I'm using haproxy to load balance more than one .net applications. IIS servers cofigured for running https and haproxy too. There are only one self signed certificate, and it's subject contains all of iis servers ips, domains, and haproxy servers too. I'm using ntlm to authenticate user and I want to switch it to kerberos.
I made an spn record for iis and ha proxy servers. And start all iis for same user.
When I want to go to IIS server directly, i can see the kerberos ticket on the traffic. But when i want to go with haproxy, i cannot see kerberos ticket. Is there any configuration for haproxy to pass kerberos?
Related
So we're finally moving to Windows Server 2019 from 2008 R2 and the new ADFS requirements are that ADFS stays behind a firewall and the Web Application Proxy will be exposed and forward any authentication requests to the actual ADFS server. So far so good.
But our initial ADFS setup did not use subdomains. So we don't have the luxury of just moving eg. sts.domain.com to a new server. Our web server, database server and ADFS server were all responding to www.domain.com. ADFS v2 was an application under IIS after all. Poor planning, but here we are.
So now we have 2 new production servers both running Windows Server 2019. One exposed to the internet running the Web Application Proxy and the actual ADFS server behind a firewall. All the settings, relying party trusts and claims providers have all been migrated with Microsofts bundled scripts. All good. But our ADFS is behind a firewall and the ADFS is configured to respond to www.domain.com and the federation service identifier is equally www.domain.com/adfs/services/trust.
If i set it all up with sts.domain.com externally pointing to the WAP and internally they both think the ADFS is sts.domain.com it works just fine. I can connect, it fetches metadata and lists Claims Providers.
But when i try the same trick with www.domain.com it fails.
So I've been trying to fool the ADFS server and edited hosts files so the ADFS server thinks it's www.domain.com and the web app proxy also thinks that the ADFS server is www.domain.com internally. But obviously still responding to web requests on www.domain.com on the external interface. But when i do that the WAP refuses to connect to the ADFS server.
What gives?
I'm currently working on a script that will test the health of an ADFS service. The ADFS service uses the same domain name (split brain DNS) for both intranet access, as well as for public DNS (for internet connections through the proxy servers). If I'm logged into an intranet device and I attempt to perform an SSL connection to the ADFS service, my device will use the intranet IP of the service. If I do the same from a device that is not in the intranet, I will connect to the public facing IP.
I want my script to test the health of both the internal and external service, but I haven't found a way to perform an SSL connection to a certain hostname/fqdn, and use an specific IP depending on the test I'm trying to perform (intranet vs extranet). Connecting directly to the internal/external IP address is not an option, since the ip addresses are not part of the SSL cert subject alternative names.
One option I found Is to create a PS Session to a remote host that has public DNS servers configured, and execute my Extranet test through that PS Session, but Ideally, I would like to run both tests from one single server.
I'm trying to find an option that works in the context of my PowerShell session only, I don't want to change the DNS settings of the server or the global DNS cache since that will result in problems on the server, because it depends on that ADFS service for other services to work.
Any help will be appreciated
I could not find a way to achieve exactly what I asked, so instead, what I did was to deploy a small Rest API in Azure which calls my ADFS service. When I call that Rest API, ADFS receives the query from the Internet, allowing me to achieve test the health of my ADFS service from the internet.
We have a cluster that runs a number of dotnet apps, one of which runs the identity server. All the other apps need to authenticate with the identity server. If the identity server was external this wouldn't be an issue as it would have an HTTPS endpoint, but internally they are all running HTTP.
With istio adding MTLS security to all the comms, do all the apps just get set with RequireHttpsMetadata = false?
Is this the correct way to setup the network with internal requests being sent as http://auth-server.default.svc.cluster.local/...?
or should they be sent as https://auth-server.default.svc.cluster.local/..., if so how?
I'm trying to host web pages using Win Server 2016. Currently, I have Jira and my personal web (IIS) servers. Using AWS, I currently have "myec2.com:port1" and "myec2.com/port2" running fine. And I'm planning to buy a domain "myname.com" to be connected to "myec2.long.name.com"
What I hope to do is "myname.com/jira" and "myname.com/mypage" or "jira.myname.com" and "mypage.myname.com" can redirect to Jira server and the IIS server. Is there a way I can achieve this goal?
Thanks in advance.
If you buy a domain like myname.com you will be able to configure any number of sub-domains such as jira.myname.com or mypage.myname.com as you like.
Usually what you would do is point those sub-domains to your server's IP then handle requests to those domains by setting up a web server (like apache or nginx) and configuring a virtual host (apache) or a server block (nginx) for each one of those sub-domains.
While running two app servers (which has mobilefirst servers hosted 7.1 version) from ibm http server, only one server runs successfully on keeping only one of the Route attribute active in the plugin-cfg.xml of the http server. In the server which is not running, the following error is seen in the messages.log.
CWWKS4001E: The security token cannot be validated. This can be for the following reasons
1. The security token was generated on another server using different keys.
2. The token configuration or the security keys of the token service which created the token has been changed.
3. The token service which created the token is no longer available.
Kindly guide in resolving the error above.
Thanks.
Sounds like your two servers have not exchanged/shared LTPA keys and IHS and the WAS Plugin are a red herring.
http://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_ltpa.html
http://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_sso.html
Note: For SSO to work across Liberty servers, full profile servers, or both, set the following resources:
The servers must use the same LTPA keys and share the same user registry.
Sounds like communication issue between two servers. Are the inbound ports opened on another server to communicate with HTTP server? if they are opened use telnet and test whether both servers (HTTP and app server) are communicating with each other.
On HTTP Server, open command prompt and enter below command.
telnet <app server ip> <app server port>
If this is not successful then you need to open ports on app server.