System.Net.WebClient doesn't work with Windows Authentication - iis

I am trying to use System.Net.WebClient in a WinForms application to upload a file to an IIS6 server which has Windows Authentication as
it only 'Authentication' method.
WebClient myWebClient = new WebClient();
myWebClient.Credentials = new System.Net.NetworkCredential(#"boxname\peter", "mypassword");
byte[] responseArray = myWebClient.UploadFile("http://localhost/upload.aspx", fileName);
I get a 'The remote server returned an error: (401) Unauthorized', actually it is a 401.2
Both client and IIS are on the same Windows Server 2003 Dev machine.
When I try to open the page in Firefox and enter the same correct credentials as in the code, the page comes up.
However when using IE8, I get the same 401.2 error.
Tried Chrome and Opera and they both work.
I have 'Enable Integrated Windows Authentication' enabled in the IE Internet options.
The Security Event Log has a Failure Audit:
Logon Failure:
Reason: An error occurred during logon
User Name: peter
Domain: boxname
Logon Type: 3
Logon Process: ÈùÄ
Authentication Package: NTLM
Workstation Name: boxname
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 1476
I used Process Monitor and Fiddler to investigate but to no avail.
Why would this work for 3rd party browsers but not with IE or System.Net.WebClient?

I have seen a similar issue, where the Integrated / NTLM security will only work if you are accessing the host by machine name or localhost. In fact, it is a [poorly] document feature in Windows that is designed to protect against "reflection attacks".
Basically, you need to create a registry key on the machine that is trying to access the server, and whitelist the domain you are trying to hit. Each host name / FQDN needs to be on it's own line - there are no wildcards and the name must match exactly. From the KB Article:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Exit Registry Editor, and then restart the computer.
http://support.microsoft.com/kb/956158/en-us

Have you tried ...
new NetworkCredential( "peter", "password", "boxname" );
You might also try ...
var credCache = new CredentialCache();
credCache.Add( new Uri ("http://localhost/upload.aspx"),
"Negotiate",
new NetworkCredential("peter", "password", "boxname"));
wc.Credentials = credCache;
Also, according to this it may be that IIS is configured wrong. Try replacing "Negotiate" with "Basic" in the above and checking your IIS config for the website. There's also a bunch of possible causes here.

Try going into IE's options and explicitly add the site to the Intranet Zone. Then re-run the program. You should also not run the program from an administrator login. This may trigger the Enhanced Security Configuration for Internet Explorer.
It could explain why you can hit the site with Firefox and Opera, but not with IE or WebClient.

Without knowing your IIS deployment, and assuming that you have the correct authorization rules for upload set in IIS (e.g. the right allow* ACL's on the right dirs you are trying to upload content to, etc), first thing I would try is to set UseDefaultCredentials to true instead of explicitly set Credential. (Maybe you think you are accessing the server with the Credentials you are setting but that's not the case? That would be possible if this works.)
This is a very common scenario, so I would focus on IIS authorization rules for the directory in which you are trying to upload the file, the actual ACL's on that directory. For ex. is your site impersonating or not? if it is, then you have to have actual ACL's on that dir, otherwise whatever account app pool is running on.

Related

Allow Powershell script download from webpage in IIS

I am trying to update a Razor page (running on IIS 10.0 version 1809) to allow me to share a Powershell script. I want the user to be able to right-click the link and select "save" to download the script from a folder on the web server (wwwroot/<site name>/downloadFiles). I verified that the NTFS permissions allow "Read & Execute", "List folder contents", and "Read" to IUSR, Network Service, Users, and IIS_IUSRS.
I tested:
Right-click the link and select "Save link as..." and Chrome tells me, "Failed - No file"
Browse to https://<site url>/<site name>/downloadFiles/script.ps1 and IIS tells me: 404 - File or directory not found. The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Browse to https://<site url>/<site name>/downloadFiles and IIS tells me: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
In _Layout.cshtml, I have the link setup as:
Script
Any idea how I can make this work?
Use the FileExtensionContentTypeProvider to map the .ps1 extension to the application/octet-stream mime type to force a download as explained in the docs: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files#fileextensioncontenttypeprovider
var provider = new FileExtensionContentTypeProvider();
provider.Mappings[".ps1"] = "application/octet-stream";
app.UseStaticFiles(new StaticFileOptions
{
ContentTypeProvider = provider
});

