401 Error on Blackberry Device - iis

I have a SharePoint instance serving as our Extranet to our salesforce - communicating over HTTPS. All sales agents have a Blackberry device, but none can access our Extranet.
In IIS, we only have ASP.NET Impersonation and Windows Authentication enabled, but the BB device doesn't even prompt for credentials, it just receives a 401 error.
Needless to say, the site is browsable on other devices (PC, tablet, iPhone..), so it seems to be something specific to BB settings - or that's my inclination. Anyone have any thoughts on how I can troubleshoot\resolve?
I should add.. I downloaded the BlackBerry emulator for my PC, and that too has the same issue, so I don't think it's a BlackBerry service setting.. but something with how the device is attempting to connect\authenticate.

OK, found the answer (apparently the Google machine is running much better today than it was yesterday ;)
Blackberry doesn't support Windows Authentication since the browser is too old. I had to turn on Basic Authentication, which isn't recommended unless you're running over SSL.. which fortunately I am. Found the answer here: http://support.microsoft.com/kb/907273

Related

Find out whether web app or server is compromised

I'm a rather experienced web developer and have Plesk Onyx running on my dedicated server. It features 2FA via Google Authenticator. Inside Plesk, I added multiple WordPress-based webpages of mine and friends of mine. All of these WordPress installations are securely installed by Plesk, with access hardened by moving the admin area, globally disabling comments, 2FA, and so on.
Now a few days ago, a friend told me he was seeing massive ads on my webpage. Since the server also yields my company's page, that is perhaps something to take seriously - so did I. However, I couldn't reproduce the ads or the pop-ups, etc. - at all -, neither on my Windows machines (10 and Server 2016), nor on any mobile or laptop device. Yesterday, I was viewing my webpage with a friend of mine (desktop PC). And all of a sudden, ads show up when he clicks links in my WP menu and stuff like this. Very pushy, very much, absolutely... unacceptable.
I introduced myself as a rather experienced web developer. However, I don't know how to tackle this. Whether my server was actually hacked or compromised, some WordPress plugin is messing up with ads (however, friend found problems on multiple sites that are not using the same plugins), or whatever. I think Plesk and WP are both strong and shouldn't be compromised that easily. Besides, I didn't notice any further.
How to tackle this?
Did you try Revisium Antivirus to scan your websites? It is available on Plesk extensions. I had a similar issue and Revisium Antivirus found all the files that were infected.
Also, check your friend's PC (web browser) for malware. There is some malware (hidden software) which can run ads or add strange links to your website. So, in that case, there is nothing to do with your server or websites.

windows integrated security user.identity.isauthenticated returns false

I swapped my hard disk for an ssd, and am having fun recreating my environment.
I'm running Win7 Pro, and my web app is returning false from user.identity.isauthentication (was working fine before I upgraded to the SSD).
I added windows integrated security as a security feature under the windows components (I'm running local IIS), and enabled it for the web site.
If I disable anonymous, user.identity.isauthenticated returns true with the correct credentials - BUT I am always prompted to enter my credentials.
AHAH - it must be NTFS permissions. But I've added them for every account I can think of - NETWORK SERVICES, my own account, IUSR, authentication users, and several others that were already there. Makes no difference.
Maybe the app pool I'm running under - but I've tried DefaultAppPool, .NET 4.0, and .NET 4.0 Classic. Again, makes no difference.
Does anyone have any ideas on other things I can try? I'm not on a domain or anything like that, this is entirely local. Thanks!
The solution was in the browser, in this case under ie9 Internet Options. After verifying in the Advanced tab that Enable Windows Integrated Authentication was checked, one must go to the Security tab, under Local Intranet/Sites and uncheck "automatically detect intranet network" and check "include all local intranet sites".
What's in your web.config?
<authentication mode="Windows"></authentication>

401 - Unauthorized in IE7 only with windows authentication.

I've created an intranet site that uses windows authentication
In chrome I can access the site instantly, and in FF it requires Active Directory login.
But with IE7 I'm getting the following error:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
I'm unsure as to why it's okay in other browsers but not IE?
Any help appreciated.
Thanks
Solution:
IE is using Kerberos and not falling back on NTLM like Chrome and Firefox. You must force NTLM authentication in IIS7.5 by following these steps:
Select your site.
Double click authentication.
Select "Windows Authentication" (ensuring that it is enabled).
Click "Providers..." in the right hand column.
Select NTLM and click "Move Up".
Link: windows authentication not working in ie7
I'm not familiar with IIS, but in the past few weeks I've had lots of hands-on experience in integrating AD login into web applications. As is quite logical - every Microsoft product would be better integrated with another such, and Internet Explorer (should be valid for all versions, not just 7) automatically passes your AD login credentials as long as you use Active Directory for your Windows login authentication method.
Every other browser will either need to be configured to do so, ask you to type them in manually or will not support it at all. Which explains why Firefox asks you for a username and a password. Under Opera, you'll most likely get the same error message.
My guess about Chrome is that it's your default browser of choice and at some point in time, you've typed in your login credentials and that session is still active.
All of this would mean (if my assumptions are correct) that you need to use a different AD account to login into this application than Windows and the latter (being automatically passed by IE) is not authorized.
It sounds like your environment is not set up properly for Kerberos authentication to take place. There are many things that can cause Kerberos authentication failure, e.g. clock skew on the server or client, a missing SPN on the web server, etc.
Normally, when you configure Windows authentication, you are asking to use SPNEGO, which means using Kerberos whenever possible and then falling back to NTLM if Kerberos fails. However, this post pointed out that this is no longer true. IE7 stops at Kerberos in certain cases without falling back to NTLM.
You can try to disable the "Enable Integrated Windows Authentication" as the post suggested. It looks odd but it actually just turns off SPNEGO; you will still use NTLM.
I guess Firefox and Chrome work because they are using NTLM but not Kerberos. From my experience, non-Microsoft browsers don't do Kerberos out of the box. You need to do some configuration work to make it happen. For example, in FireFox, you need to set the network.negotiate-auth.trusted-uris parameter. See here
Once you confirm that NTLM for IE7 is still working fine, you can post another question to ask how to fix the Kerberos authentication problem for IIS.
Start off by looking here and getting a more detailed error description. I had some crazy problems with CRM and it all came down to the order of settings in IIS. The answer to the problem ended up being as simple as:
going into iis and then the authentication setting
clicking on windows authentication and selecting advanced
make sure kernel mode is on
click on providers and ensure negotiate is above NTLM.

Configure Firefox 3.0.x to authenticate with Kerberos and not prompt

I have an Intranet http application running on several machines in our Windows domain; everything works when using IE 7 because I can configure it to use Kerberos authentication and I've figured out how to get one of the intermediate machines to be Trusted for Delegation.
I have researched and tried to get Firefox 3.0.10 to use Kerberos:
navigate to about:config
filter to network.negotiate
update network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris
with the following entries (separated by comma): http://jupiter2000/trimbrokerclient,http://johnxp/fileservicedemo
I have done this and even restarted Firefox and when I browse to the above sites on our LAN, I still get prompted for username and password and even when I supply them and the web page is loaded, I have some code in the app which displays the authentication method in effect and it is still NTLM, not Kerberos as when IE is used.
Can someone comment on how to get Firefox usable on this Intranet application of mine? Thank you.
p.s. while the names above are different, the app is the same. JUPITER2000 is IIS 6.0; JOHNXP is IIS 5.1.
From what I have done myself, you will only want to input the domain, and not the http:// or path.
There are 5 settings that need to be changed in FireFox.
Only the domain is necessary.
See them all here:
FireFox settings for Integrated Windows Authentication
You must use just the server name:
jupiter2000,johnxp
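
The threads above keep coming back to whether a browser actually sent Kerberos or NTLM under Windows Authentication. As an added example (not from any of the posts), this Python function classifies the token in an `Authorization` or `WWW-Authenticate` header value by its leading bytes; the function name and the sample tokens are constructed for illustration, and the check is a byte-signature heuristic rather than a full ASN.1 parse.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"                            # start of every NTLM message
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_auth_header(value):
    """Return (scheme, mechanism) for one Authorization/WWW-Authenticate value."""
    parts = value.strip().split(None, 1)
    if not parts:
        return ("none", "empty header")
    scheme = parts[0].lower()
    token = parts[1].strip() if len(parts) > 1 else ""
    if scheme == "basic":
        return ("basic", "base64-encoded credentials, needs TLS")
    if scheme not in ("negotiate", "ntlm"):
        return (scheme, "not a Windows authentication scheme")
    if not token:
        return (scheme, "offer only, no token")
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:
        return (scheme, "malformed token")
    pos = blob.find(NTLM_SIG)
    if pos != -1 and len(blob) >= pos + 12:
        # Message type is a little-endian uint32 right after the signature.
        (msg_type,) = struct.unpack_from("<I", blob, pos + 8)
        prefix = "SPNEGO-wrapped NTLM " if pos else "NTLM "
        return (scheme, prefix + NTLM_TYPES.get(msg_type, "unknown"))
    if blob[:1] == b"\x60" and KRB5_OID in blob:
        # 0x60 is the GSS-API initial token tag; the Kerberos OID marks the mechanism.
        return (scheme, "Kerberos")
    return (scheme, "unrecognised token")

def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")

# Constructed, truncated sample tokens and header values (not captured traffic).
SAMPLE_NTLM = _hdr("Negotiate", NTLM_SIG + struct.pack("<I", 1) + b"\x00" * 20)
SAMPLE_KRB = _hdr("Negotiate", b"\x60\x20" + SPNEGO_OID + b"\xa0\x16" + KRB5_OID + b"\x00" * 8)
SAMPLE_WRAPPED = _hdr("Negotiate", b"\xa1\x10\xa2\x0e\x04\x0c" + NTLM_SIG + struct.pack("<I", 3))

if __name__ == "__main__":
    for h in (SAMPLE_NTLM, SAMPLE_KRB, SAMPLE_WRAPPED, "Negotiate", "Basic dXNlcjpwdw=="):
        print(classify_auth_header(h))
```

A server that answers 401 with only `Negotiate` and `NTLM` offers, as in the BlackBerry thread, gives a client without those schemes nothing it can respond to.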

Windows Safari cannot access server by NetBIOS/WINS name

Whenever I try to access an NTLM authenticated intranet site, Safari takes forever to process and then comes back with "The server is unavailable" or, if allowed by the site, loads without authenticating. I can access these same sites with no problems in both Firefox and Internet Explorer. The sites are hosted on IIS6 and are being generated with either ASP, ASP.Net 1.1 or ASP.Net 2.0.
Any insight on why Safari is choking on these sites? Are there any work-arounds to get NTLM to correctly authenticate with Safari?
Update:
In further playing with it I have determined that NTLM will work (with the page loading reasonably fast) if I am using the FQDN for the site (i.e. http://mysite doesn't work, but http://mysite.domain.prv will work). Unfortunately, this will not work due to other constraints on the project.
Does anyone know why the FQDN would work but the shorter name will not? Is this something that can be worked around or is it "Sorry out of luck"?
Update 2:
According to the Wireshark packet sniffer, Safari sends a SYN to the correct server's IP address. The intranet server responds with a SYN, ACK, to which Safari sends an ACK. This is the end of communication between Safari and the server. When attempting to access the intranet site by FQDN these three packets were the same but were then followed by an HTTP GET request, which then successfully loaded the page.
Because Safari is connecting to the correct IP address, I find it hard to believe that Safari just doesn't support NetBIOS/WINS names. Additionally, because the NTLM packets are never exchanged as Safari never sends the initial GET request, I'm certain that NTLM has nothing to do with this issue.
Does anyone know the status of Safari's support of NetBIOS/WINS?
In a similar situation with a Java based B2B client, I was successful in using http://ntlmaps.sourceforge.net/ to traverse the proxy.
Any insight on why Safari is choking on these sites?
Because NTLM is not a web standard. You can't expect any given web browser to support it.
Until recently only IE supported it at all. And Firefox's support has to be specifically configured.
Firefox has always been able to traverse NTLM sites. I know because I'm stuck with this god awful custom ASP solution and SharePoint site to use in our intranet... Firefox is a dream.
Apple.. fix Safari kthx?
