IIS 7 and windows authentication from outside the web server's domain - windows

I've deployed my site in IIS 7, and can browse to it fine on the web server.
I've set it to windows authentication (only), and when browsing from outside the domain, I want to be challenged for credentials, and gain access when entering a domain\username & password combination that exists in the AD.
401 - Unauthorized: Access is denied due to invalid credentials. My iis logs
I put a dummy site in IIS and set it to anonymous, I can browse to this no problem also.
I checked that windows auth was installed/set up on the web server, and it is.
What set of config parameters do I need to get this working?
*yes, I know I should use some sort of custom authentication provider with accounts stored in a database, but I don't want to go through that yet.
Thanks for any advice, words of wisdom.

I think your only option is to enable basic authentication. The user should then enter the full domain\username with the password. Beware though that basic authentication uses just base64 which can be very easily decoded. So if you enable basic authentication you have to use SSL/TLS as well.

In Internet Explorer, you can get it to prompt you by: Internet Options > Security > Custom level > User authentication > Logon > Prompt for username and password.

Related

Spring Cloud Config with Github repo using Credentials

I am trying to access the Github repo which sits behind an enterprise firewall (Open VPN). I am trying to access with my username and password but getting the below Exception. Any suggestions on how to access the repo with Spring Cloud.
application.properties:
spring.cloud.config.server.git.uri=https://github.com/company-repo/abc.git
spring.cloud.config.server.git.username=tarun
spring.cloud.config.server.git.password=xxxxx
spring.cloud.config.server.git.ignore-local-ssh-settings=true
Exception:
Error occured cloning to base directory. org.eclipse.jgit.api.errors.TransportException:
https://github.com/company-repo/abc.git: not authorized
Do not Use Your GitHub password in your app.prop file...You will get a Not Authorized exception. Instead Generate an access token.
Creating a personal access token
You should create a personal access token to use in place of a password with the command line or with the API.
Personal access tokens (PATs) are an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line.
If you want to use a PAT to access resources owned by an organization that uses SAML SSO, you must authorize the PAT. For more information, see "About authentication with SAML single sign-on" and "Authorizing a personal access token for use with SAML single sign-on."
As a security precaution, GitHub automatically removes personal access tokens that haven't been used in a year.
Creating a token
Verify your email address, if it hasn't been verified yet.
In the upper-right corner of any page, click your profile photo, then click Settings.
Settings icon in the user bar
In the left sidebar, click Developer settings.
In the left sidebar, click Personal access tokens.
Click Generate new token.
Give your token a descriptive name.
Select the scopes, or permissions, you'd like to grant this token. To use your token to access repositories from the command line, select repo.
Click Generate token.
Click to copy the token to your clipboard. For security reasons, after you navigate off the page, you will not be able to see the token again.
Warning: Treat your tokens like passwords and keep them secret. When working with the API, use tokens as environment variables instead of hardcoding them into your programs.
To use your token to authenticate to an organization that uses SAML SSO, authorize the token for use with a SAML single-sign-on organization.
Using a token on the command line
Once you have a token, you can enter it instead of your password when performing Git operations over HTTPS.
For example, on the command line you would enter the following:
$ git clone https://github.com/username/repo.git
Username: your_username
Password: your_token
Personal access tokens can only be used for HTTPS Git operations. If your repository uses an SSH remote URL, you will need to switch the remote from SSH to HTTPS.
If you are not prompted for your username and password, your credentials may be cached on your computer. You can update your credentials in the Keychain to replace your old password with the token.
The way i made it work is :
Generate the Access Token on Github repo and provide read and admin rights to it
Use the Token as password
Credentials can be saved in Kubernetes as Secrets or inside Vault. Hope this helps.

Windows custom Credential Provider

Working on a custom credential provider which authenticates the user based on the response from a server. If the server or a third party responds with a yes, the CP should allows the user to login without any further authentication but I couldn't find a way to avoid the user authentication. Can we avoid the authentication and allow the user to login based on the response from another server ?
I am trying it on Windows 10. Developing using VC++.
Thanks, Shan.

