IIS Passing client certificate to rails - ruby-on-rails

I have an application written in Rails that must be ran behind a IIS server due to restrictions by the client, the government. We have to have SSL authentication. So what I can't figure out in my hours of searching Google is how to get IIS to pass the client certificate to the rails server (thin).
I've seen tutorials on Apache that use:
SSLOptions +ExportCertData
Which then make it available to the request object. Any ideas on how to configure IIS to do the same?

At least in the way that you ask the question IIS cannot provide a client certificate as the client cert would be issued by a third party. So you need to get the x509 cert that your application and then the cert is authenticated as part of the initial connection request with iis.
As to the apache function to provide the ssl cert from the server to the client, this functionality is not exposed by iis.
That's why you were not able to find anything on google

The main reason companies want to run Rails(or Other) applications behind an IIS server is for SSO apart from protecting the resources.
See if this helps.
We have been running our Rails app behind IIS at quite a few customer locations. We run our Rails app in JRuby inside Tomcat.
The steps to install the JK ISAPI redirector plugin are here
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
All Rails contexts are protected in IIS using standard IIS authentication schemes, Integrated Windows Authentication ( Negotiate, NTLM).
Within the Rails app one can get the logged in user's information.
request.env['java.servlet_request'].get_remote_user
The Rails app also connects to Microsoft AD for additional user information like email, department etc.,
Since the Rails is blindly trusting the IIS server for authenticaiton it needs to be prevented from direct access.
1. Disable HTTP ports in Tomcat
2. Enable only the AJP port
3. Add an IP restriction so that it accepts connection only from the IIS server(s)
==
I do not think it is possible for IIS to pass on the certificate details. We tried to extract the Kerboros tokens ( for kerboros authentication delegation ) without much success and realized it is not possible.

After being told this may be impossible. I've finally figured it out! Here are the steps that I took.
Using OpenSSL create your own CA certificate.
Using the generated CA certficate create and sign other certificates with Open SSL.
Open Internet Information Service Manager click on the server, then click on server certificates.
Click Import under the Actions column
After importing click on your site.
In the Actions column click bindings...
Click add, scroll to https, and select the CA certificate that you imported
Click on your site again to get to the menu and click on SSL settings
Check require SSL and then click the radio buttion, require
Click your site again then click on the configuration editor (installed in IIS 7.5 can add-in in 7.0)
Go to system.webServer/security/authentication/iisClientCertificateMappingAuthentication
Set enabled to true
Set manyToOneCertificateMappings to true
Click on the ... box on the far right-end of manyToOneMappings
Click add under actions column, under collections
Add the username and password of the user you created (can be on local machine)
Now, go to the main server and restart.
You should be able to see the certificate using request.headers hash.
Variables for the hash include:
CERT_SERIALNUMBER
CERT_SUBJECT
CERT_ISSUER
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
If you cannot find something you may have to install a module (for like authentication). I don't remember which ones I installed.

Related

Auth0 ADFS - Can't Find Federation Metadata URL - Next Steps

This post became much longer than anticipated, TLDR: Where is my ASFS Federation Metadata located on my server? My overall task to the setup a test ADFS server in order to integrate our current application with ADFS
Hello, I'm trying to integrate our application with ADFS (it's a WPF application with a NodeJS backend), and I'm testing out Auth0 for this job (but if there are other simple solutions, I would be open to that as well - I've found no good guides so far ): espeically as a developer with no AD experience).
Regardless, I think I've set up a single server AD FS environment (locally as server1.local - with AD CS, AD DS and AD FS and that same server is the domain controller/DNS server) and set up an Auth0 relying party using this guide:
https://auth0.com/docs/connections/enterprise/adfs
In the next steps part, it says: try these quickstart guides. So I've downloaded the Angular2 quick start example project to test. But when I go to the enterprise connections and try to set up an ADFS connection, it asks for a ADFS URL
You can either provide the ADFS URL or upload the federation metadata file.
But I can't seem to find my ADFS URL. Not only that, my server is local, so it wouldn't be able to use my URL anyways right? I can just upload the metadata instead?
I've tried going to https://server1.local/federationmetadata/2007-06/federationmetadata.xml and https://127.0.0.1/FederationMetadata/2007-06/FederationMetadata.xml and https://localhost/FederationMetadata/2007-06/FederationMetadata.xml which under endpoints that's the one that shows, but ie says:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://server1.local again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
I've enabled TLS 1.0, 1.1 and 1.2 and this still doesn't seem to give me my metadata. I've also tried that URL on Chrome and it gives a generic "This site can't be reached"
How do I get my metadata?
In the ADFS configuration, look for what you configured as your federation service name.
Use this in the URL.
https://federation service name/federationmetadata/2007-06/federationmetadata.xml
BTW the federation service name should not be the FQDN of the server.

