I'm trying to get a Ruby script to download a file off a server, but I'm getting a 401.2 from IIS:
You do not have permission to view
this directory or page using the
credentials that you supplied because
your Web browser is sending a
WWW-Authenticate header field that the
Web server is not configured to
accept.
I've checked that basic auth is enabled. Is there something special about how Ruby handles basic auth? Is there a way for me to see what the server actually gets and what the headers say is acceptable?
This is my code:
Net::HTTP.start(url, port) {|http|
req = Net::HTTP::Get.new('/file.txt')
req.basic_auth 'username', 'password'
response = http.request(req)
puts response.body
}
Snippet from the Microsoft website
HTTP 401.2: Denied by server configuration
Description
The client browser and IIS could not agree on an authentication protocol.
Common reasons
* No authentication protocol (including anonymous) is selected in IIS. At least one authentication type must be selected. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
253667 (http://support.microsoft.com/kb/253667/ ) Error message: HTTP 401.2 - Unauthorized: Logon failed due to server configuration with no authentication
* Only Integrated authentication is enabled, and an older, non-Internet Explorer client browser tries to access the site. This happens because the client browser cannot perform Integrated authentication. To resolve this problem, use one of the following methods:
o Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
o Use a client browser that can perform Integrated authentication. Internet Explorer and new versions of Netscape Navigator and Mozilla Firefox can perform Integrated authentication.
* Integrated authentication is through a proxy. This happens because the proxy doesn't maintain the NTLM-authenticated connection and thus sends an anonymous request from the client to the server. Options to resolve this problem are as follows:
o Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
o Don't use a proxy.
You should also try to look at ruby-httpclient - Simple HTTPClient library for Ruby which can use NTLM auth.
Related
I have set up SSO using weblogic on windows and Kerberos, It is working fine for the http pages, however I observed a strange behavior on https pages which requires CONFIDENTIAL setting for the transport, It works fine if I first access a page on http which is not configured as secured in web.xml(Transport-Gurantee as None) and then the https page.
But If I try to hit the https url directly which is configured with Transport-Gurantee as CONFIDENTIAL then it shows the Basic Auth Dialog and a 401 Unauthorized response, Looking at the logs I see that the Server responded with the WWW-Authenticate but browser showed the Basic Auth Dialog in response instead of getting the Authorize token.
Does anyone has any idea on what might be issue here, If there is any problem with the browser settings then it would not have worked irrespective of accessing the http url first.
I can see the following error log in weblogic console
Malformed request "Can not parse URI from http request". Request parsing failed, Code: -1
Found one of the link here
SPNEGO on IBM WebSphere Portal 6.1 with https
For my case it is weblogic 12c , I don't think reinstalling 12c is a valid solution for it
Ok I got it fixed , It turns out to be an issue with the browser configuration , the https://myserver.domain.com was not inside the intranet domain and the control to do that rests with the windows Admin team, once they added it , the https urls are also working fine.
I am a rookie when it comes to Jmeter and I am struggling to get a HTTP Request to run successfully (even for 1 iteration).
The Site being tested is an Intranet site used by staff. In terms of accessing via any browser, the homepage loads (having authenticated me as a user through my Domain Login/Password - through logging in to my laptop). From what I can gather from tools such as FIDDLER:
GET request to the server sent, Server response is 401 unauthorized (WWW-Authenticate: Negotiate)
GET REQUEST header sent back with Authorization: Negotiate HASH, Server response is 401 Unauthorized with a different WWW-Authenticate: Negotiate HASH
GET REQUEST sent back with same Authorization: Negotiate HASH as received in previous SERVER response. Server responds with HTTP 200.
I am struggling to get the above working in JMETER. I have tried by capturing the output from Blazemeter Chrome plugin and saving as .jmx file but replaying this results in
div id="header">h1>Server Error
h2>401 - Unauthorized: Access is denied due to invalid credentials.
h3>You do not have permission to view this directory or page using the credentials that you supplied.
