My scenario:
I have a sample website hosted on IIS windows 2012 server. When I browse the website it should prompt for credentials of the the Active Directory. I have tried using 'Windows Authentication' it is working fine, It is using NTLM for Windows Authentication
How can I use Kerberos for login to the website instead of NTLM
I have tried the steps in thelink, but it is not working
https://blog.kloud.com.au/2015/06/04/kerberos-web-application-configuration/
Please help me.
Thanks
The below link has the detailed procedure for the above query
http://woshub.com/configuring-kerberos-authentication-on-iis-website/
I recently upgraded to windows 10, and have discovered an issue that I was able to do on Windows 8.1, but seem to be unable to do on Windows 10.
In my ASP.NET web application I have a controller that receives a GET request and then issues it's own GET request to another server and then sends that response back.
When debugging I have added the following to the application web.config:
<system.net>
<defaultProxy>
<proxy autoDetect="false" bypassonlocal="false" proxyaddress="http://127.0.0.1:8888" usesystemdefault="false" />
</defaultProxy>
</system.net>
Which in 8.1 was able to capture both the local server request and the remote server request. However, I haven't been able to get Windows 10 to do the same.
I did exempt all in the WinConfig settings on Fiddler.
WinConfig won't affect anything; it only relates to Metro/Immersive apps.
If you update web.config to point to a bogus proxy (e.g. 127.0.0.1:1111) does it fail? If not, then your app isn't using the configured proxy settings.
If updating web.config doesn't work, you might try editing the appropriate (probably 64bit) machine.config.
How to sign-in to ADFS WIF federation AND Form auth on the same page with login (user/password) text-boxes?
Now I can use a link to redirect to adfs login with a prompt box to input domain user name and password.
Can I use the same (user/password) text-boxes as form auth? So I don't wanna use the prompt box?
ps: another question, how can i do to pass auth automatically when i login in the domain of which supplies the adfs without inputting(SSO) User and Pass?
Thanks!
ADFS supports several ways of accepting user's credentials. The one with "prompt box" is most likely integrated or basic authentication. It is configurable on ADFS side:
http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx
If you need to configure forms authentication as a preferred option change in ADFS Web agent web.config order of local authentication types. Set Forms as a the first:
<microsoft.identityServer.web>
<localAuthenticationTypes>
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
</localAuthenticationTypes>
Regarding the SSO, problem. It depends on browser:
in IE you need to add ADFS URL to Trusted Sites or/and make sure that Trusted Sites zone in IE allows to send windows credentials.
See: http://docs.acl.com/ax/310/index.jsp?topic=/com.acl.ax.admin.help/system_administration/t_configuring_internet_explorer_for_integrated_windows_authentication.html
Chrome assumes that any page that contains '.' - dots in address is not secure enough to provide SSO, so probably you'll need to set up a dotless alias for your ADFS host.
in Firefox you need to add ADFS URL network.automatic-ntlm-auth.trusted-uris
See: http://sivel.net/2007/05/firefox-ntlm-sso/
I'm using ServiceStack 3.9.70 on IIS8 - when POSTing invalid user creds to the default authentication provider service at "auth/credentials" a "401 unauthorized" response is returned as expected along with the browser (both chrome and firefox) prompting for "Authentication Required".
This is all in the context of an angularjs app and I'm handling the 401 response accordingly however the browser prompt is quite annoying and I want it gone. How can I prevent the browser from prompting for credentials when a 401 response is returned from my ServiceStack authentication service?
Thanks!
Sometimes a good night sleep makes all the difference. I solved this by simply disabling basic authentication. I made an entry in my web.config but the same change can be made directly in IIS under the site's "Authentication" feature. Now the 401 response can be handled accordingly by my angular app without the browser throwing a prompt.
<system.webServer>
<security>
<authentication>
<basicAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
i think the 401 response is appropriate for standard http status code protocol , similar to the 403 Forbidden response.
if you want to avoid the credential handshake and save bandwidth you can include in the HEAD request on the same resource at each RESTful request you sending.
