I have configured a webserver on localhost with https using Microsoft IIS Administration. I am able to browse directory with files with browsers and Visual Studio using localhost prefixed with https, such as https://localhost/trial etc.
I wish to upload a file to the said directory, ie., trial, using Libcurl to test some features. Unfortunately I'm unable to do so.
Using the same Libcurl example as given on
Libcurl File Upload
-modified for https, the console window tells me that the following has occurred, upon running the code :
IIS 10.0 Detailed Error - 405.0 - Method Not Allowed
HTTP Error 405.0 - Method Not Allowed The page you are
looking for cannot be displayed because an invalid method (HTTP verb)
is being used.
I checked the IIS Administrator and saw that all authorizations are allowed. I suppose the fact that it is flagging a HTTP verb issue rather than HTTPS as I'd enabled and used as URL in code isn't a big thing?
Libcurl uses PUT for uploading files, so should be an allowed verb.
I am quite new to this, so I'm not certain I did something incorrect with the setting up of the webserver, or whether there are security issues or permission issues which are causing a problem here.
As far as I know, there is impossible to use http put or post a file to a IIS web application's folder without writing server-side code. Otherwise, configure an FTP site on your IIS installation. Then you could use ftp command to upload the file.
If you really need using HTTP put or post to upload the file, you could consider using WebDav.
More details about what is webdev and how to use it, you could refer to below article.
https://learn.microsoft.com/en-us/iis/install/installing-publishing-technologies/installing-and-configuring-webdav-on-iis
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-7/what39s-new-for-webdav-and-iis-7
Try hostname instead of localhost
Add a trailing slash (/) for the directory.
Related
I'm using IIS 8 on Windows 2012 server. I have a site set up to serve as an API for HTTPS traffic on a custom port (4443). I have installed a wildcard SSL certificate, which is functioning properly. Our network firewall is routing all public inbound traffic on port 4443 to this server internally, which is then being handled by IIS.
From the server itself, everything works fine. I am not using localhost, and do not have a hosts file entry looping the traffic back internally. Going to https://api.blahblahblah.com:4443 returns what I want.
However, from external to the network, I am getting a 403 Forbidden error. I know the traffic is making it to the server because I get the correct custom "X-Powered-By" response header that I have set on that server.
I have tried setting the permissions on the folder that contains the site files to allow Full Control to "Everyone", but no luck. The site has Anonymous Authentication enabled for the user "IUSR". Directory browsing is disabled.
What's going on? I'm assuming it's a permissions error with the file system, but I figured having the Everyone permission would eliminate that. Also, there is nothing special about the internal traffic (from the server itself) in terms of an authenticated session or anything. It's just a plain request with no bells or whistles.
Please help! Thanks.
=======UPDATE=======
Here is a sample log entry showing the substatus code of 16:
2018-02-08 17:56:58 10.1.10.11 GET /favicon.ico - 4443 - 184.4.143.229 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36 https://api.blahblahblah.com:4443/data/countyList 403 16 2148204809 97
Apparently this is a client certificate trust issue? Upon further testing, I am able to access the site without issue on another device, just not my primary development PC.
I just set the site to Ignore Client Certificates in the SSL Settings, and it is working as expected again.
A 403 error could occur due to multiple reasons. Could you please share the substatus code. You can find it in IIS logs. Default location - C:\inetpub\logs\logfiles\w3svc_websiteID.
Once you have the substatus code, please share it here.
You can also capture FREB logs by following this article - https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis
Just modify step #10 in this article and don't uncheck anything in your case (leave everything to default). This will clearly tell you what's going on in the IIS pipeline.
If its 403.14, just add a default document in IIS and you should be good to go.
There's a file that I know it's packed with NSIS,and the logic of download file and then Exec highly possible using the NSIS functions like ExecWait in NSIS,
The Problem is :
I'm try to replace the file that NSIS downloaded from web so I could do some tests, first I changed the hosts and made a http server with web.py,so the original url hijacked to myself server and I put a redirect download file link with,and on server I saw 200 but in the client I use some tool find out it returning 400.(I direct print the url in a browser and it worked well download the hijacked file) I don't know what's wrong.
web.py Codes
def GET(self, name):
raise web.redirect('/static/test.exe')
Logs 4 the file download
GET 302 240 Redirect url1,url2
GET 302 300 Redirec url2,url3
GET 200 1.27 M application/octet-stream url3
So I want to know
what may cause the problem of 400 code,even in my python webpy server it showed 200? (sry I'm not familiar with http)
anyone familiar with NSIS,Is there some other solution I could do this hijack? I've tried with R3 hook,But seems failed,since I don't know with API to hook.
In the past I heard of Fiddler could help me with my task,But that traffic just don't show in Fiddler,Maybe The NSis download Fiddler can't capture? And with HttpAnalyze I could see that traffic(the log upon),but I can't do what I want,So Is there any other tool could feed my needs(maybe Made a rule with when xxurl then replace it with myurl)?
