I'm having problems accessing a mercurial repository. (mercurial 1.7.1)
Its set up on IIS6 windows 2003 over Https,
I can access the site through a browser using the same credentials,
I can access the site if I enable anonymous access for the virtual directory in IIS, but I need to use the Integrated Windows authentication.
I have tried setting the path in my hgrc file to:
[paths]
default = https://username:password#example.site.com/hg/hgweb.cgi/TestRepository
then if I try to Push or Pull I get the error message:
abort: authorization failed
Any Ideas?
The most useful output is probably in your webserver/IIS logs -- check there. You can also try --debug on the mercurial command line to get a little more output, but it's likely going to be on the web server side.
I have changed the Directory security authentication mode to basic authentication. For the time being this seem to be sufficient for our needs
Related
After attempting to configure IIS as a replacement for IIS Express, both stopped working and delivered the above error on deploying the .NET Core project in VS2019. According to IIS anonymous authentication is enabled, I also entered explicit user name and password as well as giving my user all rights to work with the project's directory. I restarted the IIS several times and re-created the pools and Pages, as well as repairing VS2019 in hope to get the IIS Express running again at least.
I have no idea what else I could do.
EDIT: I am using IIS10
Module
IIS Web Core
Notification
AuthenticateRequest
Handler
aspNetCore
Error Code
0x80070005
Requested URL
http://localhost:12345/
Physical Path
C:\inetpub\...
Logon Method
Noch unbestimmt
Logon User
Noch unbestimmt
You can try the following steps to solve your problem:
Right click on the project, go to properties.
Select the web, and then you will find a service setting
Change the project URL for other port, like http://localhost:44338/.
I was able to figure it out myself by now:
For some reason during setting up the IIS and IIS profile (accidentally or by some quirk of VS), the anynomous authentification setting was set to false. Which also affected the IIS Express to not work properly anymore. Simply enabled anonymous authentication resolved the issue for both.
Project Properties -> Debug -> IIS profile -> anonymous authentification: ✓
I have configured a webserver on localhost with https using Microsoft IIS Administration. I am able to browse directory with files with browsers and Visual Studio using localhost prefixed with https, such as https://localhost/trial etc.
I wish to upload a file to the said directory, ie., trial, using Libcurl to test some features. Unfortunately I'm unable to do so.
Using the same Libcurl example as given on
Libcurl File Upload
-modified for https, the console window tells me that the following has occurred, upon running the code :
IIS 10.0 Detailed Error - 405.0 - Method Not Allowed
HTTP Error 405.0 - Method Not Allowed The page you are
looking for cannot be displayed because an invalid method (HTTP verb)
is being used.
I checked the IIS Administrator and saw that all authorizations are allowed. I suppose the fact that it is flagging a HTTP verb issue rather than HTTPS as I'd enabled and used as URL in code isn't a big thing?
Libcurl uses PUT for uploading files, so should be an allowed verb.
I am quite new to this, so I'm not certain I did something incorrect with the setting up of the webserver, or whether there are security issues or permission issues which are causing a problem here.
As far as I know, there is impossible to use http put or post a file to a IIS web application's folder without writing server-side code. Otherwise, configure an FTP site on your IIS installation. Then you could use ftp command to upload the file.
If you really need using HTTP put or post to upload the file, you could consider using WebDav.
More details about what is webdev and how to use it, you could refer to below article.
https://learn.microsoft.com/en-us/iis/install/installing-publishing-technologies/installing-and-configuring-webdav-on-iis
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-7/what39s-new-for-webdav-and-iis-7
Try hostname instead of localhost
Add a trailing slash (/) for the directory.
I'm using IIS 8 on Windows 2012 server. I have a site set up to serve as an API for HTTPS traffic on a custom port (4443). I have installed a wildcard SSL certificate, which is functioning properly. Our network firewall is routing all public inbound traffic on port 4443 to this server internally, which is then being handled by IIS.
From the server itself, everything works fine. I am not using localhost, and do not have a hosts file entry looping the traffic back internally. Going to https://api.blahblahblah.com:4443 returns what I want.
However, from external to the network, I am getting a 403 Forbidden error. I know the traffic is making it to the server because I get the correct custom "X-Powered-By" response header that I have set on that server.
I have tried setting the permissions on the folder that contains the site files to allow Full Control to "Everyone", but no luck. The site has Anonymous Authentication enabled for the user "IUSR". Directory browsing is disabled.
What's going on? I'm assuming it's a permissions error with the file system, but I figured having the Everyone permission would eliminate that. Also, there is nothing special about the internal traffic (from the server itself) in terms of an authenticated session or anything. It's just a plain request with no bells or whistles.
Please help! Thanks.
=======UPDATE=======
Here is a sample log entry showing the substatus code of 16:
2018-02-08 17:56:58 10.1.10.11 GET /favicon.ico - 4443 - 184.4.143.229 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36 https://api.blahblahblah.com:4443/data/countyList 403 16 2148204809 97
Apparently this is a client certificate trust issue? Upon further testing, I am able to access the site without issue on another device, just not my primary development PC.
I just set the site to Ignore Client Certificates in the SSL Settings, and it is working as expected again.
A 403 error could occur due to multiple reasons. Could you please share the substatus code. You can find it in IIS logs. Default location - C:\inetpub\logs\logfiles\w3svc_websiteID.
