf['proxy_port'] in settings.php and this error vanished.
I also verified that if i remove the proxy settings, this error is reproduced again.
Install oauth_common and twitter on your Drupal site
Check that both Oauth and the Twitter modules are enabled. I didn't use any of the other Twitter modules to do this
Go to the twitter module in Drupal
Go to the Configure (button) -> settings (Tab)
(note that the Callback URL is http://localhost/yourwebsite/twitter/oauth i.e. it doesn’t have to be 127.0.0.1)
Click on the link that says register your application
Go to twitter and sign in to be a developer
Add a new application, making a distinct feed name
Enter your site details
For localhost use: http://127.0.0.1:8000/twitter/oauth for both the website and callback URLs
Press save when you've done
Next go to the Test OAuth button - this will give you your illusive consumer key and consumer secret key
Back to the Drupal website and and to the twitter module to configure (button) -> settings (Tab)
Copy and paste these consumer and consumer secret keys you just got
Press Save configuration
Hopefully no errors.
Go to the twitter tab in the module and hopefully your twitter avatar has appeared
Read the top of the page where it says "Tweets are pulled from Twitter by running cron. You can view the full list of tweets at the Tweets view."
Select the View Tweets checkbox and click view - Chances are your tweets won’t show up in the next window - yet
Go to your drupal Configuration screen and to [System] Cron and press the "Run cron"
Now go back to view tweets from the twitter module and they should all appear
[This was a pig to figure out]
asp.net app (c#) worked fine in debug mode; published, getting 401.1 error (unauthorized).
When I put in the url, a dialog asks for username & password. Put it in 3x, error.
It's an internal app, using Windows authentication only.
IIS 7.5, using ApplicationPoolIdentity.
SQLServer Database
Specific Error Message from 401.1 page:
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x8009030e
Requested URL http://smalltools.dbsvc.com:80/ Ap
Physical Path C:\inetpub\SmallTools
Logon Method Not yet determined
Logon User Not yet determined
The app has a users table to determine the "role" of that user. I put a method in the master page that queries the table based on authenticated user, and returns the role. This, in turns, determines which buttons are visible on the navigation bar.
Looked in the security log, and found the following 3 entries:
2012-07-20 14:55:11 10.0.1.38 GET / - 80 - 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 401 2 5 15
2012-07-20 14:55:20 10.0.1.38 GET / - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 500 0 0 125
2012-07-20 14:55:20 10.0.1.38 GET /favicon.ico - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 404 0 2 0
Any idea what might be causing the inability to log in? Any clues what I can fix to make it work? I've researched all day and haven't found what might be the problem.
Any information is gratefully received.
Thanks
Cindy
I've successfully solved the issue; I had to allow impersonation, and make an adjustment to the AD group.
The article in the following link helped a great deal:
http://msdn.microsoft.com/en-us/library/bsz5788z.aspx
If this is an external site, then Windows authentication isn't really the way to go. But you can still do it, here's some links I found that should help.
Q&A about similar issue
Microsoft guide on how to implement
Typically Windows Authentication is used with internal systems because the users are logged on directly to the system and all their credentials are right there. However for external apps this isn't always the case, since your home Windows account and work windows account aren't the same, in addition you may not even be using windows from the external location.
Another gotcha I came across is the local loopback address security check when you setup a DEV instance and modify hosts file to use Fully Qualified Domain Name (FQDN) or simply when you browse IIS site with custom headers and the name does not match the server hostname. While this is necessary for production servers it is a problem when setting up Developer environments.
"This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address"
There are two main methods to resolve the issue:
Specify host names (Preferred method if NTLM authentication is desired) by creating/updating the Multi-String value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Disable the loopback check (less-recommended method - do not use on production servers) by setting the following registry DWORD value to 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck
Please refer to this HTTP 401.1 - Unauthorized: Logon Failed - Microsoft Support article for detailed overview and registry settings.
I need to generate a CTL for use with IIS7.
I generated a CTL file using MakeCTL (on Win2k3 SDK) and put only my own RootCA certificate in the CTL.
