Where does WWW-Authenticate header get added when using WindowsAuthenticationModule - asp.net

If I set Windows Authentication to true in IIS7 and set Anonymous Authentication to false, I will get a WWW-Authenticate header. I assume this is the cue to the browser to popup the authentication dialog. I'm trying to figure out where in the ASP.NET pipeline the WWW-Authenticate header gets set (and what class is responsible for setting it). I've done quite a bit of Googling and looking at WindowsAuthenticationModule and UrlAuthorizationModule in Reflector but can't seem to pinpoint it!

Several modules in IIS 7 perform tasks related to security in the request-processing pipeline. In addition, there are separate modules for each of the authentication schemes, which enable you to select modules for the types of authentication you want on your server.
The one you are looking for is the WindowsAuthenticationModule, which performs NTLM integrated authentication. It is located in Inetsrv\Authsspi.dll.
The picture below shows the HTTP request processing pipeline mechanism of IIS7.
For a complete in-depth elaboration, including the above material, visit: http://learn.iis.net/page.aspx/101/introduction-to-iis-7-architecture/
That should answer all your questions :-)

If you have Windows Authentication set in IIS the authentication will occur between the client and IIS.
.NET may access the details when is set in the web.config but IIS sends the WWW-Authenticate header and manages credential exchange.
See more:
https://www.owasp.org/index.php/Authentication_In_IIS
http://msdn.microsoft.com/en-us/library/ff647405.aspx

Related

How to find out if ASP.Net web application can handle cookie-based affinity?

I was reading this article about troubleshooting Azure Application Gateway Session Affinity Issues, and listed as a possible cause it states "My application cannot handle cookie-based affinity", how do I know if my ASP.Net web application can handle cookie based affinity or not?
Thanks,
Firstly, as you're hosting the website on an Azure VM, you would typically deal with this the same way as you would on-prem, unlike on an Azure App Service, where for this setting you can just toggle the switch to enable or disable ARR Affinity from Azure Portal > Application Settings.
Kindly refer this blog Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core for the latest changes.
Just to clarify: the application gateway can only perform session-based affinity by using a cookie. From your issue description, you have set "cookieBasedAffinity": "Enabled", as mentioned in the document, is that correct? You can leverage based on your application needs.

```xml
<httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" />
```
You cannot add cookies in web.config but you can add some custom section to access cookies.
You can handle this in code using the System.Web.HttpCookie.HttpOnly property, as mentioned in this article.

```csharp
using System.Web;

// Create the cookie, mark it HttpOnly so client-side script cannot read it, then send it
var myHttpOnlyCookie = new HttpCookie("MyHttpOnlyCookie");
myHttpOnlyCookie.HttpOnly = true;
myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
Response.AppendCookie(myHttpOnlyCookie);
```
As mentioned in the same document you're referring to, you can review the session logs to determine whether the cookies provided by the client have the ARRAffinity details. If you don't find the ARRAffinity details, such as "ARRAffinity= ARRAffinityValue" within the cookie set, that means the client is not replying with the ARR cookie.
Additional discussion on this topic: Token Authentication vs. Cookies
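The log review described in the answer, as an added example that is not part of the original answer: it walks constructed request log lines (the layout below is an assumption, not the Application Gateway log format), reports per client whether the ARRAffinity cookie ever comes back, and checks a Set-Cookie header for the HttpOnly and Secure attributes that the `<httpCookies>` element controls. A client's first request legitimately has no cookie, so the signal is a client that never replies with it, not a single request without it.

```python
"""
Added example: affinity-cookie check over constructed log lines.
The log layout (ip method path cookie=<raw Cookie header or '-'>) is an
assumption made for this example, not a real gateway log format.
"""

# Constructed sample log lines: 10.0.0.5 replies with ARRAffinity after its
# first request; 10.0.0.9 never does.
SAMPLE_LOG = """\
10.0.0.5 GET /default.aspx cookie=-
10.0.0.5 GET /default.aspx cookie=ARRAffinity=1a2b3c; ASP.NET_SessionId=abc123
10.0.0.9 GET /cart.aspx cookie=ASP.NET_SessionId=def456
10.0.0.9 POST /cart.aspx cookie=ASP.NET_SessionId=def456
"""

def parse_cookie_field(raw):
    """Turn a raw Cookie header into a dict; '-' means no cookies were sent."""
    cookies = {}
    if raw == "-":
        return cookies
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies

def parse_log_line(line):
    """Split one constructed log line into its fields."""
    ip, method, path, rest = line.split(" ", 3)
    if not rest.startswith("cookie="):
        raise ValueError("unexpected log layout: " + line)
    return {"ip": ip, "method": method, "path": path,
            "cookies": parse_cookie_field(rest[len("cookie="):])}

def affinity_report(log_text, cookie_name="ARRAffinity"):
    """Per client IP, count requests that carried the affinity cookie and
    requests that did not."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        counts = report.setdefault(entry["ip"], {"with": 0, "without": 0})
        if cookie_name in entry["cookies"]:
            counts["with"] += 1
        else:
            counts["without"] += 1
    return report

def clients_never_replying(log_text, cookie_name="ARRAffinity"):
    """Clients that never sent the cookie back: the ones that 'cannot handle
    cookie-based affinity' in the sense the troubleshooting article uses."""
    return sorted(ip for ip, c in affinity_report(log_text, cookie_name).items()
                  if c["with"] == 0)

def set_cookie_flags(set_cookie_header):
    """Report whether a Set-Cookie header carries HttpOnly and Secure, the
    attributes the <httpCookies> element controls for ASP.NET cookies."""
    attrs = [p.strip().lower() for p in set_cookie_header.split(";")[1:]]
    names = {a.split("=", 1)[0] for a in attrs}
    return {"httponly": "httponly" in names, "secure": "secure" in names}

if __name__ == "__main__":
    print(affinity_report(SAMPLE_LOG))
    print("never replying:", clients_never_replying(SAMPLE_LOG))
    print(set_cookie_flags("MyHttpOnlyCookie=1; path=/; HttpOnly"))
```

Run against real logs by swapping `SAMPLE_LOG` for the cookie field of your own access log; the per-client counts are the part worth keeping, since a single cookie-less request is normal.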

Which IIS Authentication to use for Token authentication Web Api REST service

I am playing with Asp.Net Web Api 2 creating a REST service with token authentication (under normal IIS 7.5, not express). Therefore, I've used the standard generated template that comes with Visual Studio 2015.
I understand the concept and the code too, did some testing with Fiddler, getting the token, trying to register etc. and I like the approach.
But there's 1 thing I don't understand and I miss that in about every article I've read about it:
what should be the IIS authentication setting(s) for the service?
By default, anonymous authentication is turned on and the other options (forms, windows, basic) off.
If I understood correctly it shouldn't matter (because the OAuth Authorization Server and OWIN in the WebApi service should take over the complete authentication mechanism for the service, right?), or else all IIS authentication options should be turned off.
But I see that it does matter. Because if I want to execute a '/api/Register' POST method, it only works if I have anonymous authentication turned ON. If I turn it off, I get a 401.2 Unauthorized result.
But it seems so illogical / unsafe to me to keep the anonymous authentication turned ON. I'd like to turn that off. Or do I have to have it turned on? And if so, why? Am I missing something?
I've also set the authentication method in my web.config to 'None':
(Only thing I changed in my web.config is the database connectionstring.)

ASP.NET web service using forms authentication from a windows app

I have an ASP.NET web service that I can access via a windows program but now I want to secure the web service. I can secure the web service using forms authentication. How do you access the secured web service from a windows forms application?
Although this is not the right approach, it is theoretically possible to use forms authentication in the manner you describe. This could be accomplished by either:
1. Using a WebRequest to send your requests in raw form to the web service. This will involve inspecting the response, extracting the relevant forms-authentication fields, and sending a response back which logs the user in. This will generate a cookie which you must send along with each subsequent response to the service.
2. Generating the FormsAuthentication authentication cookie yourself. This is complex as it involves synchronising the machine key on the calling application, and artificially manipulating the headers being sent to the machine hosting the service.
3. Displaying the forms-authentication form for the user to log in to at the beginning of a session requiring interaction with the web-service. You can then harvest the generated cookie and present it to the service in HTTP headers as in option (2).
As you can see, these methods are highly complex, and are fundamentally a hack to use forms-authentication where it was never intended.
Microsoft intended us to use either Windows authentication, or SSL certs to secure access to ASP.NET web services. See HTTP Security and ASP.NET Web Services on MSDN.
If you are able to use WCF, then a few more options present themselves, including the ability to build a custom authentication mechanism into the SOAP, with some support from WCF.
For the most part, securing web services is one of the trickiest parts of the job. Many live solutions which I have seen are compromises such as the ones above.
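The handshake in option (1) above, as an added example that is not code from the answer: `site()` is a tiny in-process stand-in for an ASP.NET site with forms authentication (not IIS and not the real FormsAuthentication class), kept only to show both sides of the exchange; it mirrors the default cookie name .ASPXAUTH and the /login.aspx?ReturnUrl=... redirect. MACHINE_KEY and the USERS entry are constructed sample values. The client side shows the three steps the answer lists: the redirect, the POST that earns the cookie, and the explicit relay of that cookie on the retried call.

```python
"""
Added example: forms-authentication handshake from a non-browser client.
Server side is a constructed stand-in, not ASP.NET; credentials are samples.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# ---- stand-in for the secured site (constructed) ----
MACHINE_KEY = secrets.token_bytes(32)     # stands in for <machineKey>
USERS = {"alice": "correct horse"}        # constructed sample credential

def _ticket(user):
    """Opaque MAC-protected ticket; a real .ASPXAUTH ticket is also encrypted."""
    return user + ":" + hmac.new(MACHINE_KEY, user.encode(), hashlib.sha256).hexdigest()

def _valid_ticket(value):
    user, _, mac = value.partition(":")
    return user in USERS and hmac.compare_digest(mac, _ticket(user).partition(":")[2])

def _cookies(headers):
    """Parse the Cookie request header into a dict."""
    out = {}
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out

def site(method, url, headers=None, body=""):
    """Answer one request as (status, headers, body) like a forms-auth site."""
    headers = headers or {}
    parsed = urlparse(url)
    if parsed.path == "/login.aspx" and method == "POST":
        form = parse_qs(body)
        user = form.get("username", [""])[0]
        if USERS.get(user) == form.get("password", [""])[0]:
            return_url = parse_qs(parsed.query).get("ReturnUrl", ["/"])[0]
            # HttpOnly + Secure: the ticket is a bearer credential for the session
            set_cookie = ".ASPXAUTH=" + _ticket(user) + "; Path=/; HttpOnly; Secure"
            return 302, {"Location": return_url, "Set-Cookie": set_cookie}, ""
        return 200, {}, "<html>login failed</html>"
    ticket = _cookies(headers).get(".ASPXAUTH")
    if ticket and _valid_ticket(ticket):
        return 200, {"Content-Type": "text/xml"}, "<string>Hello World</string>"
    # no valid ticket: redirect to the login form, as forms authentication does
    return 302, {"Location": "/login.aspx?" + urlencode({"ReturnUrl": parsed.path})}, ""

# ---- the client side of the handshake ----
def call_service(username, password, path="/Service.asmx/HelloWorld"):
    """GET the method; if redirected to the login form, POST credentials,
    capture the ticket cookie and retry with it. Returns the body or None."""
    status, hdrs, body = site("GET", path)
    if status == 302 and hdrs["Location"].startswith("/login.aspx"):
        status, hdrs, body = site(
            "POST", hdrs["Location"],
            body=urlencode({"username": username, "password": password}))
        if "Set-Cookie" not in hdrs:
            return None                          # login rejected, no ticket issued
        jar = SimpleCookie()
        jar.load(hdrs["Set-Cookie"])
        # the cookie must be relayed by hand on every later call
        cookie_header = "; ".join(f"{k}={m.value}" for k, m in jar.items())
        status, hdrs, body = site("GET", hdrs["Location"], {"Cookie": cookie_header})
    return body if status == 200 else None

if __name__ == "__main__":
    print(call_service("alice", "correct horse"))
    print(call_service("alice", "wrong"))
```

Against a real site the `site()` calls become `HttpWebRequest`/`WebRequest` round trips with redirects disabled, which is exactly the "inspect the response, extract the fields, send the cookie along" work the answer calls a hack; the ticket cookie is a bearer credential, so the relay only makes sense over TLS.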
It seems the answer is no. Forms authentication is a cookie-based mechanism, and your WinForms app won't be able to hold and relay the cookies (without some serious workarounds, if at all).
A potential workaround that I wrote up when researching your question attempted to use a NetworkCredential object, but that didn't work. Also tried was the ClientCredentials in .NET 4.0.
```csharp
var ss = new MySecureWebService.MyServiceSoapClient();
ss.ClientCredentials.UserName.UserName = "abc";
ss.ClientCredentials.UserName.Password = "123";
string asmxReturn = ss.HelloWorld(); // exception returned here
```
The console app was still presented with the login html page when calling the webmethod.
Other Suggestions
If you have the source to your web service, extract its logic out into an assembly of its own. Reference that assembly in your WinForms app, and it's just as if you're calling the web service.
I understand that your goal is to reuse the app that's deployed, but the next best thing would be to use the same logic/implementation via .dll reference.
This might help: http://dotnetslackers.com/articles/aspnet/Securing-ASP-Net-Web-Services-with-Forms-Authentication.aspx.

Authenticating a Web Service

We are deploying our ASP.NET 3.5 app to a production server for beta testing.
Each page is secured using SSL.
On our homepage (default.aspx) we have web services which populate flash objects.
I am getting an error:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
Also, when using firefox, receive the Windows Login pop up screen.
Does anyone have any clue what or why this is happening?
Much thanks!
I would think that the request from Flash to the secure web services doesn't have credentials or that the secure certificate in the response can't be validated.
Probably both.
So in flash there will probably need to be some code like:
request.Username = "xyz"
request.Password = "***"
or something similar
In .net there is a way to manually override the validation of a certificate for the request. I'm not sure how you would do that in Flash.
I'll update this if I find a sample for the .net way.
Sounds like IIS isn't configured for anonymous access.
If you believe you have it setup correctly (sounds like it isn't), then you might try troubleshooting your connection with Wfetch.
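Both the first question on this page (where the WWW-Authenticate header comes from) and the Flash error quoted above ("The authentication header received from the server was 'Negotiate,NTLM'") come down to reading the 401 challenge that IIS sends when anonymous authentication is disabled. As an added example that is not code from either answer, the parser below extracts the challenge schemes from such a response and reports the observations a defender would want. SAMPLE_401 is a constructed response; its Server and X-Powered-By values are placeholders.

```python
"""
Added example: parse the WWW-Authenticate challenge(s) in a 401 response.
SAMPLE_401 is a constructed response, not captured from a real server.
"""
from email.parser import Parser

SAMPLE_401 = """\
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Content-Length: 0

"""

def split_status_and_headers(raw):
    """Return (status code, header message) for a raw HTTP response text."""
    status_line, _, rest = raw.partition("\n")
    msg = Parser().parsestr(rest)          # headers end at the blank line
    return int(status_line.split()[1]), msg

def _split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_challenges(header_values):
    """Turn WWW-Authenticate values into [(scheme, remainder)].

    Handles one challenge per header, comma-joined lists ('Negotiate,NTLM'),
    token-only challenges ('Negotiate <token68>') and parameterised ones
    ('Basic realm="x", charset="UTF-8"'), where a 'key=value' piece after a
    comma belongs to the previous challenge rather than starting a new one.
    """
    challenges = []
    for value in header_values:
        for piece in _split_outside_quotes(value):
            head, _, tail = piece.partition(" ")
            if "=" in head and challenges:
                challenges[-1][1] = (challenges[-1][1] + ", " + piece).lstrip(", ")
            else:
                challenges.append([head, tail.strip()])
    return [tuple(c) for c in challenges]

def audit_challenge(raw_response):
    """Summarise which schemes a 401 offers, with defender-side observations."""
    status, msg = split_status_and_headers(raw_response)
    schemes = [s.lower() for s, _ in parse_challenges(msg.get_all("WWW-Authenticate", []))]
    findings = []
    if status == 401 and not schemes:
        findings.append("401 without WWW-Authenticate: clients cannot tell how to authenticate")
    if "basic" in schemes:
        findings.append("Basic offered: credentials are only base64-encoded, TLS is mandatory")
    if "ntlm" in schemes and "negotiate" not in schemes:
        findings.append("NTLM offered without Negotiate: Kerberos is never attempted")
    return status, schemes, findings

if __name__ == "__main__":
    print(audit_challenge(SAMPLE_401))
```

The sample response is the shape a raw capture from Wfetch or Fiddler has; feeding such a capture to `audit_challenge` tells you at once whether IIS is still issuing the challenge (anonymous off) and which schemes it offers, which is the first thing to confirm when a non-browser client such as the Flash object reports the 'Negotiate,NTLM' error.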

Accessing .NET Web Service securely from Flex 3

We can successfully consume a .NET 2.0 web service from a Flex/AS3 application. Aside from SSL, how else can we make the security more robust (i.e., authentication)?
You can leverage ASP.Net's built in session management by decorating your webmethods with

```vb
<WebMethod(EnableSession:=True)>
```
Then, inside your method, you can check that the user still has a valid session.
If you're talking about securing the information going over the wire, you can use Web Service Extensions (WSE) to encrypt the body of the soap message so that you don't have to secure the channel. This way the message can get passed around from more than one endpoint (ie. it can get forwarded) and you don't need multiple https certs.
If you're talking about authentication then you could do forms auth with either a password in the body or in the soap headers (once again either encrypt the body or the channel). Or one of the easiest ways to secure a webservice (if it's an internal set of services) is have IIS do it, turn on NTLM and do authentication there. You can do authorization later on in the pipeline with an HTTPModule that checks people's credentials against the code they're trying to call.
Consider using WebOrb to communicate with your service. Here is some information on WebOrb's authentication mechanism. There is also an article on Adobe's developer site on using WebOrb and .Net for authentication.
You should be able to use asp.net's authentication (such as forms authentication) without much extra effort. Securing an asmx file is just like securing an aspx file. There's a ton of information on forms authentication out there, just search for 'asp.net forms authentication'
If you are using Microsoft technologies you could build a little Asp.Net/C# application that would ask for credentials before redirecting to the correct swf.
That way you could restrict the access and have different swf file depending on the user.