ASP.NET Windows Authentication returns wrong user to the application

I have two domains A and B, with a user Administrator in each. Both admins have different objectGuids, SIDs and passwords. There's an IIS 8.5 in B configured with Windows Authentication (Methods Negotiate/NTLM, Extended Security disabled, Kernel mode auth enabled). Domain B trusts domain A (one-way trust).
When I now open IE as A\administrator, and connect to the IIS in B, the IIS returns to me that the user logged in is B\administrator (should be A\administrator).
This is my code:
public class UserController : ApiController
{
// GET api/<controller>
public User Get()
{
var usr = ((WindowsIdentity)User.Identity).User;
return new User() {
Name = User.Identity.Name,
SID = usr==null?"":usr.ToString()
};
}
}
Also, the same is in the IIS log:
2018-05-07 09:19:10 172.17.41.31 GET /winauthtest/User - 80 B\Administrator 172.17.42.11 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;+.NET4.0C;+.NET4.0E) - 404 0 2 31
Is this intended behaviour or a bug, and if it's a bug, where to report the bug?
Can I fix it by changing Windows Authentication settings, or what else could I do about it?
Do you know any other possibility to get the true SID of the user that is accessing my IIS?
OMG, I had the same problem and your problem gave me a hint as to why this is happening. So, running my project in Chrome gives me the wrong domain, while opening in Edge gives me the correct domain. I have my project set up using Windows Authentication and it seems Chrome is in some way blocking Windows Authentication.
This link gives more info.
https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/
In the end, another of my coworker had the same issue and we couldn't fix it properly. It would misbehave randomly. The only solution that seemed to work was restarting the PC.

OpenAM and CDSSO - how to configure

I'm trying to set up OpenAM with CDSSO, but I cann't find the right setup.
My environment looks like this:
OpenAM:
version: 10.0.0
few tomcat
behind loadbalancer 10.10.10.10:8000
availble by http://abc.xxx.com which redirects to http://sso.yyy.com or by http://sso.yyy.com
Apache with web agent
apache version: Apache/2.2.15
web agent version: Version: 3.0-04, Revision: 9150
host have access to 10.10.10.10:8000, but not to http://abc.xxx.com or http://sso.yyy.com
accessed via http://efg.xxx.com
End user / browser
have access to http://sso.yyy.com, but not to 10.10.10.10:8000
Tested configurations
Try 1
In web agent configuration I setup
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=http://10.10.10.10:8000/opensso/cdcservlet
in browser I have redirect to 10.10.10.10:8000/opensso/cdcservlet
Location: http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fefg.xxx.com%3A80%2F&
in web agent log is
am_web_do_cookie_domain_set(): setting cookie iPlanetDirectoryPro=;Path=/.
is_server_alive(): Connection timeout set to 2
am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://efg.xxx.com:80/] [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fefg.xxx.com%3A80%2F]
process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fhttp://efg.xxx.com%3A80%2F&].
process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fhttp://efg.xxx.com%3A80%2F&]
am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
am_web_process_request(): render result function returned AM_SUCCESS.
Try 2
In web agent configuration I setup
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=http://sso.yyy.com/opensso/cdcservlet
in browser I have
403, You don't have permission to access /
in web agent logs is
am_web_do_cookie_domain_set(): setting cookie iPlanetDirectoryPro=;Path=/.
am_web_get_url_to_redirect: unable to find active Access Manager Auth server.
process_access_redirect(): get redirect url returned AM_FAILURE, redirect url [NULL].
process_access_redirect(): returning web result AM_WEB_RESULT_FORBIDDEN.
process_request(): returning web result AM_WEB_RESULT_FORBIDDEN, data []
am_web_process_request(): Rendering web result AM_WEB_RESULT_FORBIDDEN
am_web_process_request(): render result function returned AM_SUCCESS.
Questions
Is it possible to perform such a configuration?
In newer version of OpenAM (12.0.0 › OpenAM Administration Guide) I find
OpenAM Conditional Login URL (Not yet in OpenAM console)
CDSSO examples: com.forgerock.agents.conditional.login.url[0]= login.example.com|http://openam1.example.com/openam/cdcservlet, http://openam2.example.com/openam/cdcservlet, com.forgerock.agents.conditional.login.url[1]= signin.example.com|http://openam3.example.com/openam/cdcservlet, http://openam4.example.com/openam/cdcservlet
what does it mean "Not yet in OpenAM console". Can I set this directry in OpenDJ?
Is this configuration will work on older versions of OpenAM?
Is for web agent work failover similat to https://docs.oracle.com/cd/E19636-01/819-6101/auto20/index.html?
Thanks in advance
kawu
Answer to 1) Yes that's possible. I don't see why you would need conditional login URL feature, 3.0-04 agent might not even support this feature (question 3) If agents can not access CDCServlet or LoginURL feature you need to disable the probing for it ... see OPENAM-3294 You are using LB for OpenAM, so no need for Agent failover.