There are different download plug-ins for NSIS, some are custom HTTP clients and some use WinINet.
The two most popular plug-ins are NSISdl and INetC. NSISdl is a custom HTTP client but it should support 301 and 302 redirects and INetC uses WinINet and should work if Internet Explorer works.
I would suggest that you just redirect the domain name to 127.0.0.1 in your hosts file and run a simple HTTP file server locally without any kind of redirection, just recreate the required folder structure and use the filename requested by the installer. If that works then you might have to use WireShark to figure out why the redirect fails...
#Anders give me some good advices.But since the url is not static(\xx.exe xx is random),so I can't made a local path same as the Url folder structure :(
Finally I find out it may dued to Http header in past web.py response.
I was wrong to direcly redirect to a static file on webpy server
web.redirect('/static/test.exe'),even in the past I could download it in browser.but it's header may not feeds original exe needs.
Here's my Solution
Redirect the domain name to 127.0.0.1 in hosts file and run a simple HTTP file server locally.Then still using web.py but change the redirect with
web.HTTPError('301', {'Location': 'http://myfileurl'})
And It worked :)
I've got 6 identical machines running IIS and Apache. Today one of them decided to just stop serving requests. I can access all of the webapps when I try from localhost/resource but when I try from url/resource I get a 404. I did a Get request against the machine that isn't working and I get this back:
Server: Microsoft-HTTPAPI/2.0
Connection: close
Compared to a working server:
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Type: text/html
Tried searching for this problem but came up with nothing, anyone got any idea's?
Windows has an HTTP service that manages calls to IIS and other HTTP enabled services on a windows machine. Either you need to configure it to handle your calls, or, in the case of WAMP or similar non-IIS-web-server-on-windows scenarios you may just need to turn it off.
When you see "Microsoft-HttpApi/2.0" returning error, such as 400 "bad URL" or "bad header", etc. the problem is most likely because the HTTP.sys service is intercepting your http request and terminating it because it does not meet with the minimum validation rules that are configured.
This configuration is found in the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. In my case, it was choking because I had a RESTful call that had a 400 character segment in the url which was 160 characters more than the default value of 260, so I
added the registry parameter UrlSegmentMaxLength with a DWORD value of 512,
stopped the service using net stop http
started the service using net start http
I've run into these issues before and it is easy to troubleshoot but there is very little on the web that addresses it.
Try these links
"the underlying problem is that the client has sent a request to IIS that breaks one or more rules that HTTP.sys is enforcing"
enabling logging on HTTP.sys is described here
a list of the HTTP.sys parameters that you can control in the registry is found here.
A bit late, so put here for posterity ;-)
After trying all sorts of solutions found on the web, I almost gave up, but found this little nugget.
If the response's Server header returns Microsoft-HttpApi/2.0, it means that the HTTP.sys is being called, not IIS.
As a result, a lot of the workarounds will not work (URLScan, etc).
This worked however:
Open regedit
Navigate HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\
If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
Finally, restart the service by calling net stop http then net start http
src: WS/WCF: Remove Server Header
Set below registry flag to: 2
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader
Setting this to 2 will ensure that self host WCF services no longer sends the SERVER header and thus ensure we are security compliant.
Please note that this disables ALL server headers.
The default value of 0 enables the header, and the value of 1 disables server header from DRIVER (http.sys), but app can still have headers.
For me I had to restart the server for the changes to take effect.
Hope this helps someone
I was working on our web app on a client's site and ran into an issue where the site root pages loaded, but the reports folder always returned a 404 for files that existed in the folder. The 404 page showed the .Net version of 2 when the application was set to 4, and a test of a non-existent page in the root returned a 404 page showing .Net 4.
I tried just http://localhost/reports and got back a Microsoft Reporting Services page. Not part of my application.
Be sure to check just the default document of the folder when a unexpected 404 comes up and the file exists.
This question and series of replies helped me get to the bottom of the related issue I was having. My issue centered around using just a subdomain to go to our server (e.g. typing "www/somepath" into the browser while on our corporate network), which had worked in the past on an older server, but no longer worked when the system was upgraded to a new server. I saw the unexpected Microsoft-HttpApi/2.0 string in the header when using the Chrome Devtools to inspect the Network traffic.
My HTTP.sys process was already logging, so I could verify that my traffic was going to that service and returning 404 NotFound status codes.
My resolution was to add a binding to the IIS site for the subdomain, making IIS respond instead of the HTTP.sys process, as described in this server fault article - https://serverfault.com/questions/479274/why-is-microsoft-httpapi-returning-404-to-my-network-switch
In my case, running Windows 10 Pro, it was the Windows MultiPoint Service.
By executing:
net stop wms
Port 80 was released.
