Coldfusion 10 Ignores IIS authorization rules - iis

I have a website for which I am trying to configure the security of certain directories. I have added the appropriate deny and allow rules under IIS Authorization Rules.
If a user tries to access the folder without specifying the file name in the URL, IIS kicks in and applies the rules properly. For example, https://example.org/siteadmin/groupeditor will correctly cause IIS authorization rules to be applied.
If the user tries to access a static file like *.jpg or *.htm, IIS will also properly apply the authorization rules. https://example.org/siteadmin/groupeditor/mypicture.gif or https://example.org/siteadmin/groupeditor/test.htm will cause IIS authorization rules to be applied.
If a user knows the CFM page name, they can access the page. https://example.org/siteadmin/groupeditor/mypage.cfm will render
I have the pages "guarded" with logic in an application.cfc to check to see if the user is in an appropriate role. However, it is bugging me to no end that this configuration isn't working properly. The only thing that I can guess is that somehow ColdFusion's ISAPI filter is getting access to the request before IIS. Is this correct? Is there any way to fix this?

Related

Azure b2c custom policy login redirect through Azure front door is defaulting 404 to a domain I am unsure of how to manage. How do I redirect the 404

I have a domain that is protected through Azure b2c. The way I set it up is that a domain linked through Azure front-door is the login domain.
login.contoso.com
The app domain is
my.contoso.com
What is happening is that when I go to login.contoso.com (without any routing or path redirect uri's) directly it will default to a 404 error and land on this page
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
To note, the correct path works. i.e. login.contoso.com/<token>azureb2c...
The issue is how to I handle the 404 error?
I'd like to default direct that to my main domain site i.e. contoso.com or someotherpage.
The odd part for me is that because the domain, sub-domain, is login.contoso.com I don't think there is actually a page from Azure emitting that. I think, correctly, that is just my domain's way of handling 404's or wrong page.
I already handle the redirect if the person goes to my.contoso.com and isn't logged in they go directly to login.contoso.com However, I don't think i'm handling the 404 errors correctly because anything outside of that emits the previously described error screen.
So I think the question is, how can I direct a subdomain's 404 to a url of my choosing of a domain that is setup through Azure front-door?
Is that just in the same permissions of my webconfig for the main app service domain ie., contoso.com? Or, is it the webconfig of the app service specifically for the subdomain my.contoso.com?
• You can surely configure the redirection for your different subdomains from a particular subdomain URL while logging in or any other kind of activity like session auto-logout after token expiration by configuring the correct routing rules for redirection in the Azure front door classic version.
Kindly check the snapshot below as demonstrated according to your requirement: -
Thus, according to the above snapshots, you can configure the redirection for the ‘login.contoso.com’ URL to the desired domain URL of your choice, i.e., ‘contoso.com’ or ‘someotherpage.com’ for in Azure AD B2C too.
• Also, in the above snapshot, I have selected ‘Temporary Redirect (307)’ for HTTPS protocol as according to the below documentation link, the target resource is temporarily under a different URI. The user agent MUST NOT change the request method if it does an automatic redirection to that URI. Since the redirection can change over time, the client ought to continue using the original effective request URI for future requests.
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-url-redirect?pivots=front-door-standard-premium#redirection-types
As you want the redirection to happen for the ‘login.contoso.com’ URL when you redirect to that page, it will surely happen when you configure it accordingly as above since this redirection is temporary according to the situations stated above.

In IIS, how do you configure folder access for basic authentication?

In IIS 7, how do you configure folder access for basic authentication against domain?
I've done the following:
Enabled Authentication - Basic Mode.
This seems to work for regular folders, but once I convert the folder to an Application in IIS, users get rejected unless I add them specifically to the Security item in Windows. Do I need to do this for every single user?
What if I need all members of domain to access a given url?

Basic HTTP Authentication in IIS

Is it possible to do BOTH of these using a web.config file? If not, what would be the easiest way to achieve them on an IIS server.
Protect a web-accessible folder via HTTP auth
Allow access from a specific username/password AND a specific IP address
This is possible using .htaccess and .htpasswd on Apache, but I need an IIS equivalent if one exists.

Mysteriously appearing required NT authentication after Classic ASP site update?

A developer posts their code from a staging site (which requires authentication) to the live public site (which should not) and suddenly the live site is requiring authentication (which is not good).
They don't have permissions to change any settings on the server(s) and there is no call from the code on the live site to anything on the staging site, that I can locate. (No forgotten calls to an image on the staging site or anything)
Can the group think of some file that might have been removed/changed that could cause this to happen? I checked this question as well - [HTTP Authentication in ASP Classic via IIS] - but none of those methods are being used.
App is Classic ASP, IIS6.0 server.
Security Settings - Anonymous Access permitted on the live site. Account for anonymous internet users allowed read access to the directory where the site is located - user is unable to change directory or site permissions on the server.
Thanks!
Did the files retain their security permissions from the folder they were copied from? Reset the permissions on the files.
Are you using a four-part URL to get to the site (http://www.somesite.com/)? That will default to the Internet zone and not intranet, prompting for authentication.
User will get challenged when Anonymous Access is turned off in IIS. What are the security settings? Without that information, we will not be able to help much.

MOSS Domain Configuration

We are having some issues getting SharePoint to work as we want it to.
We have an enterprise MOSS configuration on our domain and have the entry http://intranet pointing to it on port 80.
We also have another site collection and have pointed an internet domain name http:/nww.oursector.nhs.uk at it. We have done this to allow those outside our domain but on the same physical network to view it. Our network admin hasd configured the firewall to redirect any requests to this url to our sharepoint server.
The problem with this is that we have had to turn on anonymous access otherwise SharePoint sees this url as external and blocks authenticated access to the site. This means that all users need to manually sign in to the site, which is making working with SharePoint quite problematic.
Is there a way to configure SharePoint to allow the url http:/nww.oursector.nhs.uk to access the site collection without having anonymous access turned on for the site? I want users to be able to browse to the site and if authenticated then fine, if not then prompt them to login.
Can anyone suggest a way to achieve this?
I would say you need to use SharePoint's alternate access mapping to use the correct authentication type depending on the method users are using to access the website.
Basically i think this would work as follows for your situation:
For internal users, use the default zone, using NTLM with SSO configured.
Thus users should be signed in transparently without requiring to login.
For external users, extend the web application, using the extranet zone, using anonymous access.
This will allow external users, to browse the website without signing on.
See:
http://blogs.msdn.com/sharepoint/archive/2007/03/06/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-1.aspx

Resources