I need to have my .NET application access the internet, however they only allow me to access the internet through a proxy server with authentication.
On my first attempt I simply configured Internet Options with the proxy and user/pass, it worked, but that configuration only applied to the windows account I was logged with, when someone else logged in with their account they didn't have the proxy setup, plus I think over time it will re-prompt you for the credentials again. So this didn't work.
Second attempt was by following these steps form https://github.com/rollbar/Rollbar.NET/issues/186
using following block in your app.config or web.config file:
<system.net>
<defaultProxy useDefaultCredentials="true">
<proxy proxyaddress="proxyAddress" usesystemdefault="True"/>
</defaultProxy>
</system.net>
and in Credential Manager >> Add a Generic Credential
Internet or network address: your proxy address
User name: your user name
Password: you pass
Again, no luck, I still get asked for authentication:
Inner Exception:
Type Of Exception: System.Net.WebException
Source Of Exception: System
Target Site: GetRequestStream
Exception Message: The remote server returned an error: (407) Proxy Authentication Required.
What am I missing on my approaches? is there a way to propagate the proxy settings to any account/caller from my first attempt? Am I missing something on my second attempt?
Thanks.
A RollbarConfig object supports the following properties for proxy related settings: ProxyAddress, ProxyUsername, ProxyPassword for providing custom proxy settings. The same properties can be configured via either XML or JSON config file as well (as proxyAddress, proxyUsername, proxyPassword)
Related
I need some help to understand what is the exactly reason I can'g get Windows Authentication working on IIS site for a specific user's group.
What is happening is that even my user being part of the group which I gave access to the site, IE keeps prompting for my credentials and even when I type the password the HTTP response is 401 (Unauthorized).
I'm also not allowed to change IE's settings to add any site to the trusted list (it's blocked by the company). In the other hand, besides the fact that it's blocked, the site domain is listed like
(*.domain.com)
Follow bellow the scenario:
Server: Windows Server 2012
IIS: 8.5
Users: DomainA\MySimpleAdUser, DomainB\ServiceAdUser
Groups: DomainB\MYGROUP (AD Group which contains DomainA\MySimpleAdUser)
IIS_IUSRS (Local Server group which contains DomainB\ServiceAdUser)
Pool Settings
Name: PoolA
Process Model > Identity > DomainB\ServiceAdUser
Settings on Server Level
ASP.NET > .NET Authorization
Allow | Users: All Users | Entity type local
IIS > Authentication
Anonymous Authentication disabled
Windows Authentication Enabled
Extended protection: Off
Enable Kernel-mode authentication: Enabled
Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
Allow | Roles: DomainB\MYGROUP | Entity type local
Settings on Site Level (which runs on a valid SSL certificate on 443 port, this is the only binding)
Pool: PoolA
ASP.NET > .NET Authorization
Allow | Users: All Users | Entity type inherited
IIS > Authentication
Anonymous Authentication disabled
Windows Authentication Enabled
Extended protection: Off
Enable Kernel-mode authentication: Enabled
Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
Allow | Roles: DomainB\MYGROUP | Entity type inherited
Permissions on site root directory
Full control permission to IIS_IUSRS
Read&Execute, List and Read permissions to MYGROUP
Web.config
This is the only configuration line that exists regarding authentication:
<authentication mode="Windows" />
=============================
Observations
I already tried to use my specific user to get access to the site, but stills prompt for the credentials
The only way to get the site up and running is when I allow anonymous access to it.
Please help me to figure out what is missing. I appreciate any help.
There could be an issue with security loopback check. Please find below procedure to disable it.
Click Start, click Run, type regedit, and then click OK.
Backup the registry
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value.
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Quit Registry Editor, and then restart your computer.
I've found that if the authenticated user is not able to read the folders for static content in your web app, it will authenticate you, then deny access.
This can be solved by Granting local_Machine\Authenicated_Users access to the needed resources.
In my case, I added Authenticated_users to the IIS_IUSRS Group and it solved my problem. Be aware that this can also grant any authenticated user to all files and folders available to the IIS_IUSRs group. So be careful that these users cannot access the file system by any other means. A separate group granting NT AUTHORITY\Authenticated_Users just enough rights to read pngs, and static content is the best way to go.
Config: Windows Server 2012 R2 Running IIS 8.5, NET Framework 4.5, with static content enabled.
I'm getting this error when I try and access my website:-
HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers.
Most likely causes:
• No authentication protocol (including anonymous) is selected in IIS.
• Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
• Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
• The Web server is not configured for anonymous access and a required authorization header was not received.
• The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.
Things you can try:
• Verify the authentication setting for the resource and then try requesting the resource using that authentication method.
• Verify that the client browser supports Integrated authentication.
• Verify that the request is not going through a proxy when Integrated authentication is used.
• Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.
• Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Detailed Error Information:
Module UrlAuthorizationModule
Notification AuthorizeRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x80070005
Physical Path D:\Logs
Logon Method Anonymous
Logon User Anonymous
More Information:
This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client.
