Is it possible to run an IIS site as a logged in user? - iis

I'm experimenting with running a .NET Core site in IIS as my own logged-in user, because I have written an API that interacts with User32.Dll (moves the cursor, for example).
I don't care about the security aspect of running a website as my own user.
If I set up the site completely normally in IIS (with the identity set to ApplicationPoolIdentity), the API starts and everything works, except it's not my user it's trying to interact with.
At this point I've managed to set the identity to DOMAIN\USER (my user), but when I try to start the application pool, it dies (stops) when I send the first request and just returns 503 Service Unavailable.
I was hoping running an IIS site as my own local user would be easy, but I've spent probably 2 hours now trying to get it to work. What steps do I have to take? I'm quite lost at this point.
EDIT: I should probably mention that when I start the application pool, w3wp.exe is not being run. So something is definitely wrong when I try with my own user as the identity.

Related

IBM Cloud: Authentication with AppID for multiple app instances

We develop a React application with an Express NodeJS backend, and this application is secured by authentication using IBM App ID. Everything works fine with the authentication mechanism if the application is deployed on a Cloud Foundry service with only 1 instance running.
For performance and high availability reasons we need to scale up the number of instances. Unfortunately, as soon as we add an instance, we face problems with authentication. We loop over the authentication screen several times before the authentication succeeds and we can access the application.
For information, we use a Cloudant database to store the session.
Have you ever encountered this problem and how did you solve it?
Thank you for your feedback.
Technically what you are doing is the right thing.
I've encountered these problems before, and the first thing is usually local session handling - either the default memory store or some file-based session store. You should have this covered, as you say you have sessions in Cloudant, but sometimes when you want to enable local developers to run the app, you may need to have some switches to control whether the shared store is used, but also whether http or https is used.
Why http vs https is important: you probably have 'cookie: { secure: true }', which needs to be flip/flopped in that case. Next you might want to http trace the login attempt to see that you don't accidentally use another host name than what you began with. This could easily happen if your CALLBACK url for App ID changes it. These might still not be your reason, and if so - then set up that 2-instance environment, save the logs from the app servers, http trace from the browser and inspect the created sessions in Cloudant. There should be only one session created, one url for the application used, and the same session cookie saved in the browser. If any of that does not add up - then you need to figure out why not.
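As an added example (not part of the original answer), the check list above applied to a login trace: one session id, one host name, and no redirect loop. The log line format, the host names and the sample trace are constructed for this example.

```javascript
// Added example, not from the original answer. It applies the answer's check list
// to an app-server login trace: one session id, one host name, and no redirect loop.
// The line format and the sample trace below are constructed for this example;
// adapt parseLine() to whatever your Express/Cloud Foundry access logs emit.

const sampleTrace = [
  // instance 0 creates a session and redirects the browser to App ID
  'inst=0 host=myapp.mybluemix.net path=/ sid=s1 status=302',
  // the App ID callback lands on instance 1 under a different host name, so the
  // cookie for the first host is not sent and a second session is created
  'inst=1 host=myapp.eu-gb.mybluemix.net path=/ibm/cloud/appid/callback sid=s2 status=302',
  // back on the original host, the cookie is still unauthenticated: a third session
  'inst=0 host=myapp.mybluemix.net path=/ sid=s3 status=302',
];

function parseLine(line) {
  const m = /^inst=(\d+) host=(\S+) path=(\S+) sid=(\S+) status=(\d+)$/.exec(line);
  if (!m) return null; // skip lines that are not in the constructed format
  return { inst: Number(m[1]), host: m[2], path: m[3], sid: m[4], status: Number(m[5]) };
}

// Returns the distinct hosts, session ids and instances seen, plus a list of
// findings; an empty list means the trace satisfies all three invariants.
function analyzeLoginTrace(lines) {
  const reqs = lines.map(parseLine).filter(Boolean);
  const hosts = [...new Set(reqs.map((r) => r.host))];
  const sessionIds = [...new Set(reqs.map((r) => r.sid))];
  const instances = [...new Set(reqs.map((r) => r.inst))];
  const redirects = reqs.filter((r) => r.status >= 300 && r.status < 400).length;
  const succeeded = reqs.some((r) => r.status >= 200 && r.status < 300);
  const problems = [];
  if (hosts.length > 1) {
    problems.push(`more than one host name used (${hosts.join(', ')}): check the App ID callback URL`);
  }
  if (sessionIds.length > 1) {
    problems.push(`${sessionIds.length} session ids for one login, expected 1: cookie not sent back or store not shared`);
  }
  if (redirects >= 3 && !succeeded) {
    problems.push(`${redirects} redirects and no 2xx response: looks like a login loop`);
  }
  return { hosts, sessionIds, instances, problems };
}

// Stand-alone run: print the findings for the constructed trace.
console.log(analyzeLoginTrace(sampleTrace));
```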

IIS (windows auth) prompts for creds on one server, not on the other

An existing Win2016 server with IIS10 prompts for creds on a simple website set up with Windows Authentication. A new server does not.
I have an existing Win2016 server running IIS. I set up a simple website with one .htm page that says Hello World. If I turn on Windows Authentication only, the browser continually prompts for username/password. I want Kerberos authentication only, so the Providers list contains Negotiate only. Enable Kernel-mode authentication is selected. The app pool is running as Network Service. The target browser is Chrome.
After many hours going nowhere with this problem, I decided to build a new box with the same spec. After setting up the site in the same way, I do not get prompted by the browser! Strange!
Both boxes are domain joined and seemingly have the same GPOs applied.
Can anyone advise on how I can get the first server to behave like the second? Unfortunately moving to the new box is not an option at this stage. Any help on a structured methodology for diagnosing the Kerberos exchange between server and client would be most helpful.
Thank you.

Azure App Service Multi Instance: Do I need to change my web app code

I just discovered that Azure App Services can scale both up and out. For out, this means creating multiple instances. So my question is: do I need to change my ASP.NET web app to support this? For example, if a user asks to run an async report that runs in the background and then comes back later to download the report, will it just work? What about security? If a user has authenticated, gotten a cookie, and then leaves the app alone for a while and then continues, will it work? Is there any documentation to help?
If your code doesn't support it, you can always switch on server affinity. This ensures the request will route back to the same server. However, this is not recommended; you want any server to respond, rather than the same one they started with.
You don't need to change your code, it will just work, and Azure is smart enough to route traffic to the servers for you, so as for your question about async, yes, that will 100% work.
If you store information in the cookie, it should work without server affinity, but if you use session, then you most likely will need to turn it on (depending on where session is stored - inproc, sql). Here is an article about server affinity: https://blogs.msdn.microsoft.com/appserviceteam/2016/05/16/disable-session-affinity-cookie-arr-cookie-for-azure-web-apps/
Hope that helps.

User XXX is not allowed to access URL

I have successfully installed Liferay 7 and configured CAS 3.6 for SSO. Everything is working fine. I was able to create users, assign roles, create pages etc.
After a few days, when I was trying to create a new user via admin, I got the warning "User 30810 is not allowed to access URL https://mysite:8443/group/control_panel/manage and portlet com_liferay_users_admin_web_portlet_UsersAdminPortlet". I was not able to create the user, and from then on that user does not have any of the permissions that I used to have earlier.
I googled a lot on this and got a few suggestions, like:
1) Adding the below to portal-ext.properties:
redirect.url.security.mode=domain
redirect.url.domains.allowed=*.mysite.com
session.timeout.warning=0
session.timeout.auto.extend=true
2) Some links:
https://web.liferay.com/community/forums/-/message_boards/message/92226678
3) Somewhere it is mentioned that this is a bug with Liferay starting from Liferay 7 GA4
4) If you read the link, it is mentioned that it is related to the Guest user and session expiration that starts causing this issue etc.
Has anyone gone through this issue? Is there any solution or workaround for this?
I was not able to update this question with all the options I tried or solutions that are mentioned on Google or Liferay's official JIRA sites; however, I will keep updating this question with proper references.
Meanwhile, do provide your suggestions/solutions.
"this starts happening when some session automatically logs out"
This phrase tells me several things, like the possibility of a user logging out even though you set "session.timeout.auto.extend".
Two basic scenarios where this can happen are:
When you close your tabs, after the assigned timeout, the user will be logged out. And when you get back, especially after a browser crash or using the back button, your browser uses old data.
When you have the auto session extension working with a big timeout, leading to the possibility of the session timeout configured in Liferay being bigger than the one configured on the server.
In the last case, one might be interested in completing the config you posted with short timeouts:
session.timeout.warning=0
session.timeout.auto.extend=true
session.timeout=5
session.timeout.redirect.on.expire=true
I know it is an old thread but it may help someone...
The "extend session" functionality is not working correctly and the final user session is expired, so when they try to log in, they have the wrong CSRF token from the previous session:
You have to double-check that session.timeout in Liferay's portal.properties has the same value as the session timeout configured in your application server.
You also have to check that session.timeout.auto.extend.offset is greater than 60 seconds, to avoid having problems with Chrome's intensive JavaScript throttling.

in IIS, what's the difference between "application" and "session"?

A Session is per browser (determined via cookies), but when does an "Application" start and end, and how does IIS know when a request is a part of the same "Application" instance (if not done via cookies the same way that sessions are)?
"Application" scope is global, and every request to a website shares the same application. Anything stored in the application is visible to all users. The application starts when the first request to the website is made, and ends when IIS stops the website (for example, when IIS itself is shut down, or when the website hasn't been accessed in a while).
An application is said to start when it is first deployed on the web server and is available to users for access. Each time it is undeployed or the server is shut down, the application ends.
The second part is not clear, but assuming you mean how the application is determined: each application has a root which is unique among all the applications deployed on a web/app server. So the server can figure that out from the URL being requested.
As such, each request is considered separate, and some mechanism like sessions, cookies etc. has to be used to group individual requests as part of a single user session.