Once you have the substatus code, please share it here.
You can also capture FREB logs by following this article - https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis
Just modify step #10 in this article and don't uncheck anything in your case (leave everything to default). This will clearly tell you what's going on in the IIS pipeline.
If its 403.14, just add a default document in IIS and you should be good to go.
I would appreciate any hints regarding the following issue:
The problem summary:
While using Negotiate:Kerberos in IIS 7.5, the authorization works correctly right until we setup URL rewriting (using the MS module "URL Rewrite 2.0") - any rewritten URL then returns "401.1 Unathorized" (requests not matching any rewrite rule keep working though).
The setup:
Windows Server 2008 R2 x64
IIS 7.5
URL Rewrite 2.0
Server is in a domain
SPN exists for HOST/hostname and HOST/hostname.domain (created by default)
Pool is using default ApplicationPoolIdentity (no custom account, not network service)
Kernel mode set to OFF
Authentication providers set to "Negotiate:Kerberos" only (no NTLM or annonymous)
URL Rewrite rule as as "^(.*)/$" => "index?x={R1}"
The result:
1) When accessing any URL not matching any URL rewrite pattern, Kerberos is working correctly, i.e. Kerberos ticket is issued (verified using klist), sent (verified using netmon and HTTP headers) and accepted (verified by URL being accessible and appropriate AUTH_USER property set to my domain account name) => no problem here.
2) When accessing any URL matching URL rewrite pattern, e.g. "hostname/foo" the result is:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Error Code 0x80070055
Requested URL http://hostname/index?x=foo
Physical Path D:\wwwroot\
Logon Method Not yet determined
Logon User Not yet determined
(if we try to access the rewritten URL directly, e.g. hostname/index?x=foo, Kerberos works again normally)
The attempts to solve it so far:
After googling, we have tried several options:
turning kernel mode ON: Kerberos stopped working completely, using either default pool identity or network service (I suppose we would need to setup additional HTTP SPN and/or use custom domain account with additional SPN for that account explicitly)
turning "useAppPoolCredentials" ON: no difference
enabling "Failing Request Tracing": surprisingly these failing 401.1 requests ARE NOT generating any output into the fail logs no matter what rule we try to setup (e.g. 400-999) - the folder is just empty (while other errors, like 404 or even handshake 401.x when accessing not-rewritten URLs are generating logs - very strange)
The conclusion:
So far we have reached a dead end - it may be some weird kind of "double hop" issue requiring using a custom domain account rather than default app pool identity, but as we're in fact accessing the same resources, it seems more like a URL Rewrite issue.
Any tips, hints, pointers? Anything would be highly appreciated.
Best regards,
Marek
we face the same issues as you do. By enabling extended error logging, we were able to put the finger on the actual problem, which seems to be a bug in the rewrite module (or at least in some part of IIS, which is related to the module):
When the URL gets rewritten, the access to the new rewritten URL is checked (seemingly hardcoded) using Basic Authentication and NTLM, neither of which has been configured on the Website at hand. The only configured authentication provider is Kerberos. Since the client doesnt send NTLM nor Basic credentials, there is no way this can work.
We (another person on the current project) are sending the issue to Microsoft. I will let you know, when I get any result.
It seems as though you have multiple issues here.
Failed-Request Tracing Logs
To fix your missing logs issue, you must make sure that the user that is running your site's AppllicationPool has read/modify rights to the folder where those logs are generated, otherwise you won't see anything. See the section labeled "Enable Failed-Request Tracing" on this page: Troubleshoot Failed Requests Using Tracing in IIS 7
What isn't clear is the fact that the site's Application Pool Identity (found in Advanced Settings for Application Pool) is the account that needs read/modify rights to that folder.
Once that is fixed you can load the XML logs in IE and see a much clearer picture of what is going on.
401.1 - Unauthorized Issue
A possible fix to your 401 error is to make sure unlisted file name extensions are allowed in Request Filtering. Go to IIS --> Sites --> [your site] --> Request Filtering
You have two options here:
Allow File Name Extension... and add the value "." (minus the quotes), see this answer.
Edit Feature Settings... and enabled the option "Allow unlisted file name extensions"
The 1st option should work well, the 2nd option obviously opens up a gaping hole but allows everything so you should be able to get it working.
I hope that helps.
I have recently install Server 2008 R2 on a new server and want to use the FTP capabilities that are now shipped with IIS 7.5.
Since my users are not windows users, I was using IISAuthManager but this prodiver does not offers home directory on a user basis.
I found this sample http://learn.iis.net/page.aspx/669/how-to-use-managed-code-c-to-create-an-ftp-authentication-provider-using-an-xml-database/ to get going with a simple xml based user config. But i can't make it work. It's always gving me
Response: 530-User cannot log in.
Response: Win32 error: The system cannot find the file specified.
Response: Error details: An error occured during the authentication process.
I used procmon to get if the xml config file was read with no luck. I don't even think my assembly is being used.
Anybody ever had the same issue ? Basicly, any tips would be apreciated.
The IIS FTP custom providers are a nightmare to debug. In this case sounds like a config error, check that you followed the set up instructions (or manually checking applicationHost.config). Or post your code (inc config) if you still need help.
Barry
IIS Manager > Your site > FTP Authentication
Probably, you have all Basic and Anonymous Authentication disabled.
One of them should be enabled.