Error creating a new workspace

I am trying to create a local workspace so I can map it to VisualStudio online account. Here is the command I am trying to run.
tf workspace -new -login:"Windows Live ID"\user,pass -collection:https://shaggyinjun.visualstudio.com/DefaultCollection
For some reason I am seeing an error. The command does have a domain/user,pass. What is this new username and password it is asking me for ?
Federated authentication to this server requires a username and password.
Apparantly this is issue is caused even when using java clients. Here is what Visual Studio Online has to say for it's questionable behavior.
Alternate authentication credentials
Some applications that work outside the browser (including Team Explorer Everywhere
command line client and the git-tf utility) require basic authentication credentials.
Other applications do not properly handle using an e-mail address for the user name
during authentication.
To work with these applications, you need to enable alternate credentials, set a
password, and optionally set a secondary user name not in the form of an e-mail address. > Please note that alternate credentials cannot be used to sign in to the service from a web
browser or outside of these applications.
Here is another question that I posted and was shot down. Just documenting here for future reference
I am able to login using my Visual Studio online credentials via the CLC, but When I try to do the same with a java program, I get an Authentication exception. Is there anything special that needs to be done for Java and / or Visual Studio Online ?
Java Code
public static final String NATIVE_LIBS_SYSTEM_PROPERTY = "com.microsoft.tfs.jni.native.base-directory";
public void connect() {
System.setProperty(NATIVE_LIBS_SYSTEM_PROPERTY, TFS_NATIVE_LIBS_HOME);
Credentials credentials = new UsernamePasswordCredentials("Windows Live ID\\user", "password");
TFSConnection connection = null;
try {
connection = new TFSConfigurationServer(new URI("https://shaggyinjun.visualstudio.com/DefaultCollection"), credentials);
connection.authenticate();
} catch (URISyntaxException ex) {
Exceptions.printStackTrace(ex);
}
}
}
Exception
com.microsoft.tfs.core.ws.runtime.exceptions.UnauthorizedException: Authorization failure connecting to 'https://shaggyinjun.visualstudio.com/DefaultCollection/TeamFoundation/Administration/v3.0/LocationService.asmx' (authenticating as Windows Live ID\user)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequestInternal(SOAPService.java:709)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequest(SOAPService.java:473)
at ms.ws._LocationWebServiceSoap12Service.connect(_LocationWebServiceSoap12Service.java:384)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:70)
Caused: com.microsoft.tfs.core.exceptions.TFSUnauthorizedException: Access denied connecting to TFS server https://shaggyinjun.visualstudio.com/ (authenticating as Windows Live ID\venkatram.akkineni#gmail.com)
at com.microsoft.tfs.core.exceptions.mappers.TECoreExceptionMapper.map(TECoreExceptionMapper.java:75)
at com.microsoft.tfs.core.exceptions.mappers.LocationExceptionMapper.map(LocationExceptionMapper.java:32)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:76)
at com.microsoft.tfs.core.clients.framework.location.LocationService.connect(LocationService.java:754)
at com.microsoft.tfs.core.clients.framework.location.LocationService.authenticate(LocationService.java:928)
