TFS2012 / IIS7.5 and Windows authorize - iis

I develop web app, which cooperates with to TFS2012. In my local machine its works fine, but when i deploy on server i get the following exception:
[WebException: The remote server returned an error: (401) Unauthorized.]
System.Net.HttpWebRequest.GetResponse() +6440920
Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.SendRequestAndGetResponse(HttpWebRequest webRequest, WebException& webException) +195
My connect to TFS Code:
_collection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("http://xxx/tfs/TestPrjects/"));
_collection.EnsureAuthenticated();
_store = _collection.GetService<WorkItemStore>();
my web-config:
<system.web>
<customErrors mode="Off"></customErrors>
<authentication mode="Windows"/>
...
<system.web>
in ISS i activate Windows authorization:
Where is my mistake?

The details you are using to access TFS are incorrect.
The reason it works on your local machine is because the webserver is running as you, who has access to TFS. On the IIS server it's running as the app pool user, which won't have access.
Potential Solutions
Run the app pool as a user that has access to TFS (or grant the current user access)
This is ok for read only access, but if you're writing back to items you may want to not go down this route
Enable delegation so the code that connects to TFS is run as the currently authenticated windows user
This is much harder to do and only works in internet explorer out of the box. Firefox users can change a setting and Chrome users need to start chrome with a commandline switch.
wrap a using(WindowsIdentity.GetCurrent().Impersonate()) {} around your code that uses TFS and ensure you are using CredentialCache.DefaultNetworkCredentials to connect to TFS.
Use the TFS Server API
Be naughty and use server instead of the client api. The server API writes directly to the db and doesn't need to impersonate a user. I highly doubt this is a supported path and you won't find much information on it. However it still needs to run as a user with access to the db (like option 1, but supports updates as windows authed users)

Related

.NET5 Windows Authentification Prompt

So I have developed an API with Windows Authentification. When I ran the project with Visual's Studio IIS Express - endpoint's secured with:
[Authorize(AuthenticationSchemes = IISDefaults.AuthenticationScheme)]
In services I have registered:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
get's the current Windows user, which I can access through HttpContextAccessor.
After I have published the app to Windows Server (HTTPS enabled) with IIS 10 running when I am trying to access protected endpoints I just get Login Prompt and it doesn't matter what I enter in it, it goes away only if I cancel.
My Site settings in Windows IIS Server, Windows Auth uses Negotiate Provider:
Application pool settings:
Is there anything I can do to fix this? If this post lacks some other information, please, let me know, I will edit it.
When you enable anonymous authentication and authentication at the same time, iis will use anonymous authentication, so you need to disable anonymous authentication and try again.

Clickonce deployment security issue

We have created a dns for external and internal employees to visit an application website. They can both reach the website hosted in iis. they can both download the application that has been deployed using clickonce.
Issue is we want to password protect for external employees.. Internally its ok because we use windows authentication and have a group of users for specific applications.
we created an ad account and password. when i setup windows auth and restrict to this one ad account. i enter in username and password when going to the external dns. thats fine.. i click on the application to install.. and when its trying to install i get + The remote server returned an error: (401) Unauthorized.i'm getting a security error even after i put in the credentials , it somehow still fails when going to install.. what can i do to better password protect applications that will be accessed from the outside using clickonce.. or fix this issue thanks

Windows authentication not working - invalid credentials passed to the SQL Server

I am stuck at the moment on trying to configure the Windows authentication on a web site.
The site is configured (in IIS 7.5) as follows:
Windows authentication and ASP.NET Impersonation - Enabled.
The 'Enable Kernel-mode authentication' is checked.
Providers section contain all 3 possible: Negotiate, NTLM, Negotiate:Kerberos.
The site connects to a SQL Server using Windows authentication as well.
The Web server is marked as trusted for delegation for the SQL server.
When I browse the site locally from the web server everything works; when I browse it from a client computer I get the well known error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
I read I should set some SPNs - but in my case - to what\whom ?...
The access to the SQL Server is done individually to users (also, the Web server, SQL server and the users accessing the site are in the same domain; the application pool also uses a domain account)
An advice would be much appreciated ...
I think you're getting "Anonymous Logon" because you have anonymous logon enabled.
Try enabling only Windows authentication and ASP.NET Impersonation and disabling the rest
Also might help to check the internet explorer security settings for the 'zone' you're in from the client computer (i'm guessing internet) at the very end set internet explorer to prompt for user name and password

Kerberos, Claims Based authentication and Sharepoint : Cannot connect to database

I have a server which hosts Sharepoint 2010. I have another server which hosts a SQL Server 2008 R2. SharePoint is Kerberos/Claims Based.
On my SharePoint, I installed a custom made webpart that connects to the SQL Server machine using standard connection string (Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;).
The problem is that when the webpart tries to connect to the sql server, I get the following message :
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
What we've done :
Verify all spn/delegation/trusts things - everything seems okay.
Tried to connect directly from the sharepoint machine via a UDL file to sql server, and it works.
Tried the webpart as standalone ASPX page on a single machine server to prove the code is supposed to work, and it works.
Wireshark -> We can see a KDC_ERR_S_PRINCIPAL_UNKNOWN when ANONYMUS LOGON tries to connect to sql server (obvisously).
SharePoint Developer Dashboard shows us our current username, which is not ANONYMUS.
Traces in the webpart shows two things : The HTTPCONTEXT is set to my current user, so is the Thread.Current.
Using SQL Profiler, we can see that the request is from ANONYMUS
We tried to access a web service on another server from another custom made webpart, and it failed for the same reason (ANONYMUS).
What are we missing? The problem really seems to be that SharePoint is unable to send the current user credential to another server (sql or not).
Have you verified that Kerberos is working ?
Download the Troubleshooting Kerberos Delegation
http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=99B0F94F-E28A-4726-BFFE-2F64AE2F59A2&displaylang=en

IIS thows 401 Error Whenever There is a Database Connection in Asp.Net Application

I'm working on an Asp.Net Application in Windows XP Professional with IIS 5, VS 2008 and MS Sql Server 2008. Normal Asp.Net program and html page can be viewed correctly in IIS, however, if there is a successful database connection in the Asp.Net program(otherwise it will show a exception page), the IIS will ask for username and password and then throws:
You are not authorized to view this page
...
HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Any one can help?
Thanks
IIS requesting user name and password - do you have windows authentication enabled, or basic, or anonymous? IIS requesting a user name/password isn't database related necessarily...
First thing to always check is that you have configured SQL Server to allow remote connections.
How to configure SQL Server 2005 to allow remote connections
For generic SQL Server Connectivity Troubleshooting consult the following Blog Post
Finally I find out it's not the Asp.Net or SQL Server problem, it's because the Asp.Net program uses URL stored in database and redirect the user to the web root, then when user navigate to the web root directory, IIS automatically uses the iisstart.asp page as an index page, and that page caused the authentication dialog.

Resources