IIS site keeps prompting for credentials for Windows Authentication method - windows

I need some help to understand what is the exactly reason I can'g get Windows Authentication working on IIS site for a specific user's group.
What is happening is that even my user being part of the group which I gave access to the site, IE keeps prompting for my credentials and even when I type the password the HTTP response is 401 (Unauthorized).
I'm also not allowed to change IE's settings to add any site to the trusted list (it's blocked by the company). In the other hand, besides the fact that it's blocked, the site domain is listed like
(*.domain.com)
Follow bellow the scenario:
Server: Windows Server 2012
IIS: 8.5
Users: DomainA\MySimpleAdUser, DomainB\ServiceAdUser
Groups: DomainB\MYGROUP (AD Group which contains DomainA\MySimpleAdUser)
IIS_IUSRS (Local Server group which contains DomainB\ServiceAdUser)
Pool Settings
Name: PoolA
Process Model > Identity > DomainB\ServiceAdUser
Settings on Server Level
ASP.NET > .NET Authorization
Allow | Users: All Users | Entity type local
IIS > Authentication
Anonymous Authentication disabled
Windows Authentication Enabled
Extended protection: Off
Enable Kernel-mode authentication: Enabled
Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
Allow | Roles: DomainB\MYGROUP | Entity type local
Settings on Site Level (which runs on a valid SSL certificate on 443 port, this is the only binding)
Pool: PoolA
ASP.NET > .NET Authorization
Allow | Users: All Users | Entity type inherited
IIS > Authentication
Anonymous Authentication disabled
Windows Authentication Enabled
Extended protection: Off
Enable Kernel-mode authentication: Enabled
Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
Allow | Roles: DomainB\MYGROUP | Entity type inherited
Permissions on site root directory
Full control permission to IIS_IUSRS
Read&Execute, List and Read permissions to MYGROUP
Web.config
This is the only configuration line that exists regarding authentication:
<authentication mode="Windows" />
=============================
Observations
I already tried to use my specific user to get access to the site, but stills prompt for the credentials
The only way to get the site up and running is when I allow anonymous access to it.
Please help me to figure out what is missing. I appreciate any help.

There could be an issue with security loopback check. Please find below procedure to disable it.
Click Start, click Run, type regedit, and then click OK.
Backup the registry
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value.
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Quit Registry Editor, and then restart your computer.

I've found that if the authenticated user is not able to read the folders for static content in your web app, it will authenticate you, then deny access.
This can be solved by Granting local_Machine\Authenicated_Users access to the needed resources.
In my case, I added Authenticated_users to the IIS_IUSRS Group and it solved my problem. Be aware that this can also grant any authenticated user to all files and folders available to the IIS_IUSRs group. So be careful that these users cannot access the file system by any other means. A separate group granting NT AUTHORITY\Authenticated_Users just enough rights to read pngs, and static content is the best way to go.
Config: Windows Server 2012 R2 Running IIS 8.5, NET Framework 4.5, with static content enabled.

Related

Setting up a proxy with authentication in web.config for internet access

I need to have my .NET application access the internet, however they only allow me to access the internet through a proxy server with authentication.
On my first attempt I simply configured Internet Options with the proxy and user/pass, it worked, but that configuration only applied to the windows account I was logged with, when someone else logged in with their account they didn't have the proxy setup, plus I think over time it will re-prompt you for the credentials again. So this didn't work.
Second attempt was by following these steps form https://github.com/rollbar/Rollbar.NET/issues/186
using following block in your app.config or web.config file:
<system.net>
<defaultProxy useDefaultCredentials="true">
<proxy proxyaddress="proxyAddress" usesystemdefault="True"/>
</defaultProxy>
</system.net>
and in Credential Manager >> Add a Generic Credential
Internet or network address: your proxy address
User name: your user name
Password: you pass
Again, no luck, I still get asked for authentication:
Inner Exception:
Type Of Exception: System.Net.WebException
Source Of Exception: System
Target Site: GetRequestStream
Exception Message: The remote server returned an error: (407) Proxy Authentication Required.
What am I missing on my approaches? is there a way to propagate the proxy settings to any account/caller from my first attempt? Am I missing something on my second attempt?
Thanks.
A RollbarConfig object supports the following properties for proxy related settings: ProxyAddress, ProxyUsername, ProxyPassword for providing custom proxy settings. The same properties can be configured via either XML or JSON config file as well (as proxyAddress, proxyUsername, proxyPassword)

Using windows authentication for database connection - Which user is used?