Free SSL security certificate on Heroku?

I pushed a Spree Rails app to Heroku and I see it's using ssl withhttps:// and has a yellow padlock in the browser. Clicking on this shows "Identity verified" and the Certificate Information says Issued To: *.herokuapp.com
This is great. With no configuration or expense at the Heroku end, my app is using SSL with a valid looking certificate. Ok it's a yellow rather than green padlock but hey, not bad for free.
I'm sure this is a stupid question..but how can I run another Rails app on Heroku with a verified certificate without paying for the SSL add-on and purchasing my own certificate?
The TLS/SSL connection your browser is establishing is due to the fact the you are connecting to your app via appname.herokuapp.com. This is standard and will automatically work for any app you create out of the box. Heroku provides SSL encryption as you may be sending sensitive information to the server and it is better practice to encrypt data that you may not necessarily deem sensitive, but your client may. All reputable providers (SAS, Web Hosts, Email Providers) will have a wildcard SSL certificate installed to the base domain (*.herokuapp.com) as it is a single certificate that is relatively inexpensive and will secure all the sub-domains automatically.
That being said Apps are SSL-enabled already and can be accessed simply by using https, e.g., https://appname.herokuapp.com, but you would want to go with the SSL endpoint option when you want to establish the trusted relationship with your clients. Both ways are as secure as the other, but with the wildcard SSL (also referred to as a shared SSL certificate) the trust is established between the client via their browser and Heroku not your App/Site. With the SSL signed to your domain.com the clients can connect to your domain and not the Heroku sub-domain and see your site's information in the connection information on the browser. If your site is needing disambiguation from Heroku then is when you will want to proceed with an SSL setup outside the default.
As for what SSL type and issuer to use I would not recommend https://www.startssl.com/ as they do not offer SSLs with high browser ubiquity as they are not fully signed by an external root authority. Comodo and the consumer standard Rapid/GeoTrust are the best choices as far as assurance, recognition, and easy of use and concerned. You only need a DV (domain validated) SSL and they can be had for a few domains a month.
More on this and the Heroku SSL configuration can be found here
I recently spent some time setting this up. It can be done using CloudFront and a proxy to Heroku. This is probably best used for small projects but seems to be working great so far! See my post here:
http://ksylvest.com/posts/2014-05-06/setup-free-ish-ssl-tls-on-heroku-for-ruby-on-rails-or-any-other-framework
A few things have changed since this question was first answered, notably the advent of Let's Encrypt and new Heroku SSL endpoints, which together make it possible to add SSL for free. I've created a gem to generate and add certificates automatically: https://github.com/KMarshland/heroku-ssl. Once you've added heroku_ssl to your gemfile, you can simply run:
rake heroku_ssl:update_certs
Alternatively, if you don't want to use the gem, you can do these tasks manually:
1. Generate the SSL Certificate
Follow the instructions in https://github.com/unixcharles/acme-client to generate your certificates. You'll need to register your email, authorize the domain, and then finally get your certificates. When authorizing the domain, if you only have one server running, you can simply stick the authorization file in your public folder; if not, you'll either have to set up a dedicated controller and route or add a text record to your DNS zone file.
2. Add the certificate to Heroku
After downloading your certificates, you can either use Heroku's web interface or just run
heroku certs:update fullchain.pem privkey.pem
3. Configure your DNS
You need to set a CNAME record in your DNS zone file that points to [yourdomain].herokudns.com. The DNS zone file specifies what urls get mapped to what servers on the domain name you own. If your site is already pointed to your Heroku app, there will already be a CNAME record; you just need to change where it points to. If not, you'll need to add a new line:
[subdomain] [TTL] IN CNAME [yourdomain].herokudns.com.

