IIS Basic Authentication with local user account allows blocked account - iis

I've set up a WebDAV-enabled site on a regular Windows 10 Pro PC using IIS 10. The site is configured to require Basic Authentication (over HTTPS), with local user accounts.
This works, and the site only accepts valid logins, rejecting everything else.
However, even if I disable or block the local user account in Windows' local user management, the local account is still accepted as a valid login by IIS, and files can be downloaded.
I've configured the local user security policies to block accounts after 5 invalid login attempts. I can verify that the local account actually gets blocked after 5 deliberately invalid attempts. But subsequent website logins with correct credentials are accepted anyway. So it seems IIS completely ignores whether the local user account is blocked/disabled, and just verifies that the credentials are valid.
Any suggestions to what kind of config I'm overlooking?

Related

How do http requests work with Active Directory?

I have an ASP.NET MVC application that authenticates users against Active Directory.
As I understand it, this is the process that happens when a user logs on to his computer:
User enters credentials on the local machine.
Local machine checks if it already has an authentication ticket for these credentials.
If not, it contacts the first ADS server it can find that offers Kerberos authentication functions.
The ADS machine checks the credentials against the LDAP database.
If they check out, Kerberos returns a TGT (ticket-granting ticket) to the client machine.
For a certain duration set in AD (usually 8~10 hours) this TGT will bypass any credential checking in case the local machine user wishes to connect to resources that require permissions not present in his bare user account (i.e. group memberships, additional machine and share access, etc.)
My question is how does IIS know about the TGT when the browser is making a request to it for my app? Does the operating system send it out on every outbound http request to every single website?
The server (IIS) will indicate to the client (browser) that it needs to authenticate by returning an HTTP 401 error code with a WWW-Authenticate header. The client detects this and determines if it can correctly authenticate. The way this works is as follows:
Determine who the requestor is by checking its Service Principal Name. It exists as {type}/{fully.qualified.domain}, e.g. HTTP/resource.domain.com. This SPN is mapped to a machine or service account in AD. If this SPN isn't registered, the client falls back to a lesser protocol like NTLM.
Local machine uses the TGT to request a service ticket from AD. AD validates the TGT and looks up the SPN in the request and if found creates a service ticket encrypted against the password of the account associated to the SPN.
Client sends the service ticket to the server via Authorization: Negotiate YII... header.
Server decrypts the service ticket using the password it's been provided, either through a domain join, Windows Service Run As config, or keytab.
Server transforms the contents of the decrypted service ticket into a Windows identity.
Identity is presented to the application.
This flow isn't inherently web-specific. This is how all services authenticate themselves when using Kerberos.
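A simplified model of the exchange described above, added here as an example and not code from the original answer: the 401 challenge, the SPN derived from the host name, the NTLM fallback when the SPN is not registered, and a ticket the server can only unseal with its own service-account password. The AD_SPN_ACCOUNTS map, the password and the HMAC "seal" are constructed stand-ins, not real Kerberos ticket or SPNEGO token formats.

```python
import hashlib
import hmac

# Constructed stand-in for the directory: registered SPN -> service account password
AD_SPN_ACCOUNTS = {"HTTP/resource.domain.com": "Svc-Pa55w0rd!"}


def spn_for(host):
    """SPN the client requests a ticket for: {type}/{fully.qualified.domain}."""
    return "HTTP/" + host.lower()


def service_key(password):
    """Model of the long-term key derived from the service account password."""
    return hashlib.sha256(password.encode()).digest()


def kdc_issue_service_ticket(spn, client_principal):
    """KDC: look up the SPN and seal the ticket with the mapped account's key."""
    password = AD_SPN_ACCOUNTS.get(spn)
    if password is None:
        return None  # unregistered SPN: no Kerberos service ticket
    seal = hmac.new(service_key(password), client_principal.encode(), "sha256").hexdigest()
    return {"client": client_principal, "spn": spn, "seal": seal}


def client_answer_challenge(host, client_principal):
    """Client: after '401, WWW-Authenticate: Negotiate', pick scheme and ticket."""
    ticket = kdc_issue_service_ticket(spn_for(host), client_principal)
    if ticket is None:
        return ("NTLM", None)  # fall back to a lesser protocol
    return ("Negotiate", ticket)


def server_identity_from_ticket(service_password, ticket):
    """Server: re-derive the key from its own password and unseal the ticket."""
    expected = hmac.new(service_key(service_password), ticket["client"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, ticket["seal"]):
        return None  # wrong key: the server cannot read the ticket
    return ticket["client"]  # becomes the Windows identity handed to the app


def http_exchange(host, client_principal, service_password):
    """Full round trip; returns (status, identity, scheme the client used)."""
    challenge = {"status": 401, "WWW-Authenticate": "Negotiate"}
    scheme, ticket = client_answer_challenge(host, client_principal)
    if scheme != challenge["WWW-Authenticate"]:
        return (challenge["status"], None, scheme)  # NTLM leg not modelled here
    identity = server_identity_from_ticket(service_password, ticket)
    return (200, identity, scheme) if identity else (401, None, scheme)
```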

IIS 10.0 anonymous authentication produces 401.3

I am hosting a site on IIS 10.0 on my local network with anonymous authentication as the only enabled option. Previously, only the computer hosting the site could login and every other computer on the network was blocked entirely.
Then, I disabled the firewall on the necessary port, but that led to other devices on the network being prompted for credentials.
Then, I went to inetpub\wwwroot and it wasn't shared, so I shared read permissions with IIS_IUSRS and under the security tab it now has "read & execute," "List folder contents," and "read" checked.
Now other devices are still prompted for credentials AND the very computer that hosts it is denied access. Not even prompted for credentials, just given the IIS error page for 401.3.
Every resource I've found says the security tab is all I need. What am I missing? I can't just continue developing without this, as I'm developing with PHP and so I need an actual server running this.
Anonymous Auth on IIS works by assigning a user to the incoming request. This is configured under the authentication options. If you check applicationHost.config, you will see something like this:
<authentication>
<anonymousAuthentication enabled="true" userName="IUSR" />
</authentication>
This is the UI.
There is another factor that comes into play, which is the Application Pool Identity. To check whether this is a permissions issue, change the application pool identity to Local System.
If the above works, then it is definitely a permissions issue.
To investigate this you can run procmon.exe. Add a filter on RESULT for ACCESS DENIED and then proceed further.
There is a blogpost which talks about troubleshooting 401.3 errors using Procmon. Here is the link: https://blogs.msdn.microsoft.com/webtopics/2009/06/25/troubleshooting-http-401-3-errors-with-process-monitor/
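An added example (not from the answer above) that reads the two settings the answer points at, anonymousAuthentication and the application pool identity, from an applicationHost.config excerpt and lists which accounts need NTFS read access on each site's folder; the config sample and its site and pool names are constructed. It also flags a pool left on Local System, since that switch is a diagnostic step rather than a setting to keep.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt; site and pool names are made up.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool"><processModel identityType="LocalSystem" /></add>
      <add name="PhpSitePool" />
    </applicationPools>
    <sites>
      <site name="Default Web Site"><application path="/" applicationPool="DefaultAppPool" /></site>
      <site name="PhpSite"><application path="/" applicationPool="PhpSitePool" /></site>
    </sites>
  </system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
  </authentication></security></system.webServer>
</configuration>"""

BUILTIN_ACCOUNTS = {"LocalSystem": "NT AUTHORITY\\SYSTEM",  # accounts behind built-in identityTypes
                    "LocalService": "NT AUTHORITY\\LOCAL SERVICE",
                    "NetworkService": "NT AUTHORITY\\NETWORK SERVICE"}


def pool_identities(root):
    """Map pool name -> identityType; no processModel means ApplicationPoolIdentity."""
    pools = {}
    for pool in root.findall("./system.applicationHost/applicationPools/add"):
        pm = pool.find("processModel")
        pools[pool.get("name")] = ("ApplicationPoolIdentity" if pm is None
                                   else pm.get("identityType", "ApplicationPoolIdentity"))
    return pools


def audit_anonymous_auth(config_xml):
    """Return anonymous-auth state, accounts needing NTFS read per site, and findings."""
    root = ET.fromstring(config_xml)
    anon = root.find("./system.webServer/security/authentication/anonymousAuthentication")
    enabled = anon is not None and anon.get("enabled", "false").lower() == "true"
    anon_user = anon.get("userName", "IUSR") if anon is not None else ""
    pools, accounts, findings = pool_identities(root), {}, []
    for site in root.findall("./system.applicationHost/sites/site"):
        for app in site.findall("application"):
            pool_name = app.get("applicationPool")
            identity = pools.get(pool_name, "ApplicationPoolIdentity")
            pool_account = BUILTIN_ACCOUNTS.get(identity, f"IIS AppPool\\{pool_name}")
            # a blank userName makes the request run as the pool identity itself
            accounts[site.get("name")] = sorted({anon_user or pool_account, pool_account})
            if identity == "LocalSystem":
                findings.append(f"{pool_name} runs as LocalSystem: diagnostic only, revert afterwards")
    return {"enabled": enabled, "accounts": accounts, "findings": findings}
```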

Clickonce deployment security issue

We have created a DNS name for external and internal employees to visit an application website. They can both reach the website hosted in IIS. They can both download the application that has been deployed using ClickOnce.
The issue is we want to password protect it for external employees. Internally it's OK because we use Windows authentication and have a group of users for specific applications.
We created an AD account and password. When I set up Windows auth and restrict it to this one AD account, I enter the username and password when going to the external DNS name. That's fine. I click on the application to install, and when it's trying to install I get: The remote server returned an error: (401) Unauthorized. I'm getting a security error even after I put in the credentials; it somehow still fails when going to install. What can I do to better password protect applications that will be accessed from the outside using ClickOnce, or fix this issue? Thanks.

Login fails for some users IIS Windows Authentication from other domain

I have an IIS set up in a domain A, on let's call it the process network. We are using windows-authentication and in this environment everything works as it should.
But we also have users on an office network set up in domain B. There is no trust between the domains, but there is an opening between the networks so they can reach the site. For most users in domain B everything works as expected: when they try to log in they are prompted for the Domain A credentials and then logged in.
However some users are unable to log in. They get prompted to supply credentials as expected but when they do they are denied (3 tries followed by a 401), due to:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Above is taken from IIS event log.
I know for sure the user name is valid, and that the password is correct. I have not tried for all these users, but for some. I have tried to login using my credentials from a user's computer that cannot login, and it worked. So it doesn't seem like it's a client issue.
An interesting side note is that the users having trouble are on geographically different locations than the IIS. I have not received any problems from office network-users from the same region as the IIS is located.
EDIT: The users have changed their password after the reset, so it shouldn't be because of an expired password.
You must establish a two-way domain trust in order to make Kerberos work. Everything else will fail as you see in your logs.

Restricting access to "admin" panel for a website?

How can I restrict access to the admin/ section of my website? I can't limit it by IP address because we sometimes need to access the admin/ section from remote client locations (when giving a demo, etc.).
There is, of course, an admin username/password, but what else can I do?
Most applications just use a username/password for access control, and that's generally sufficient. Some that require extra security use two-factor authentication, which might mean using a token that you carry with you (e.g. a device that generates a token that's kept in sync with a server) or a token that is sent to you (e.g. the system sends a text message to your phone with a token that you have to type in in addition to your password).
An easier option is to authenticate using a client certificate; you can carry the cert around with you on a thumb drive in case you're at a remote location (just remember to remove the certificate from the remote machine when you're done).
Here's a nice write-up on client certificate authentication.
Another option is to only allow connections from your local network, and then use VPN to join a remote machine to a local network.
If the admin interface is in a separate folder, you can use .htaccess and HTTP auth. The same can be done using e.g. Rails to restrict access to certain routes (controllers).