I have am ASP.NET Web API application that currently makes use of SQL Authentication when connecting to the database. I would like to change the connection to using Windows Authentication. In doing so, how do I specify the user that the web app, and therefore the database access, makes use of? I am using IIS v8.5.9600.16384
I can't say I agree with using integrated for the applications DB access as it makes security a bit more challenging as well as the coding issues tied to always having to deal with the possibility of different priv's for each user but obviously I don't know all the requirements of your situation.
So to answer your question:
If your connection string is set to Intergated Security the identity of the executing thread is used to provide the credentials.
By default the identity of the ASP.NET Worker Process will be the network credentials tied to the identity.
You can view the credentials like this:
IPrincipal threadPrincipal = Thread.CurrentPrincipal;
Console.WriteLine("Name: {0}\nIsAuthenticated: {1}" +
"\nAuthenticationType: {2}",
threadPrincipal.Identity.Name,
threadPrincipal.Identity.IsAuthenticated,
threadPrincipal.Identity.AuthenticationType);
You may set the identity via impersonation in the web.config or programatically.
Web.config:
<identity impersonate="true" userName="accountname" password="password" />
Code: (using the creds of the HttpContext user) this assumes that IIS is using integrated too
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
//User is the HttpContext.User
//Insert your code that runs under the security context of the authenticating user here.
impersonationContext.Undo();
You will have to turn off Anonymous Authentication and enable Windows Authentication via IIS Manager.

How to access admin.directory.group via OAuth2 in a cron job?

I am trying (and failing) to use OAuth2 to make calls to the admin.directory.group scope via a command line script. I tried configuring a Service Account to do this, but get this error message:
Error calling GET https://www.googleapis.com/admin/directory/v1/groups/foo%40example.com: (403) Not Authorized to access this resource/api
I also tried using an "Installed" application type, taking the manual step of obtaining an authorization code and subsequently a refresh token, but got the same Not Authorized error.
I do have "Enable API access" checked, and also have "Admin SDK" enabled in my project (though oddly it doesn't list admin.directory.group as one of Admin SDK's scopes).
What am I doing wrong?
Have you add the client ID in your Admin Console to grant Admin SDK third party client oauth access?
Here is an instruction on how to do that for task API:
https://developers.google.com/google-apps/help/articles/2lo-in-tasks-for-admins#manage
It should be similar for Admin SDK except you will have to put Admin SDK as the scope
I finally got this to work using a service account. I did have to grant 3rd party access as Emily Lam suggested, but by a different means:
Log in to admin console
Security -> Advanced settings -> Authentication ->
Mange third party OAuth Client access
Authorize a new client by setting the Client Name to the Client ID of the service account, and the the API scope to whatever you need from the Admin SDK (e.g., https://www.googleapis.com/auth/admin.directory.group)
The other thing I needed to do was make sure my request was being made on behalf on an administrative user. Using the PHP API, setting up the credentials object looks like this:
$cred = new Google_Auth_AssertionCredentials(
$clientEmail,
'https://www.googleapis.com/auth/admin.directory.group',
file_get_contents($keyFile));
$cred->sub = 'admin#example.com';
Now I am able to successfully make calls using the Google_Service_Directory class.

Session lost during impersonation

I use SonataAdminBundle with configured sonata_user in config.yml:
sonata_user:
impersonating:
route: _profile_logged
# more config
I have my admin panel under /admin prefix. I've configured UserAdmin (based on User entity) with impersonating field. I've tried to go to impersonate user by clicked link in my admin panel and I saw application (not admin panel) login page.
I checked developer toolbar and I noticed that request for impersonate user was redirected to login page. It's quite strange, because this request has mostly same parameters like previous one (for user list in admin panel). Especially Request Cookies section is identical.
I noticed one difference in Request Headers: first one request (for user list in admin panel) send cache-control max-age=0 but second one (for impersonate) dosen't.
Obviously, I logged to admin panel on user with full permissions (particularly ROLE_ALLOWED_TO_SWITCH).
So, how can I do impersonate directly from admin panel? What could be wrong in my app?
Can you try using config.yml:
sonata_user:
...
impersonating:
route: sonata_admin_dashboard
And in security.yml:
security:
...
firewalls:
...
admin:
...
switch_user: true
These work for me.
I detected a problem:
4. Multiple firewalls don't share security context form docs: http://symfony.com/doc/current/book/security.html#book-security-common-pitfalls
And found sollution:
Firewall Context from docs: http://symfony.com/doc/current/reference/configuration/security.html#reference-security-firewall-context
So, define firewall context is necessary if you have separate firewall for application and admin panel.

IIS 7 and windows authentication from outside the web server's domain

I've deployed my site in IIS 7, and can browse to it fine on the web server.
I've set it to windows authentication (only), and when browsing from outside the domain, I want to be challenged for credentials, and gain access when entering a domain\username & password combination that exists in the AD.
401 - Unauthorized: Access is denied due to invalid credentials. My iis logs
I put a dummy site in IIS and set it to anonymous, I can browse to this no problem also.
I checked that windows auth was installed/set up on the web server, and it is.
What set of config parameters do I need to get this working?
*yes, I know I should use some sort of custom authentication provider with accounts stored in a database, but I don't want to go through that yet.
Thanks for any advice, words of wisdom.
I think your only option is to enable basic authentication. The user should then enter the full domain\username with the password. Beware though that basic authentication uses just base64 which can be very easily decoded. So if you enable basic authentication you have to use SSL/TLS as well.
In Internet Explorer, you can get it to prompt you by: Internet Options > Security > Custom level > User authentication > Logon > Prompt for username and password.

Resources