IIS7 - Security

401 - Unauthorized: Access is denied due to invalid credentials.

Sydney2009 — Thu, 19 Nov 2009 07:33:00 GMT

I have this situation.

We have setup IIS authentication as Integrated Authentication
My environment is Windows 2008 Standard (Version 6.0.6001 Service Pack 1 Build 6001), IIS 7.0

All the users are able to login except "user1"

I have tried this.

I grant user1 full permission in the WWWROOT but still the same result
I tried user2 from the same PC (PC1) where user1 logins. It prompted for user2 password. User2 conencted ok..
I tried user1 to login to other PCs. Still same result
I tried user1 to connect from other PC where other users have login.Still the same result.
I tried to install authdiag.exe but it does not start properly. It showed me a help window (of the various command line options).
I enabled "Failed Request Tracing" but the output does not help

What else can I try?

How to configure IIS 7 to communicate with an external Certificate Authority

atlasy — Fri, 20 Nov 2009 20:00:05 GMT

Hi,

I have a web application that require a user certificate. I've hosted this application in ms server 2008. In the other hand, i have my own certificate authority that is setted up in an other server 2008.

From II7 of my web application server, I've create a certificate request. I've copyied the request to my certificate authority server, and then, i've issued the web app certificate.

The users can get their "user certificate" from CA server.

The problem is: My IIS 7 cannot verify the user certificate if it's valid or not! I'm wondering how can I configure my Web App Server (IIS 7) to communicate the my CA Server to validate the user certificate??

thanks for your help

How to configure IIS7 to communicate with an external Certificate Authority

atlasy — Fri, 20 Nov 2009 19:28:56 GMT

Hi,

Reporting IIS7 Windows 2008 bug

joled0 — Mon, 24 Aug 2009 18:26:10 GMT

I read in some articles in this forum to report bugs here since a number of MS employees monitor this forum. There is a bug in IIS 7 where a website will lose a binding to an SSL certificate. This has happened about 4 times in the past 2 weeks.

We have Windows 2008 server, IIS7, ColdFusion 801, there are about 6 websites defined as well as the default site. Some of the sites use SSL and we have purchased certificates for those sites. One of the websites will occasionally lose its binding to the SSL certificate. All of a sudden users are not able to get to any secure pages and sure enough when I go into IIS7 > Server > Sites > Site_in_question > Bindings > edit https port 443 the SSL certificate is not selected. Selecting the cert clears everything up. We have not recently changed any files for this website. Unfortunately this is not something I can reproduce at will, it happens sporadically.

let me know if you would like to report this via other channels or want me to try something.

Regards,

Joe

IIS7 IP restrictions on shared configuration (2008 server)

abadon — Thu, 19 Nov 2009 22:48:28 GMT

Hello,

I have a setup of two servers using NLB and a shared configuration file on windows 2008 server and IIS7.

I have installed IPv4 restrictions and set it up as "deny all but listed", added the exception, but I can still access the site from unlisted locations.

Please help.

nt authority\network services in iis7

sryan@seewolf.com — Mon, 16 Nov 2009 15:50:34 GMT

Hey folks -- I'm getting this error when i try to view reports remotely ...

when i'm on the server, the reports load - from my dev machine i get

thanks for the help - sandy

Log Name: Application
Source: ASP.NET 2.0.50727.0
Date: 11/16/2009 8:46:06 AM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: SWCVI1.seewolf.com
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/16/2009 8:46:06 AM
Event time (UTC): 11/16/2009 3:46:06 PM
Event ID: a64f331a1f9c4f21b1f56d06940202b4
Event sequence: 35
Event occurrence: 3
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/3/ROOT-1-129028596527246330
Trust level: Full
Application Virtual Path: /
Application Path: C:\inetpub\CVIPhase3\
Machine name: SWCVI1

Process information:
Process ID: 1320
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: LoadSaveReportException
Exception message: An error has occurred while attempting to load the Crystal Reports runtime.

Either the Crystal Reports registry key permissions are insufficient or the Crystal Reports runtime is not installed correctly.

Please install the appropriate Crystal Reports redistributable (CRRedist*.msi) containing the correct version of the Crystal Reports runtime (x86, x64, or Itanium) required. Please go to http://www.businessobjects.com/support for more information.