My scenario: I have a public facing web app hosted on Amazon EC2 servers. I have a self-hosted database server behind a firewall. I have self-hosted Web Service servers with a web service for data access. I want to allow only applications I approve (my own living in the cloud) to access the services and I don't want any data passed in clear-text.
From what I can tell reading all the disjointed and maddeningly obfuscated MSDN articles, Stackoverflow threads, Code Project articles, and other blogs. The type of security I need is:
Transport Security mode with Certificate clientCredentialType, using wsHttpBinding. First question, am I right in assuming that? Will that give me enough security? This isn't B2B or anything like that. It is, however, cross domain and I just want to ensure I can trust the caller. My service is running in an AppPool owned by a specific user so I can access the DB with integrated security. I need to make sure only callers to my service that I approve get in. I don't need to encrypt the message anymore than SSL already does I don't believe.
All the scenarios possible make it very very difficult to know if this is what I want. But assuming it is the next question is how do I set up the Certs? I currently have a Certificate on the server, and I can only access with Https. (security mode="Transport", clientCredentialType="None"). But for the life of me I can't figure out what I need to do to change clientCredentialType to Certificate and get it to work.
What do I give the client from the server and where does it go?
What do I give the server from the client and where does it go?
If I have several clients (a web farm) do I have to have a different client cert for all of them, or can they share one cert that my server accepts?
All development articles I read say that Cert setup is an Admin tool and beyond the scope of the article. Well, the WCF stuff is straightforward, it's exactly the friggin cert stuff I need help with, and there are no useful articles that I've found yet. Those that come close show how to do it with makecert.exe and say in production it will be different, but then don't say how to do it in production.
I'm sure my frustration level is showing, sorry about that. But it really makes no sense that there isn't a clear description on how to do what seems like a pretty common security scenario in WCF.
Any and all help appreciated,
Ken
Short Answer
The type of security I need is: Transport Security mode with
Certificate clientCredentialType, using wsHttpBinding. First question,
am I right in assuming that?
Yes. Message security would also work assuming you do not use WCF streaming features, but with transport security you can benefit hardware acceleration.
how do I set up the Certs?
Please see the detailed answer below.
What do I give the client from the server and where does it go?
If I have several clients (a web farm) do I have to have a different
client cert for all of them, or can they share one cert that my server
accepts?
You need 3 certificates :
a client certificate (the same for all clients).
a server certificate.
a certificate authority (CA) certificate, by whom the client and server certificates
were issued.
The client needs:
The client certificate installed in the Personal Certificates store.
The CA certificate installed in the Trusted Root Certification Authorities store.
What do I give the server from the client and where does it go?
The server needs:
The server certificate installed in the Personal Certificates store.
The CA certificate installed in the Trusted Root Certification Authorities store.
The client certificate installed in the Trusted People store.
Detailed Answer
In this scenario (communication between web farm and self hosted web services), you own both client and server machines. There is no need for third-party issued certificates (you trust yourself, right?). Which means you can safely use home-made certificates.
Here is a quick guide I hope will help you (or someone else), achieve this. If you already own certificates as your question suggests, feel free to skip step I. Furthermore, you may already have bought third-party issued certificates, in that case the root certificate authority (VeriSign, Microsoft, etc) certificate may already be installed on your client and server machines.
I. Create certificates
As explained in this msdn article, use makecert to generate 3 certificates:
A root certificate authority certificate, let's call it MyRootCA, and its revocation list.
A server SSL certificate. The name must be the domain name your web farm clients will use to call the web services. For example, if your clients use the following url: https://mywebserver.myprivatedomain.com/service1.svc, then your certificate CN (Common Name) will be mywebserver.myprivatedomain.com.
A client X.509 certificate, let's call it MyAmazonClient.
