Security

Multiple SSL one server, multiple site or multiple virtual directories

yanky999 — Fri, 20 Nov 2009 20:01:31 GMT

Ok, I have searched and could not find the exact scenario I may have. Current configuration example setup:Host A record External IP NAT TbSrv Int IP:port IISrvsite:ports subdomain site

Client123 xx.xx.xx.123 yy.yy.yy.200:81 Site123:81 no SSL clientt123.mysite.com

Client456 xx.xx.xx.456 yy.yy.yy.200:82 Site456:82 no SSL client456.mysite.com

Client789 xx.xx.xx.789 yy.yy.yy.200:83 Site789:83 no SSL client789.mysite.com

Client007 xx.xx.xx.007 yy.yy.yy.200:84 Site007:84 no SSL client007.mysite.com

I am looking to secure Client123,Client789, Client007 with a Multiple Domain SSL, although I am using just different subdomains at this time.

I don’t believe I need to have a Host A record added by our ISP.

Do I add entries into my NAT table like this?

Host A record External IP NAT Table Srv Int IP:port Srvsite

Client123 xx.xx.xx.123:443 yy.yy.yy.200:443 Site123:81 SSL port 443

Client789 xx.xx.xx.789:443 yy.yy.yy.201:444 Site789:83 SSL port 444

Client007 xx.xx.xx.007:443 yy.yy.yy.202:445 Site007:84 SSL port 445

Note the change in the Int IP address for Client789 and Client007(I currently have only two NIC in the server, I would need to add a third?)

Is there a better way to configure using just one SSL(443) site?

In the NAT table, can I have 3 entries for port 443 point to the same IIS site 443? Like below.

Client123 xx.xx.xx.123:443 yy.yy.yy.200:443 SiteSecure:85 SSL port 443

Client789 xx.xx.xx.789:443 yy.yy.yy.200:443 SiteSecure:85 SSL port 443

Client007 xx.xx.xx.007:443 yy.yy.yy.200:443 SiteSecure:85 SSL port 443

Then, within that one site(SiteSecure), use a virtual directory structure to access each individual client data.

Sorry again for the length question.

Yanky999

SSL problem using 3rd party root certificate

rppoor — Thu, 19 Nov 2009 20:48:42 GMT

We are using DoD and ECA certificates on one of our IIS 6.0 websites. We are having a problem with IIS not providing the ECA Root CA 2 (2048 bit) certificate in the list of acceptable client certificate CA names when it is negotiating an SSL session. We have 'Require client certificates' enabled and we are not using a CTL. The DoD Root CA 2 certificate works just fine. Both certs are installed in the 'Trusted Root Certificate Authorities' store. I'm pulling my hair out on this. Has anyone any idea what the problem and how to resolve it?

Thanks,

Bob

Mulitple sites at 443 - assign certificate problem

wuwu — Wed, 18 Nov 2009 13:54:04 GMT

Hello,

i have two sites with ssl at the same port, 443 and to different certificates.

I have installed the first WebApp, assign the first Certificate, Set Bindings for hostheather, assign ip-adress -> open the page, he shows me the page with the right certificate.

I configurate the secound WebApp with site. Assign secound Certificate (different to first one) to IIS Site, set bindings for hostheather, set ip-adress. When i open the page, he shows me the page with the right certificate (the secound one).

After i make an IIS Reset and open the first page, he shows me the certificate from the secound page (secound certificate), why that?

Windows Server 2003, IIS 6

best regards,

Horst

IIS Showing the user full connection string on deadlock?

rusware — Thu, 19 Nov 2009 22:48:17 GMT

Sometimes on a website i built IIS will show this error to the client

Data Source=??????;Initial Catalog=????;Persist Security Info=True;User ID=????;Password=????
Transaction (Process ID 109) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

The server is Windows 2003 with debugging off and Web.config set to custom errors on.

Anyone able to help me on this??