Request information:
Request URL: https://172.16.0.185:443/Common/Reports/OrderReportAdmin.aspx
Request path: /Common/Reports/OrderReportAdmin.aspx
User host address: 172.16.0.6
User: xxxxxxxxx.com
Is authenticated: True
Authentication Type: Forms
Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
Thread ID: 7
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at CrystalDecisions.CrystalReports.Engine.ReportDocument.CheckForCrystalReportsRuntime()
at CrystalDecisions.CrystalReports.Engine.ReportDocument..cctor()

Custom event details:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ASP.NET 2.0.50727.0" />
<EventID Qualifiers="32768">1309</EventID>
<Level>3</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-11-16T15:46:06.000Z" />
<EventRecordID>897</EventRecordID>
<Channel>Application</Channel>
<Computer>xxxxxx.com</Computer>
<Security />
</System>
<EventData>
<Data>3005</Data>
<Data>An unhandled exception has occurred.</Data>
<Data>11/16/2009 8:46:06 AM</Data>
<Data>11/16/2009 3:46:06 PM</Data>
<Data>a64f331a1f9c4f21b1f56d06940202b4</Data>
<Data>35</Data>
<Data>3</Data>
<Data>0</Data>
<Data>/LM/W3SVC/3/ROOT-1-129028596527246330</Data>
<Data>Full</Data>
<Data>/</Data>
<Data>C:\inetpub\CVIPhase3\</Data>
<Data>SWCVI1</Data>
<Data>
</Data>
<Data>1320</Data>
<Data>w3wp.exe</Data>
<Data>NT AUTHORITY\NETWORK SERVICE</Data>
<Data>LoadSaveReportException</Data>
<Data>An error has occurred while attempting to load the Crystal Reports runtime.

Either the Crystal Reports registry key permissions are insufficient or the Crystal Reports runtime is not installed correctly.

Please install the appropriate Crystal Reports redistributable (CRRedist*.msi) containing the correct version of the Crystal Reports runtime (x86, x64, or Itanium) required. Please go to http://www.businessobjects.com/support for more information.</Data>
<Data>https://172.16.0.185:443/Common/Reports/OrderReportAdmin.aspx</Data>
<Data>/Common/Reports/OrderReportAdmin.aspx</Data>
<Data>172.16.0.x</Data>
<Data>xxxxxxxxxxx</Data>
<Data>True</Data>
<Data>Forms</Data>
<Data>NT AUTHORITY\NETWORK SERVICE</Data>
<Data>7</Data>
<Data>NT AUTHORITY\NETWORK SERVICE</Data>
<Data>False</Data>
<Data> at CrystalDecisions.CrystalReports.Engine.ReportDocument.CheckForCrystalReportsRuntime()
at CrystalDecisions.CrystalReports.Engine.ReportDocument..cctor()
</Data>
</EventData>
</Event>

Disable SSL v2 in IIS7?

firestormo — Thu, 18 Sep 2008 05:20:35 GMT

I saw and read http://support.microsoft.com/kb/187498

It states that it is the same for IIS 7 on 2K8, but when I looked in the registry I only saw the Key for SSL 2.0 and no other versions, then expanding that key there is a client subkey but no server subkey. So I created the server subkey and added the Enabled DWORD with a value of 000000 (aka 0) like the kb article states, rebooted, and SSL V2 is still working. Anyone have ideas?

Thanks in advance

Problem Binding an SSL Cert

KBelmont — Thu, 24 Apr 2008 16:34:27 GMT

I'm having a strange issue with IIS7 on Windows 2008 Server trying to install a wildcard SSL cert. This cert installs on Windows 2003 without issue, and can be enabled on IIS 6 sites without a problem.

On the 2008 box, I'm able to launch the MMC and place the SSL cert into the local computer repository without issue. The chain of trust appears intact, and the General tab of the properties window says the cert is good for server authentication.

When I go into the IIS Administrator is when I start seeing the problems. I'll select the web site, then go to SsL Settings, then select BIndings from the right hand side. When adding a new binding, my cert shows in the drop down. I get the following error:

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

Clicking ok on the window, and the binding of course doesn't show. Close the Bindings window and reopen it, and the binding to 443 shows properly. However, you cannot open a connection to that port on the server. It's not listening.

Interestingly, if I create a self-cert, the process works fine and I can create a connection to port 443 on the server. Due to this, I think it's a problem with the wildcard cert-but I'm not sure how to fix it, or even find what's wrong.

