I would like to use certificate authentication for requests on my website. But when I set clientCertEnabled to true (through https://resources.azure.com/) I am getting 403 forbidden error when I try to reach my site through https.
Through browser I get blue screen Error 403 - This web app is stopped but I can still access web site through http. When I switch clientCertEnabled back to false https is working.
Through fiddler I get 403 as well (client certificate is included in request) with no additional info.
I followed this https://azure.microsoft.com/en-us/documentation/articles/app-service-web-configure-tls-mutual-auth/ but there is nothing else mentioned to be required to make this work.
Do I have to upload client certificates somewhere?
Eventually I found out that problem was in my client certificate which I was using for testing.
Certificate generated in a way described in this very useful blog post worked properly:
https://dotnetcodr.com/2016/01/14/using-client-certificates-in-net-part-2-creating-self-signed-client-certificates/
Related
I have configured my express server to work with SSL and a self signed certificate that I installed in my comp.
And for testing purpose im using postman and a traffic analyzer like Burp Suite Community to check the data that is sent to the server.
This analyzer did let me see all the plain text sent to the login endpoint when it was a post to an http login endpoint
But I switched to an https login endpoint, and I still can see the data that is being sent there
If it its over SSL, why is that happening? Isnt it supposed to be unreadable?
I have my React web application hosted on AWS in one cluster https://example1.com and I'm trying to call my API via axios in React which is hosted on a different cluster https://example2.com/api/login and is currently using a self-signed certificate. I want to test if everything works on HTTPS. The API is written in Java and has the Access-Control-Allow-Origin: * header set. I get a CORS error when calling the API.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://example2.com/api/login. (Reason: CORS request did not succeed).
It does not work when I test my React application on https://localhost as well.
My React web application is bundled using webpack. For local development I'm using webpack-dev-server and for production builds Node.js server is used only to serve the pages. The Node.js server is not HTTPS. The Node.js server on https://example1.com is deployed for production builds via Docker on a custom port.
Other external APIs like Eventbrite, Meetup, Google Places and Google Books work fine.
Do I need to do any special configurations in React / Node.js to get this to work?
cURL gives the following error as well when running curl -X POST https://example2.com/api/login
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Running curl -X POST https://example2.com/api/login -k works.
Similarly, in Postman I can only get the API to work when SSL verification is turned off.
Note: Everything works when all hosts are on HTTP.
So browser blocks request to suspicious server.
Workaround may be running server at https://example1.com that will just redirect requests like /api/login to https://example2.com ignoring certificate's error.
But better get trusted certificate.
I choose to host my website in Azure.So I've created a App Service.Then Created a new domain for my App then created/bind the SSL certificate to my corresponding website.
After done with the SSL certificate .I'm still seeing my website url as http//: and not https://
Also i'm not seeing the Green URL for my Website ..!
It look like this
(P.s : My App Service Tier is AzureFreeTier (Basic: 1 Small)
My SSL Type is SNL SSL)
Please help to resolve my problem here
Thanks in Advance,
Jayendran
You need to do a redirect from HTTP to HTTPS. Installing a certificate just makes using HTTPS with your custom domain name possible.
You can either:
Configure your app to redirect to HTTPS when it receives a request over HTTP + enable HTTP Strict Transport Security
Or use an extension in Web Apps to do the first thing:
To install the extension, open your web app blade in Azure Portal. Go to Extensions, then click Add. Then you should find Redirect HTTP to HTTPS from the list and install it.
That will redirect any HTTP calls to HTTPS for you. I would still recommend adding Strict-Transport-Security headers to your responses to make sure your clients do not access your site insecurely the next time.
The reason you arrive to your site on HTTPS after AAD login is because the HTTPS version of your app's URL has been configured in AAD as the reply URL.
And this:
Your Connection to this site is not fully secure Attackers might be able to see the images
is a mixed content warning. It means you are loading content (e.g. images) using an HTTP URL in your pages. Change them to HTTPS and you will solve that problem.
We have an ASP.NET MVC web application where we use digital signatures for both authorization and signing purposes. So in the SSL Settings of the website I've chosen to Require client certificates. I've also chosen to require SSL. But with some clients I have a problem with 403 Forbidden: Access denied error. If I choose to Ignore the Client Certificates the error goes away. Again, this error occurs only with couple of clients, the rest can connect OK.
The IIS version is 7.5
You might wonder the set up of those problematic and the rest clients in the network: There are two routers, A and B. Some clients connect to A and some to B. The above problem occurs on both cases. So nothing like the problematic clients are connected to router A or B.
Had this error for awhile not to long ago, unfortunately it could be anything in the setup. I'll take a shot in the dark and the client is using the machine name? and not the pre made user used for the service.
I already spent so much time trying to figure out what the problem is. I am getting this error when consuming WCF service from a desktop console application. The service works fine when access from a browser with silverlight client.
Error Message:
System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.
I don't understand why it doesn't work even if both client and server have same authentication scheme 'Negotiate'. I am getting HTTP 401.
I verified client and server configuration is correct, because it works in silverlight client using the same client configuration.
IIS7 website is configured with Windows Authentication using providers 'Negotiate,NTLM'.
So, what does this error message mean? :(
I have fixed my WCF issue by setting client security.
client.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;