We are deploying our ASP.NET 3.5 app to a production server for beta testing.
Each page is secured using SSL.
On our homepage (default.aspx) we have web services which populate flash objects.
I am getting an error:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
Also, when using firefox, receive the Windows Login pop up screen.
Does anyone have any clue what or why this is happening?
Much thanks!
I would think that the request from Flash to the secure web services doesn't have credentials or that the secure certificate in the response can't be validated.
Probably both.
So in flash there will probably need to be some code like:
request.Username = "xyz"
request.Password = "***"
or something similar
In .net there is a way to manually override the validation of a certificate for the request. I'm not sure how you would do that in Flash.
I'll update this if I find a sample for the .net way.
Sounds like IIS isn't configured for anonymous access.
If you believe you have it setup correctly (sounds like it isn't), then you might try troubleshooting your connection with Wfetch.
Related
I have IIS 8.5.9600.16384 running on Windows Server 2012R2 and a website configured as application with separate application pool.
In IIS Authentication only "Anonymous Authentication" is enabled. To perform authentication, my site uses it's own login prompt and calls a .net core backend with basic schema, something like
POST /mycorebackend/login
with http header
Authorization: Portal base64encoded_username_and_password_here
Everything works just fine if authentication is successful and backend responds with HTTP OK.
But if backend returns 401 Unauthorized I've got pop-up from IIS asking me to provide credentials, like I'm trying to access a folder with some content, but I'm not.
I just need to get my 401 error and continue my js execution without any prompts.
Can anyone help or at least give a me hint where to search for?
I think this may be related to IIS-kestrel integration or so... For some reason IIS tries other schemes or so...
Thank you
I think you are looking for these settings. that should resolve it
I am playing with Asp.Net Web Api 2 creating a REST service with token authentication (under normal IIS 7.5, not express). Therefore, I've used the standard generated template that comes with Visual Studio 2015.
I understand the concept and the code too, did some testing wth Fiddler, getting the token, try to register etc. and I like the approach.
But there's 1 thing I don't understand and I miss that in about every article I've read about it:
what should be the IIS authentication setting(s) for the service?
By default, anonymous authentication is turned on and the other options
(forms, windows, basic) off.
If I understood correctly it shouldn't matter (because the OAuth Authorization Server and OWIN in the WebApi service should take over the complete authentication mechanism for the service, right?), or else all IIS authentication options should be turned off.
But I see that it does matter. Because if I want to execute a '/api/Register' POST method, it only works if I have anonymous authentication turned ON. If I turn it off, I get a 401.2 Unauthorized result.
But it seems so unlogic / unsafe to me to keep the anonymous authentication turned ON. I'd like to turn that off. Or do I have to have it turned on? And if so, why? Am I missing something?
I've also set the authentication method in my web.config to 'None':
(Only thing I changed in my web.config is the database connectionstring.)
I'm very new to ASP.NET and I've been struggling trying to get the username of the client sending requests to a web service script on the server side.
After searching online I found two properties that supposedly gives the server page access to the client username;
User.Identity.Name
and then I got another piece of code from an ex-senior colleague who left before figuring this problem out, his function used UserPrincipal.Current.DisplayName
and for both of these I'm getting a blank string.
I've searched for what my problem could be and I'm suspecting it's because I don't authenticate the user on the server side somehow.
I just accessed those two properties/variables directly (UserPrincipal.Current.DisplayName and User.Identity.Name)
can anyone help shed some light on this issue please? I haven't a clue what I'm doing wrong/ not doing.
Your suspicions are correct; you have to explicitly authenticate the user via a built-in .NET mechanism such as Forms Authentication or Windows Authentication for User.Identity to be populated by the framework.
You didn't specify from where the requests are coming (web, windows app, windows service, etc), but this article provides nice overview of getting Forms Authentication set up with asmx.
I have an ASP.NET web service that I can access via a windows program but now I want to secure the web service. I can secure the web service using forms authentication. How do you access the secured web service from a windows forms application?
Although this is not the right approach, tt is theoretically possible to use forms authentication in the manner you describe. This could be accomplished by either:
Using a WebRequest to send your requests in raw form to the web service. This will involve inspecting the response, extracting the relevant forms-authentication fields, and sending a response back which logs the user in. This will generate a cookie which you must send along with each subsequent response to the service
Generate the FormsAuhentication authentication cookie yourself. This is complex as it involves synchronising the machine key on the calling application, and artificially manipulating the headers being sent to the machine hosting the service.
Display the forms-authentication form for the user to log in to at the beginning of a session requiring interaction with the web-service. You can then harvest the generated cookie and present it to the service in HTTP headers as in option (2).
As you can see, these methods are highly complex, and are fundamentally a hack to use forms-authentication where it was never intended.
Microsoft intended us to use either Windows authentication, or SSL certs to secure access to ASP.NET web services. See HTTP Security and ASP.NET Web Services on MSDN.
If you are able to use WCF, then a few more options present themselves, including the ability to build a custom authentication mechanism into the SOAP, with some support from WCF.
For the most part, securing web services is one of the trickiest parts of the job. Many live solutions which I have seen are compromises such as the ones above.
It seems the answer is no. Forms authentication is a cookie-based mechanism, and your WinForms app won't be able to hold and relay the cookies (without some serious workarounds, if at all).
A potential workaround that I wrote up when researching your question attempted to use a NetworkCredential object, but that didn't work. Also tried was the ClientCredentials in .NET 4.0.
var ss = new MySecureWebService.MyServiceSoapClient();
ss.ClientCredentials.UserName.UserName = "abc";
ss.ClientCredentials.UserName.Password = "123";
string asmxReturn = ss.HelloWorld(); //exception returned here
The console app was still presented with the login html page when calling the webmethod.
Other Suggestions
If you have the source to your web service, extract its logic out into an assembly of its own. Reference that assembly in your WinForms app, and it's just as if you're calling the web service.
I understand that your goal is to reuse the app that's deployed, but the next best thing would be to use the same logic/implementation via .dll reference.
This might help: http://dotnetslackers.com/articles/aspnet/Securing-ASP-Net-Web-Services-with-Forms-Authentication.aspx.
We can successfully consume a .NET 2.0 web service from a Flex/AS3 application. Aside from SSL, how else can we make the security more robust (i.e., authentication)?
You can leverage ASP.Net's built in session management by decorating your webmethods with
<EnableSession()>
Then, inside your method, you can check that the user still has a valid session.
If you're talking about securing the information going over the wire, you can use Web Service Extensions (WSE) to encrypt the body of the soap message so that you don't have to secure the channel. This way the message can get passed around from more than one endpoint (ie. it can get forwarded) and you don't need multiple https certs.
If you're talking abut autentication then you could do forms auth with either a password in the body or in the soap headers (once again either encrypt the body or the channel). Or one of the easiest ways to secure a webservice (if it's an internal set of services) is have IIS do it, turn on NTLM and do authentication there. You can do authorization later on in the pipeline with an HTTPModule that checks peoples credential against the code they're trying to call.
Consider using WebOrb to communicate with your service. Here is some information on WebOrb's authentication mecahnism. There is also an article on Adobe's developer site on using WebOrb and .Net for authentication.
You should be able to use asp.net's authentication (such as forms authentication) without much extra effort. Securing an asmx file is just like securing an aspx file. There's a ton of information on forms authentication out there, just search for 'asp.net forms authentication'
If you are using Microsoft technologies you could build a little Asp.Net/C# application that would ask for credentials before redirecting to the correct swf.
That way you could restrict the access and have different swf file depending on the user.