ASPNET user Account got locked ..

sasikumarg1983 — Wed, 18 Nov 2009 01:59:11 GMT

Hi,

We have lots of servers in the production environment which has more than 300 applications hosted on the same. Some applications are also load balanced. Recently we are getting the issue like "ASPNET user is locked". This is happening nowadays in all the servers. The OS installed is Windows server 2003 and IIS 6.0. Please help me to find the issue. Thanks in advance.

Anonymous Access on IIS 6.0 error 401

peteoc — Thu, 19 Nov 2009 09:10:44 GMT

Hi,

I'm having problems trying to configure an IIS website to work without requesting login credentials.
I've setup anonymous access and unchecked the tick box for integrated access in the bottom section.

I've even set the user for anonymous access to have full control of the directory to see if this helped but it doesn't, I still get a 401 error.

If I check the box for integrated security it them prompts for a password, if I enter my windows login details it works, if I click cancel I get error 401.

Any help would be appreciated!!

cheers

Pete

Third-party Cryptographic Service Provider

Ken Hui — Thu, 19 Nov 2009 09:04:03 GMT

Hi all, I have tried ACOS5, which uses CSP, on Outlook for smart-card based digital ID. I would like to ask if third-part CSP product can be applied on IIS's SSL web site too? My idea is: to store the SSL's certificate inside the smart-card. Thanks for advice. Best regards, Ken.

SSL Certificate Renewal, Windows Mobile Acess and iPhone Access

edwardwagner — Wed, 18 Nov 2009 21:12:56 GMT

I recently renewed my Verisign SSL certificate and installed it successfully; however the two handheld devices - Samsung Windows Mobile device (with latest version of Windows Mobile) and iPhone (latest OS) - cannot communicate with the Exchange 2003 (Windows 2003 SP2) server once I check the "require SSL" box. The Samsung gives a "0x85010014" error code, and the iPhone just states that it cannot communicate with the server.

I can still use OWA fine. If I do not require SSL on the server end, while still requiring it on each handheld device, everything is happy (except, of course, you can login into the OWA with http:). I spent a long time with the Verisign tech support and did not find anything to solve the problem. We did solve a related issue, which was that the Samsung device could not communicate even without SSL - needed to download a new certifcate to that phone since some models did not have the latest security certificate version that Verisign started using (which has apparently been in use for several years and the iPhone had already).

I did not change any settings on either device (they have always required SSL), nor the server - other than installing the certificate - but now the handheld devices won't connect if SSL is selected on the server, so I have to have it turned off in the IIS for now. Also, SSL was on until I inserted the certificate, so I'm wondering if something else (besides the SSL was perhaps reset). I have read that ActiveSync does not really use SSL, but it had no problems with the server requiring SSL until I installed the new certificate.

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.

alexscript — Wed, 18 Nov 2009 19:34:17 GMT

My Server is running on Windows XP Professional IIS 5.1 and I am getting the HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.

All images stored in "C:\WebsiteRoot\Portal\Content\Library\Users\[username]\" cannot be viewed (These are user uploaded images). However, all images stored in "C:\WebsiteRoot\Portal\Content\Library\Groups\[groupname]\" can be viewed. So it only applies to the first folder example and subdirectories.

It's causing missing images on my site.

I would like to add aswell, and I hope this may indicate something about the user roles that CAN and CAN'T access these images. I have server side methods that can access these files and return them to me. It is only when I use the link "[domain]/Content/Library/Users/[username]/[filename]" that I get the 401.3 error.

I've done so much to try to allow access to these images, that I'd like to start fresh with recommendations from anybody here on the IIS community site.

Thank you for any help, Alex

IIS 6.0 and Firefox issues

Ireneabraham — Wed, 18 Nov 2009 02:51:56 GMT

Hi, I am having a website published via IIS 6 and I have checked 'Digest Authentication Windows domain servers' to enable Active Directory security for logging on to the site. The users enter the user id and password when prompted and gets access to the site when they use Internet Explorer and have no problems in any way. But When they use Mozilla Firefox the user credentials are prompted again and also when they click on different links within the website they will eventually get error messages when they try to login and also wouldn't accept the login credentials. The web page is developed using .Net(.aspx ) Please can anyone help me.I couldn't find any solution on my web search so far. Please throw your ideas on the forum so that I can try them.

