I have to find out all logs from IIS log files where we have Authentication Successful messages.
Now I know that status code 200 is for a success message but this code can be returned for any request raised by client.
How can I identify Authentication successful (in my case Windows Authentication to be more specific) events from log files?
IIS access logs won't have successful authentication events, it only logs URL requests, and the account that did the request (if authenticated).
For authentication events for windows authentication, you need to open the "Local Security Policy" snap-in (secpol.msc) on the local computer or by using Group Policy.
Then, go to the Security Settings\Advanced Audit Policy Configuration tree, and in the Logon/Logoff section, configure the Success audit event of "Audit Logon".
More information in Microsoft docs.
Once done, you'll start receiving events in the Windows event viewer, under Windows Logs\Security. They'll appear as event id 4624. Note that this event will appear only when the user is accessing the web application from a different computer. Opening the browser on localhost won't generate that event if the user is logged-in already, which happens when using Internet Explorer.
For Windows authentication, you have to correlate Windows logon audit in system event log and IIS log files. No easy way to get what you want.
https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx
Related
I have the following access policy configured that should blocks access to Microsoft Teams, if there is no valid client certificate:
This policy works in the browser, when teams.microsoft.com is opened (including logging in with valid crendetials) with the custom error message:
Yet, while using the Teams Desktop App, the affected user can login and use teams even without the certificate. The message in the Activity Log of Microsoft Cloud App Security states "bypass session control".
How does the rule not affect the Teams App but work in the browser.
The teams app cannot have access to a certificate, because I tried it in a Sandbox.
As well as the bypass info must mean, somewhere a bypass is allowed/configured? But where would I find that?
If you extend the policy to also check the Client App both for Browser and App, then also the Teams App will be blocked by the policy (or not if the certificate is available).
• You are able to access Teams client app on desktop because you have not selected filters that include ‘client app equals to Mobile and Desktop’ in Access Control Policy as below.
• So, once you select the filters as per your convenience, as above, and the actions to take as ‘block’ or ‘test’, the desktop teams will not be able to start up. Also, the ‘bypass session control’ message in the browser while accessing a blocked or restricted site is displayed in activity logs in Microsoft cloud app security because you might be having ‘admin’ level access to modify, create or delete any access control or session control policy in there.
Please find the below links for more information: -
https://learn.microsoft.com/en-us/cloud-app-security/manage-admins
https://learn.microsoft.com/en-us/cloud-app-security/troubleshooting-proxy
I hosted few applications in IIS (Version:10) with Kerberos authentication. And all web applications are configured under a single web site.
Only windows authentication is enabled.
What I observed is I get 401 followed by 200 for every request.
And the expectation is 401 for the first call, then 200 for all subsequent calls from same client to same api since its already authenticated.
I tried applying authPersistSingleRequest="false" for windows authentication.
Note: This was done after referring to 3 requests for every resource (2 x 401.2 and 1 x 200) in a windows authenticated asp.net mvc app
Then I can see that one api (web application) is working as expected now. And we still have issue with other api(in a different web application).
Can anyone help me to understand if there are any other settings apart from what I mentioned above to make it working as expected.
Make sure you configured the spn account properly with the application pool.
Open IIS Manager and select the Configuration Editor.
In the dropdown menu select system.webServer > security > authentication > windowsAuthentication
set useAppPoolCredentials to True.
In Internet explorer add the site address to the list of trusted websites and specify Automatic logon with a current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.
Refer below link for more detail:
Troubleshoot Kerberos failures in Internet Explorer
I am trying to get DocuSign Connect to make HTTP Post request to my URL.
I have done some testing with POSTMAN app on google chrome and I am able to process the DocuSign XML Messages sent through this HTTP Post Request.
Attached is my setup.
I am unable to receive any messages from DocuSign (I have tried both sending and signing) and additionally I do not see any logs under Logs or Failures.
Is there any possible reason for this?
Updates: I was using a Self-Signed Certificate on my application and hence DocuSign was unable to post the XML message to my web service.
This has been resolved after installation of a DocuSign accepted certificate.
Assuming your account is configured properly for Connect and you do not see anything in the logs or failures here's some possible reasons:
Security software or firewall on your side blocking/catching the message before it reaches your listener
You are filtering for an envelope you do not have permission to.
Your tests are invalid (i.e. you've configured for a signing event but the user is declining or taking some other action).
Also, I just realized you don't have Require Acknowledgement enabled in your Connect config- try turning that on to see if any failures start showing up. Here's the description from the docs of this option:
"Require Acknowledgment: Select this option to log posting failures. DocuSign waits 100 seconds for an acknowledgement before recording a failure. DocuSign logs a failure if the attempt to reach the external endpoint returns anything other than an HTTP 200. The acknowledgment failure messages are logged on the Failures page, which is accessed by clicking FAILURES on the Connect page. When this option is selected, DocuSign will automatically attempt to repost any failures. You can also manually repost from the Failures page."
Check that you have "Connect" enabled as one of the account's features. Do this using the admin tool (New DocuSign Experience) or Preferences in Classic.
Also, if you're trying out Connect on a production account, only some types of accounts include the Connect feature. Contact your Account Manager if it isn't enabled.
All Developer Sandbox accounts on the demo platform do include Connect.
All account types support webhook subscriptions at the envelope level using the eventNotification feature.
Are you using production account or sandbox account for docusign connect.. You must include the protocol HTTP or HTTPS in the web address for sandox account and you must include HTTPS:// in the web address for Production accounts because SSL is required in Production account. Docusign Connect sends the xml to the default ports of 443 for HTTPS: and 80 for HTTP. If you cannot use port 443 for Production contact DocuSign to review possible options. Check this link for docusign connect technical information.. Hope you have handled the server side of it (i.e, the url which you have mentioned in the URL to publish) inorder to get the response from the docusign to the desired url when some event happens..
For example:
If you are using sandbox docusign account for Connect means, URL to publish as to be something like this http://domain.com/Home/DocuConnect (Hosted application port number as to be 80). For sandbox account,docusign connect are enabled defaultly for all the users.
If you are using production account for Connect means, URL to publish as to be something like this https://domain.com/Home/DocuConnect (Hosted application port number as to be 443). In some cases docusign connect are enabled based on the respective subscription plans. To check that go to features tab see for Docusign Connect and try to tick the checkbox and if it is not checked then you got to contact the Docusign Account Manager.
I'm developing an extension that, as part of its processing, needs to access the user's message headers. Since they aren't contained in the HTML, a call is made to a servlet running in our server, which is hosted by Amazon Web Services, that connects to the Gmail IMAP server using the user's credentials. However, the first time the user runs the extension, Google sends a warning email to the user asking if it's OK to let the connection happen and blocks the connection until the user OKs it.
Is there any way for the user to OK the connection in advance and if not, how can else I get at the headers?
If you have an asp.net site sending messages to a remote queue, how do you handle authentication. If Windows Authentication is turned off, the network service sends a message to the remote queue. Does that mean that in de security tab of the queue, I need to add the netwerk service of the server sending the message? (by the way, I do not use http or https).
And what if Windows Authentication is enabled, do I need to add all users that will log in using windows authentication to the queue?