ASP.Net Application keeps prompting for credentials - asp.net-mvc

We have an MVC application hosted on an IIS 6 web server. It uses integrated authentication. It's been hosted there for the last 5 years. Recently our IT department installed some patches on the server. After the patch installation, our application suddenly started prompting for credentials. When the user enters his credentials, it prompts for credentials again. It keeps repeating, and the user is not able to get into the application. When the user cancels the credentials window, it gives the below error:
401 - Unauthorized: Access is denied due to invalid credentials.
Can somebody please guide me to understand why it might have occurred and how to fix this?

We actually ran into this about 8 months ago. It brought down our entire environment for 3 days. At that time we came to find that it was a Microsoft patch that was applied to our web servers in regards to NTLM authentication. I will look and see if I can find the documentation on exactly what KB it was. Our solution was (at the time) to temporarily roll back the patch. Long story short, the underlying cause turned out to be that the patch that was installed had specific dependencies on other patches being installed on the web server AND our domain controllers. I will follow up and edit my answer when I get into the office, but I recommend checking the server to see what patches got installed and taking note if any are in regards to NTLM.
Try remoting into the server. Then while you are in, minimize your screen and try hitting the website again. I bet it will work and authenticate. If that is the case, then you are seeing the exact same thing we were. I will follow up in a little bit with more specifics.

Related

ASP.NET Identity Core cookie causes HTTP 403 error when login and logout multiple times

I have developed an ASP.NET MVC 5 application and it is hosted on shared hosting - IIS 10.
For authentication, I am using identity to check authentication.
I'm logging in and out multiple times in my application. After 6 or 7 attempts, it directs me to the 403 error page.
After clearing the cache from the browser, it works fine again.
Please assist me to find a solution.
I updated the machine key as well. Still getting the same issue.
The error initiates from the dynamic compression module when we check the tracing.
I got an answer from the Hosting team. They have installed (ModSecurity) WAF to block requests from understanding the behavior of requests. After disabling it, this works fine now.
It will definitely help someone.
Thanks.

Azure website suddenly responds slowly

I have an Azure website consisting of a WCF endpoint and an MVC website running on Azure. It runs on a basic medium/large tier - so no cap in CPU as Free or Basic has. This has been running perfectly for 6 months probably, with regular deployments and updates. And performance has as expected kept consistent. But now suddenly it takes forever to load the MVC website.
The flow is as follows; we receive a call via the WCF endpoint and then we direct people to a URL that is the MVC web site. All resides on same "web site" inside Azure.
The strange thing is that I can see no difference in my log files. The WCF endpoint responds as quickly as always and from what I can see the heavy lifting inside the MVC also responds as expected, but still the user is left waiting forever on the specified URL?
As said I can't see anything in the performance logs for the MVC controllers, so somehow it seems to be the https request itself that takes ages, but how do I debug or measure this?
I am in the process of getting Visual Studio 2015 to see the remote profiling that can be generated through Kudu - but somehow I don't think that the problem resides here. I am kind of blanking so any thoughts on what could be wrong and how to debug would be appreciated. Also if anyone knows that Azure has released something within the last couple of weeks that might have slowed the application down.
Any chance that you have Application Insights turned on for the MVC site? It has a feature that will track dependency calls and should be able to give you a good idea of what is taking a long time.
https://azure.microsoft.com/en-us/documentation/articles/app-insights-asp-net-dependencies/

How to direct pf_auth.pf_authenticate request to on-premise Multi Factor Authentication Server

I've been beating my head for hours on this request.
I have an on-premise installation of an Azure MultiFactor Authentication Server. I'm building a new ASP.Net MVC 5 application that will do an LDAP lookup for users in Active Directory (also on-premise) with no ADFS configured.
I've gone through the sdk for MFA Server and can easily enable SMS requests to be sent. I get the otp code from calling pf_auth.pf_authenticate(authParams, out otp, out callStatus, out errorId);
This works for test. But I need to direct this request to my on-site MFA Server. I can't find anything that tells me where I can set this value.
I know that if I log in to a machine on that domain it automatically sends the SMS text to my phone and I can enter it into the next screen to complete a login (the default user portals set up with MFA). I would assume that this would possibly work when I call ValidateCredentials on my application's newly created PrincipalContext. But how do I submit the SMS code without some sort of RequestId to sync up the communication?
I'm sorry if this doesn't make much sense. It's just all the examples I can find are for using MFA with a local ADFS. I only have Active Directory which is causing me to do the custom LDAP lookup.
Any help or direction is greatly appreciated.
OK, sorry for the delay in responding to this post. After getting no responses I moved on but have recently noticed that there have been 45+ views since my post and thought I should update for others who might be experiencing a similar issue.
Turns out that when using MFA on premise you can point multiple applications to a single MFA server, like Remote Access, VPN, etc.
However, if you are attempting to set up a Web Application hosted on IIS you need to install a copy of the MFA server on the IIS server hosting the application.
When installing you can point to the existing MFA setup so that both machines are in the same configuration. This local install also adds a custom IIS Plugin that does the request interception and directs it through the MFA pipeline. If everything looks good the request is then forwarded to your web application like normal.
This is really pretty straightforward but the documentation for MFA setup was sorely lacking. Hopefully in the future there will be a decent sample app provided by Microsoft that demos this process using local MFA and not just the Azure hosted solution.

Basic authentication in IIS MVC 3 site not working

I have just deployed an MVC 3 site to my Windows 2008 Web Edition (IIS 7) server, and am trying to set up Basic Authentication so that it will not allow unauthorized access. This seemed to work at first, but once I was troubleshooting a problem and making changes, now that this issue is fixed, my basic authentication for some reason no longer works -- it's letting anybody on.
Under my Authentication settings in IIS7, I have Basic Authentication enabled, and all other forms of authentication disabled. I've also tried other various combinations, and so far, everything I've tried is leaving the site wide open.
I wondered if it was caching my credentials, so I tried from a different browser from which the site has not been accessed, and it's still leaving it open.
Am I overlooking something obvious here? I thought all I had to do was leave all forms of authentication disabled, except for Basic? Any ideas what could be going on?
If not, any ideas on what I could do to troubleshoot? Is there anything I could see in Firebug to see what may be going on?
Thanks in advance.
Ultimately, this was what I was trying to accomplish, I just wasn't sure how to articulate it. After reading the article linked in that answer, I'm going to try to figure out a different way to limit access to this site (either by IP or using my single-level authentication).

Retrieve NTLM Active Directory user data to Rails w/o IIS

I believe that we can allow Firefox to send NTLM data to SharePoint sites to do automatic authentication, and I think that this is doable with IIS.
I'd like to do the same thing with an internal Rails site.
Does anyone know of a way that I could authenticate NTLM type user information through an Apache/mongrel setup (provided of course that it's already running on a Windows box inside of an Active Directory domain)?
I created a tutorial on how to install a patched mod_ntlm module for Apache on Linux, how to pass the NTLM authenticated username to Rails, and how to create a Rails session from that. So as a result you do not need a Windows server for running a Rails application.
There you can find also how to enable automatic NTLM authentication in Firefox — enter "about:config" in location field and then search for "network.automatic-ntlm-auth.trusted-uris". There you can enter servers for which you would like to use automatic NTLM authentication.
Bit of extra info in case anyone stumbles across this.
I wanted to do something which I thought should be pretty simple - extract the user's Windows username using NTLM from a Rails app running on Mongrel/Windows (InstantRails actually). Having written the basic code to manage the various handshaking operations (using the great NTLMRuby library at http://rubyforge.org/projects/rubyntlm/) and having got it to work wonderfully in Firefox, I was somewhat frustrated to find IE not working.
Mongrel doesn't support keep-alives during the type1/2/3 message exchange (at least natively, I believe there's a hack/fix for it), which IE demands and Firefox gets by without.
So authenticating a Rails server running on Windows against a remote NTLM service (e.g. SharePoint or another web site) is reasonably straightforward, but authenticating an IE browser against a Rails server running on Windows not so much with Mongrel. IIS would be an option, as might be basic Apache with FastCGI. The former feels a bit clunky and the latter won't be as fast as Mongrel.
I'm assuming you've already worked out which HTTP headers you need to send in order to get Firefox and IE to send back the NTLM authentication stuff, and are just needing to handle that on the server side?
You could use some of Ruby's win32 libraries to access the underlying Windows authentication functions which handle the NTLM.
I'd suggest the path of least resistance might be to see if there is a COM component which can do the authentication for you, and if so, to use it using the Win32OLE ruby library.
If there's no COM component, you might be able to find something in one of those other libraries which can invoke the native win32 methods for you.
If you can't find that, you'd have to write a Ruby C extension. I've done this on Linux, and extending Ruby is pretty easy, but you may find the Microsoft authentication APIs a bit painful.
Hope that gets you started on the right track :-)
You could also use the Apache ntlm module, which should pass a header onwards to your application with the username of the authenticated user. That module looks a bit old, but suggests some other modules that may suit your needs.
Old question, I know, but I came across this looking for a similar answer.
You could use the methods described here (http://blog.rayapps.com/2008/12/02/ntlm-windows-domain-authentication-for-rails-application/). However, mod_ntlm is for Windows authentication on a UNIX/Linux machine. mod_auth_sspi is what you'll need for WinNT authentication from Apache under Windows.
This particular project looks promising and is looking for contributors:
Rack middleware for transparent authentication with NTLM.
I haven't yet tried this out. For the moment I plan on implementing Raimonds' solution as it appears to have a lot of success.
Check out Waffle. It provides SSO on Windows to Java servers using the Win32 API. There are a number of implemented filters (servlet, Tomcat valve, spring-security).
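For the server-side handling of the type 1/2/3 exchange discussed in the answers above, this added example (not code from any of the posts or from the libraries they mention) parses the `Authorization: NTLM <base64>` header and bounds-checks each security buffer before reading the Type 3 fields. The function names, the `CORP\jdoe` sample and the ISO-8859-1 fallback are assumptions; the extracted username is only a client claim until the Type 3 response has been validated by something like mod_ntlm, mod_auth_sspi or the Windows authentication API.

```ruby
require 'base64'

NTLM_SIG = "NTLMSSP\0".b
NEGOTIATE_UNICODE = 0x00000001

# Read the security buffer (len u16, maxlen u16, offset u32, little-endian) at
# header position pos; return [offset-or-nil-if-empty, bytes], bounds-checked.
def ntlm_buffer(msg, pos)
  len, _max, off = msg.byteslice(pos, 8).to_s.unpack('vvV')
  raise ArgumentError, 'truncated or out-of-range buffer' if off.nil? || off + len > msg.bytesize
  [len.zero? ? nil : off, msg.byteslice(off, len)]
end

# Parse an "Authorization: NTLM <base64>" header value. Returns { type: n },
# plus :domain, :user and :workstation for a Type 3 message. Those fields are
# client-supplied claims: nothing here validates the challenge response.
def parse_ntlm_header(value)
  scheme, b64 = value.to_s.split(' ', 2)
  raise ArgumentError, 'not an NTLM header' unless scheme == 'NTLM' && b64
  msg = Base64.strict_decode64(b64.strip)
  raise ArgumentError, 'bad NTLMSSP signature' unless msg.bytesize >= 12 && msg.byteslice(0, 8) == NTLM_SIG
  type = msg.byteslice(8, 4).unpack1('V')
  return { type: type } unless type == 3

  bufs = { lm: 12, nt: 20, domain: 28, user: 36, workstation: 44 }.transform_values { |p| ntlm_buffer(msg, p) }
  # The flags word sits at offset 60 only if no payload starts before byte 64.
  first = bufs.values.map(&:first).compact.min || msg.bytesize
  flags = first >= 64 ? msg.byteslice(60, 4).unpack1('V') : 0
  # ISO-8859-1 stands in for the unknown OEM code page (assumption).
  src = (flags & NEGOTIATE_UNICODE).zero? ? 'ISO-8859-1' : 'UTF-16LE'
  %i[domain user workstation].each_with_object({ type: 3 }) do |k, out|
    out[k] = bufs[k].last.encode('UTF-8', src, invalid: :replace, undef: :replace)
  end
end

# Constructed sample: Type 3 header value for CORP\jdoe on WS01, zeroed responses.
def sample_type3_header
  names = %w[CORP jdoe WS01].map { |s| s.encode('UTF-16LE').b }
  off = 64
  name_bufs = names.map { |n| [n.bytesize, n.bytesize, (off += n.bytesize) - n.bytesize].pack('vvV') }
  resp_bufs = [[24, 24, off], [24, 24, off + 24]].map { |b| b.pack('vvV') }
  msg = NTLM_SIG + [3].pack('V') + resp_bufs.join + name_bufs.join +
        [0, 0, off + 48, NEGOTIATE_UNICODE].pack('vvVV') + names.join + ("\0".b * 48)
  "NTLM #{Base64.strict_encode64(msg)}"
end
```

Log the parsed fields for troubleshooting, but make authorization decisions only on an identity that the authenticating module or domain controller has confirmed.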
