siteminder does not build headers - siteminder

We are running SiteMinder 6 - that's the reason why we cannot ask for SiteMinder support.
We have noticed a strange behavior making a user unable to use the application she had been authorised to.
We have checked the policies, the Apache reverse proxy configuration, the web agent configuration, and all sound ok.
But capturing data between the reverse proxy and the back end application, we noticed that the RP sends no header, although the logs say it does.
Has anybody suffered from a similar issue?
We rebooted the RP, without success.
Thank you for your help.
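One way to confirm what the reverse proxy actually forwards is to point it at a throwaway backend that echoes every request header it receives. This is an added diagnostic, not code from the question; the header names in EXPECTED_HEADERS are an assumption and should be replaced with the response attributes your policy is configured to set.

```python
"""Header-echo backend for checking what a reverse proxy forwards.

Run this on the backend host (or next to it), point the Apache reverse proxy
at it instead of the real application, then compare the printed headers with
what the web agent log claims was sent.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers the web agent is expected to add to the proxied request.
# Assumed list for illustration; adjust to the policy's response attributes.
EXPECTED_HEADERS = ["SM_USER", "SM_SERVERSESSIONID"]


def missing_headers(received, expected=EXPECTED_HEADERS):
    """Return the expected header names absent from `received`.

    Comparison is case-insensitive and treats '-' and '_' as equivalent,
    since proxies commonly rewrite one into the other.
    """
    def norm(name):
        return name.lower().replace("-", "_")
    have = {norm(k) for k in received}
    return [name for name in expected if norm(name) not in have]


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        received = dict(self.headers.items())
        report = {
            "path": self.path,
            "client": self.client_address[0],
            "received": received,
            "missing": missing_headers(received),
        }
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        print(body.decode())  # also log each capture to stdout

    do_POST = do_GET


if __name__ == "__main__":
    # Port 8081 is an arbitrary choice; use whatever the proxy is configured for.
    HTTPServer(("0.0.0.0", 8081), EchoHandler).serve_forever()
```

If `missing` is non-empty while the agent log claims the headers were set, the loss is between the agent and the proxy's outbound request rather than in the application.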

Related

Permissions in Keycloak, where can I allow all clients?

I am new to Keycloak. I have installed a Docker container with Keycloak 19.0.2. Then I created a new realm, client and user, as described in various tutorials.
Now I tried to connect my Spring Boot application with Keycloak. But I always get the error "connection reset".
I have now tested something around and found out something strange.
When I call the URL /realms/rName/.well-known/openid-configuration with Chrome or Edge I see a JSON string; with the same URL in Firefox I get the error "page load error". Insomnia also gets an error: "Error: Failure when receiving data from the peer."
I suspect that my Spring Boot application is also getting this. Now where can I set the permissions in Keycloak to allow everyone to talk to the endpoint?
Many greetings
EDIT: Same situation on the root page, http://localhost:8080/. The welcome site is shown in Edge and Chrome but not in Firefox or Insomnia.
Please excuse my question. I have been able to find the problem. Another process was also listening on the same port. Why there was no error that the port is already in use, I don't know. Now I have set Keycloak to another port and it works with all clients. I wonder that it is technically possible at all, especially why it is program dependent. Well, it works now. Thanks to all who helped.
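An added pre-flight check, not from the thread: before starting a service on a port such as 8080, test whether the port is already bound on IPv4 and IPv6 loopback separately. The assumption behind checking both families (not something the post established) is that a listener bound to only one address family can coexist with a second listener on the other, so a conflict may be invisible to one client and fatal for another.

```python
"""Report whether a TCP port is already taken on IPv4 and IPv6 loopback."""
import errno
import socket


def port_in_use(host, port):
    """Return True if binding host:port fails because the address is taken."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            # EACCES covers ports reserved by the OS (e.g. Windows excluded ranges)
            if e.errno in (errno.EADDRINUSE, errno.EACCES):
                return True
            raise
    return False


def check_loopback(port):
    """Return {'127.0.0.1': bool, '::1': bool}; '::1' is omitted without IPv6."""
    result = {"127.0.0.1": port_in_use("127.0.0.1", port)}
    if socket.has_ipv6:
        try:
            result["::1"] = port_in_use("::1", port)
        except OSError:
            pass  # no IPv6 loopback configured on this host
    return result


def reserve_port():
    """Open a listening socket on an ephemeral IPv4 loopback port.

    Used only to demonstrate the check against a known-busy port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    for addr, busy in check_loopback(port).items():
        print(f"{addr}:{port} -> {'IN USE' if busy else 'free'}")
```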

Why does the Interactive Broker Client Web API fail due to the proxy remote host setting?

The Interactive Broker (IB) has a setting for the proxyRemoteHost which looks like this: "ib.abcd.com". This config won't work unless it's changed to "X.ib.abcd.com", where X = [1-5]. We need to specify a server to make it work. Although this looks good for DEV purposes, in production we don't want to specify the server but instead use the base URL.
The Interactive Broker team has been troubleshooting this issue for a while and has not been able to pinpoint any reason. I would really appreciate it if anyone can help me understand the probable causes behind this issue, so I can give more input to the relevant team to fix it. I can't add the logs due to some sensitive information in them. In the logs, we can see the SSO authentication always fails while using the proxyRemoteHost setting as the base URL ("api.abcd.com") but works when we specify a server ("X.api.abcd.com"). There is no further info in the logs that mentions any reason behind the failure.
We have tested this on latest Chrome and Firefox with CORS enabled. Also, once in a blue moon, it works fine with the base URL which totally surprises me.

Windows authentication box pops up with integrated authentication on web page

I am running two Windows server 2016s with IIS 10.0.14393. One server for staging purposes, and one for production.
The application has one "front-end app" and one "back-end REST API" running on the same IIS server. The front end communicates with the back end (surprise!). The difficulty I am facing is that the staging server works as expected, i.e. no "Sign in" box appears when entering the front-end web page (React). However, on the production server this box pops up.
When the page is loaded, there is JavaScript that fetches some information from the API, and it seems that this async fetch is causing the pop-up to occur (the request is in pending mode until login).
I have studied the configuration of IIS on the two servers but can't seem to find any obvious differences.
Both instances have both Windows authentication and anonymous authentication turned on for both front-end and back-end. I need this as the API has different types of authentication for the endpoints.
Has anyone solved a similar issue?
Thanks
If someone experiences a similar issue the following link may help: https://support.microsoft.com/en-us/help/258063/internet-explorer-may-prompt-you-for-a-password
In my case I was sending the request to the API with the full domain URL. The problem was fixed by just using the machine name (and port in my case) when sending the request. If the whole domain with punctuation is used, the system believes that the request is meant for the Internet and not the intranet, and will not include any credentials.
Another, and probably more robust solution, is to add the site in question to: Internet properties -> security -> Local intranet -> sites -> advanced.

Not able to intercept traffic from nike.com login request

I'm using BurpSuite to intercept the HTTP/HTTPS requests sent when logging in on https://www.nike.com/. I'm trying to achieve this with the following steps:
Opening BurpSuite and Firefox
Turning on the proxy intercept
Turning on FoxyProxy on Firefox
Opening the website and trying to log in
These steps usually work for me, but in this case, I'm getting a "we are unable to connect to our servers" error without anything appearing on the intercept tab when trying to log in (I have tried turning off the intercept feature but it still yields the same issue, so I think it might be a proxy and certificate problem).
To clear things up:
I'm running the latest versions of BurpSuite and Firefox.
I have installed and reinstalled the BurpSuite certificate using this guide.
I've tried all of this on my iMac, MacBook and iPhone; all of these devices yield the same issue.
Here below is the error message I'm getting:
Here are my BurpSuite Proxy settings:
(in the Certificate tab I just have "Generate CA-signed per-host certificates" selected)
I have been using BurpSuite for over 2 years now and it's the first time I'm facing such an issue; any help is appreciated.
I have shared my question with the Portswigger support (the team behind BurpSuite) and got the following response:
Hi
Thanks for your message.
We have reproduced the issue in our testing environment.
It looks like Nike.com are performing a fairly sophisticated check to
stop automated tools from accessing parts of their site.
Please let us know if you need any further assistance.
Cheers
Liam Tai-Hogan
PortSwigger Web Security

ASP.Net windows authentication seems not working

I have a web application with Windows Authentication enabled. It is working only with localhost, though I have set bindings. Pinging the IP and hostname returns a result.
Any help would be appreciated
I have set authentication to Windows and impersonate to true. NTLM has been moved up.
I also tried adding the site to the Intranet and Trusted Sites list. Windows authentication is enabled in IE as well.
Both the server and client are on the same domain ... in fact it is not working at all on the server itself.
With the detail you've given it is a bit hard to give concrete advice, so I'll give you a method I've used over the years to try and track down where the issue is.
With the current setup put an image on your webserver and try to retrieve it in the browser using the exact address. Do this on the server itself first and if that works then do it on a client machine.
If it works on server but not on client then there could be a client browser issue/a network issue/a dns issue.
If it doesn't work on the server then change the file level and IIS permissions to anonymous for just that image and the folder / website it is in. Then test the URL on the server in a browser and on a client in a browser.
If it works you've got a permissions issue with NTLM.
Hope this helps you narrow things down.
Dorje
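The image-retrieval check above, scripted as an added example (not code from the answer): probe() fetches the test image anonymously and records the status and any WWW-Authenticate challenge, and diagnose() applies the answer's decision tree to the result from the server and the result from a client. The hostname and image path are placeholders.

```python
"""Script the image-retrieval check: run probe() on the server and on a client,
then feed both results to diagnose()."""
import urllib.error
import urllib.request


def probe(url, timeout=5):
    """Return (status, [auth schemes]) for an anonymous GET; status 0 = no HTTP reply."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, []
    except urllib.error.HTTPError as e:
        challenges = e.headers.get_all("WWW-Authenticate") or []
        return e.code, [c.split()[0] for c in challenges if c.strip()]
    except (urllib.error.URLError, OSError):
        return 0, []  # DNS failure, refused connection, timeout


def diagnose(on_server, on_client):
    """Map the two probe() results for the same image URL to the answer's conclusions."""
    s_status, s_schemes = on_server
    c_status, c_schemes = on_client
    if s_status == 200 and c_status == 200:
        return "image retrievable from both: authentication is not blocking static content"
    if s_status == 200 and c_status == 0:
        return "works on server, no reply from client: check client browser, network or DNS"
    if s_status == 200 and c_status == 401:
        return ("works on server, 401 on client (challenge: %s): client is not sending "
                "credentials the server accepts" % ", ".join(c_schemes))
    if s_status == 401:
        return ("401 on the server itself (challenge: %s): set the image and its folder to "
                "anonymous at file and IIS level and retest; if that works it is an NTLM "
                "permissions issue" % ", ".join(s_schemes))
    return "server status %d, client status %d: compare the IIS logs for both requests" % (
        s_status, c_status)


if __name__ == "__main__":
    import sys
    # Placeholder URL; pass the real image address as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://WEBSERVER-HOSTNAME/test.png"
    print(probe(url))
```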