Here is a simple batch that achieves those 3 steps:
REM 1: MyRootCA
makecert -n "CN=MyRootCA" -r -sv "MyRootCA.pvk" "MyRootCA.cer"
makecert -crl -n "CN=MyRootCA" -r -sv "MyRootCA.pvk" "MyRootCA.crl"
REM 2: mywebserver.myprivatedomain.com
makecert -sk "mywebserver.myprivatedomain.com" -iv "MyRootCA.pvk" -n "CN=mywebserver.myprivatedomain.com" -ic "MyRootCA.cer" -sr LocalMachine -ss My -sky exchange -pe
REM 3: MyAmazonClient
makecert -sk "MyAmazonClient" -iv "MyRootCA.pvk" -n "CN=MyAmazonClient" -ic "MyRootCA.cer" -sr LocalMachine -ss My -sky signature -pe
This batch will create 3 files in the current folder:
MyRootCA.cer: contains the public key of the root CA certificate.
MyRootCA.crl: contains the certificate revocation list.
MyRootCA.pvk: contains the private key of the root CA certificate.
The 2 other certificates (client and server) are installed in local computer certificate store.
Using the Certificates MMC Snap-in, export them into .pfx files:
Locate LocalMachine > My > Certificates.
Right click MyAmazonClient > All Tasks > Export.
Right click mywebserver.myprivatedomain.com > All Tasks > Export.
II. Install server certificates
On your server machine (the one exposing the web services), copy the following files:
MyRootCA.cer
MyRootCA.crl
MyAmazonClient.pfx
mywebserver.myprivatedomain.com.pfx
Using the Certificates MMC Snap-in on the server machine, install the certificates in the following locations:
MyRootCA.cer and MyRootCA.crl into Local Computer > Trusted Root Certification Authorities > Certificates
MyAmazonClient.pfx into Local Computer > Trusted People > Certificates
mywebserver.myprivatedomain.com.pfx into Local Computer > Personal > Certificates
Grant your IIS AppPool access to the private key of the mywebserver.myprivatedomain.com certificate. In MMC Certificates Snap-in, right click mywebserver.myprivatedomain.com > All Tasks > Manage Private Keys... Then add the identity your AppPool is running with. Note than when using ApplicationPoolIdentity (by default), identity name is IIS AppPool\YourAppPoolNameHere.
III. Configure IIS to support SSL
Using IIS Manager, locate your website and add an https binding with your mywebserver.myprivatedomain.com certificate. See Step 4: Configure Your Temporary Service Certificate in IIS to Support SSL.
IV. Configure the services (web.config)
<system.serviceModel>
<protocolMapping>
<add scheme="https" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<!-- configure wsHttp binding with Transport security mode and clientCredentialType as Certificate -->
<binding>
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
V. Install client certificates
On each client machine (web farm), copy the following files:
MyRootCA.cer
MyRootCA.crl
MyAmazonClient.pfx
Using the Certificates MMC Snap-in on the client machines, install the certificates in the following locations:
MyRootCA.cer and MyRootCA.crl into Local Computer > Trusted Root Certification Authorities > Certificates
MyAmazonClient.pfx into Local Computer > Personal > Certificates
Grant your IIS AppPool access to the private key of the MyAmazonClient certificate (same steps as II).
VI. Configure the clients (web.config)
<system.serviceModel>
<client>
<!-- this endpoint has an https: address -->
<endpoint address="https://mywebserver.myprivatedomain.com/service1.svc"
behaviorConfiguration="endpointCredentialBehavior"
binding="wsHttpBinding"
bindingConfiguration="Binding1"
contract="MyWebApp.IServiceContract"/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="endpointCredentialBehavior">
<clientCredentials>
<clientCertificate findValue="MyAmazonClient"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<!-- configure wsHttpbinding with Transport security mode
and clientCredentialType as Certificate -->
<binding name="Binding1">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
And that's it.