IIS site keeps prompting for credentials for Windows Authentication method

I need some help to understand what is the exactly reason I can'g get Windows Authentication working on IIS site for a specific user's group.
What is happening is that even my user being part of the group which I gave access to the site, IE keeps prompting for my credentials and even when I type the password the HTTP response is 401 (Unauthorized).
I'm also not allowed to change IE's settings to add any site to the trusted list (it's blocked by the company). In the other hand, besides the fact that it's blocked, the site domain is listed like
(*.domain.com)
Follow bellow the scenario:
Server: Windows Server 2012
IIS: 8.5
Users: DomainA\MySimpleAdUser, DomainB\ServiceAdUser
Groups: DomainB\MYGROUP (AD Group which contains DomainA\MySimpleAdUser)
IIS_IUSRS (Local Server group which contains DomainB\ServiceAdUser)
Pool Settings
Name: PoolA
Process Model > Identity > DomainB\ServiceAdUser
Settings on Server Level
ASP.NET > .NET Authorization
Allow | Users: All Users | Entity type local
IIS > Authentication
Anonymous Authentication disabled
Windows Authentication Enabled
Extended protection: Off
Enable Kernel-mode authentication: Enabled
Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
Allow | Roles: DomainB\MYGROUP | Entity type local
Settings on Site Level (which runs on a valid SSL certificate on 443 port, this is the only binding)
Pool: PoolA
ASP.NET > .NET Authorization
Allow | Users: All Users | Entity type inherited
IIS > Authentication
Anonymous Authentication disabled
Windows Authentication Enabled
Extended protection: Off
Enable Kernel-mode authentication: Enabled
Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
Allow | Roles: DomainB\MYGROUP | Entity type inherited
Permissions on site root directory
Full control permission to IIS_IUSRS
Read&Execute, List and Read permissions to MYGROUP
Web.config
This is the only configuration line that exists regarding authentication:
<authentication mode="Windows" />
=============================
Observations
I already tried to use my specific user to get access to the site, but stills prompt for the credentials
The only way to get the site up and running is when I allow anonymous access to it.
Please help me to figure out what is missing. I appreciate any help.
There could be an issue with security loopback check. Please find below procedure to disable it.
Click Start, click Run, type regedit, and then click OK.
Backup the registry
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value.
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Quit Registry Editor, and then restart your computer.
I've found that if the authenticated user is not able to read the folders for static content in your web app, it will authenticate you, then deny access.
This can be solved by Granting local_Machine\Authenicated_Users access to the needed resources.
In my case, I added Authenticated_users to the IIS_IUSRS Group and it solved my problem. Be aware that this can also grant any authenticated user to all files and folders available to the IIS_IUSRs group. So be careful that these users cannot access the file system by any other means. A separate group granting NT AUTHORITY\Authenticated_Users just enough rights to read pngs, and static content is the best way to go.
Config: Windows Server 2012 R2 Running IIS 8.5, NET Framework 4.5, with static content enabled.

AAD Authentication Without Interactive Login

I have a need to authenticate against Azure Active Directory from a .net Web API. I read Vittorio Bertucci's article: Using ADAL .NET to Authenticate Users via Username/Password, and was wondering if there's any way of getting around the limitation of not being able to do this from a website/confidential client. He describes this as an AAD setting. Is it one that can be turned off?
Any assistance with this would be much appreciated!
This is not common scenario to use the Resource Owner Password Credentials in a web app. The recommend way is that using the Client Credential flow as Shawn Tabrizi suggested.
If you do want to use the Resource Owner Password Credentials flow, you can construct the request yourself as below:
POST: https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
resource={resource}&client_id={clientId}&grant_type=password&username={userName}&password={password}&scope=openid&client_secret={clientSecret}
The Client Credential Flow (App Only Flow) should enable your confidential client to be able to authenticate to a downstream resource without a logged in user. This type of authentication is pure Service to Service Authentication, and will require only a secret for the client app to be presented either in the form of an App Key (symmetric key) or a Certificate Credential (asymmetric key).
However, all forms of access to an AAD Resource will require some form of initial interactive login. In the case of App Only Flows, you will need an Admin to perform an interactive login experience with the Client application, which will then allow subsequent user-less flows.
Check out these sample and let me know if it addresses your question!
https://github.com/azure-samples?utf8=%E2%9C%93&query=daemon
I hope this helps!

Impersonation in ASP.NET web application does not work when running on IIS

I am working on ASP.NET 4.0 MVC3 web application that works in intranet environment. The application makes use of Windows authentication. Its application pool is run by domain user that has spn set on a domain controller. Authentication works using Kerberos (on IE and Firefox after some additional configuration).
Now I want to upload files to sharepoint, but it's important for me to upload the file as the user currently logged in into the application (so the file is created on Sharepoint with his/her credentials).
I have the following code in ResourceExists(Uri uri) function:
'...
Dim identity As System.Security.Principal.WindowsIdentity = HttpContext.User.Identity
Dim impersonationContext = identity.Impersonate()
response = request.GetResponse()
impersonationContext.Undo()
'...
This works when running locally, but when I deploy to the server I get the exception:
System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n at WebDav.WebDavClient.ResourceExists(Uri uri)\r\n at Website.Website.WebdavController.Upload(HttpPostedFileBase file, UploadViewModel vm)
I read something about passing on the credentials, that is not possible with NTLM, but I am sure I am using Kerberos (I checked the headers with wireshark and fiddler) and I see the following:
Authorization: Negotiate YIIFpQYGKwYBBQUCoIIFmTCCBZWgJDAiBgkqhkiC9x...
Any ideas why the impersonation does not work when running on the IIS server?
I found the answer here:
http://support.microsoft.com/kb/810572
"Kerberos does not work in a load-balanced architecture and IIS drops back to NTLM authentication. Because you cannot use NTLM for delegation, any applications or services that require delegation do not work. For more information, click the following article number to view the article in the Microsoft"
And that was exactly the case. I tried now with another machine that is not load-balanced and it works.
The only thing that still surprises me is that ImpersonationLevel of the identity is still Impersonate not Delegate...
After setting <identity impersonate="true"/> in your web.config try the following:
using (((WindowsIdentity)User.Identity).Impersonate())
using (var client = new WebClient { Credentials = CredentialCache.DefaultNetworkCredentials })
{
string result = client.DownloadString("http://sharepoint");
}
you need to configure your site correctly in IIS for impersonation to work.
see Configure ASP.NET Impersonation Authentication (IIS 7)

Resources