Integrated Windows Authentication is still prompting me

altjx — Sun, 15 Nov 2009 01:19:06 GMT

I have windows authentication integrated on my IIS server

what i want to do is that, anyone who is already logged on with authenticated credentials, i would like them to bypass the login prompt. why is it still prompting me for the login?

for example, if i want "charlie" to have full permission to my web server. he has full NTFS permission but if he's logged in as charlie, it still prompts him for some reason

Getting 401 error when calling a website using IPAddress or Host Name. But, works fine when called using localhost

pmd_Areef — Wed, 18 Nov 2009 09:21:46 GMT

Hi,

We are using Windows Server 2008 64bit and IIS 7. When we call a page in our application by using http://locahost in the server itself everything works fine and we get the page displayed.

But, when I call the page using http://<IPAddress> or http://<machine name> it does not return the page and throw the 401 error. We use Windows Authentication to display the page.

Anyone has seen this behavior? Any suggestion to help on this?

Thanks,

Areef

NTFS permissions with IIS FTP 7.5

TheMocoMan — Wed, 18 Nov 2009 14:43:10 GMT

Hey everyone,

I have a real simple question (I hope) I've never had the request but one of my users wants an account that can upload, create folders, modify files, but never be able to DOWNLOAD them.

The user logs in with FTP to my IIS server and can do almost everything except download the file. I think others will use this account to upload graphics and they don't want the users who share this one account to be able to download the images. Protecting intellecatual property?

Who knows. What I need to know is the delicate balance of NTFS permissions to set in order to achieve this.

~THANKS IN ADVANCE~

FTP: Using NTFS Folder Permissions instead of IIS FTP Authorization Rules

chrigil — Tue, 29 Jul 2008 16:08:04 GMT

Is it possible to have IIS use the NTFS folder permissions instead of the FTP Authorization Rules when determining who has access to a particular folder? I have tried setting the permissions on the folder using NTFS to Read (with no write permissions) and then not adding any user in the FTP Authorization Rules area of IIS but this doen't allow the user to login at all.

Using the old IIS you could simply set the permissions on the folder and leave it at that. Have a group for read only people and a group for read/write and then add the desired users to the desired group. But now it seems that FTP Authorization Rules overrules whatever settings you have for the folder even though you seem to be obliged to add users.

Any ideas?

Thanks, Chris

Where is Windows Authentication??

ITPartTimer — Wed, 01 Aug 2007 00:06:32 GMT

I have an asp.net app set up on an XP machine with IIS5.1 and it works fine with Windows Auth and NO Anonymous Auth. The app is used only on an intranet.

I am not setting up the same app on a Vista Home Premium machine. After the app is set-up, there is NO Windows Authentication listed in Features View > IIS > Authentication.

I put a check next to everything, except CGI stuff, when I added the IIS functionality to Vista thru the Turn Windows features On/Off area of the control panel.

Using the help link in IIS, it took me to a page that clearly explains how to turn it on in the Authentication section. Made sense, but Windows Authentication is NOT listed. I only have:

Anonymous Authentication - Disabled, ASP.NET Impersonation - Enabled, Basic Authentication - Disabled, Forms Authentication - Disabled

Where is it? Thanks

ASP.net script to launch batch file doing nothing

ashortt — Wed, 18 Nov 2009 00:45:29 GMT

Hi,

I posted this question on an ASP.net forum but I think it's probably more of a security issue so I thought I'd see what you guys think.

I'm working off IIS7 on Windows Server 2008.

I want to execute a program on the server-side using a web service. This program reads in some text files, runs some code and writes the results to file. I'm trying to launch the (GAMS) program using a batch file containing the necessary shell command. Here's the contents of the .bat file:

gams c:\gams\stage1.gms idir C:\GAMS\inputs Wdir=C:\GAMS

When I launch the .bat file in windows a command window flashes up and the results file is written to disk. Excellent.

So, now I tried to execute this batch file using a simple ASP.net Web Service. Here's the code:

<%@ WebService Language="C#" class="HelloWorld" Debug="true"%>

using System.Web.Services;

[WebService(Namespace = "http://tempuri.org/")]
public class HelloWorld : WebService
{
    [WebMethod]
    public string ExecuteTest()
    {
        System.Diagnostics.Process proc = new System.Diagnostics.Process();
        proc.StartInfo.FileName="C:\\GAMS\\GAMS_stage1.bat";
        proc.Start();
        return "bat file executed";
    }
}

When I run this in a browser, I get the xml response:

<?xml version="1.0" encoding="utf-8" ?>
<string xmlns="http://tempuri.org/">bat file executed</string>

However, the GAMS program either never executes or something goes wrong as the output of the GAMS program is never written to disk. I presumed there was a permissions issue but I've given full control permissions to the NETWORK SERVICE user on the affected directories and I'm not seeing ACCESS DENIED messages in Process Monitor.

