Windows Authentication Only Works With hosts entry - asp.net

I'm setting up a (ASP.NET) website to be used internally at my company. In IIS, I've turned on Integrated Windows authentication and turned off anonymous access. Once I've done this, the website pops up the "enter your username/password" box whenever you visit the site, but won't log you in even if the username/password are correct. This happens even if you're logged in to your computer with a domain account as opposed to a local account.
However, if I enter the IP of the site in my hosts file, the site works perfectly (logs the user in without the additional challenge).
I guess I have two questions.
1) Why does the hosts entry have this effect?
2) How can I get the site to succeed without a) forcing everyone to edit their hosts file or b) the site challenging them and failing to log them in?
EDIT: I checked, and we do have our DNS server set up to point those URLs to the correct servers. That's why pinging the URL displays the right IP. However, it appears that in addition to having that DNS entry, we also have to have the hosts file entry for the site to work.

You probably are having an issue with Kerberos authentication.
Since you're using a url of Site.DomainName.com, I'm assuming DomainName.com is your AD's name also.
On the server that's running IIS, copy SetSPN.EXE from the resource kit tools and run the following:
setspn -A http/site.domainname.com IISServerName
Where SITE is your URL and IISServerName is the name of the server.

This sure sounds like a dns problem. Does the dns server know about the hostname you are using? Sounds like the dns server does not know the forward lookup (hostname to ip) for the host you are trying to connect to.

We recently set up an intranet site with windows authentication here. The network guys set up a group policy and pushed changes to IE and Firefox.
For IE, it added the site to "Intranet Sites" and for Firefox it modified the configuration file so that our intranet..com would be trusted.

So... we got it to work. Here's what happened.
While looking around at the DNS Manager on test.DOMAINNAME.com, my coworker noticed that a different site on the same server was set up as a "Host (A)" entry, whereas the site we were working on was set up as an "Alias (CNAME)" entry. Several other sites on that computer were also set up as Alias entries, and he mentioned that the one site with the Host entry was "rock-solid", and he'd had sporadic issues with at least one other site that was set up as an Alias.
We talked to the AD/DNS admin, and as a test, he switched our entries from Alias to Host, and once we cleared our local DNS caches, it worked perfectly (without requiring entries in our .hosts file).
So the question still sorta stands. This was a Win2k3 box serving as one of three internal DNS servers, and making this modification fixed our problem. If anyone can add any additional information, we'd be very grateful, but in the meantime, we're debating going back and fixing all our other sites.

Related

How do I give access to another computer on my network, to my website hosted locally?

We have a local instance of IIS 7 running with a website. Instead of the default "localhost" we have something like, mysite.compname.com. This is a separate entry into IIS 7 and the default website was removed to prevent confusion.
Then in our host file we have an entry like this:
127.0.0.1 mysite.compname.com
Now when I try to hit this url, http://127.0.0.1/ApplicationName/Project/AddProject.aspx technically it should work, but instead I get a 404. I can vouch that this isn't a problem with the application, because if I navigate to http://mysite.compname.com/ApplicationName/Project/AddProject.aspx it works fine.
My end goal is to be able to give someone my computer name, so that they can visit a test page, so the url above I think would get turned into this http://computername/ApplicationName/Project/AddProject.aspx. Any help or at least links to understanding would help because I'm not sure where my issue is coming from.
It sounds like the IIS site / application is configured using a Host Header.
This means that the site will only respond if the host header sent by the browser matches the one configured for the site.
This is a standard method to allow one server to host sites for many host and domain names.
If you wish to allow others to view the site on your computer you will need to either have a local DNS server which you can edit, or, probably the easiest option, get them to edit their host files to include
<your IP> mysite.compname.com.
Remember to open the requisite ports (probably only 80, maybe 443 for https) in your firewall.
Or, you can try to edit the site config to remove or modify the Host Header requirement. See the first link for details, but be careful, it's easy to break things if you don't know the entire architecture of the site.

IIS website inaccessible from server (but ok from outside)

On a server where an IIS website is hosted, if I open IE or Firefox and type the IIS website url, I get an error after a few seconds ("Cannot display the webpage", just like website would be offline). If I do the same from the exterior (as normal user do) everything works.
I have tried to give the IP address directly (thus skipping DNS), problem is the same. It only works if I type the internal ip address of the IIS website (eg : 10.0.0.x).
The reason I want to do that is that I need to access a specific page of the website in order to execute a scheduled task. I cannot use internal ip address to do that, because host name (HttpContext.Current.Request.Url.Host) is used inside ASP.NET code to switch between different configuration.
Here is my question : is it possible to access a specific page on a IIS website from server where website is hosted ? (using complete url, not internal ip address ?)
Yes - If I understand your question correctly you should be able to add a mapping in your local hosts file to point that domain at your IIS webserver.
e.g.
10.0.0.x my.example.hostname
(where x is obviously a number)
We use this configuration internally when developing multiple sites on our local machines - each site is bound to a specific hostname and all these hostnames have mappings in the 'hosts' file to 127.0.0.1
The same principle applies here, if I've understood the question correctly :)

Website accessible from everywhere except for client's network

My client has a website that is showing some strange behavior. The site is built in ASP.Net and used to be hosted on their internal network. It's now been moved to a different server outside their network. They have other sites hosted on the same server, some built using DotNetNuke, and some classic ASP. All these sites are hosted on one application server, with a database (SQL Server 2008) on a separate server (which is on the same network as the application server). They share the application server, and the database server.
Now that this site has been moved to the outside server, they can't access it. I can, and so can others that I work with (from different IPs, across the country). But the client can't from their network. They can access the landing page subsite.clientdomain.com (no db access), but nothing else. So, for instance, there's a link to subsite.clientdomain.com/folder. When they click that link, the URL changes to subsite.com/folder, which does not work. For myself and others not at the client site, the URL does not change and opens with no problems.
I didn't write the site, and didn't even know it existed before this problem cropped up, so I know very little more than this. Any help is appreciated.
I'm going to go with Martijn B's answer. There's a DNS issue on the internal network. Somewhere on one of the DNS servers is a definition that maps http://companywebsite to an ip address like 192.168.1.20 or whatever.
I would open a command prompt on your PC and type
ping new_website_name.com
Take a look at the IP address that comes back. You can also do an nslookup on new_website_name.com that will give you more information. If you (person A) get one IP address and Person B (inside the network) gets a different IP address....there is definitely a DNS issue on the internal network.
You're going to have to do some network tracing to determine exactly where any redirection is occurring. Given that the problem is only manifested in certain locations, it is likely that it is a function of network configuration in that location (as previously suggested). Without understanding exactly what redirection is occurring, it would be unwise to make configuration changes that might make the problem worse or introduce new issues.
A DNS server cannot AFAIK redirect to a different URL. So something is redirecting from subsite.clientdomain.com/folder to subsite.com/folder, which could be caused by a HTTP redirect. This can be triggered by the software/website itself or by IIS.

authentication issue with an intranet website running under IIS6

I have an intranet website running under IIS6 (under a specific port, not the default one) with integrated windows authentication enabled, and it uses an application pool configured with a service account. The issue is, if I access the website using the server name with a fully qualified domain in the URL, it throws a login prompt (doesn't work even if I enter my windows login credentials), but if I use the IP address of the server then it works fine. Please let me know what I need to do to get the URL with server name working.
for example http://servername:8080/default.aspx throws login prompt, but http://ip address:8080/default.aspx works fine
I am experiencing the same problem. I believe it is something to do with Kerberos authentication mechanism. If it resorts to NTLM it will work (which it does when using an IP address). Kerberos requires an SPN registered on Active Directory for it to work. Kerberos also won't allow you to have application pools running under different accounts but with the same server name. In these situations you should have an alternate name for the site and register that with Kerberos. However, I haven't actually resolved the issue yet so these are just suggestions.
Two possible problems come to my mind:
1) The DNS server in your network is not resolving servername to an IP
   a) Run Ping servername from the command line to check if the name brings the IP expected
   b) Edit the C:\Windows\System32\drivers\etc\hosts file and add the server name and IP address
2) The Bindings in IIS6 do not expect servername
   a) Make sure that servername is included in the list or the Host Header Name field is empty
I had exactly these symptoms when the web server had its IP address changed due to a new internal IP addressing scheme. Pass through authentication worked from the webserver itself but not from any other system. From other systems, using the host name in the URL caused IE to prompt for credentials which were always rejected, using the IP address in the URL caused IE to prompt for credentials which were accepted. After chasing a lot of red herrings we suspected that the server was caching credentials against the old IP address, so we rebooted the server and it all came right.
Try this. I had exactly same problem and it fixed it for me (I'm the linked thread)
I set my AuthenticationProvider for my website to "NTLM, Negotiate"
Following these instructions:
http://support.microsoft.com/kb/215383
With a slight change to their instruction to set provider of course
mine:
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM, Negotiate"
You can get the Website ID by clicking on the "Web Sites" folder on the left in IIS. This should list all your websites with their ID.
Thanks to Nick's answer that led me to it
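Several answers in this thread hinge on whether the browser authenticated with Kerberos or fell back to NTLM. As an added example (not code from any of the posts), the following classifies the token in a captured `Authorization` header by its leading bytes; the sample headers are constructed and truncated, and all function and variable names are made up here.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_authorization(header_value):
    """Label the mechanism carried in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other scheme: " + scheme
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed token"
    # An NTLM message carries this signature, raw or wrapped in SPNEGO.
    pos = token.find(NTLMSSP_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        wrapped = " inside SPNEGO" if pos > 0 else ""
        return f"NTLM {NTLM_TYPES.get(msg_type, 'unknown')}{wrapped}"
    # A GSS-API initial token starts with 0x60; Kerberos is named by its OID.
    if token[:1] == b"\x60" and KRB5_OID in token:
        return "Kerberos" + (" via SPNEGO" if SPNEGO_OID in token[:16] else "")
    if token[:1] == b"\xa1":
        return "SPNEGO continuation"
    return "unrecognised token"

def sample_header(scheme, raw):
    """Build a constructed header value from raw token bytes."""
    return f"{scheme} {base64.b64encode(raw).decode()}"

# Constructed, truncated tokens: only the leading bytes are realistic.
SAMPLES = [
    sample_header("NTLM", NTLMSSP_SIG + struct.pack("<I", 1) + b"\x07\x82\x08\xa2"),
    sample_header("Negotiate", b"\x60\x28" + SPNEGO_OID + b"\xa0\x1e"
                  + NTLMSSP_SIG + struct.pack("<I", 1)),
    sample_header("Negotiate", b"\x60\x82\x05\x00" + SPNEGO_OID
                  + b"\xa0\x82\x04\xf0" + KRB5_OID + bytes(16)),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_authorization(s), "<-", s[:32] + "...")
```

A header that classifies as NTLM when the site is reached by host name indicates the Kerberos path was not taken for that name.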

Why can I see my website even though it's down?

I'm wondering if anyone knows how this happens? My website is down, but every computer on my internet connection/router can see it. I've cleared my cache etc, but another computer in the house shouldn't be seeing a site that's offline. How weird?
It's hosted remotely, not on my network or anything.
The first question to ask yourself is, how certain are you that it's down? If computer A can access it and computer B cannot, either one could be "right":
The site could be down, and computer A could be looking at a cached version from the ISP.
The site could be up, but computer B could be having general internet connectivity problems, or problems accessing this site in particular (bad DNS cache, etc.)
One way to tell is to add some new content to the site (via FTP or an in-place content management system like wordpress, for example) and see if the computer that can access it (computer A) can see the changes. If so, then you're looking at a "live" site, where the pages are being served directly from the server. (If the server is active and runs web software like PHP or ASP, then that would be another way to "prove" that the site is up and running).
Do you know the IP address of your web server?
Do you have direct access to the Internet on port 80?
Tell if your server is up or down by doing the following
telnet 255.255.255.255 80
Where 255.255.255.255 is your web server's IP address. On windows the screen will go blank if the server answers. Then type
GET / HTTP/1.0
And hit enter twice. You should see the content of your default page. If you're running as a virtual host, you'll probably need to use HTTP/1.1 and the Hostname tag.
GET / HTTP/1.1
Host: www.yourservername.com
There is one return after HTTP/1.1 and two returns after your hostname. If you get content (the correct content) back from your web server it is definitely not down. If the server fails to connect then your web server is really down, and the content your computers are seeing could be any of the following:
local page cache
local proxy server
ISP proxy server
local ARP poisoning attack redirecting you to attacker's local web server which mirrored your site.
DNS poisoning to direct your browsers to someone else's web server which mirrored your site.
If your site is up, but geographically separated folks can't see your site, it is most likely a DNS issue or an ISP level routing issue.
A good tool to check for DNS issues is OpenDNS's CacheCheck. As for the routing issue, the best bet is to call your web hosting company and see if they've had any other complaints from their other customers, or if they are currently working on a routing issue.
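The host-header behaviour described in the IIS 7 answer earlier on this page and the manual telnet check above can be reproduced locally. This is an added example, not code from any of the posts: a loopback server stands in for a site bound to one host name (the handler and helper names are constructed), and `probe` sends the same raw request by IP with a chosen Host header.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a site bound to a single host header.
BOUND_HOST = "mysite.compname.com"

class HostBoundHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        # Drop an optional :port, then compare case-insensitively to the binding.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        ok = host == BOUND_HOST
        body = b"site content\n" if ok else b"no site bound to this host\n"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_demo_server():
    server = HTTPServer(("127.0.0.1", 0), HostBoundHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(ip, port, host_header=None, timeout=5.0):
    """Send the raw request by IP, as in the telnet steps; return the status code."""
    lines = ["GET / HTTP/1.1"]
    if host_header:
        lines.append(f"Host: {host_header}")
    lines.append("Connection: close")
    request = "\r\n".join(lines) + "\r\n\r\n"
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        reply = b""
        while chunk := sock.recv(4096):
            reply += chunk
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return int(status_line.split()[1])

if __name__ == "__main__":
    srv = start_demo_server()
    ip, port = srv.server_address
    for name in (BOUND_HOST, "127.0.0.1", "computername"):
        print(f"Host: {name:<22} -> {probe(ip, port, name)}")
    srv.shutdown()
```

The same TCP endpoint answers 200 or 404 depending only on the Host header, which is why a request by IP or bare computer name can fail while the bound name works.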
Internet provider cache maybe.
What DNS servers are your friends using? Same as yours?
Your ISP is probably caching the content.
I know it's down because I asked my friends in other locations to look at it. Then I ran a test using this site I found.
http://www.websitepulse.com/help/tools.php
I'm switching hosts and we're dealing with my main domain name. That's the other reason I expected this interruption. I just want to know when it's finally switched.
Is ISP cache a bad thing?