WebAPI + Azure WebSite + Client WebSite + SSL - how many certs do I need?

I have a WebAPI solution hosted in an Azure Web Site (appnameapi.azurewebsites.net) that has some endpoints exposed to regular http right now.
I also have a client application hosted in a separate Web Site under appname.azurewebsites.net.
I purchased appname.com from hover and am forwarding appname.com to appname.azurewebsites.net with masking. The client application makes requests to appnameapi.azurewebsites.net right now, but not encrypted.
My goal is to get SSL working on the web client so that users see SSL in the browser bar, and so that anything that goes from the client to the api endpoints is encrypted.
I went to rapidSSL and purchased a certificate for appname.com. Now I'm not sure if I need to put this in my WebAPI web site, or my client web site. I've found some documentation on setting up SSL in Azure but nothing that's given me a good grasp of what needs to be done in this scenario.
What's the next step? Do I need one cert per site, and if not, where does the single cert go?
You client web site is appname.azurewebsites.net. You have appname.com mapped to this. Your SSL certificate is for this domain. So, you will need to put the certificate with the client app. As an end user, if I go to appname.com, the certificate your application will present to my browser will be the one you purchased for appname.com. This is for the pages rendered by the client web application.
Now, as the browser renders the page from the client web application, say it needs to make jQuery AJAX calls to your web API site appnameapi.azurewebsites.net. You can use a domain name for this one as well, some thing like api.appname.com but regardless, this will be a cross-origin call, BTW. If this call is also through HTTPS, then for this case also, a valid cert must be presented to the browser. Assuming you have api.appname.com which is a sub-domain of appname.com, you can use the same certificate you bought from rapidSSL with web API site as well provided it is a wild-card cert, which is obviously more expensive. Otherwise, you will need one more certificate for the web api site (or the domain name if you plan to use one for API) and install that new cert in the api app.

jasig asp.net mvc cas client page is not redirecting properly

I have been using jasig .net cas client. I have setup cas server on my local computer which can be assessed using https://localhost:8443/cas-server-webapp-3.4.12/login
I have set authorize attribute on Account controllers logon action.
i am following everything given in this url https://wiki.jasig.org/pages/viewpage.action?pageId=32210981
when i run the application, it does go to cas login page but after authentication it returns with http://localhost:1672/ and then in browser it gives error as "The page isn't redirecting properly".
i don't know how i am getting this error, everything is setup properly in web.config.
Please help
when i use http://localhost:8080/cas-server-webapp-3.4.12/login (non secure url) instead of https://localhost:8443/cas-server-webapp-3.4.12/login(secure url) it works.
I think i have a problem with self signed certificate. Is it possible to create valid certificate and use it. At least i should try creating a valid certificate and try. But i don't know how to create valid certificate. Please also tell me how to create valid certificate. I tried google but not successful to find how to create valid certificate so that browser doesn't display "self signed certificate error".
For my own experience, other than getting the self-signed cert to work:
I have to install the self-signed cert from the SSO server to my Windows 2008 Server hosting the webapp).
Install the certificate under Trusted Root Cert Authorities on BOTH the user account and the machine account.
You can do this under MMC and then Add the certificate Snap-in.
Test your setup using IE to browse to the sso server in question.You should not see anymore warnings about the cert. Remember use IE to check, other browser does not seem to care about the Trusted Root Cert setup.
Next, when deployed the ASP MVC, I have to use classic Application Pool and
for my cas config setup in web.config leave both the proxyTicketManager and the gatewayStatusCookieName as empty string.
I am connecting directly to the sso server so these two be taken out, or else protocol error and infinite loop.
Then no more infinite redirect loops complains.
I found what the problem was. When we are using secure connection we need to have SSL certificate on both side, at CAS server side and at our webapplication side.
so at CAS server side it has to be
https://localhost:8443/cas-server-webapp-3.4.12/login
and at our web application side it has to be
https://servername/mywebapp
If you are using a self-signed certificate be sure that the server running CAS trusts the certificate of the web application.
you should specify the return url after success login in the web.config (just the server not the entire url)
example: you app is on http://localhost:8080/someWebApp/
when you go to the login page, you can see on the query string parameter the return url encoded
<casClientConfig casServerLoginUrl="https://localhost:8443/cas-server-webapp-3.4.12/login"
casServerUrlPrefix="https://localhost:8443/cas-server-webapp-3.4.12/"
serverName="http://localhost:8080"
notAuthorizedUrl="~/notAuthorized.html"
cookiesRequiredUrl="~/CookiesRequired.html"
redirectAfterValidation="true"
renew="false"
singleSignOut="true"
ticketValidatorName="Cas20"
serviceTicketManager="CacheServiceTicketManager"/>

