Simple auth proxy using Windows Auth - IIS

I need to write a very simple authentication proxy service - the user must login via a web browser, then the page redirects the user to another URL if the login was correct.
The server is IIS7; auth is via Active Directory. While I have heaps of experience in Linux, Apache, Python, etc., I have virtually no programming experience in the Windows environment. I understand that IIS can handle the authentication part, but I'm a bit unsure where to start for generating the URL. What language, environment and resources would be a good starting point?
While one part of me wants to break out the python, another wants to do it 'The Windows Way (TM)'.
Even better would be to use the Windows Domain SSO so the user wouldn't even need to log in, but that can come later.

In the WISA world (Windows, IIS, SQL, ASP.Net), you can accomplish the above with ASP.Net Forms Authentication (one option is to use Active Directory).
If this is a private site (corporate Active Directory intranet), an easy way to get no login prompt at all (SSO from the user's AD login on the PC) is if you have IE in your network (NTLM/integrated authentication). You can do the security restrictions in IIS for files, folders, etc. without any development, nor would you need ASP.net involved; the files could simply be HTML, etc. Access is granted in AD to your users/groups for some resource. Although I have never done it, if IIS can run Python, then you can bust out the Python :). IE may not be the only choice; it seems you can configure Firefox, but I have not tried this. If it's internal/corporate, IE is pretty much the no-brainer for it (no sweating, nothing to figure out or tweak).

Related

WebDAV for XPages and Domino only works when giving anonymous full access rights

I have installed WebDAV for Domino and made the required changes in webdavconfig.nsf.
If I give Designer rights to anonymous users, I can access and update the Word documents in the database through Internet Explorer and MS Word, but if I change them back to no rights, I can't. Of course I want to edit them with my own credentials.
What am I doing wrong?
OS: Windows 10
URLs which work anonymously (????? are hidden):
webdavs://dev.?????.nl/webdav/domino/eod.docx
https://dev.?????.nl/development/webdab.nsf
https://dev.?????.nl/webdav/domino/
Any help would be appreciated!
I wrote that application.
You are in the tricky land of authentication. Domino supports: Basic, form-based, cookie-based (LTPA), SPNEGO and SAML. The latter 3 need configuration work.
What happens when you use WebDAV is that it is no longer your browser, but a local library (belonging to Explorer or Office), that talks to Domino.
You can "manually" try that using File - Open and pasting the URL to the document (the one with https://, not webdavs://).
The only thing that happens with a webdavs:// URL: a little helper checks, based on the extension in the registry, what app is needed (Word, Excel, OpenOffice) and then calls that app with the https:// URL as parameter. Like starting e.g. Excel from the command line:
excel.exe https://someserver/path/spreadsheet.xls
By default Windows now uses NTLM or Kerberos authentication, neither of which is supported by Domino (there used to be a proxy from a 3rd party translating NTLM to LTPA). So no credential reaches Domino. Hence you need anonymous access rights.
For older versions of Windows I described what you need to do to get Basic Auth going.
I never got around to checking what setting you would need on Windows 8 or 10 to allow Basic Auth there. Also, in theory, SAML or SPNEGO SSO might do the trick.
If you have a Mac or Linux, you could check them first.
So the challenge isn't with the WebDAV plugin as such, but in finding a common authentication ground between the OS and Domino. Hope that clarifies it a little.
Let us know how it goes!

Fiddler Causes Error to Go Away

I have an application set up in IIS that has Windows Authentication enabled. When I browse to this site in IE11 it prompts me for login credentials (which is strange because I'm logged on to the domain).
However, when I open up Fiddler it starts working perfectly fine, with no prompts for authentication. When I close Fiddler again, it starts prompting me again. Any idea what could cause this? I'm trying to narrow down what exactly Fiddler is doing so I can figure out what I need to do to make the prompts on my app go away.
I cover many possible culprits in my post Help, Running Fiddler Fixes My App. My guess here, though, is that maybe your server is trying to use Kerberos authentication when going direct and NTLM when you go through a proxy.
To better debug this, a few things we need to know: Which browser? What's the hostname of the target server? Is it hosted on your current machine? If you disable Tools > Internet Options > Advanced > Use Windows Integrated Authentication (and restart) does it make a difference? What Zone (Right-click the page in IE, choose Properties) does the target run in?

SiteMinder on IIS7.5 Authentication on app by app basis?

I inherited a mess of servers which host multiple applications on IIS6, protected by R6 SiteMinder. The environment is soon going to R12, and we have also received some new servers with IIS7.5. (Lots of change, all within the next 60 days.)
I am not an expert, and so am having trouble with some of the more detailed steps of configuration. Thus far, on the new server I am able to create and apply SiteMinder to the DefaultWebSite (and everything contained within), and any custom Sites that I create. Unfortunately in our environment, it is already set up with a handful of applications that live underneath DefaultWebSite, only some of which we desire SiteMinder protection.
In IIS6 I was able to simply add a site to SiteMinder authentication by applying the ISAPI6WebAgent.dll in the wildcard mappings. In IIS7.5, this does not seem to work. I follow the specific details in the installation manual and it seems like it is either an all-or-nothing situation: everything under DefaultWebSite is protected, or nothing is.
This will cause a SIGNIFICANT amount of additional work in my environment (and it also means upgrading in place is not possible, so all applications that require SiteMinder authentication will need to be migrated in the next 60 days.) Is there ANY workaround for this? Google has not provided me with any solutions, and my SiteMinder team is claiming "it is no longer possible with IIS7.5" to keep the environment the way it is currently set up.
Any and all help appreciated.
For those that care: if you are running under an Integrated app pool, you can simply add and remove the SiteMinder modules to control which sites are protected by SiteMinder. This DOES work on apps below a virtual directory, and using the config files you can either inherit protection by default, or have it unprotected and add it later by simply going to "Configure Native Modules" and adding it back.

401 - Unauthorized in IE7 only with windows authentication.

I've created an intranet site that uses Windows authentication.
In Chrome I can access the site instantly, and in FF it requires an Active Directory login.
But with IE7 I'm getting the following error:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
I'm unsure as to why it's okay in other browsers but not IE?
Any help appreciated.
Thanks
Solution:
IE is using Kerberos and not falling back on NTLM like Chrome and Firefox do. You must force NTLM authentication in IIS7.5 by following these steps:
Select your site.
Double click authentication.
Select "Windows Authentication" (ensuring that it is enabled).
Click "Providers..." in the right hand column.
Select NTLM and click "Move Up".
Link: windows authentication not working in ie7
I'm not familiar with IIS, but in the past few weeks I've had lots of hands-on experience in integrating AD login into web applications. As is quite logical, every Microsoft product is better integrated with another one, and Internet Explorer (this should be valid for all versions, not just 7) automatically passes your AD login credentials as long as you use Active Directory as your Windows login authentication method.
Every other browser will either need to be configured to do so, ask you to type them in manually, or will not support it at all. Which explains why Firefox asks you for a username and a password. Under Opera, you'll most likely get the same error message.
My guess about Chrome is that it's your default browser of choice and at some point in time you've typed in your login credentials and that session is still active.
All of this would mean (if my assumptions are correct) that you need to use a different AD account to log in to this application than the one you use for Windows, and the latter (being automatically passed by IE) is not authorized.
It sounds like your environment is not set up properly for Kerberos authentication to take place. There are many things that can cause Kerberos authentication failure, e.g. clock skew on the server or client, a missing SPN for the web server, etc.
Normally, when you configure Windows authentication, you are asking to use SPNEGO, which means using Kerberos whenever possible and then falling back to NTLM if Kerberos fails. However, this post pointed out that this is no longer true: IE7 stops at Kerberos in certain cases and does not fall back to NTLM.
You can try disabling "Enable Integrated Windows Authentication" as the post suggested. It looks odd, but it actually just turns off SPNEGO; you will still use NTLM.
I guess Firefox and Chrome work because they are using NTLM but not Kerberos. From my experience, non-Microsoft browsers don't do Kerberos out of the box. You need to do some configuration work to make it happen. For example, in Firefox you need to set the network.negotiate-auth.trusted-uris parameter. See here.
Once you confirm that NTLM for IE7 is still working fine, you can post another question to ask how to fix the Kerberos authentication problem for IIS.
Start off by looking here and getting a more detailed error description. I had some crazy problems with CRM and it all came down to the order of settings in IIS; the answer to the problem ended up being as simple as:
going into IIS and then the Authentication settings
clicking on Windows Authentication and selecting Advanced
making sure Kernel mode is on
clicking on Providers and ensuring Negotiate is above NTLM.
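The Fiddler thread earlier on this page and this one both turn on the same question: is the browser actually sending Kerberos, or NTLM, in its `Authorization: Negotiate` header? The token itself answers that. A raw NTLMSSP blob (base64 beginning `TlRMTVNTUAAB` for a type 1 message) means NTLM, even though the scheme says Negotiate; a DER-wrapped SPNEGO NegTokenInit (base64 usually beginning `YII`) carries the list of mechanisms the client is offering. The Python below is an added diagnostic written for this page, not code from any of the posters: it decodes such a header value and reports the mechanism. The two sample headers it checks are constructed in the code (a minimal NTLM type 1 message and a hand-built NegTokenInit), not captured from a real client, and `classify_negotiate` is a name chosen here.

```python
import base64

# DER-encoded OID contents (no tag/length) for the GSS-API mechanisms involved.
SPNEGO_OID  = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy MS Kerberos)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "MS-Kerberos", NTLMSSP_OID: "NTLMSSP"}


def _der(tag, body):
    """Minimal DER TLV encoder (short and long definite-length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, i):
    """Read one DER TLV at offset i; return (tag, value, next_offset)."""
    tag = buf[i]
    first = buf[i + 1]
    if first < 0x80:
        n, j = first, i + 2
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[i + 2:i + 2 + k], "big")
        j = i + 2 + k
    return tag, buf[j:j + n], j + n


def classify_negotiate(header_value):
    """Classify an 'Authorization: Negotiate <b64>' (or 'NTLM <b64>') value.

    Returns a dict with the HTTP scheme, the mechanism the token actually
    carries, and, for a SPNEGO NegTokenInit, the mechanisms the client offered.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    result = {"scheme": scheme, "mechanism": "unknown", "offered": []}
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLM inside the Negotiate scheme: the client had no usable
        # Kerberos ticket for this target and went straight to NTLM.
        result["mechanism"] = "NTLM"
        result["ntlm_message_type"] = int.from_bytes(token[8:12], "little")
        return result
    if token[:1] != b"\x60":  # [APPLICATION 0] InitialContextToken wrapper
        return result
    _, inner, _ = _read_tlv(token, 0)
    tag, oid, _ = _read_tlv(inner, 0)  # first element is thisMech (an OID)
    if tag != 0x06:
        return result
    if oid == SPNEGO_OID:
        result["mechanism"] = "SPNEGO"
        # mechTypes is a SEQUENCE OF OID; a byte search for each known
        # encoded OID is sufficient for a diagnostic.
        for enc, name in MECH_NAMES.items():
            if _der(0x06, enc) in inner:
                result["offered"].append(name)
    elif oid in (KRB5_OID, MS_KRB5_OID):
        result["mechanism"] = "Kerberos"  # raw AP-REQ without SPNEGO wrapping
    return result


def build_spnego_header(mechs):
    """Constructed sample: a NegTokenInit offering the given mechanism OIDs."""
    mech_list = _der(0x30, b"".join(_der(0x06, m) for m in mechs))
    neg_token_init = _der(0x30, _der(0xA0, mech_list))          # [0] mechTypes
    token = _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_token_init))
    return "Negotiate " + base64.b64encode(token).decode()


def build_ntlm_type1_header():
    """Constructed sample: minimal NTLM NEGOTIATE_MESSAGE (type 1) in Negotiate."""
    msg = (b"NTLMSSP\x00" + (1).to_bytes(4, "little")
           + (0x00008207).to_bytes(4, "little") + b"\x00" * 16)
    return "Negotiate " + base64.b64encode(msg).decode()


if __name__ == "__main__":
    for h in (build_ntlm_type1_header(),
              build_spnego_header([KRB5_OID, NTLMSSP_OID])):
        print(h[:40] + "...", "->", classify_negotiate(h))
```

To use it on a live problem, copy the `Authorization` value out of Fiddler (or the browser's network tab) on the request that got the 401 and pass it to `classify_negotiate`. If IE sends SPNEGO offering only Kerberos and the request fails, the Kerberos side (SPN, clock skew, ticket for the wrong host name) is where to look; if it sends raw NTLM, the provider order and NTLM settings on the IIS side are the thing to check.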

How can I secure non-ASP files in a classic ASP environment

I have a folder in which all ASP files are protected by including validate.asp (which presents a login if the session is not validated and ends the response; otherwise it allows the page to display).
How can I protect non-ASP content?
The site is running under Windows 2003 Server with IIS 6.0.
#My Other Me: check out ISAPI Rewrite
ISAPI_Rewrite is a powerful URL manipulation engine based on regular expressions. It acts mostly like Apache's mod_Rewrite, but is designed specifically for Microsoft's Internet Information Server (IIS). ISAPI_Rewrite is an ISAPI filter written in pure C/C++ so it is extremely fast. ISAPI_Rewrite gives you the freedom to go beyond the standard URL schemes and develop your own scheme.
Alternatively, you can also check out IIS Password
IISPassword password protects web sites that are hosted on Microsoft IIS, without using system user accounts. IISPassword protects complete web sites, subfolders or even certain files or file types. When trying to access a password protected object, the user is asked to log in through a dialog box ...
ISAPI Rewrite has a lite version and IISPassword has a trial version, so you can try out both for free to see if they could suit your needs.