View more information »
Microsoft Knowledge Base Articles:
• 907273
• 253667
I have to use Anonymous authentication only, can anyone help please?
This unbelievably vague question and answer actually led me to the proper solution for the specific problem of HTTP 401.2 Unauthorized against an Anonymous Authentication resource in IIS. The "Authorization Rules" element within IIS allows a explicit Allow/Deny entries, with an explicit option for "All Anonymous Users." Specifying this solved an access problem I spent the better part of a day trying to resolve, and I thought I'd add the additional detail here.
For me, the solution was to go into IIS Manager, select the website, right-click on Authentication, select Open Feature, and then enable Anonymous Authentication.
This SO question has more possible solutions since it seems that there's a myriad of different reasons:- HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers
Ok, Finally i got solution to my problem.
'Authorization Rules' were not set up on system.
I setup required 'Authorization Rules' and able to browse site successfully.
I have written below code to access a web page and run in Ubuntu.
How do I fix this? I have tried suggested fixes from all over the internet, but still can't figure out a solution.
A 407 response means "Proxy Authentication Required", as described here.
Now you appear to be setting a proxy user and password in the System properties, but it is apparently not working. I can think of a couple of explanations:
You could be setting the properties too late. Those properties are read by the default ProxySelector and Authenticator as they are initializing. If you set them too late, then they won't be respected. Try setting the properties using -D... options.
You could be using the wrong proxy username and password.
The proxy could be expecting the proxy authentication details in a different form than they are being supplied. Take a look at the headers in the response for the failed request. There should be a "Proxy-Authenticate" header that includes a "challenge".
If this approach doesn't work, another alternative would be to implement the proxy selection and authentication programatically by implementing and registering your own ProxySelector and Authenticator classes.
FOLLOWUP
I included the ProxyAuthenticator class and now, "java.net.ProtocolException: Server redirected too many times (20)" is thrown.
Somehow, your application has gotten into a redirection loop.
I'm still not convinced that you set the proxy properties early enough.
I am working on ASP.NET 4.0 MVC3 web application that works in intranet environment. The application makes use of Windows authentication. Its application pool is run by domain user that has spn set on a domain controller. Authentication works using Kerberos (on IE and Firefox after some additional configuration).
Now I want to upload files to sharepoint, but it's important for me to upload the file as the user currently logged in into the application (so the file is created on Sharepoint with his/her credentials).
I have the following code in ResourceExists(Uri uri) function:
'...
Dim identity As System.Security.Principal.WindowsIdentity = HttpContext.User.Identity
Dim impersonationContext = identity.Impersonate()
response = request.GetResponse()
impersonationContext.Undo()
'...
This works when running locally, but when I deploy to the server I get the exception:
System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n at WebDav.WebDavClient.ResourceExists(Uri uri)\r\n at Website.Website.WebdavController.Upload(HttpPostedFileBase file, UploadViewModel vm)
I read something about passing on the credentials, that is not possible with NTLM, but I am sure I am using Kerberos (I checked the headers with wireshark and fiddler) and I see the following:
Authorization: Negotiate YIIFpQYGKwYBBQUCoIIFmTCCBZWgJDAiBgkqhkiC9x...
Any ideas why the impersonation does not work when running on the IIS server?
I found the answer here:
http://support.microsoft.com/kb/810572
"Kerberos does not work in a load-balanced architecture and IIS drops back to NTLM authentication. Because you cannot use NTLM for delegation, any applications or services that require delegation do not work. For more information, click the following article number to view the article in the Microsoft"
And that was exactly the case. I tried now with another machine that is not load-balanced and it works.
The only thing that still surprises me is that ImpersonationLevel of the identity is still Impersonate not Delegate...
After setting <identity impersonate="true"/> in your web.config try the following:
using (((WindowsIdentity)User.Identity).Impersonate())
using (var client = new WebClient { Credentials = CredentialCache.DefaultNetworkCredentials })
{
string result = client.DownloadString("http://sharepoint");
}
you need to configure your site correctly in IIS for impersonation to work.
see Configure ASP.NET Impersonation Authentication (IIS 7)
I've deployed my site in IIS 7, and can browse to it fine on the web server.
I've set it to windows authentication (only), and when browsing from outside the domain, I want to be challenged for credentials, and gain access when entering a domain\username & password combination that exists in the AD.
401 - Unauthorized: Access is denied due to invalid credentials. My iis logs
I put a dummy site in IIS and set it to anonymous, I can browse to this no problem also.
I checked that windows auth was installed/set up on the web server, and it is.
What set of config parameters do I need to get this working?
*yes, I know I should use some sort of custom authentication provider with accounts stored in a database, but I don't want to go through that yet.
Thanks for any advice, words of wisdom.
I think your only option is to enable basic authentication. The user should then enter the full domain\username with the password. Beware though that basic authentication uses just base64 which can be very easily decoded. So if you enable basic authentication you have to use SSL/TLS as well.
In Internet Explorer, you can get it to prompt you by: Internet Options > Security > Custom level > User authentication > Logon > Prompt for username and password.