Multiple Webapplications - same Port - NLB

wuwu — Wed, 11 Nov 2009 18:27:04 GMT

Hello,

i have configured Multiple Web Applications at the same Port - 443.

http://forums.iis.net/t/1162225.aspx -> with the option, different IP-adresses -> at one server.

How can realise this case Multiple - Webapplications on Port 443 with servers in NLB.

I do not really know how can configure this with the DNS entry from NLB and set ip-adresses for the detail web applications.

We need this for our different web applications at our SharePoint Farm with three Webfrontend Server.

I hope somebody understand my problem and can help me,

thanks Horst

Login as different user in asp.net as in share point

dharam_hbtik — Mon, 16 Nov 2009 08:12:13 GMT

Hi everybody, My request out here is Urgent, though i have passed through what I could access in this forum and others also, but cannot finding a working solution. I have designed an ASP.NET application, at our organizational intranet, I have used Windows Authentication and it worked very efficiently. My problem is, I want my application to ask for re-entering of employee's credential when he clicked on a log out control ( it could be anything - i didn't decided what will trigger log out yet ). I want it to be like Sharepoint page where you can log as another user in the same machine. I m using following code but not working properly protected void Page_Load(object sender, EventArgs e) { if (!this.IsPostBack) { _User = User.Identity.Name.Replace("Domain\\", ""); Label1.Text = _User; } } protected void LinkButton1_Click(object sender, EventArgs e) { Response.StatusCode = 401; Response.StatusDescription = "Unauthorized"; Response.End(); Response.Redirect("Default.aspx"); } and HTML is Untitled Page

Hello

I am waiting ... Thanks.

Integrated Windows Authentication

altjx — Sun, 15 Nov 2009 02:36:22 GMT

why does this not work? what am i doing wrong? i have NTFS permissions for people on a particular domain to have access to this web server... I enabled integrated windows authentication but even the people that have permission are still being prompted for usernames and passwords. what's with this?

TLS renegotiation bug

Michael089 — Fri, 13 Nov 2009 09:42:19 GMT

Hi all,

in the beginning of November, a TLS renegotiation bug has been published, which allows MITM attacks. (http://www.ietf.org/mail-archive/web/tls/current/msg03928.html) Since its a protocol flaw, IIS is affected as well. So my questions:

- is there an official statement from the MS IIS team concerning this bug?
- are there any community-proofen workarounds?
- how about setting SSLAlwaysNegoClientCert ? - this would prevent renegotiation

Cheers,

Michael

Anonymous authentication "inherently insecure" ?

mac12 — Thu, 29 Oct 2009 22:53:14 GMT

I have a client who is insisting they won't allow anon access by policy. We don't authenticate at the web server - rather we use an isapi connector to Tomcat which does the (forms based) user password auth.

Of course this means we use Anonymous access on IIS. My claim is that there's nothing inherently insecure about using Anonymous auth in IIS give you follow best practices for limiting access/execute rights.

Does my client have a legitimate concern, or do they "just not get it". I guess they were hacked via the IIS Anon account in the past.

I'd be grateful for any authoritative statements on the matter.

Generating certificates and enabling SSL in IIS 6.0

murali gopal — Fri, 23 Oct 2009 19:27:57 GMT

I am pretty new (2 months old) to IIS.

I have a site http://test.pharma.com after enabling SSL it should be https://test.pharma.com --> Thats what I need to do.

I never enabled SSL. I dont know how to generate a certificate and enable it in IIS 6.0.

Any help is appreciated.

Mulitple sites with 443

sheldondesouza — Tue, 10 Nov 2009 16:35:39 GMT

Hello, Have 2 virtual directories in the IIS6, one of them is the default website with port 80 and then a test folder with port 81. The default website has 443 for SSL port. When i add 443 for the test website it tells me that 443 is already being used. I added host header for the test website but that did not solve the issue. Both sites are using Unassigned IP address and the server has only one NIC.