Am I giving permissions to the wrong user for ASP.net on Windows 2008? Is this something to do with application pools?

How do I know if the program executed at all? I believe that the program would be running on an invisible desktop so I can't see anything. I'm sure I probably need more code as well. I tried to add proc.WaitForEnd() for example, but that caused an error.

Any ideas?

Thanks for your help

Aonghus

Windows Server 2008 IIS7 - Web site sub site windows authentication causing post back issues

mdhill — Tue, 17 Nov 2009 09:12:40 GMT

I'm not sure if this is in the correct forum but...

One of our clients hosts their own external website configured to allow anonymous access. Within this site is xxxx/intranet that is set to use windows authentication and basic authentication. Within in the root website are a number of areas that are not working such as search facility and text resize, if the xxxx/intranet site is accessed. This has been tested both internally and externally, if /intranet is not accessed at all the searches etc. work all OK.
These use a post back method. apparently, there is a known issue with IIS where windows or basic authentication are used within a root site, causing the authentication token to raise the issue when going back to the root domain. Only example we can find is http://www.eggheadcafe.com/software/aspnet/32246978/empty-post-request .aspx . we have tried the solutions suggested on this site, and this has made no change.
They are using Windows server 2008 32 bit, service packed and all patches applied, IIS7.

Any ideas?

This has already been posted here: http://forums.asp.net/t/1491424.aspx

but they have pointed me in your direction in case you know of any web server sidde issues that may cause this behaviour?

IIS 7 load user profile with domain account

waaromikniet — Fri, 13 Nov 2009 14:00:41 GMT

Hello,

I am running an ASP.NET 3.5 app under IIS 7. The app pool account is a domain account. The load user profile is set to false.

When I open the app I get the error:

Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed

When I set the load user profile to true the site works. When I no set the option back to false the site keeps working?

The app pool domain user is a member of IIS_IURS group. This group has rights on c:\windows\temp % temp asp.net files

Anybody any idea?

Authentication breaks

jakb — Mon, 16 Nov 2009 10:09:40 GMT

My framework 4 asp.net app using forms authentication runs fine in Cassini and in IIS7.5 on the local box but on a public facing box with IIS7.5 in the DMZ (running cookieless session state) the authentication breaks without returning any error - the forms authentication simply does not work.

I have modified the register.aspx.cs entry to accept the cookieless state thus without effect:

FormsAuthentication.SetAuthCookie(RegisterUser.UserName, true);

Can anyone advise why the login is failing?

Could not create SSL/TLS secure channel

bryanc — Tue, 07 Apr 2009 21:14:28 GMT

Hi all,

We have some code that does a post to a https address using HttpWebResponse. It works fine on server 2003 with iis 5.x or whatever, but when we try to run it on 2008 with IIS7, it gives us the following error:

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

I suspected it was a certificate issue or something, so i added the ServicePointManager.ServerCertificateValidationCallback and just returned "true" but the issue still persists.

this is the relevent code:

      HttpWebRequest Req = ((HttpWebRequest)(HttpWebRequest.Create(("https://secure.[siteaddress]?" + postData))));
   Req.AllowAutoRedirect = true;
   Req.Timeout = 150000;
   Req.ProtocolVersion = HttpVersion.Version11;
   Req.ContentLength = postData.Length;
   Req.ContentType = "application/x-www-form-urlencoded";
   Req.KeepAlive = false;
   postData = "";
Req.ContentLength = postData.Length;
   Req.AllowWriteStreamBuffering = true;
   string result;

ServicePointManager.ServerCertificateValidationCallback += new System.Net.Security.RemoteCertificateValidationCallback(ValidateCertificate);

HttpWebResponse objResponse = Req.GetResponse() as HttpWebResponse;

any ideas as to why this is happening?

also, if we just paste the request into the address bar of a browser on the machine, it works with no errors.

Error 500.19

benbeadle — Sat, 14 Nov 2009 18:00:42 GMT

When changing my site's directory from C:\inetpub\wwwroot to a folder in my document, going to localhost in the browser gives me the following error:

Error Summary

HTTP Error 500.19 - Internal Server Error

The requested page cannot be accessed because the related configuration data for the page is invalid.

