I'm using ASP.NET, and IIS web server. I want to use HTTPS protocol on my web site. In my IIS web server, I binded my web site on port 443 using following procedure:
Open IIS
Chose site I want to configure (in my case "My Test site")
Click Bindings on right side of window
In new window I deleted http, and added https (IIS asks you a
certificate file, which I previously created)
Click OK
Click browse on right side of IIS window
Am I using HTTPS now, and is all my data is encrypted?
It should be. However to ensure that the data is encrypted, you can do this further check.
Open the site in the browser and if you are using firefox, you should see a green colored label near the address bar, on internet explorer, you will see a lock sign - in short, there will be some sort of security information. Open it and check it. It will show the status of certificate and will also show you if the site is protected or not.
This is the final test at client side. If you have proper certificate installed which could be validated, it would say that the site is protected, otherwise it would say that the data is encrypted but the certificate is not valid - kind of security exception.
Related
I have been using Windows Azure to host some of our internal utility projects using Web App. When I create a new web app say "MyTestApp", the default URL created in portal will be:
"http://MyTestApp.azurewebsites.net"
Refer Image
However, when I click this URL, it will not open in browser. To fix it, I have to manually append "s" in the protocol to make it
"https://MyTestApp.azurewebsites.net".
I understand that by default, Azure secures the *.azurewebsites.net wildcard domain with a single SSL certificate, so the clients can access the app at
"https://appname.azurewebsites.net"
But I wondering why the portal display the non SSL URL (http). Is there a reason for that?
Update:
I tested it with Firefox too (based on suggestion in comments) and tried both hitting URL as well as Browse button. Since the URL is http, on new tab, it just say "waiting for MyTestApp..." and then "waiting for login.microsoft.com...".
However, when I click this URL, it will not open the WebApp in browser.
If we click the URL and the [Overview] table is fully loaded, then it will work correctly . We also can browse the website via click the [Browse] option.
why the portal display the non-SSL URL (http)?
This may be the topic about advantage and disadvantage of Http VS Https. Generally, one of the primary blockers for HTTPS adoption is the fact that the HTTPS protocol is slow. Here’s a very informative ServerFault thread showing just how big of a slowdown.HTTPS encrypts traffic between us and a server. It is more security than HTTP. And Azure also allow HTTPS access to our WebApp and support to enforce HTTPS on our WebApp.
I have an ASP.NET web forms application that requires that requires that a user log in.
I have had the application running on a live server with an IP address pointing at it, to allow external customers to test it. e.g. http://1.2.3.4/application
Last week the customers decided that they were happy to switch their users to my application, and asked us to switch the existing URL across to it e.g. http://www.applicationurl.com
As soon as we did this, the login page stopped working:
- if you log in with an incorrect username or password, it correctly tells you that you have made a mistake
- if you log in with a correct username and password, no error message displays, but instead of redirecting to the next page, the user is redirected back to the login page
Just to be clear, no changes were made to the application - it is still running on the same server with the same config settings. If I log on using either the internal or external IP address then the application works fine - once logged on I am redirected to the default page; it is only when using the external URL that I keep getting redirected back to the login page. The .css and images all load correctly for the login page.
This is .NET 3.5 running on IIS7 on Windows Server 2003.
Could you check web.config file's forms Element for authentication:
Check the path attiribute. is it "/".
Check the domain (if set).
On consultation with our IT team, I learned that the company that supplies us with DNS names was proxying the calls to our web server. When we switched the domain name to directly calling our IP address, the issue was resolved. I guess the proxy must have been modifying the HTTP calls or blocking cookies or something.
The way to check whether this is happening is to ping your domain - in our case, it was returning the IP address and domain name of our DNS supplier rather than the IP address of our web server.
I've set up an ASP.NET intranet website with
From another pc:
It works perfectly fine if I access it via IP e.g http://11.11.11.1:88/Default.aspx
Unfortunately, when I go to http://MyWebsite.mycompany.com:88/Default.aspx I get a login box popping up.
