Capture outgoing ASP.NET traffic from windows 10 with Fiddler - fiddler

I recently upgraded to windows 10, and have discovered an issue that I was able to do on Windows 8.1, but seem to be unable to do on Windows 10.
In my ASP.NET web application I have a controller that receives a GET request and then issues it's own GET request to another server and then sends that response back.
When debugging I have added the following to the application web.config:
<system.net>
<defaultProxy>
<proxy autoDetect="false" bypassonlocal="false" proxyaddress="http://127.0.0.1:8888" usesystemdefault="false" />
</defaultProxy>
</system.net>
Which in 8.1 was able to capture both the local server request and the remote server request. However, I haven't been able to get Windows 10 to do the same.
I did exempt all in the WinConfig settings on Fiddler.

WinConfig won't affect anything; it only relates to Metro/Immersive apps.
If you update web.config to point to a bogus proxy (e.g. 127.0.0.1:1111) does it fail? If not, then your app isn't using the configured proxy settings.
If updating web.config doesn't work, you might try editing the appropriate (probably 64bit) machine.config.

Related

tomcat localhost url return ERR_CONNECTION_REFUSED

I developed a spring MVC app in eclipse and trying to test in my laptop tomcat localhost. This URL works http://localhost:8080. It brings up the tomcat admin page. But when i call http://localhost:8080/mywebsite, as part of spring security port mapping it forwards to https://localhost:8443/mywebsite, but i get
This site can’t be reached
localhost refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
This is definitely not firewall issue, as i uninstalled all my antivirus, disabled firewall in windows defender
I have also changed the server location to "use tomcat installation" in eclipse
I have cleaned up deployment folder multiple times and reinstalled app and restarted server multiple times. The server started successfully i can see the logs
I am using tomcat 9 and JDK-19
I dont see any calls in access logs, only a 302 when it redirects from http://localhost:8080/mywebsite to https://localhost:8443/mywebsite
I have been trying this for 2 days and it wont budge an inch. I need help please
As #nitin pointed out in the comment above, I had not configured SSL connector. My bad I thought SSl cert is not needed for localhost testing. But it is required. I following the steps in
https://medium.com/beingcoders/setup-ssl-on-apache-tomcat-in-just-10-minutes-step-by-step-guide-706484094bb2

IdentityServer3 Unable to get document from

I'm using the IdentityServer3 Version (2.5.4) for the current project, everything works fine on my local machine (with IIS and IIS Express).
The customer has a Windows7 Embedded machine (without SP1!) with .NET 4.5 installed, we created a selfsigned SSL cert (with the current hostname, NOT localhost), but its not working. I'm always getting the error "Unable to get document from: https://xyz/.well-known/openid-configuration"
what is wrong with the configuration?
I found the Solution, it has nothing to do with the Configuration. The Installation of the Windows 7 SP1 has fixed it.
In a couple of cases where we had this issue, it is mostly to do with network connectivity.
Few things which helped us figure out the root cause -
Access the "https://xyz/.well-known/openid-configuration" route from a browser on the server.
If you are not able to access the url then it means that the server is unable to connect to the Idserver installation. This is a network level issue.
If you are able to access the url from the server where the relying application is hosted, but the relying application is throwing an error -> it means that, a proxy is configured on the server. The browser automatically uses the proxy, where as you have to set the proxy in the relying party application as below in the startup.cs
var request = WebRequest.Create(uri);
var myProxy = new WebProxy {Address = new Uri("proxy uri")};
request.Proxy = myProxy;
var response = request.GetResponse();
This will ensure that all the http requests originating from the code will also use the same proxy.
If the above doesnt help, Check if the IIS where Idserver is installed, allows TLS 1.0 and 1.1. THis is disabled on some servers for security purposes. If that is the case, use the below code to make ur application use tls 1.2 and the call will succeed
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Circumventing web security limitations between two sites on the same server

I'm using Eclipse to develop an app that consists of an Angular 2 front end and a Java REST back end.
For the front end, I'm using the Angular CLI plugin, which starts the app by issuing an ng serve command to the CLI. This command sets up an http server on port 4200.
For the back end, I'm using an in-company framework that launches in Jetty within Eclipse in port 8088.
While both these ports are configurable, by nature of the frameworks and plugins in use, they'll always be distinct.
Authentication works via an OAuth2 service that is also deployed to port 8088, as part of the framework. This service sets a cookie which certifies the browser session as authenticated. I have verified that this service works correctly by testing it against a Swagger instance of the REST API (also running in 8088 as part of the same framework).
The problem is that when the browser is aimed at the Angular 2 app on :4200, its internal REST API requests to :8088 aren't carrying the authentication cookie. Presumably, this is because of cross-site protection.
Is there any way for the app or the framework to tell the browser that these two "sites" are actually part of the same system?
Alternatively, if I have to configure the dev browser (Chrome) to work, I can live with that too. However, I've tried the --disable-web-security --user-data-dir recommendation, but the cookie still doesn't show up on the requests.
Lastly, I have Apache installed on the dev machine. If I can set up appropriate vhosts and use it as a proxy so that the browser thinks it's all the same, that would probably work too. It would just be a matter of intercepting all /swagger and /api requests and sending them to :8088, and all forwarding all other requests to :4200. However, I've been banging my head against mod_rewrite and mod_proxy and haven't been able to come up with anything that works.
I think what you're looking for is
withCredentials = true
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials

IIS Arr not passing windows credentials on the same server

I have a self-hosted owin web api service on a test environment, and to give it a better name I use a domain alias, and ARR.
My web api runs on port 8888, and uses Windows Authentication. I have configured my arr to run under testserver:80 with anonymous authentication. I want to deploy a service on the box that will pool the webapi for data. When I try to visit testserver from my web browser on my desktop it works fine. However, when I remote into that box and try to hit testserver it prompts me for credentials. Even if I type them correctly it still will issue me a 401. If I go to localhost:8888 the site will work.
Since, I'd prefer to use the pretty name for the server in my service how do I correct this issue. How do I get it to pass credentials on the same box through ARR?
You might have have an issue with LSA loopback checking.
You get the 401 because ARR forwards your Windows Authentication to localhost, which is not allowed (default setting).
Try to disable LSA loopback checking (restart most probably required). If that works you can limit the disabling of loopback checking to specific websites (to prevent security holes).
See You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version for more information on the LSA loopback check and how to disable it completely or only for specific hostnames.

Asp.net 3.5 Deployment issue

For deploying my website in server by using IIS 5.1,,i created virtual directory,,i browsed in to my application and selected
asp.net 2.0 tab(application is framework3.5)..I reset framwork configuratio 2,0 Runtime security Policy Enterprise,Machine,User
tab,,What ever things i can do i did
Still also application is working properly,,but i am not able to deploy it in IIS
i am getting this error
If i browse Login.aspx i am getting
**
Server Application Unavailable
The web application you are attempting to access on this web server is currently unavailable. Please hit the "Refresh" button in your web browser to retry your request.
Administrator Note: An error message detailing the cause of this specific request failure can be found in the application event log of the web server. Please review this log entry to discover what caused this error to occur.
**
Is it with IIS 5.1??
Here my machine is acting as server ,It has xp professional 2002 service pack 2 and IIS 5.1
Any body knows how to create application pool in IIS 5.1
I don't think you can ... Creating Application Pools in IIS
IIS 5.1 and earlier: The AppCreate3
method, the IIS WMI provider, and
Application pools are not available,
and therefore this topic does not
apply.