TFS 2010 - Access Denied to Administrator for '/tfs'

I'm trying to set up a TFS2010 (with SP1) server and I keep running into hurdles.
The latest prevents me from doing anything useful as every HTTP request to "https://tfs.myserver.com/tfs" results in a HTTP 401. It doesn't matter if these requests come from the TFS Administration Console or from a web-browser. Every time I'm prompted to authenticate I enter the domain Administrator's fully-qualified username and password and I always get this error message:
Team Foundation Server
TF30063: You are not authorized to access https://tfs.myserver.com/tfs. - The remote erver returned an error: (401) Unauthorized.
Only a few settings in the Administration Console work (such as "Change URLs") but others, like "Group Membership" (either on the Application Tier node or on a Team Project Collection) results in the same prompt-then-fail.
The SSL certificate is valid, and the URLs seem consistent. I can't think what I'm missing out on.
EDIT: There is nothing relevant in the usual Event Logs. The Security log does show my Audit Failures, but I don't understand them because I'm entering the usernames and passwords correctly (the very same I use to access the servers over RDP):
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: DOMAIN
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
What's different about Group Membership & security dialogs is they go through the client APIs and access via IIS. All others such as change server urls go through the server model straight to the DBs. That means IIS cannot authenticate on your domain for some reason ...
From the description, it seems like a domain joined machine. Does IIS have access to the domain controllers? (is it connected to the domain network) The wizards verify you can reach AD but if you disconnect afterwards ... If IIS can't reach AD it will not be able to authenticate. TFS relies on IIS for windows authentication. It appears it can't do that.
Some other things to try:
On the application tier panel of the admin console, try changing the account (domain account) that the server runs as.
Did you choose Kerberos authentication in the advanced wizard? If you do that with a domain user as the service account, there's a pop-up dialog telling you that you need extra AD administration. If you did that, you can change to NTLM from the admin console.
Try to access it via http://machinename:8080/tfs (instead of FQDN) both locally and remotely. Try http://machinename:8080/tfs/web from the web browser as well. make sure you're not having a proxy server issue (routing NTLM through proxy servers can be problematic - if you have bypass local in IE settings then address without dots won't route through the proxy and takes that out of the troubleshooting picture). You can also completely disable proxy in IE just for troubleshooting.
Create another web site manually with a hello world aspx running as the same account with anonymous & basic auth disabled and integrated windows auth enabled. Ensure it works.
After growing frustrated with trying the helpful suggestions people made but not getting anywhere I decided to start-over and try again. I completely uninstalled TFS, SQL Server, and SharePoint services and reinstalled from scratch.
This time it worked fine - no meddling with security was necessary and the system just worked out-of-the-box.
Looking back, I think the problem was that I set-up TFS with the advanced option to use SharePoint, and then I probably fiddled around with settings I wasn't familar with and ended up making a hash of things.
Note to future self: practice in a VM before deploying in production.

Resources