If I enter username/pass it just rejects it, and I can't get access
From the server:
Both IP and DNS alias work. So no problems while on the server itself
Anonymous user access is disabled
Any ideas?
Any suggestions on what further info I can give to help solve this?
Additional:
Accessed via IE only (6 and up)
I use IIS 6.0
Username in Domain\Username format
Config set to <deny users="?">
AppPool identity as Domain\zWhatever (used for windows auth to sql db)
AppPool identy user is in IIS_WPG group, plus is admin on server
Ohh riiight. Got it!
I changed my AuthenticationProvider for my website from "Negotiate, NTLM" to "NTLM, Negotiate"
Following these instructions:
http://support.microsoft.com/kb/215383
With a slight change to their instruction to set provider of course
mine:
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "**NTLM, Negotiate**"
You can get the Website ID by clicking on the "Web Sites" folder on the left in IIS. This should list all your website with their ID
In Internet Explorer options, add MyWebsite.mycompany.com to your list of Trusted Sites.
In Internet Explorer:
select "Tools"
select "Internet Options"
click the "Security" tab
click the "Trust Sites" icon
click the "Sites" button
enter the website domain
e.g., http://MyWebsite.mycompany.com:88 (use https if possible)
if the website doesn't have SSL, un-check "Require server verification (https:)"
click the Add button (don't forget this part)
For Firefox, it's also pretty simple to configure NTLM authentication.
For Chrome NTLM, see this thread.
I'm working on a website that uses a non-secured asp.net session cookie.
The session is shared between http and https.
We want to use different sessions for http and https (because of security reasons).
Is this configurable in ASP.NET, the httpCookies config element in system.web isn't specific enough. I'd rather not programatically build this.
If it's not possible, what approach should I take?
I would setup the https files in a folder called "Secure" as a sub-application of the http app in IIS. Right click on My computer (or Computer in Windows Server 2008) and click on "Manage". Expand Services, then Internet Information Service, then Websites. Then, expand your website and right click on the "Secure" folder that you just created. On the default tab, click Create Application. Anytime that you have a switch to a https page, make sure that you are using "https://www.yourdomain.com/Secure/" on the front of the url. I would just use a Configuration Setting in web.config to set that url string as a programmatically accessible value. Then, your https sub-application will set you a new session cookie as it is a separate application.
I have been tasked with getting a asp.net (vb.net) talking to an analysis services engine on our production servers. The web server is a separate machine from the web server. The web server runs as the IUSR_ user. The application (of course) works on the development machine which has both IIS and Analysis services on it. The problem I see appears to be a permissions error (returned in the browser by the asp.net app):
An existing connection was forcibly closed by the remote host ....
it is described in a similar post here: http://www.mydatabasesupport.com/forums/sqlserver-olap/201903-existing-connection-forcibly-closed-remote-host.html
I am not a system admin, nor am I an expert in analysis services (why have I been tasked with this you ask? because other people haven't been able to get it working and it has fallen on me). Anyway, I could use some help ... I have tried creating and adding the user (IUSR_) to the sql server and added that user to the role. While that worked on my local machine, it did not work in our production environment where the sql and web servers are separate.
tia,
Don
well after some fiddling i came up with something that works. its probably not a huge security concern because this server is not visible to the public internet; it is visible only to a couple iis servers (it is not on our lan) - this is, however, a 'brute-force', non-secure solution (in some environments anyway) ...
ON THE IIS SERVER: added this to the connection string in web config: SSPI=anonymous; this turns on an unauthenticated access request.
ON THE SQL SERVER: in analysis services, right click on the server. under "general" go near the bottom to "Security\RequireClientAuthentication" and change it to False
same page, select "security" on the left (instead of general). Add "ANONYMOUS LOGIN" to the list of users
get out of the server properties. right click on the CubeViewer role in the cube and choose properties. Add ANONYMOUS LOGIN to the list of users.
so, i have unauthenticated access from our iis server to the sql server.
i'd still be interested in seeing a more secure solution - oh, and i forgot to mention, there is no domain ... these are two servers on the same subnet with only regular logins.