URLScan with HTTPS

Patrick12345 — Wed, 04 Nov 2009 17:14:33 GMT

After much wailing and gnashing of teeth it would appear that the solution is this:

Problem: HTTPS stopped working once URL Scan 3.1 installed on XP machine running IIS5.1

Solution: Move the URL Scan ISAPI filter to below the sspifilt ISAPI Filter

Can anyone tell me if this is the *correct* solution to the problem, i.e. that there will be no unwanted side effects?

Thanks,

Patrick

NTFS Permissions Ignored when using FTP

Gumby — Thu, 05 Nov 2009 23:08:47 GMT

Hi all.

I am trying to setup an FTP server that has different permissions for each folder within the root folder of the site. Whichever option(s) I choose (Read/Write) they get set site wide regardless of the NFTS/Active Directory permissions granted to a user or group on a given subfolder.

I did not set any user isolation when creating the ftp site as I want all users to be able to read from the root directory.

I simply want the FTP site to obey NTFS/Active Directory user and group permissions. Is this possible?

Thanks in advance for your response.

SSL on CLUSTER

tilak1980 — Fri, 30 Oct 2009 05:18:18 GMT

Hi,

Can you please tell me, Is it possible single SSL certificate to configure on multiple server's.I have one cluster server i have configured SSL certificate on Active node and i want copy that SSL certificate and restore the same in passive node. Is it possible please tell me if possible then what are the steps. I have tried but it's showing "x" this symbol it's not valid. Please suggest how can we do this. waiting for your reply.

Thank you,

Regards,

Tom Edward

Integrated windows authentication - Why am I getting login prompt?

altjx — Fri, 06 Nov 2009 15:23:46 GMT

I have Integrated windows authentication enabled, and I have "enable anonymous authentication" DISABLED. On the NTFS permissions, I have myself granted full control.

When I try to access the site from another computer using the same name that I granted access, it tells me:

The website declined to show this webpage
Most likely causes
- This website requires you to login

When I removed myself from the NTFS permission, it prompts me for login credentials, and no credentials work.

I am setting up an internal website and I just would like to allow specific people on a domain, access to the internal website.

Can someone tell me what I'm doing wrong?

Kerberos Authentication

Kelvin.uk — Thu, 05 Nov 2009 08:58:19 GMT

When users try to connect to websites hosted on our intranet server they get the following authentication error in Internet Explorer:

"HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials"

We get the error with all accounts; even aq\administrator (our domain admin account). This seems to be happening on only some computers. Interestingly if we use the intranet servers IP address rather than host name, authentication works. For example: http://192.168.0.16/website. We have not made any changes and have never had this problem in the past.

Our Setup
Domain name: AQ and AQ.COMPANYNAME.CO.UK

Domain Server:
Host name: AQ-AD
Windows Server 2003 R2
Service Pack 2
IIS 6 (anonymous access enabled)

Intranet Server:
Host name: AQWEB
Windows Server 2003
Service Pack 1
IIS 6 (anonymous access enabled)

Clients:
Windows XP SP2/3
Tested on IE6/7/8

The Errors
Client error (from the event viewer)
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/aqweb.aq.companyname.co.uk. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (AQ.COMPANYNAME.CO.UK), and the client realm. Please contact your system administrator.

Domain server errors (3 errors that keep appearing in the event viewer)

1) There are multiple accounts with name HTTP/aqweb of type DS_SERVICE_PRINCIPAL_NAME.