at com.microsoft.tfs.core.TFSConnection.authenticate(TFSConnection.java:748)
at org.netbeans.modules.libswrapper.Installer.restored(Installer.java:54)
at org.netbeans.core.startup.NbInstaller.loadCode(NbInstaller.java:471)
[catch] at org.netbeans.core.startup.NbInstaller.loadImpl(NbInstaller.java:394)
at org.netbeans.core.startup.NbInstaller.access$000(NbInstaller.java:105)
at org.netbeans.core.startup.NbInstaller$1.run(NbInstaller.java:346)
at org.openide.filesystems.FileUtil$2.run(FileUtil.java:447)
at org.openide.filesystems.EventControl.runAtomicAction(EventControl.java:127)
at org.openide.filesystems.FileSystem.runAtomicAction(FileSystem.java:609)
at org.openide.filesystems.FileUtil.runAtomicAction(FileUtil.java:431)
at org.openide.filesystems.FileUtil.runAtomicAction(FileUtil.java:451)
at org.netbeans.core.startup.NbInstaller.load(NbInstaller.java:343)
at org.netbeans.ModuleManager.enable(ModuleManager.java:1194)
at org.netbeans.ModuleManager.enable(ModuleManager.java:1017)
at org.netbeans.core.startup.ModuleList.installNew(ModuleList.java:340)
at org.netbeans.core.startup.ModuleList.access$2400(ModuleList.java:118)
at org.netbeans.core.startup.ModuleList$Listener.stepEnable(ModuleList.java:1409)
at org.netbeans.core.startup.ModuleList$Listener.access$1400(ModuleList.java:1007)
at org.netbeans.core.startup.ModuleList$Listener$1.run(ModuleList.java:1231)
at org.openide.filesystems.EventControl.runAtomicAction(EventControl.java:127)
at org.openide.filesystems.FileSystem.runAtomicAction(FileSystem.java:609)
at org.netbeans.core.startup.ModuleList$Listener.run(ModuleList.java:1207)
at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1423)
at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2033)
If you're connecting to visualstudio.com from the cross-platform command line client, you need to set up and use "alternate credentials".
You cannot use a Microsoft Account (Live ID) because - crazy as it sounds - that only works by supplying passwords to that web page and we cannot rely on a web browsers existence on many platforms.

How do I find the Google's OAuth 2.0 client-secret-key for developing chrome-extensions?

I see only the following details in
https://code.google.com/apis/console/b/0/#project:xxxxx:access
Client ID for installed applications
Client ID: 477522346600.apps.googleusercontent.com
Application type: Chrome App
Application ID: gobkdpbocikdfbnfahjladnetpdkvmic
Simple API Access
API key: AIzaSyDC_BSfqa1Uhgh3M6KqYUvzXuKX0lMnMaw
Referers: Any referer allowed
Activated on: Mar 21, 2013 4:35 AM
Activated by: xxx#yyyy.com – you
Now, what's my client-secret value in the above data?
OK, figured it out by myself.
Click the Download JSON link in the Client ID for installed applications section.
Open the JSON in a text-file.
You will find the client-secret.
On Credentials page,
place cursor over Name (Name is not underlined without cursor over it)
once Name is highlighted and underlined, click.
For credentials with Chrome App you won't get a client_secret only the client_id. I suggest creating it as type other instead. This should give you an ID and a secret you can use for your extension.
In case if anyone will step into thi misunderstanding like I did.
If you create OAuth client with Application type "android" (and Chrome App as #Erich answered) you won't get client secret.
Use this (picture) instructions to acquire the key.

Resources