Any ideas as to how I should go about getting this to work would be greatly appreciated.........
JMeter comes with HTTP Authorization Manager which you can use to bypass NTLM authentication challenge. Just add it to your Test Plan and provide the following values:
Username: your Windows domain user name
Password: your Windows domain password
Domain: your Windows domain
Mechanism: BASIC_DIGEST
The HTTP Authorization Manager should automatically handle auth flow. See Windows Authentication with Apache JMeter article for more details if required.
I have a reverser proxy setup with ARR and URL Rewite on IIS 8.5
public site exposed is http:/publicsite
http:/publicsite act as a reverse proxy to the internal site http:/internalsite
Every thing was working fine till we implement SSO for the internal site.
Once sso is implemeted internal site is redirecting to http:/ssosite to get authenticated
Since in ARR we have enabled the option "Reverse rewrite host in response headers" the redirection to sso site was not proper.
To make it work "Reverse rewrite host in response headers" is disabled. and the sso redirection started working.
But now the issue happening is after succesful login the ADFS tries to redirect to http:/publicsite. and reverse proxy respond with a 302 and the location in the response is http:/internalsite and the client machine doesnt have access to.
In the same browser if i try to access the site http:/publicsite again everything is working as expected because it is already authenticated and no redirection required to sso site and back to application.
My understanding is the response header is not getting re written since we have disabled the "Reverse rewrite host in response headers" option.
Set preserveHostHeader="true" in applicationhost.config in the reverse proxy server. This solved the issue.
https://forums.iis.net/t/1176668.aspx
I am trying to test an ASP.NET Web Api locally using IIS Express. When I use Chrome and hit the url (localhost:5000/api/test, for example) the json displays fine, but when using Postman I keep getting unauthorized 401.2 when hitting the same url. The api controller has Anonymous access on the route.
On the error message, one of the likely causes is:
Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
Is Postman somehow changing the headers?
[2019 Update]
Got the same issue, I couldn't debug an ASP Core 2.1 API using Postman when running on the local machine using IIS Express. I kept on having "Could not get any response" despite it was working fine on a browser.
Following troubleshooting steps explained here PostmanLabs Github, I noticed into Postman console that this was coming from a certificate issue.
Disabling SSL Verification from Postman Settings > General allowed the request to pass through.
Looks like it's your proxy.
I haven't found the proxy setting in postman. So I deleted postman for Win and installed postman for Chrome. Possibly Postman gets the environment from Chrome.
Anyway the resolution is to use Postman for Chrome instead of Postman for Win.
I have a localhost WebAPI site up with IIS Express (HTTPS). Postman started to respond as expected to GETs and POSTs after I changed (in Postman)
File --> Settings --> Proxy
to: "Use the system proxy"
and turning on: "Respect HTTP_PROXY ...".
I had earlier set up a custom proxy that wasn't working with HTTPS.
Am using WSO2 API Manager 1.9.1 and have defined a service that can be access over both http and https. When I try to "test" it through the API Console under https://localhost:9443/store/apis/..., the API call fails as the REST AJAX call is send over http instead of https.
Chrome complains that the page was loaded over HTTPS but requested an insecure XMLHttpRequest. The request is blocked as it should be served over HTTPS.
Firefox likewise blocks the request with a "mixed active content" error.
Safari fails with a more obscure message: "Failed to load resource: The network connection was lost.".
A workaround is to set the API scheme to https only but this is not particularly desirable. Is there a fix or other way to cope with this issue?
This issue occurs when you're trying to access a HTTPS URL from the web browser
but the end point is actually HTTP. This is not the default behavior of swagger console in API manager 1.9.
Usually when you are accessing from the web browser using HTTPS, API console
(swagger console) calls an end point of HTTPS by default.
Try to expose the service as both HTTP and HTTPS(Manage Tab) when you are publishing an API.
Thanks
Ojith