WebService Security between DMZ and Protected Network

I have a custom desktop application which invokes an ASMX web service. The Service is hosted under a SharePoint Site in a Virtual Directory in IIS. The authentication used is Windows Integrated.
Now, I want to use the same application from a host in our DMZ. I configured ISA Server to allow HTTP access from the DMZ to the Server in our protected network.
Trying to test the application I got some errors like: "Client found response Content type text/html but expected text/xml". I guess that this error comes from the authentication failure since the same app works fine in the protected mode.
What are my options here concerning authentication? Should I allow Anonymous?
Thanks,
Dimitris.

I finally found the solution!
I had to grant all the DMZ domain users that would access the Web Service the "Allowed to Authenticate" permission on the WFE's computer account in Active Directory.
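The permission named in the answer is the Allowed-To-Authenticate extended right on the computer object, which matters when the trust between the DMZ domain and the protected domain uses selective authentication. The following is an added example, not code from the original post, showing how to list and how to grant that right with the RSAT ActiveDirectory module. The computer name `WFE01` and the group `DMZDOMAIN\WebServiceUsers` are placeholders; granting the right to a specific group rather than to Anonymous or Everyone keeps the exposure limited to the users who actually need the web service.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module is installed and that the names passed in are placeholders for your own
# WFE computer account and DMZ users' group.
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate extended right as defined in the AD schema.
$AllowedToAuthenticateGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-AllowedToAuthenticateAce {
    # Lists the ACEs on a computer object that grant or deny "Allowed to Authenticate".
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $AllowedToAuthenticateGuid)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

function Grant-AllowedToAuthenticate {
    # Grants the right to one principal (a group, not Anonymous/Everyone), so only the
    # DMZ users that need the web service can authenticate to the WFE.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Principal   # e.g. 'DMZDOMAIN\WebServiceUsers' (placeholder)
    )
    $dn   = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($Principal)),
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticateGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage with placeholder names:
# Get-AllowedToAuthenticateAce -ComputerName 'WFE01'
# Grant-AllowedToAuthenticate -ComputerName 'WFE01' -Principal 'DMZDOMAIN\WebServiceUsers'
```

Run the `Get-` function first to see whether an inherited Deny or an existing Allow already covers the group; the `Grant-` function only adds an Allow ACE and does not remove anything that is already there.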

Related

How to allow web applications from different Azure accounts (company) to allow mutual access over the Internet?

I want my web app to be able to send requests to another web app.
I have added the (outbound) public IP of the web apps to the mutual access restriction.
In the Kudu Console, I use "tcpping" to test that the hostname of his web app is reachable (port 443).
But when I call my web app with Postman, my web app gets "Forbidden".
Later, when I executed curl in the Kudu Console of my web app, I also received 403 Forbidden.
And when the Kudu Console of the other party's web app executes curl, it displays 401.
In addition to Access Restriction, do I need to confirm any settings?
As HarshithaVeeramalla-MT said, it was later found that the outbound IP addresses of both parties were not complete, and all IP addresses under Additional Outbound IP Addresses need to be added to the Networking/Access Restriction before they can access each other.
Thank you.

ARR on IIS to skip windows authentication

I have a network with DMZ, where my application is deployed.
My application is deployed in IIS on a server in the internal network. On this IIS, 'Windows Authentication' is enabled for my application.
I have another IIS in the DMZ where I have used ARR (Application Request Routing) to route all requests to the internal server where my application is hosted. On this IIS, 'Anonymous Authentication' is enabled.
When I try to access my application from the public internet (through the DMZ), the browser displays the authentication popup. But users from the public internet do not have a Windows account in the domain.
Is there any configuration that can authenticate internal users with their Windows account and external users without it?

Issues in IIS Manager

I am using IIS Manager on Windows 10.
I need to host my ASP.NET Web Forms project in IIS and access it from other devices on the same network.
I add a new website and provide the physical path.
The IP is accessible from the computer but cannot be accessed from other devices on the same network.
It shows, while testing authentication for the file:
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.
As far as I know, this is IIS warning when you click test in the binding window.
By default, IIS will use its own identity to access the protected files. With pass-through
authentication like impersonation, IIS will attempt to use the actual identity of the user when accessing protected resources.
If the user doesn't authenticate, it will use the application pool identity to access the resources.
In my opinion, it is just a warning, not an error.

Accessing ADFS from outside corporate network

I'm trying to authenticate a SPA against an active directory.
My understanding till now is:
- using ADFS as an STS for getting tokens
- using ADAL.js for simplifying communication with ADFS
In order to set up a proof of concept, I created a virtual machine on Azure based on Windows Server 2016. Then I installed an AD and an ADFS.
ADFS works correctly when I am on the virtual machine, I can see its metadata url on https.
Now I would like to develop my SPA from my development machine, but I cannot reach the ADFS endpoint from outside Azure.
The question is: is it correct/allowed trying to authenticate from a computer outside that network?
I read many possibilities without finding a solution:
- using an express route for establishing a VPN
- using an ADFS proxy
- joining the AAD
Thank you.
Definitely - I do it all the time.
No - you don't need Express Route / Proxy.
In your VM configuration in Azure under "Overview", are you using the DNS name you see there?
Under "Networking", have you enabled http and https?

Constrained delegation (Kerberos) only working using localhost

We have developed a WebAPI application that runs on IIS 6.2. That API uses Integrated authentication, so the operations are executed in the user context of the user that is calling the API.
Apart from that, because some of those operations execute remote actions on another server in the platform, we used constrained delegation (Kerberos) to manage the Kerberos double hop and be validated on the remote server as the user calling the API.
We made the configuration changes in IIS (regarding enabling Windows authentication) and we enabled "Trust this computer for delegation to any service (Kerberos only)" in the AD for the server running IIS.
The current status is: if we access the API using localhost, everything works as expected. However, if we access it using the FQDN or even 127.0.0.1, it fails with unauthorized when the API call that executes the remote operation behind the scenes returns.
Does anyone know how we can fix such a configuration issue?
Thanks
Sounds like you did everything right...except didn't or haven't set the SPN properly in AD for the principal (computer/server object) referring to the web service running on the target server. For example, the server name is server1, and the AD and DNS domain name is acme.com. Then the SPN for the server in AD would need to be HTTP/server1.acme.com. Ref: Setting up Kerberos Authentication for a Website in IIS
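The answer above points at the SPN. The function below is an added example, not code from the thread, that reports what a domain controller actually holds for the IIS host: which of the HTTP SPNs a client would request are registered and on which account, whether the same SPN is registered twice (a duplicate SPN makes the KDC refuse to issue a ticket and clients fall back to NTLM, which cannot be delegated), and which delegation mode the computer object is in. That last check is worth having because "Trust this computer for delegation to any service" is unconstrained delegation, whereas constrained delegation lists its target SPNs in `msDS-AllowedToDelegateTo`. It assumes the RSAT ActiveDirectory module; `server1` and `acme.com` are the placeholder names from the answer, and the optional `-AppPoolAccount` is a hypothetical parameter for the case where the application pool runs as a domain user (the SPN must then be on that user, not on the computer account).

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# and uses the answer's placeholder names (server1, acme.com).
Import-Module ActiveDirectory

function Get-IisKerberosStatus {
    param(
        [Parameter(Mandatory)][string]$ServerName,   # host running IIS, e.g. 'server1'
        [Parameter(Mandatory)][string]$DnsDomain,    # e.g. 'acme.com'
        [string]$AppPoolAccount                      # only if the pool runs as a domain user (hypothetical parameter)
    )
    $fqdn  = "$ServerName.$DnsDomain"
    $props = 'servicePrincipalName', 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $computer = Get-ADComputer -Identity $ServerName -Properties $props

    # SPNs a client derives from http://server1 and http://server1.acme.com. They must
    # be on the account the app pool runs as: the computer account for
    # ApplicationPoolIdentity / NetworkService, the domain user otherwise.
    $wanted     = @("HTTP/$ServerName", "HTTP/$fqdn")
    $spnHolder  = if ($AppPoolAccount) { Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName } else { $computer }
    $registered = @($spnHolder.servicePrincipalName)
    $missing    = @($wanted | Where-Object { $registered -notcontains $_ })

    # An SPN present on more than one account breaks Kerberos for that service.
    $duplicates = foreach ($spn in $wanted) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($holders.Count -gt 1) {
            [pscustomobject]@{ SPN = $spn; Accounts = ($holders.Name -join ', ') }
        }
    }

    # Delegation mode as recorded on the computer object.
    $targets = @($computer.'msDS-AllowedToDelegateTo')
    $mode = if ($computer.TrustedToAuthForDelegation) { 'Constrained (any protocol / protocol transition)' }
            elseif ($targets.Count -gt 0)             { 'Constrained (Kerberos only)' }
            elseif ($computer.TrustedForDelegation)   { 'Unconstrained ("any service")' }
            else                                      { 'None' }

    [pscustomobject]@{
        Server            = $fqdn
        SpnAccount        = $spnHolder.SamAccountName
        RegisteredSpns    = $registered
        MissingSpns       = $missing
        DuplicateSpns     = @($duplicates)
        DelegationMode    = $mode
        DelegationTargets = $targets
    }
}

# Usage with the answer's placeholder names:
Get-IisKerberosStatus -ServerName 'server1' -DnsDomain 'acme.com' | Format-List
```

If `MissingSpns` is non-empty, `setspn -S HTTP/server1.acme.com <account>` registers the SPN on the right account (`-S` refuses to create a duplicate). If `DelegationMode` reports `Unconstrained`, the second hop will still work, but switching the computer object to constrained delegation with only the remote server's SPN as a target limits what a compromised IIS host could impersonate users to.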
