Windows Authentication occurs automatically with machine name, but not with '.com' domain - asp.net

I am trying to get a better understanding of what is going on with Windows Auth in our ASP.NET MVC 4 application.
It's just using standard Windows auth, and when I access the application via the machine name, from a workstation on the domain:
http://product/
Then authentication occurs automatically, and I am allowed through.
However, if I access the SAME machine, using a host-name that has been mapped in our DNS (to the exact same internal IP):
http://product.company.com
then I am presented with the basic authentication box for my Windows credentials. I can type them in and proceed, but I want to know - why am I being prompted to enter my credentials in the former, but not the latter, and how would I correct this?
[EDIT]
Here are some results of NSLOOKUP
C:\Users\me>nslookup
Default Server: dnsserver.company.com
Address: 192.168.4.250
> product.company.com
Server: dnsserver.company.com
Address: 192.168.4.250
Name: producttest.company.com
Address: 192.168.5.106
Aliases: product.company.com
> product
Server: dnsserver.company.com
Address: 192.168.4.250
Name: producttest.company.com
Address: 192.168.5.106
Aliases: product.company.com

Just add your site to the local intranet zone in browser options.

Related

how-to create an insecure jupyter server

Jupyter only allows access from localhost unless I do a bunch of extra security stuff. I am running my server so that it is only accessible on a local network where anyone with access is equal in trustworthiness to localhost. How do I set up a jupyter notebook server with no extra security features?
Based on your question, I expect you want this configuration (in ~/.jupyter/jupyter_notebook_config.py):
c.NotebookApp.ip = '0.0.0.0' # listen on all IPs
c.NotebookApp.token = '' # disable authentication
There are a few security features in Jupyter (as of 4.3.1). I'll go over how to disable each one, and whether/when it makes sense to disable it:
It listens only on localhost. This can be changed to all public IP addresses:
c.NotebookApp.ip = '0.0.0.0'
Listening on public IPs should generally come with enabling HTTPS and/or password or token authentication (docs). If it's all internal on a trusted network where nothing bad ever happens, you can proceed to disable other security features:
Token authentication is enabled by default. To disable it:
c.NotebookApp.token = ''
Disabling authentication means that anyone with access to the host can run code. It seems like this is what you want. You can also enable a password:
In [1]: from notebook.auth import passwd
In [2]: passwd()
Enter password:
Verify password:
Out[2]: 'sha1:67c9e60bb8b6:9ffede0825894254b2e042ea597d771089e11aed'
You can store this in c.NotebookApp.password.
You can also store this password in (~/.jupyter/jupyter_notebook_config.json):
{
"NotebookApp": {
"password": "sha1:67c9e60bb8b6:9ffede0825894254b2e042ea597d771089e11aed"
}
}
Jupyter also has CORS protections, to prevent other websites from being able to access this server. This means that when a user on your network visits example.com, JavaScript on that page cannot execute code on your notebook server. It sounds like you don't want to touch this, but if you are running a service that should be able to access the notebook server, you can add it to:
c.NotebookApp.allow_origin = 'https://your.other.host'
Finally, Jupyter 4.3.1 introduces an xsrf token, which is part of dealing with the same category of cross-site execution above. You don't need to touch this if users are only accessing the server directly, rather than through JavaScript on additional websites.
c.NotebookApp.disable_check_xsrf = True
A completely insecure notebook server, which is to say one where any website can run code on it, as long as a browser can connect to its host (this would include localhost or LAN if the browser is running from inside the LAN):
c.NotebookApp.ip = '0.0.0.0' # listen on all IPs
c.NotebookApp.token = '' # disable authentication
c.NotebookApp.allow_origin = '*' # allow access from anywhere
c.NotebookApp.disable_check_xsrf = True # allow cross-site requests
This might be desirable if you are aiming to make compute resources free for the world to use however they want via the notebook API.
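A way to check an existing config file for the four settings this answer walks through, as an added example that is not part of the original answer or of Jupyter itself. The function names and finding ids are this example's own, and it reads the file statically instead of executing it.

```python
import ast

LOCAL = {"localhost", "127.0.0.1", "::1"}  # NotebookApp.ip values that stay on loopback
def read_settings(config_text):
    """Collect literal `c.NotebookApp.<name> = <value>` assignments without running the file."""
    found = {}
    for node in ast.walk(ast.parse(config_text)):
        if not isinstance(node, ast.Assign):
            continue
        for tgt in node.targets:
            owner = getattr(tgt, "value", None)
            if (isinstance(tgt, ast.Attribute) and isinstance(owner, ast.Attribute)
                    and owner.attr == "NotebookApp"
                    and isinstance(owner.value, ast.Name) and owner.value.id == "c"):
                try:
                    found[tgt.attr] = ast.literal_eval(node.value)
                except (ValueError, TypeError):
                    found[tgt.attr] = None  # computed value: cannot be judged statically
    return found

def audit(config_text):
    """Return {finding_id: explanation} for the settings discussed in the answer."""
    s = read_settings(config_text)
    findings = {}
    exposed = s.get("ip", "localhost") not in LOCAL
    no_auth = s.get("token") == "" and not s.get("password")
    if exposed:
        findings["exposed"] = "listens beyond localhost"
    if no_auth:
        findings["no-auth"] = "token disabled, no password: anyone who can reach it runs code"
    if s.get("allow_origin") == "*":
        findings["cors-any"] = "any website may call the notebook API from a visitor's browser"
    if s.get("disable_check_xsrf") is True:
        findings["xsrf-off"] = "cross-site requests are not checked"
    return findings

# Constructed inputs: the answer's fully open config, and a LAN variant with its password hash.
INSECURE = """
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.token = ''
c.NotebookApp.allow_origin = '*'
c.NotebookApp.disable_check_xsrf = True
"""
LAN_WITH_PASSWORD = """
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.token = ''
c.NotebookApp.password = 'sha1:67c9e60bb8b6:9ffede0825894254b2e042ea597d771089e11aed'
"""
print(sorted(audit(INSECURE)), sorted(audit(LAN_WITH_PASSWORD)))
```

A setting whose value is computed at load time is recorded as None, so an `ip` that cannot be read statically is reported as exposed.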

Change IIS Bindings HostName to use other than localhost/server name

I've made an ASP NET page, and put it on a Windows 2008R2 server running IIS and DNS. (Those are the only 2 roles in server manager.)
Without me touching anything the following urls work to get to my site:
ServerName = REALLYCOOLSERVER, IPAddress: 123.123.123.123
http://REALLYCOOLSERVER/App/Login.aspx
http://123.123.123.123/App/Login.aspx
http://localhost/App/Login.aspx
I am on a domain.
I would like to be able to have users of the site navigate to something like:
http://foo/App/Login.aspx
Here's what I've been trying:
Opened IIS Manager, Sites > Edit bindings
There is one row here with Type: http, Host Name: blank, Port: 80, IP Address: *
From what I've read, I simply needed to edit this row, and set a Host name: foo
Then in DNS manager, Forward Lookup Zone > New Zone > Primary Zone (company.com) > Create new file with this file name (company.com.dns) > Do not allow dynamic updates > Finish
This produces the 3 types: Start of Authority(SOA), Name Server(NS), and Host(A) rows.
The A row's name is the server name, with Data being IP Address (123.123.123.123)
My research shows me if I create an Alias (CNAME) with:
Alias name: foo
Fully qualified domain name (FQDN): foo.company.com
Fully qualified domain name for target host: Browse > to A record..so.. servername.company.com
However, when I go to IIS Manager and click on Browse foo on *:80(http), I get a broken link. Also, in my browser when I go to http://foo/App/Login.aspx it's also a broken link.
Any help would be greatly appreciated.
Thanks.

HWIOAuthBundle Google login device_id and device_name for a webapp

I am working on a Symfony2 app. I'm using FOSUserBundle to handle authentication and recently integrated it with FOSUserBundle using this tutorial: https://gist.github.com/danvbe/4476697 .
The problem is:
I can login using the google api on localhost and everything works fine.
However when I try to login on a real server I get:
Error: invalid_request
device_id and device_name are required for private IP: http://<server_ip>/login/check-google
Request details:
response_type=code
scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
redirect_uri=http://<server_ip>/login/check-google
client_id=<my_id>
Google documents don't mention these two parameters. I tried to manually send a request with device_id being a UUID and device_name set to "notes". The response I get this time is:
Error: invalid_request
Device info can be set only for native apps.
Request details:
cookie_policy_enforce=false
response_type=code
device_name=notes
scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
redirect_uri=http://<server_ip>/login/check-google
device_id=4b3403665fea6
client_id=<my_id>
Now, what am I doing wrong?
Google will not accept a local (private) IP address when doing OAuth or API calls. My workaround was to add an entry in my Windows hosts file for the local IP:
\Windows\System32\drivers\etc
192.168.1.2 fakedomain.com
then register it with Google in their dev console. That appears as a "real" domain to them, but will still resolve in your browser or code to the local IP. I'm sure a similar approach on Mac or Linux would also work.
It really looks like you're using the wrong flavor of OAuth. device_id is used with Devices. I would really expect you to be using the WebServer flow. You may need one of the other flows as I don't see enough detail here to judge, but they all can be found at the links.

block requests by user hostname using htaccess

Recently, my WordPress website has been experiencing a spike in hack attempts by various IPs but they all have the same user Hostname:
A user with IP address xxx.xxx.xx.x has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username to try to sign in.
User IP: 91.121.156.62
User hostname: ks359219.badhost.com
A user with IP address xxx.xxx.xx.x has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username to try to sign in.
User IP: 5.135.182.147
User hostname: ks3289006.badhost.com
A user with IP address xxx.xxx.xx.x has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username to try to sign in.
User IP: 5.135.185.89
User hostname: ks3290602.badhost.com
A user with IP address xxx.xxx.xx.x has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username to try to sign in.
User IP: 5.39.86.162
User hostname: ks3273571.badhost.com
The security plugin I am using seems to be fending them off, but I would like to be able to block all requests from ANY IP that is associated with the user hostname using a wildcard like xxx.badhost.com
The plugin lets me block a range of IPs such as 123.12.1.* but not hostnames. What would be the best way to block these hacking attempts? .htaccess? Thanks
Refer to this Apache doc page for examples of what you might want to do. It covers most cases of redirecting, blocking, etc. from direct domains and referring sites.
http://httpd.apache.org/docs/2.2/rewrite/access.html#blocked-inline-images
For WordPress you can use VSF Simple block http://wordpress.org/plugins/vsf-simple-block/
In Block Rules settings enter the part of the hostname string you want to block e.g. badhost.com
Bear in mind this is an active plugin, so does use some server resources and database queries for each lookup request, but we haven't found it too heavy.
PS - from the ks. part of the example I have a good idea of the hosts you want to ban - I agree with you, these hosts are bad news - Ban them.... :)
If you do whois ks3273571.badhost.com, it'll tell you the NetRange and CIDR for that ISP's netblock.
For example, whois 69.59.197.21 (StackOverflow) reports:
NetRange: 69.59.192.0 - 69.59.223.255
CIDR: 69.59.192.0/19
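The whois step from the last answer carried through to .htaccess lines, as an added example that is not part of the original thread. The function names are this example's own, the directives are the Apache 2.2 `Order`/`Allow`/`Deny` syntax of the documentation linked above, and the second whois excerpt is constructed.

```python
import ipaddress
import re

NETRANGE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)

def netrange_to_cidrs(whois_text):
    """Convert each `NetRange: first - last` line into the CIDR blocks that cover it exactly."""
    cidrs = []
    for first, last in NETRANGE.findall(whois_text):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # A range that is not aligned to a power of two needs several blocks.
        cidrs.extend(ipaddress.summarize_address_range(lo, hi))
    return cidrs

def covered(ip, cidrs):
    """True if `ip` falls inside any of the blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)

def htaccess_deny(cidrs):
    """Apache 2.2 (mod_authz_host) lines that allow everyone except the given blocks."""
    return ["Order allow,deny", "Allow from all"] + ["Deny from %s" % n for n in cidrs]

# whois excerpt quoted in the answer above.
PAGE_WHOIS = "NetRange: 69.59.192.0 - 69.59.223.255\nCIDR: 69.59.192.0/19\n"
# Constructed range (documentation address space) that does not fit one block.
UNALIGNED_WHOIS = "NetRange: 192.0.2.64 - 192.0.2.191\n"

if __name__ == "__main__":
    print("\n".join(htaccess_deny(netrange_to_cidrs(UNALIGNED_WHOIS))))
```

A netblock covers every customer of that provider, so run `covered` against addresses that must keep access before deploying the generated lines.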

Published asp.net WebApp won't connect. 401.1 unauthorized

asp.net app (c#) worked fine in debug mode; published, getting 401.1 error (unauthorized).
When I put in the url, a dialog asks for username & password. Put it in 3x, error.
It's an internal app, using Windows authentication only.
IIS 7.5, using ApplicationPoolIdentity.
SQLServer Database
Specific Error Message from 401.1 page:
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x8009030e
Requested URL http://smalltools.dbsvc.com:80/ Ap
Physical Path C:\inetpub\SmallTools
Logon Method Not yet determined
Logon User Not yet determined
The app has a users table to determine the "role" of that user. I put a method in the master page that queries the table based on authenticated user, and returns the role. This, in turn, determines which buttons are visible on the navigation bar.
Looked in the security log, and found the following 3 entries:
2012-07-20 14:55:11 10.0.1.38 GET / - 80 - 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 401 2 5 15
2012-07-20 14:55:20 10.0.1.38 GET / - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 500 0 0 125
2012-07-20 14:55:20 10.0.1.38 GET /favicon.ico - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 404 0 2 0
Any idea what might be causing the inability to log in? Any clues what I can fix to make it work? I've researched all day and haven't found what might be the problem.
Any information is gratefully received.
Thanks
Cindy
I've successfully solved the issue; I had to allow impersonation, and make an adjustment to the AD group.
The article in the following link helped a great deal:
http://msdn.microsoft.com/en-us/library/bsz5788z.aspx
If this is an external site, then Windows authentication isn't really the way to go. But you can still do it; here are some links I found that should help.
Q&A about similar issue
Microsoft guide on how to implement
Typically Windows Authentication is used with internal systems because the users are logged on directly to the system and all their credentials are right there. However, for external apps this isn't always the case, since your home Windows account and work Windows account aren't the same; in addition, you may not even be using Windows from the external location.
Another gotcha I came across is the local loopback address security check when you set up a DEV instance and modify the hosts file to use a Fully Qualified Domain Name (FQDN), or simply when you browse an IIS site with custom headers and the name does not match the server hostname. While this is necessary for production servers, it is a problem when setting up developer environments.
"This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address"
There are two main methods to resolve the issue:
Specify host names (Preferred method if NTLM authentication is desired) by creating/updating the Multi-String value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Disable the loopback check (less-recommended method - do not use on production servers) by setting the following registry DWORD value to 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck
Please refer to this HTTP 401.1 - Unauthorized: Logon Failed - Microsoft Support article for detailed overview and registry settings.
