If you have an ASP.NET site sending messages to a remote queue, how do you handle authentication? If Windows Authentication is turned off, the network service sends a message to the remote queue. Does that mean that in the security tab of the queue, I need to add the network service of the server sending the message? (By the way, I do not use HTTP or HTTPS.)
And what if Windows Authentication is enabled? Do I need to add all users that will log in using Windows Authentication to the queue?
I have an Azure Application Gateway sending user (HTTPS) traffic to a single backend web server, which is hosting an ASP.NET Framework 4.8 web application in IIS 10; users sign into the web application using Windows authentication. The Application Gateway is not using cookie-based affinity (as there is only one web server). ASP.NET is using a SQL Server session state database:
<sessionState mode="SQLServer" stateNetworkTimeout="30" timeout="30" allowCustomSqlDatabase="true" sqlConnectionString="Data source=***********************;Database=ASPState;Integrated Security=SSPI;Persist Security Info=True" />
When users sign into the web application, as it is using Windows authentication, they are automatically authenticated using their Windows credentials, so they do not have to enter their user id and password. However, they will sometimes be signed in as the wrong user (someone else who is already signed in). This only happens when using Application Gateway, and does not happen if the users go directly to the web service URL (bypassing Application Gateway).
When this bug happens, the application logs suggest that ASP.NET is getting the session id for the wrong user, i.e., the session id of the other user who is already signed in. In Global.asax.cs, Session_OnStart, the following gets logged:
Session.SessionID = sessionId for the wrong user
HttpContext.Current.User.Identity.Name = Windows userid for the wrong user
Session.IsNewSession = True
HttpContext.Current.User.Identity.IsAuthenticated = True (this is to be expected because Windows authentication is being used, so the user is already authenticated by IIS)
My guess is that Application Gateway is not persisting the user's Windows identity correctly between requests.
I have many application servers (CyberArk, SIEM solution, FortiGate etc.) installed on Azure as IaaS.
All of them connect to an SMTP server in order to send notifications via mail.
On my on-prem deployments this was not an issue, but on Azure all SMTP communication seems to be blocked.
I created a SendGrid account and tried playing with it, but the SendGrid SMTP server is getting blocked too.
What is the right way to work in this scenario?
I need an SMTP server to integrate with my applications...
What should I do?
thanks,
david
It depends on your type of subscription. For pay-as-you-go, if you want the ability to send email from Azure VMs directly to external email providers (not using an authenticated SMTP relay), you can make a request to remove the restriction. Requests will be reviewed and approved at Microsoft's discretion, and they'll be granted only after additional anti-fraud checks are made. To make a request, open a support case by using the following issue type: Technical > Virtual Network > Connectivity > Cannot send email (SMTP/Port 25). Make sure that you add details about why your deployment has to send mail directly to mail providers instead of using an authenticated relay. More details
I have to find all entries in the IIS log files where we have "Authentication Successful" messages.
Now I know that status code 200 is for a success message, but this code can be returned for any request raised by a client.
How can I identify Authentication Successful events (in my case Windows Authentication, to be more specific) from the log files?
IIS access logs won't have successful authentication events; they only log URL requests and the account that made the request (if authenticated).
For authentication events for windows authentication, you need to open the "Local Security Policy" snap-in (secpol.msc) on the local computer or by using Group Policy.
Then, go to the Security Settings\Advanced Audit Policy Configuration tree, and in the Logon/Logoff section, configure the Success audit event of "Audit Logon".
More information in Microsoft docs.
Once done, you'll start receiving events in the Windows Event Viewer, under Windows Logs\Security. They'll appear as event id 4624. Note that this event will appear only when the user is accessing the web application from a different computer. Opening the browser on localhost won't generate that event if the user is logged in already, which happens when using Internet Explorer.
For Windows authentication, you have to correlate the Windows logon audit in the system event log with the IIS log files. There is no easy way to get what you want.
https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx
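Both answers above come down to the same thing: the IIS access log only tells you which account a request ran as, and the logon audit (event 4624) tells you that a logon actually happened, so the two have to be joined. The script below is an added example, not code from either answer; it parses a W3C-format IIS log, keeps the requests that carry a username, and matches them against network logons (logon type 3) from 4624 records by account and time window. The log lines and the event records are constructed, and the event dictionary keys (`user`, `domain`, `logon_type`, `ip`) are simplified labels for the corresponding 4624 fields rather than the event's real XML field names. The 401.2 line followed by a 200 with cs-username filled is the usual shape of a Negotiate/NTLM challenge and the authenticated request that follows it.

```python
"""Correlate IIS W3C access-log entries with Windows Security 4624 logon
events to find requests that were actually Windows-authenticated.

Added example; all sample data below is constructed, not captured from a real server.
"""
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt. "-" in cs-username means anonymous.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2024-01-15 09:00:01 10.0.0.5 GET /app/default.aspx - 80 - 10.0.0.20 401 2 5
2024-01-15 09:00:02 10.0.0.5 GET /app/default.aspx - 80 CORP\\alice 10.0.0.20 200 0 0
2024-01-15 09:05:10 10.0.0.5 GET /app/report.aspx - 80 CORP\\alice 10.0.0.20 200 0 0
2024-01-15 09:06:00 10.0.0.5 GET /app/default.aspx - 80 - 10.0.0.21 401 2 5
2024-01-15 09:30:00 10.0.0.5 GET /app/default.aspx - 80 CORP\\bob 10.0.0.22 200 0 0
"""

# Constructed Security-log records. Keys are simplified labels, not the
# real 4624 XML field names. 4625 is a failed logon; logon type 2 is an
# interactive (console) logon, which is what a local browser session produces.
SECURITY_EVENTS = [
    {"time": "2024-01-15 09:00:02", "event_id": 4624, "domain": "CORP", "user": "alice", "logon_type": 3, "ip": "10.0.0.20"},
    {"time": "2024-01-15 09:05:58", "event_id": 4625, "domain": "CORP", "user": "carol", "logon_type": 3, "ip": "10.0.0.21"},
    {"time": "2024-01-15 08:00:00", "event_id": 4624, "domain": "CORP", "user": "bob", "logon_type": 2, "ip": "-"},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_iis_log(text):
    """Parse W3C extended log text using its own #Fields header for column names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], TIME_FMT)
        records.append(rec)
    return records


def authenticated_requests(records):
    """Requests IIS served under a named account: the closest thing the
    access log has to 'authentication succeeded'."""
    return [r for r in records if r["cs-username"] != "-" and r["sc-status"] == "200"]


def correlate(requests, events, window=timedelta(minutes=10)):
    """Pair each authenticated request with a 4624 network logon (type 3)
    for the same domain\\user that occurred within `window` before the request."""
    logons = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3]
    matches = []
    for r in requests:
        domain, _, user = r["cs-username"].partition("\\")
        for e in logons:
            t = datetime.strptime(e["time"], TIME_FMT)
            if (e["domain"], e["user"]) == (domain, user) and t <= r["timestamp"] <= t + window:
                matches.append((r, e))
                break
    return matches


def uncorroborated_requests(requests, events, window=timedelta(minutes=10)):
    """Authenticated requests with no matching network logon audit, e.g. a
    user browsing on the server itself, as the answer above describes."""
    matched = {id(r) for r, _ in correlate(requests, events, window)}
    return [r for r in requests if id(r) not in matched]


if __name__ == "__main__":
    reqs = authenticated_requests(parse_iis_log(IIS_LOG))
    for r, e in correlate(reqs, SECURITY_EVENTS):
        print(f"{r['time']} {r['cs-username']} {r['cs-uri-stem']} <- 4624 at {e['time']} from {e['ip']}")
    for r in uncorroborated_requests(reqs, SECURITY_EVENTS):
        print(f"{r['time']} {r['cs-username']} {r['cs-uri-stem']} has no network logon audit")
```

With the constructed data, both of alice's requests pair with her 09:00:02 network logon, while bob's request stays uncorroborated because his only 4624 is an interactive logon, which is exactly the localhost case the answer warns about. On a real server the window should be tuned to how often the client re-authenticates, and the join should also compare the client IP with the event's source address before treating the pair as confirmed.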
We are currently developing a Windows Phone 8 application that won't be published to the Windows Phone Store but will be distributed through our Company Portal (Windows Intune Direct Management).
Our team would like to add Push Notifications using MPNS (Microsoft Push Notification Service), but we are aware that, without submitting the app to the Windows Phone Store, we would be forced to use unauthenticated push notifications that are throttled to something like 500 notifications/day per subscription.
We are evaluating whether to try a service like Azure Notification Hub, but it's hard to find clear documentation about how to set up authenticated push notifications with Notification Hub and, even more importantly, whether Notification Hub has the same policy that forces you to submit the mobile application to the Store.
So, the questions are:
In order to use unthrottled authenticated push notifications, do you know if Notification Hub requires the app submission to the Windows Phone Store?
Do you know any other valid way to get no-quota push notifications?
Microsoft has finally updated its terms of service, enabling no-quota (unthrottled) notifications for company apps on Windows Phone.
Create a Windows Phone Store developer account if you do not have one. Even though you won't be submitting apps to the store, you will need to use the Windows Phone Store to manage your certificate.
Prepare your push service to use the authenticated endpoint as documented here. Also, retrieve your certificate and set up its service as outlined here.
When you have completed the steps above, do not link it to any app.
Official link:
blogs.windows.com/windows_phone/b/wpdev/archive/2013/12/10/enabling-no-quota-push-notifications-for-company-apps-on-windows-phone.aspx
I do not pretend to be completely correct, but this is what I can say after deep diving into Notification Hub stuff:
MPNS uses either the HTTP or HTTPS (for authenticated notifications) protocol to deliver data to its clients. Its internal structure can be roughly described as sending a specific XML (or JSON) to a previously set URI. It has no access to the MS marketplace and can't do any app checks. So it seems you can push to any URI you want (I didn't try that). Notification Hub is a WRAPPER over MPNS, WNS, APNS, GCM, optimized for large arrays of notifications.
Notification Hub has the ability to set the MPNS certificate inside the configuration tab, and I think that doesn't mean you're forced to have an app in a public store with the same certificate.
Hope this helps,
Best regards, Alex
I believe that Notifications Hub will use either unauthenticated push notifications (same restrictions apply) or require the certificate to use authenticated push notifications, which requires registration in the store.
I'm not aware of a way around this at the moment.
I found a page on MSDN.
It looks kind of out of date (Windows Phone Marketplace was the name in WP7 days).
But the 500 limitation hasn't changed, and as Alex Yurov said, Azure Notification Hub is just a wrapper over MPNS, so this should apply.
So basically you need to register a certificate. Your cloud service will use this certificate to talk to MPNS/Notification Hub, and then it's unthrottled.
Unauthenticated and Authenticated Mode
Push notifications can operate in unauthenticated or authenticated mode. In unauthenticated mode, the number and frequency of notifications allowed through the Microsoft Push Notification Service is throttled (unauthenticated push notifications are currently limited to 500 per day, per channel).
For push notifications in authenticated mode, developers first must register a certificate with the Push Notification Service through Windows Phone Marketplace. The certificate must be issued by a Microsoft-trusted root certificate authority. This certificate then is used to establish a Secure Sockets Layer (SSL) connection between the web service and the Push Notification Service. Authenticated push notifications are not throttled.
UPDATE
This is the corresponding tutorial, but the NEW version.
No-quota push notifications using a root Certificate Authority
I have an ASP.NET application that needs to access ANOTHER application. The ANOTHER application expects Kerberos authentication; it responds to the request based on the user credential. My ASP.NET app is running under an AD service account that is set up to allow delegation to the ANOTHER application (with a proper SPN).
So the process is: the user sends a request to the ASP.NET app, and the ASP.NET app impersonates the user for the request to the ANOTHER application by delegation (with Kerberos).
When I run the app on the local machine (where my ASP.NET app resides), the request is successful; however, if the request comes from a remote client machine, it fails, and the ANOTHER application's log shows that the identity is not presented.
Any clue?
Have a look at the following which appears to be very similar to your situation:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl/270306#270306
There are some resources there that should help you troubleshoot.