Constrained delegation (Kerberos) only working using localhost - IIS

We have developed a WebAPI application that runs on IIS 6.2. That API uses Integrated authentication, so the operations are executed in the user context of the user that is calling the API.
Apart from that, because some of those operations execute remote actions on another server in the platform, we used constrained delegation (Kerberos) to manage the Kerberos double hop and be validated on the remote server as the user calling the API.
We made the configuration changes in IIS (regarding enabling Windows authentication) and we enabled "Trust this computer for delegation to any service (Kerberos only)" in AD for the server running IIS.
The current status is: if we access the API using localhost, everything works as expected. However, if we access it using the FQDN or even 127.0.0.1, it fails with Unauthorized when the API call that executes the remote operation behind the scenes returns.
Does anyone know how we can fix such a configuration issue?
Thanks

Sounds like you did everything right... except you haven't set the SPN properly in AD for the principal (computer/server object) referring to the web service running on the target server. For example, if the server name is server1 and the AD and DNS domain name is acme.com, then the SPN for the server in AD would need to be HTTP/server1.acme.com. Ref: Setting up Kerberos Authentication for a Website in IIS
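The SPN and delegation state the answer refers to can be checked from a domain-joined admin workstation before touching anything. The script below is an added example, not code from the original thread. It assumes the names used in the answer (computer account server1 in acme.com), that the application pool runs as Network Service or ApplicationPoolIdentity (so Kerberos tickets for the site are decrypted with the computer account's key and the HTTP SPNs must sit on SERVER1$), that the second hop is a hypothetical cifs/fileserver1.acme.com, and that the RSAT ActiveDirectory module is installed. Because a client derives the SPN from the host name in the URL it calls, the checks are run against the FQDN the failing clients actually use, not against localhost.

```powershell
# Added example (not from the original post): verify the Kerberos prerequisites for a
# double hop through IIS. server1.acme.com, SERVER1$ and cifs/fileserver1.acme.com are
# assumed names; replace them with your own.
Import-Module ActiveDirectory

$webServer   = 'server1'
$domain      = 'acme.com'
$fqdn        = "$webServer.$domain"
$expectedSpn = @("HTTP/$fqdn", "HTTP/$webServer")
$backendSpn  = 'cifs/fileserver1.acme.com'   # hypothetical second-hop service

$computer = Get-ADComputer -Identity $webServer `
    -Properties ServicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# 1. Are the SPNs the client will request present on the account IIS decrypts tickets with?
foreach ($spn in $expectedSpn) {
    if ($computer.ServicePrincipalName -contains $spn) {
        "OK       $spn is registered on $($computer.SamAccountName)"
    } else {
        "MISSING  $spn  -> setspn -S $spn $($computer.SamAccountName)"
    }
}

# 2. A duplicate SPN anywhere in the domain makes the KDC refuse to issue the service
#    ticket; clients then fall back to NTLM, which cannot be delegated to the second hop.
foreach ($spn in $expectedSpn) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
        Select-Object -ExpandProperty DistinguishedName
    if ($owners.Count -gt 1) { "DUPLICATE $spn is on: $($owners -join '; ')" }
}

# 3. Delegation: constrained delegation lists the second-hop SPNs in msDS-AllowedToDelegateTo.
#    TrustedForDelegation=True on its own is the "any service" (unconstrained) setting.
if ($computer.'msDS-AllowedToDelegateTo' -contains $backendSpn) {
    "OK       constrained delegation to $backendSpn is configured"
} elseif ($computer.TrustedForDelegation) {
    "NOTE     $webServer is trusted for unconstrained delegation; to constrain it run:"
    "         Set-ADComputer $webServer -TrustedForDelegation `$false"
    "         Set-ADComputer $webServer -Add @{'msDS-AllowedToDelegateTo'='$backendSpn'}"
} else {
    "MISSING  no delegation configured for $webServer"
}

# 4. On a client workstation: request a ticket for the site's SPN directly. If this
#    fails, the browser never did Kerberos against $fqdn and IIS only ever saw NTLM.
klist get "HTTP/$fqdn"
```

Step 4 is the quickest way to tell the two failure modes apart: a KDC error from klist points at the SPN (steps 1 and 2), while a ticket that is issued but still ends in Unauthorized on the second hop points at the delegation settings (step 3).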

Related

Issues in IIS Manager

I am using IIS Manager on Windows 10.
I need to host my ASP.NET Web Forms project in IIS and access it from other devices on the same network.
I added a new website and provided the physical path.
The IP address is accessible from the computer but cannot be accessed from other devices on the same network.
It shows this while testing authentication:
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.
As far as I know, this is an IIS warning that appears when you click Test in the binding window.
By default, IIS will use the application pool identity to access the protected files. With pass-through authentication, like impersonation, IIS will attempt to use the actual identity of the user when accessing protected resources.
If the user doesn't authenticate, it will use the application pool identity to access the resources.
In my opinion, it is just a warning, not an error.
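Whether the warning is harmless depends on which account the pool actually resolves to and whether that account can read the folder. The script below is an added example, not code from the thread; it assumes a site named MyWebForms (a hypothetical name) and the WebAdministration module that ships with IIS. It only inspects explicit ACEs on the folder, so a grant that arrives through a group such as Users or IIS_IUSRS will be reported as missing.

```powershell
# Added example (not from the original post): resolve the account an IIS site runs as
# and check it has an explicit read ACE on the site's physical path.
# 'MyWebForms' is an assumed site name.
Import-Module WebAdministration

$siteName = 'MyWebForms'
$site     = Get-Website -Name $siteName
$poolName = $site.applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"

# Map the pool's identity type to the principal name an NTFS ACL would contain.
# Network Service and Local System read local files as these built-in principals; on
# remote shares they appear as DOMAIN\COMPUTER$, which is what the IIS warning refers to.
$account = switch ($pool.processModel.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'SpecificUser'            { $pool.processModel.userName }
}

$path = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$acl  = Get-Acl -Path $path
$readExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Look for an Allow ACE for that principal that includes at least ReadAndExecute.
$readRule = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $account -and
    ($_.FileSystemRights -band $readExecute) -eq $readExecute
}

if ($readRule) {
    "OK       $account has an explicit read ACE on $path"
} else {
    "MISSING  no explicit read ACE for $account on $path; grant one with:"
    "         icacls `"$path`" /grant `"$($account):(OI)(CI)RX`""
}
```

If the account resolves to IIS AppPool\<name> or a specific user, an explicit read ACE is what makes the warning go away; for Network Service and Local System on a domain-joined server, the same check has to be repeated against DOMAIN\COMPUTER$ if the physical path is a UNC share.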

Accessing ADFS from outside corporate network

I'm trying to authenticate an SPA against an Active Directory.
My understanding so far is:
- using ADFS as an STS for getting tokens
- using ADAL.js for simplifying communication with ADFS
In order to set up a proof of concept, I created a virtual machine on Azure based on Windows Server 2016. Then I installed AD and ADFS.
ADFS works correctly when I am on the virtual machine; I can see its metadata URL over HTTPS.
Now I would like to develop my SPA from my development machine, but I cannot reach the ADFS endpoint from outside Azure.
The question is: is it correct/allowed to try to authenticate from a computer outside that network?
I read about many possibilities without finding a solution:
- using ExpressRoute for establishing a VPN
- using an ADFS proxy
- joining the AAD
Thank you.
Definitely - I do it all the time.
No - you don't need ExpressRoute / a proxy.
In your VM configuration in Azure, under "Overview", are you using the DNS name you see there?
Under "Networking", have you enabled HTTP and HTTPS?

NLB IIS Integrated security asks for credentials?

I have a 2-node NLB running IIS. The servers are identical in every respect. When on the server I can browse to the local Windows Integrated Security site without any problems using the local member name. But when I switch to its cluster name, it prompts me for credentials.
<- Renders just fine
<- Renders just fine
<- Prompts for credentials
Certificates aren't the issue. Non WI-Security sites work just fine.
Seems like it doesn't want to pass credentials across the cluster name (and most likely right back into the same server I am on. I did try a couple of affinity settings with no change).
Thanks all for any ideas.
Nick
This has to do with the way Kerberos delegation works with Windows Integrated security.
In short, here's what you'll need to do:
Set the identity of the application pool running your website to a domain user, on all IIS servers participating in the NLB cluster
Ensure this domain account is in the IIS_IUSRS group on each web server
Create an SPN entry for your NLB cluster DNS name and the domain user. For example:
setspn -S HTTP/ domain\accountname
Following this, you should be able to access your site without an additional prompt for credentials.
A more detailed explanation is available here: https://blogs.msdn.microsoft.com/rakkimk/2006/12/08/enabling-kerberos-delegation-on-a-nlb-scenario/
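The three steps in the answer, carried out on one node, as an added example that is not code from the answer or the linked article. It assumes a cluster name web.acme.com, a site named Intranet in application pool IntranetPool, and a service account ACME\svc-intranet (all hypothetical), and that the Windows LocalAccounts module is available for Add-LocalGroupMember. It also covers one thing the answer does not mention: with kernel-mode authentication (the IIS 7+ default) the site's tickets are decrypted with the machine account unless useAppPoolCredentials is set, so a cluster SPN on the service account does nothing until that switch is flipped. Run it on every node; only the SPN registration is global.

```powershell
# Added example (not from the original answer): Kerberos for an IIS site behind an NLB
# cluster name. web.acme.com, Intranet, IntranetPool and ACME\svc-intranet are assumed names.
Import-Module WebAdministration

$clusterFqdn = 'web.acme.com'
$clusterHost = 'web'
$siteName    = 'Intranet'
$poolName    = 'IntranetPool'
$svcAccount  = 'ACME\svc-intranet'
$svcPassword = Read-Host -AsSecureString "Password for $svcAccount"
# IIS stores the pool password (encrypted) in applicationHost.config, so it needs the plain text here.
$plain = [System.Net.NetworkCredential]::new('', $svcPassword).Password

# 1. Same domain identity on every node, so each node can decrypt tickets for the cluster SPN.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'; userName = $svcAccount; password = $plain }

# 2. Membership in IIS_IUSRS on this node (ignore "already a member").
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $svcAccount -ErrorAction SilentlyContinue

# 3. The cluster SPNs belong to the service account, not to any node's computer account.
#    setspn -S checks for duplicates first and refuses to create one.
setspn -S "HTTP/$clusterFqdn" $svcAccount
setspn -S "HTTP/$clusterHost" $svcAccount

# 4. Kernel-mode authentication decrypts with the machine account by default; make it use
#    the pool credentials instead. This must match on every node.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# 5. Verify: the node-name SPNs stay on the computer accounts, the cluster SPNs on the service account.
setspn -L $svcAccount
```

The per-node HTTP/<nodename> SPNs can stay on the computer accounts, which is why the member name kept working in the question; only the name shared by all nodes has to be owned by an account all nodes share.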

ReturnUri to Localhost

During development the team prefers to develop against a local database and a local IIS Express web server.
We tried to configure an address of http://localhost:<port>/ in the Azure AD B2C application configuration as a return URI, but this isn't permitted (technically it should work, although I can see why it isn't permitted). So at the moment, when anyone signs in, it returns them to the test server URL.
We'd like to be returned to our local development server instance. Is there any way that people know of to achieve this?
You can use localhost, but make sure to use https:
https://localhost:<port>
See also this answer: DNS URLs in Azure AD B2C don't work
Just a self signed certificate is enough to make this work. We use this a lot (together with B2C) for our development machines.

WebService Security between DMZ - Protected Network

I have a custom desktop application which invokes an ASMX web service. The Service is hosted under a SharePoint Site in a Virtual Directory in IIS. The authentication used is Windows Integrated.
Now, I want to use the same application from a host in our DMZ. I configured ISA Server to allow HTTP access from the DMZ to the Server in our protected network.
Trying to test the application I got some errors like: "Client found response Content type text/html but expected text/xml". I guess that this error comes from the authentication failure since the same app works fine in the protected mode.
What are my options here concerning authentication? Should I allow Anonymous?
Thanks,
Dimitris.
I finally found the solution!
I had to grant all the DMZ domain users that would access the web service the "Allowed to Authenticate" permission on the WFE's computer account in Active Directory.
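"Allowed to Authenticate" is an AD extended right; it is what the KDC checks on a trust configured for selective authentication before issuing a service ticket for a computer in the other domain, so granting it on the WFE's computer object is the least-privilege way to let a DMZ group reach that one host. The script below is an added example, not the poster's code. It assumes the internal computer WFE01, a trust to dmz.example.com, and a DMZ group WebServiceClients containing the desktop-application users (all hypothetical names), plus the RSAT ActiveDirectory module. The right's GUID is looked up from the schema rather than hard-coded.

```powershell
# Added example (not from the original post): grant and verify the "Allowed to Authenticate"
# extended right on a computer object for a group from a trusted DMZ domain.
# WFE01, dmz.example.com and WebServiceClients are assumed names.
Import-Module ActiveDirectory

$wfe      = Get-ADComputer -Identity 'WFE01'
$dmzGroup = Get-ADGroup -Identity 'WebServiceClients' -Server 'dmz.example.com'

# Resolve the right's GUID from CN=Extended-Rights in the configuration partition.
$configNc = (Get-ADRootDSE).ConfigurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$allowedToAuthenticate = [Guid]$right.rightsGuid

$adPath = "AD:\$($wfe.DistinguishedName)"
$acl    = Get-Acl -Path $adPath
$sidType = [System.Security.Principal.SecurityIdentifier]

# Is there already an Allow ACE for this right and this group's SID?
$alreadyGranted = $acl.Access | Where-Object {
    $_.ObjectType -eq $allowedToAuthenticate -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate($sidType).Value -eq $dmzGroup.SID.Value
}

if (-not $alreadyGranted) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $dmzGroup.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $adPath -AclObject $acl
    "Granted Allowed to Authenticate on $($wfe.Name) to $($dmzGroup.Name)"
} else {
    "$($dmzGroup.Name) already has Allowed to Authenticate on $($wfe.Name)"
}

# Verify: list every principal holding the right on the computer object.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType
```

Granting the right on the computer object, rather than switching the trust back to forest-wide authentication, keeps every other internal host closed to the DMZ accounts; the same script can be re-run per host if more servers need to be reachable.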
