I need to use Shibboleth SP for the one of the sites on IIS 8.5 which was under the CA SiteMinder agent previously(v.12.52.100.499). I've removed SiteMinder module as well as handler for this site. But I'm still redirecting to the SiteMinder SSO page. I've checked the application web.config file, applicationhost.config and didn't find any SM parameters. How can I turn off the SiteMinder agent for the one site?
Related
I want to login with certificate. But on default IIS needs aspx page.
Can I use jquery/ajax for doing this?
I have build a MVC 5 application. Now is time to publish it to production.
The infrastructure consist of two servers: one that can be accessed on internet and the other that is accessed only in intranet.
Server is Windows Server 2012 R2 and uses IIS 8.5 to host the application.
The application consist of backend and frontend. Backend's functionality are accessible only with login.
The problem that I want to solve is: How can I prevent login to the application from Internet and allow it only in intranet?
I think that might be some configuration on web.config to prevent opening of login page.
I have read a lot articles, but all the results are to prevent pages of unauthorized users. In my case login controller has [AllowAnonymous] attribute and it can be accessed without authorization.
If it can be done with a simple configuration in web.config I am going to add a key in web.config to keep track where it is the server on internet or the server on intranet like:
//for server accessible on intranet
<add key="serverType" value="PUBLIC"/>
// or
//for server accessible on intranet
<add key="serverType" value="Private"/>
And in the corresponding controller for login I will check for the value and if it is ConfigurationManager.AppSettings["serverType"] == "PUBLIC" I will redirect it to site public home page.
Does this solution have any security issue?
In this case, I would change the config with transforms or Parameterization (I prefer this one) to use the appropriate authentication type. For example, Anonymous for public and Windows/Forms Auth for private. You would have a transform/parameterization for each server type.
The following posts provide more specifics around ASP.NET security.
https://msdn.microsoft.com/en-us/library/3yfs7yc7.aspx
https://msdn.microsoft.com/en-us/library/7t6b43z4.aspx
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
We have a ColdFusion developer who claims that solely by adding a few lines of code in the Application.cfm file of an application that he wants to be encrypted that he can force the IIS Web server to encrypt all communications involving that application. So for example, let's assume this developer's ColdFusion application resides at www.ThisIsIt.com/xyz/. He includes a conditional statement in his Application.cfm file (see below) to force a Web browser to preface the URL to his application with https.
<CFIF not cgi.server_port_secure>
<CFLOCATION URL="https://#cgi.server_name##cgi.script_name#" ADDTOKEN="no"/>
</CFIF>
Meanwhile within Internet Information Services (IIS) Manager, the xyz directory is NOT set to require SSL. If you visit https://www.ThisIsIt.com/xyz/, it will in fact be prefaced by https, but how can the content of his application as well as the communication between server and client Web browser be encrypted if the IIS Web server is not instructed/configured to encrypt the xyz directory, and why does the Web browser indicate an encrypted communication? Is this a mere trick or a legitimate means to encrypt a ColdFusion application?
The application-based rule works by detecting that SSL is not being used and redirects the user to the secure HTTPS domain. A valid SSL certificate is required to be configured otherwise a security message is displayed.
This method only forces HTTPS access for ColdFusion scripts. Static, non-CFML files like CSS, JS, PDF (that don't care about the presence of the application.cfm script) can be accessed directly without any HTTPS redirect.
The best way to "force" SSL for all web requests using IIS is with a web.config rule.
https://stackoverflow.com/a/29089228/693068
My employer has a local ADFS server. We are using o365/SharePoint Online with ADFS so when you attempt to access a SharePoint cloud site you are take to login page on our network.
I need to develop a simple ASP.NET C# website hosted locally on a server on a network.
At a high level what is entailed in using ADFS on asp.net/iis websites? And can it be set so that the same login page is used?
If I have a webpage on a local webserver authenticated by the same ADFS and Iframe that page inside a sharePoint web page authenticated by the same ADFS. Should the page with render without authenticating?
1) I'd recommend checking into Windows Identify Foundation (WIF). Although your app will need to run under TLS/SSL, you probably will just need to run the FedUtil.exe application to generate your application's metadata for ADFS to consume when creating an RP.
2) In theory this might work, but the Iframe'd page will still redirect to ADFS momentarily to get an authentication token. It is just that the login page won't be displayed.
We have a SQUID reverse proxy and a MOSS 2007 portal. All sites are using NTLM.
We cannot get it working with SQUID as a reverse proxy.
Any ideas where to start?
Can you switch to Kerberos instead of NTLM?
You're encountering the "Double-Hop Issue", whereby NTLM authentication cannot traverse proxies or servers.
This is outlined at this location:
http://blogs.msdn.com/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx
And over here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
Double-Hop Issue
The double-hop issue is when the ASPX page tries to use resources that are located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to the AD. The AD requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to the AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to the AD.
The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to the AD, IIS is passing a hashed password. The AD cannot verify the password and, instead, authenticates by using the NTAUTHORITY\ANONYMOUS LOGON.
On the other hand, if your browser client is authenticated to the IIS ASPX page by using Basic authentication, the IIS server has the client password and can make a primary token to pass to the AD. The AD can verify the password and does authenticate as the domain user.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
264921 (http://support.microsoft.com/kb/264921/) How IIS authenticates browser clients
If switching to Kerberos is not an option, have you investigated the Squid NTLM project?
http://devel.squid-cache.org/ntlm/
you can use HAProxy for load balancing