Using IIS server with NTLM authentication. Where can I modify the session timeout settings?.
I'm afraid it is almost impossible to control the lifetime of your NTLM ticket from server side.So windows authentication should be implemented in a trusted environment.
I think the only way to log out windows authentication is clean cache in server side and re-open web browser.
If you need kind of authentication that ticket timeout can be controlled all the time, you could use custom form authentication instead.
https://learn.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs
Related
So I have developed an API with Windows Authentification. When I ran the project with Visual's Studio IIS Express - endpoint's secured with:
[Authorize(AuthenticationSchemes = IISDefaults.AuthenticationScheme)]
In services I have registered:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
get's the current Windows user, which I can access through HttpContextAccessor.
After I have published the app to Windows Server (HTTPS enabled) with IIS 10 running when I am trying to access protected endpoints I just get Login Prompt and it doesn't matter what I enter in it, it goes away only if I cancel.
My Site settings in Windows IIS Server, Windows Auth uses Negotiate Provider:
Application pool settings:
Is there anything I can do to fix this? If this post lacks some other information, please, let me know, I will edit it.
When you enable anonymous authentication and authentication at the same time, iis will use anonymous authentication, so you need to disable anonymous authentication and try again.
I am encountering the following issue when trying to configure an intranet ASP.NET site in IIS 8.5 for Windows authentication. I have the IIS Windows authentication provider settings set to:
Negotiate
NTLM
This works great for Windows-based browsers - users are logged in seamlessly. Mac-based browsers don't seem to support the Negotiate protocol; when accessing my site you are prompted for your domain credentials. Even when responding with correct credentials, the browser responds to the authentication challenge with "NTLM xxxxxxx...". IIS doesn't like this and always responds with a 401. This sends the browser into an authentication loop where you are prompted for your credentials endlessly. If you click "Cancel" (depending on which browser you are in), you will finally get a 401 response (not very useful).
If I modify the settings and remove the "Negotiate" provider, I am still prompted when accessing the site from a Mac browser, but this time the NTLM challenge succeeds and I can authenticate. The problem with this is I am now getting an authentication prompt from Windows browsers as well.
Is there a way to get around this (do I have Windows authentication misconfigured)? I am fine with having to answer a credential prompt from the Mac but as the vast majority of my users will be accessing from Windows, I would prefer they still get the "invisible" log on experience.
If I'm understanding your question correctly; Safari/Apple doesn't support Windows Authentication. Basic Authentication needs to be enabled within IIS in order for Safari to login.
I have to mention that I am new to IIS. I have a local IIS 8.5 on a windows server 2012 machine. When I enable the windows authentication (basic authentication is disabled), I can access and see the home page of IIS (http://localhost) with the credentials of a LDAP user in the same domain. However, when I enable basic authentication (windows authentication is disabled), I cannot access the home page with the same credentials I used for windows (The authentication pop up never goes away).
Shouldn't the same credentials work for both basic and windows authentication or basic authentication works differently ? If not, then how are the credentials validated in case of basic authentication ?
Note: Eventually I plan to write restlet java code to post resources using basic authentication.
So finally I got this problem solved. For Basic Authentication (click on edit), we need to set the default domain (realm is optional). Once I set the default domain, I could login using the LDAP user credentials.
We are using the Sharepoint.OpenDocuments.EditDocument2 ActiveX control and method.
The method is being called from JavaScript in an IE6 client on a Windows XP SP3 client (fully patched).
The server is running IIS6 on Windows Server 2003 SP1
Fronting the IIS server is Tivoli Access Manager (TAM) which proxies access to the web applications sitting behind it. Similar to forms authentication, it creates a session cookie for authentication purposes, that must be present for the HTTP request to reach the IIS server.
In front of TAM is an F5/BigIP load balancer and SSL encryption offloader, which enforces that incoming requests use the HTTPS protocol.
What is happening is that HTTP requests issued by this control do not contain any session cookies that were present in the browser. It drops the ASP.NET session cookie, the ASP.NET forms authentication cookie and the TAM cookie
Because the TAM cookie is missing the request is redirected to the TAM login page, which then shows up via HTML conversion in Word or Excel.
The API documentation at http://msdn.microsoft.com/en-us/library/ms440037.aspx mentions nothing about security or appropriate usage scenarios for this control.
Should these controls work in an ASP.Net Forms Authentication scenario or are they only supported with Windows Authentication. If Forms Authentication is supposed to function, how do we get the control to include the necessary session cookies in its requests?
The answer as provided by Microsoft Support.
This control merely forwards the URL of the document being retrieved to the appropriate office application.
The office application attempts to negotiate authentication with Sharepoint Server (full version). If no Sharepoint, the Office application does a simple get on the URL.
Ultimately, this means that this control does not support authentication scenarios that rely on session cookies.
We have a SQUID reverse proxy and a MOSS 2007 portal. All sites are using NTLM.
We cannot get it working with SQUID as a reverse proxy.
Any ideas where to start?
Can you switch to Kerberos instead of NTLM?
You're encountering the "Double-Hop Issue", whereby NTLM authentication cannot traverse proxies or servers.
This is outlined at this location:
http://blogs.msdn.com/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx
And over here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
Double-Hop Issue
The double-hop issue is when the ASPX page tries to use resources that are located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to the AD. The AD requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to the AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to the AD.
The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to the AD, IIS is passing a hashed password. The AD cannot verify the password and, instead, authenticates by using the NTAUTHORITY\ANONYMOUS LOGON.
On the other hand, if your browser client is authenticated to the IIS ASPX page by using Basic authentication, the IIS server has the client password and can make a primary token to pass to the AD. The AD can verify the password and does authenticate as the domain user.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
264921 (http://support.microsoft.com/kb/264921/) How IIS authenticates browser clients
If switching to Kerberos is not an option, have you investigated the Squid NTLM project?
http://devel.squid-cache.org/ntlm/
you can use HAProxy for load balancing