Detailed Error Information

Module	IIS Web Core
Notification	Unknown
Handler	Not yet determined
Error Code	0x80070005
Config Error	Cannot read configuration file due to insufficient permissions
Config File	\\?\C:\Users\Ben Beadle\Documents\Website\Website 3.0\web.config

Requested URL	http://localhost:80/
Physical Path
Logon Method	Not yet determined
Logon User	Not yet determined

Config Source

   -1: 
    0:

Links and More Information This error occurs when there is a problem reading the configuration file for the Web server or Web application. In some cases, the event logs may contain more information about what caused this error.

View more information »

I have tried many things, spending hours googling for the answer, but to no avail - it still gives me the error. I am using Windows 7.

530 User cannot log in, home directory inaccessible

CyberIT — Sat, 14 Nov 2009 13:46:34 GMT

Hi All. Thanks in advance for your help.

I am using Windows Server 2008 Standard with the downloadable version of IIS7.5. My problem is Domain Users are not able to login to my FTP server. I have followed all posts that I could find for help but still no resolution. All admins are able to login.

If I add a user to the Domain Admins group in Active Directory, then that user is able to login. Then if I take that user back out of the Domain Admins group, the user is then not able to login.

I used the process monitor to see what is happening in the background when a normal domain user tries to login. The only error I saw was ACCESS DENIED, but I do not know what access was denied. The path is correct as the same user can login if added to the Domain Admins group.

Any suggestions?

Thank you.

error 401 in IIS 7???

cluceOSI — Tue, 06 Oct 2009 13:57:06 GMT

we have just upgraded our server to a 64 bit versionWindows server 2008 R2 and I transfered all my websites over and every web site I access I get the following error message:

401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

any ideas? Thanks

Frustrated.. Opening a file keeps prompting for username/password

JRArseneau — Fri, 13 Nov 2009 18:28:50 GMT

Hi everyone,

I've been hitting my head against the wall with this issue for a few months now (ever since we deployed 2008/2008R2) and I have yet to find a fix (or any indication of why my issue is happening)..

Scenario is..

Site secured behind Digest Authentication via AD login.

Everything works as expect, however, we have PowerPoint (.ppt) and Doc files (.doc/.docx) that people often need to open via the web. When prompted with the dialog box from IE to Open/Save the file, clicking "Save" allows them to save the file without issue. Clicking "Open" however causes PowerPoint or Word to launch and to CONTINUALLY prompt for the user's credentials (through a Windows Security dialog box). The only way they can access the file is to hit Cancel on the Windows Security dialog box and the file opens normally.

This isn't an ACL issue (otherwise they wouldn't be able to save the file). I have no idea why this is happening, nor can I find any documentation on how to fix it. Our clients are extremely frustrated (we have thousands, so getting the word out is difficult) that they have to hit the cancel button to open the file.

The logs files don't show anything other than the user is attempting to access the file. Again, if the file is first saved and then open, there is no issue, it's simply when they try to open it directly.

Does anyone have ANY suggestions as to why this is occurring?

Disable Anonymous Authentication Scenario

Folder — Thu, 12 Nov 2009 19:30:33 GMT

Hi,

I created a web application and deployed it to a folder on a server. I was checking authentication using IIS Manager. I know that enabling anonymous authentication mean that a user outside of the domain can visit the web application as an anonymous user. I wonder what would happen if I disable anonymous authentication? Will a user be prompted to enter credentials? Let me know, thanks in advance.

DoS Attack

web2000 — Fri, 06 Nov 2009 19:26:29 GMT

Is there any built in feature/capability in IIS 7 which can detect DoS attacks?

Can someone point me to good resources relating to IIS 7 and preventing DoS attacks.

Directory Enumeration possible on Web Server

sunitha4ever — Tue, 10 Nov 2009 06:22:54 GMT

Hi,

My web application runs on Windows Server 2008 and IIS 7. During penetration testing, we found that it was possible to determine the existence of directories within the web root on the system through messages returned by the access control code. This could enable an attacker to target particluar areas of functionality that they otherwise may not be aware of.

Eg: 1. Directory : /includes/ - Return Code: 403 ; Conclusion:- Forbidden. This directory exists but access has not been granted.

2. Directory : /Views/ - Return Code: 403 ; Conclusion:- Forbidden. This directory exists but access has not been granted although access is granted to subdirectoires for example /Views/xyz/abc.aspx

3. Directory : /mwr/ - Return Code: 404 ; Conclusion:- Not Found. This directory does not exist in the web root

Could you please help me to prevent this enumeration of directories such that a resource that the current user does not have access to should yield an identical message to the one displayed if that resource does not exist.