2) A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 14:17:15.0000 11/4/2009 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: AQ.COMPANYNAME.CO.UK
Server Name: host/aq-ad.aq.companyname.co.uk
Target Name: host/aq-ad.aq.companyname.co.uk@AQ.COMPANYNAME.CO.UK

3) A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 14:14:11.0000 11/4/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: AQ.COMPANYNAME.CO.UK
Server Name: DNS/ns0.bt.net
Target Name: DNS/ns0.bt.net@AQ.COMPANYNAME.CO.UK

No errors to report on the intranet server (AQWEB)

Authentication and Access Control Diagnostics (Microsoft tool to diagnose IIS security)
Kerberos configuration failures on AQ-AD:
Wrong credentials for AppPoolIdentity (currently Network Service)
Service principal name (SPN) for user 'aq\admin' not found in Active Directory
Service principal name (SPN) for user 'aq\administrator' not found in Active Directory

Kerberos configuration failures on AQWEB:
Wrong credentials for AppPoolIdentity: (currently Network Service)
Service principal name (SPN) for user 'aq\administrator' not found in Active Directory

SPN Setups
using "setspn setspn -l <hostname>" in the console (Windows Resource tool kit needed) I can view our current SPN mappings:

SPNs for AQWEB:
http/AQWEB
MSSQLSvc/AQWEB.AQ.COMPANYNAME.CO.UK:1433
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/AQWEB.AQ.COMPANYNAME.CO.UK
HOST/AQWEB
HOST/AQWEB.AQ.COMPANYNAME.CO.UK

SPNs for AQ-AD:
MSSQLSvc/aq-ad.AQ.COMPANYNAME.CO.UK
ldap/aq-ad.AQ.COMPANYNAME.CO.UK/LimitLogin.AQ.COMPANYNAME.CO.UK
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/aq-ad.AQ.COMPANYNAME.CO.UK
GC/aq-ad.AQ.COMPANYNAME.CO.UK/AQ.COMPANYNAME.CO.UK
HOST/aq-ad.AQ.COMPANYNAME.CO.UK/AQ.COMPANYNAME.CO.UK
HOST/aq-ad.AQ.COMPANYNAME.CO.UK/AQ
ldap/80ad2477-baa1-4c58-b419-8df53c616709._msdcs.AQ.COMPANYNAME.CO.UK
ldap/aq-ad.AQ.COMPANYNAME.CO.UK/AQ
ldap/AQ-AD
ldap/aq-ad.AQ.COMPANYNAME.CO.UK
ldap/aq-ad.AQ.COMPANYNAME.CO.UK/AQ.COMPANYNAME.CO.UK
DNS/aq-ad.AQ.COMPANYNAME.CO.UK
E3514235-4B06-11D1-AB04-00C04FC2DCD2/80ad2477-baa1-4c58-b419-8df53c616709/AQ.COMPANYNAME.CO.UK
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/aq-ad.AQ.COMPANYNAME.CO.UK
SMTPSVC/aq-ad.AQ.COMPANYNAME.CO.UK
SMTPSVC/AQ-AD
HOST/AQ-AD
HOST/aq-ad.AQ.COMPANYNAME.CO.UK

This sounds like we have a Kerberos authentication issues but I am not sure how to fix them, I have never come across this before. Any help would be great!

Thanks.

Anonymous Authentication Problem

c0mpshades45 — Sun, 01 Nov 2009 04:41:35 GMT

I haven't used IIS in a while and am having trouble adding security to my server's directories. I created a new username and pass for the use of security, however, when I go to apply this to anonymous authent with this new user and pass, it doesnt prompt me in the web browser. I've restarted the server many times, refreshed, etc.. no luck... any hep/suggestions?

PHP 5.2 on IIS 6 Authentification issue

openriver — Wed, 04 Nov 2009 20:42:51 GMT

i installed php 5.2 on an iis6.0 server but when i try to view http://preview.seismicmicro.com/php/phpinfo.php it is requiring a log in to see it. what am i missing?

liannemr@verizon.net

IISADMPWD , Security Issue: any user can change other user password

aacable — Tue, 03 Nov 2009 10:50:44 GMT

Hi,

I am using IIS6 / iisadmpwd module to give user option to change there password via web.

But the issue is that any user can change other user password , for example

John can change smith's password if he knows his password. (In our orgnaization, we have one common password for all users)

How to restrict users to change there account password only ?

Regard's

Syed Jahanzaib
N.A.E.i
http://www.nae.com.pk