However, when I then use adsutil.vbs to set my website to use this CTL, I get:
ErrNumber: -2147023584 (0x80070520)
Error Trying To SET the Property: SslCtlIdentifier
I'm using adsutil.vbs like this:
cscript adsutil.vbs set w3svc/2/SslCtlIdentifier
where is the friendly name of the CTL
The problem is, I am not able to set a friendly name. At the end of the wizard it says "Friendly Name: ".
In IIS6 I can create a CTL with a friendly name (showing in Certificates MMC) but if I export it from there, when I import it, it no longer has a friendly name.
Can anyone show me how to do it please?
This should work on IIS 7.0 but probably not on IIS 7.5.
Let us know if this page is helpful please - http://www.rethinker.net/Blog/Post/14/How-to-Create-and-Use-a-CTL-for-IIS-7-0
I'm experiencing exactly the same problem and am having the same trouble finding an answer.
There appears to be no documented way to create a friendly name for Certificate Trust Lists using MakeCTL. And the only documented way to add a CTL to IIS7 uses the adsutil script Neil references above, yet it requires a friendly name. I assume we could dig into a programatic way to do this but I'm not looking to get that deep.
The core of this problem is that IIS7 seems to have lost favor for CTL's, else it would have some UI support for them. Are people using some alternative to CTL's in combination with Client Side Certificates?
I find it odd this isn't a bigger problem for IIS7.
Update:
I finally came back to this and have figured out the Friendly Name issue. To get a friendly name assigned you must store the CTL in the Certificate Store rather than to a file (I had always used the file approach previously). So, using MakeCTL in the wizard mode (no arguments) and choosing to 'Certificate Store' on the 'Certificate Trust List Storage' page results in a new page that let's you specify a Friendly Name.
So I now have a CTL in the 'Intermediate Certification Authorities' certificate store of LocalMachine. Now I am trying to use 'netsh http add sslcert' to assign the CTL to my site.
Before I could use this command I had to remove the existing SSL cert that was assigned to my site for server authentication. Then in my netsh command I specify the thumbprint of that very same SSL cert I removed, plus a made up appid, plus 'sslctlidentifier=MyCTL sslctlstorename=CA'. The resulting command is:
netsh http add sslcert ipport=10.10.10.10:443 certhash=adfdffa988bb50736b8e58a54c1eac26ed005050 appid={ffc3e181-e14b-4a21-b022-59fc669b09ff} sslctlidentifier=MyCTL sslctlstorename=CA
(the IP addr is munged), but I am getting this error:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
I am sure the error is related to the CTL options because if I remove them it works (though no CTL is assigned of course).
Can anyone help me take this last step and make this work?
UPDATE 01-07-2010: I never resolved this with IIS 7.0 and have since migrated our app to IIS 7.5 and am giving this another try. I installed IIS6 Compatibility on my test server and tried the steps documented here using adsutil.vbs. I immediately ran into this same error that Niel did above:
ErrNumber: -2147023584 Error trying to SET the Property: SslCtlIdentifier
when running this command:
adsutil.vbs set w3svc/1/SslCtlIdentifier MyFriendlyName
I then went on to try the next adsutil.vbs command documented and it failed with the same error.
I have verified that the CTL I created has a Friendly Name of MyFriendlyName and that it exists in the 'Intermediate Certification Authorities\Certificate Trust List' store of LocalComputer.
So once again I am at a dead standstill. I don't know what else to try. Has anyone ever gotten CTL's to work with IIS7 or 7.5? Ever? Am I beating a DEAD horse. Google turns up nothing but my own posts and other similar stories.
Update 6/08/10 - I can now confirm that KB981506 resolves this issue. There is a patch associated with this KB that must be applied to Server 2008 R2 machines to enable this functionality. Once that is installed all works flawlessly for me.
The question is about IIS7, but for anyone looking for this information - from IIS8 you no longer need to use CTLs, but rather use "Client Authentication Issuers" in the certificate store.
This is documented in more detail: http://technet.microsoft.com/en-us/library/hh831771.aspx