0
I have an application that was working fine in IIS 8.5 which used this setting in the web.config file for a client certificate login (smartcard) for a path. I had to migrate this application to IIS 10.0 and everything is working except the application does not prompt for the certificate and just simply throws an error in the code that there is no certificate.
I have double checked and triple checked all the settings in IIS, the certificate is the same, the SSL settings are the same. The application is a simple .netcore application and it works perfectly with the exception of the certificate prompt. Is there something that is different in IIS 10 than 8.5 that I could be missing. The portion of the web.config that enables the browser to prompt the certificate I believe is this part here. The developer who did this is not longer with us and I would appreciate any help for this. Is there something that I need to check in IIS other than what I have already checked?
I went through some other posts and made sure that the root and intermediary certificate are in the cert store etc. The app itself loads fine with the SSL certificate.
<location path="SmartCard">
<system.webServer>
<security>
<access sslFlags="Ssl,SslNegotiateCert" />
</security>
</system.webServer>
Related
I'm getting a prompt for credentials on a website in IIS 8.5 running on Windows 2012 that I cannot explain.
App Pool is running under a custom identity that is a member of Administrators and IIS_IUSRS on the server.
I have the following setting on the Web Site:
Anonymous Authentication = Disabled
ASP.NET Impersonation = Enabled
Windows Authentication = Enabled
useAppPoolCredentials = True
My web.config has:
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" />
</authorization>
I've ruled out folder security by temporarily granting Full Control to Everyone.
The real weird part is that I have the same App Pool, Web Site, and Folder setup on another node in my NLB cluster and it does not prompt for credentials.
I've also compared ApplicationHost.config files between the two servers and did not find any significant differeneces.
Where else could there be a difference between the two servers?
Update from questions in comments:
The HTTP status code is 401.2.5. FailedReqLog:
<failedRequest url="http://url-myapp.com:80/"
siteId="4"
appPoolId="myapp"
processId="14368"
verb="GET"
authenticationType="NOT_AVAILABLE"
activityId="{8000002B-000E-FF00-B63F-84710C7967BB}"
failureReason="STATUS_CODE"
statusCode="401.2"
triggerStatusCode="401.2"
timeTaken="0"
xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"
>
AppPool is in Integrated mode
It does allow after entering credentials
I'm trying to stop MS Azure responding with the header/value of Server: HTTPAPI/2.0 on receipt of an invalid request, for example an invalid hostname.
I've seen this SO entry...
Removing Server and X-Powered-By HTTP Headers on Azure Web Site Preview
..and one answer suggests that the only way to get around this is to host the website on an Azure VM, something I'd much rather avoid.
It's 3.5 years on from that question/answer - does anyone know if it can now be suppressed in a WebApp solution
According the description at Remove standard server headers in Azure Web Sites:
HTTP headers are part of the communication process between web servers and browsers, and are included in the request and response. One example is the server header, which lists the product name and version of the web server (e.g., Microsoft-IIS/8.0). All web servers generate these headers, but now you can disable them on Azure Web Sites.
You can try to modify or create a new web.config in the root directory of your application on Azure Web Apps, with following content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
</configuration>
Please refer to https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/ for more info.
To remove the MVC header, add this in Global.asax - Application Start event:
MvcHandler.DisableMvcResponseHeader = true;
Using this will remove the version headers,
<httpRuntime enableVersionHeader="false" />
I have a website that is deployed on IIS 7.0 . The requirement i am looking for is very simple . The authentication at root level has form authentication enabled . But i need to disable forms authentication end enable windows authentication in one of the sub folders . But i am unable to do this ! I have tried differnt forums but nothing seems to work . Please help on this !
Problem is that with forms authentication enabled at the root level i am unable to disable forms authentication in one of the sub folders for which windows authentication needs to be enabled !
Please help!
This solution works for me, I have used it with ASP.NET applications with Forms Authentication to disable authentication:
<configuration>
...
<location path="subfolder/images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
...
</configuration>
However, as I far as I know you can't have 2 authentication methods inside the same application. In this scenario your described you need to create a "Virtual Directory" in IIS for the subfolder instead of making it a "Sub Folder".
The Virtual Directory will allow you to declare a new web.config where you set the new authentication method in this case Windows.
For a full walkthrough on how you can perform this please refer to this site:
http://msdn.microsoft.com/en-us/library/vstudio/bb763173(v=vs.100).aspx
Problem Description: So basicly I had IIS express in visual studio 2012 set up and everything worked. It is an MVC 4 intranet application that uses windows authentication. I was able to login in to the intranet site I'm developing using my username and password. But when executing after entering some code the code was the following:
Runspace runSpace = RunspaceFactory.CreateRunspace();
runSpace.Open();
Pipeline pipeline = runSpace.CreatePipeline();
Command getSnapIn = new Command("Add-PSSnapin WebAdministration");
Command importSnapIn = new Command("import-module WebAdministration");
Command getProcess = new Command("New-WebAppPool -Name test");
pipeline.Commands.Add(getSnapIn);
pipeline.Commands.Add(importSnapIn);
pipeline.Commands.Add(getProcess);
pipeline.Invoke();
runSpace.Close();
It kept on asking for my credentials. I cannot see why this code would keep on triggering for credentials.
Things I tried already:
Commenting out the code
Setting up the site in IIS manager (still same problem)
http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication
I Disabled Anonymous Authentication Enabled Windows Authentication. Went to providers and put NTML on top.
I did this in the web config file
<system.web><authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
I tried adding the site to internet explorer local sites.
Any Ideas about this?
http://support.microsoft.com/kb/896861
Its fixed
Method 2 did the trick.
I have added the following configuration section to my web.config file
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
But when I call the *.asmx web service, I still got the following error:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
I am using the IIS7.5 ASP.NET integrated mode.
Any clues? I just found the IIS Authenticatino is very poor and unstable.
Thanks!
It turns out that we need to grant NTFS permission to target folder for the Anonymous Authentication Authenticated As identity, besides enable Anonymous Authentication in IIS.
Windows Authentication happens in both IIS and NTFS file system. I always forget the latter one. I will cut my dummy brain.