I would appreciate any hints regarding the following issue:
The problem summary:
While using Negotiate:Kerberos in IIS 7.5, the authorization works correctly right until we setup URL rewriting (using the MS module "URL Rewrite 2.0") - any rewritten URL then returns "401.1 Unathorized" (requests not matching any rewrite rule keep working though).
The setup:
Windows Server 2008 R2 x64
IIS 7.5
URL Rewrite 2.0
Server is in a domain
SPN exists for HOST/hostname and HOST/hostname.domain (created by default)
Pool is using default ApplicationPoolIdentity (no custom account, not network service)
Kernel mode set to OFF
Authentication providers set to "Negotiate:Kerberos" only (no NTLM or annonymous)
URL Rewrite rule as as "^(.*)/$" => "index?x={R1}"
The result:
1) When accessing any URL not matching any URL rewrite pattern, Kerberos is working correctly, i.e. Kerberos ticket is issued (verified using klist), sent (verified using netmon and HTTP headers) and accepted (verified by URL being accessible and appropriate AUTH_USER property set to my domain account name) => no problem here.
2) When accessing any URL matching URL rewrite pattern, e.g. "hostname/foo" the result is:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Error Code 0x80070055
Requested URL http://hostname/index?x=foo
Physical Path D:\wwwroot\
Logon Method Not yet determined
Logon User Not yet determined
(if we try to access the rewritten URL directly, e.g. hostname/index?x=foo, Kerberos works again normally)
The attempts to solve it so far:
After googling, we have tried several options:
turning kernel mode ON: Kerberos stopped working completely, using either default pool identity or network service (I suppose we would need to setup additional HTTP SPN and/or use custom domain account with additional SPN for that account explicitly)
turning "useAppPoolCredentials" ON: no difference
enabling "Failing Request Tracing": surprisingly these failing 401.1 requests ARE NOT generating any output into the fail logs no matter what rule we try to setup (e.g. 400-999) - the folder is just empty (while other errors, like 404 or even handshake 401.x when accessing not-rewritten URLs are generating logs - very strange)
The conclusion:
So far we have reached a dead end - it may be some weird kind of "double hop" issue requiring using a custom domain account rather than default app pool identity, but as we're in fact accessing the same resources, it seems more like a URL Rewrite issue.
Any tips, hints, pointers? Anything would be highly appreciated.
Best regards,
Marek
we face the same issues as you do. By enabling extended error logging, we were able to put the finger on the actual problem, which seems to be a bug in the rewrite module (or at least in some part of IIS, which is related to the module):
When the URL gets rewritten, the access to the new rewritten URL is checked (seemingly hardcoded) using Basic Authentication and NTLM, neither of which has been configured on the Website at hand. The only configured authentication provider is Kerberos. Since the client doesnt send NTLM nor Basic credentials, there is no way this can work.
We (another person on the current project) are sending the issue to Microsoft. I will let you know, when I get any result.
It seems as though you have multiple issues here.
Failed-Request Tracing Logs
To fix your missing logs issue, you must make sure that the user that is running your site's AppllicationPool has read/modify rights to the folder where those logs are generated, otherwise you won't see anything. See the section labeled "Enable Failed-Request Tracing" on this page: Troubleshoot Failed Requests Using Tracing in IIS 7
What isn't clear is the fact that the site's Application Pool Identity (found in Advanced Settings for Application Pool) is the account that needs read/modify rights to that folder.
Once that is fixed you can load the XML logs in IE and see a much clearer picture of what is going on.
401.1 - Unauthorized Issue
A possible fix to your 401 error is to make sure unlisted file name extensions are allowed in Request Filtering. Go to IIS --> Sites --> [your site] --> Request Filtering
You have two options here:
Allow File Name Extension... and add the value "." (minus the quotes), see this answer.
Edit Feature Settings... and enabled the option "Allow unlisted file name extensions"
The 1st option should work well, the 2nd option obviously opens up a gaping hole but allows everything so you should be able to get it working.
I hope that helps.
I have recently install Server 2008 R2 on a new server and want to use the FTP capabilities that are now shipped with IIS 7.5.
Since my users are not windows users, I was using IISAuthManager but this prodiver does not offers home directory on a user basis.
I found this sample http://learn.iis.net/page.aspx/669/how-to-use-managed-code-c-to-create-an-ftp-authentication-provider-using-an-xml-database/ to get going with a simple xml based user config. But i can't make it work. It's always gving me
Response: 530-User cannot log in.
Response: Win32 error: The system cannot find the file specified.
Response: Error details: An error occured during the authentication process.
I used procmon to get if the xml config file was read with no luck. I don't even think my assembly is being used.
Anybody ever had the same issue ? Basicly, any tips would be apreciated.
The IIS FTP custom providers are a nightmare to debug. In this case sounds like a config error, check that you followed the set up instructions (or manually checking applicationHost.config). Or post your code (inc config) if you still need help.
Barry
IIS Manager > Your site > FTP Authentication
Probably, you have all Basic and Anonymous Authentication disabled.
One of them should be enabled.