Alright Stackoverflow, after much fruitless research I've ended up here!
I am attempting to get a .NET Core 2.0 site hosted out of IIS with Windows Authentication and SSL, and no matter what I try I continue to get inconsistent/intermittent 403 Access Denied errors.
If there was something dead-wrong, I would expect it never to work. However, it works maybe ~3/10 times if I restart the site and the app pool. There is nothing useful that I can find in the Event Viewer, Application Logs, or IIS trace logs.
Things I have done in no particular order:
The app pool is running as a gmsa account with rights to my database (prod.service$)
Granted log on as a service, and log on as batch to the gmsa account.
Granted IIS_IUSRS, prod.service$, and Domain Users permissions on the web root folder. Currently at full-control out of despair.
Granted IIS_IUSRS, prod.service$, and Domain Users permissions to the certificate.
Enabled Windows Auth, Disabled Anonymous Auth
Set default document pointing to the front-page.
Set the app pool to "Load Profile"
Set the .NET CLR version to "No Managed Code"
Set ForwardWindowsAuthToken to true in the web.config
NTLM has been moved to the top of the list as the first auth provider under Site > Authentication > Right-Click Windows Authentication > Providers
One more detail is that I am trying to authenticate with users from a different domain, where a one-way trust is set up. I am remoting into the host with credentials from the 'other' domain, so it has visibility.
Here is my web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\MCP.MVP.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true" startupTimeLimit="3600" requestTimeout="23:00:00" />
<defaultDocument>
<files>
<add value="/home/index" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
<!--ProjectGuid: [REDACTED] -->
From Startup.cs:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
services.Configure<IISOptions>(options =>
{
options.AutomaticAuthentication = true;
});
From Program.cs
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseIISIntegration()
.UseStartup<Startup>()
.Build();
Using Authorize attributes everywhere:
[Authorize(Policy = "RequireViewerRole")]
Authorization Glue, where Configuration["RequireViewerRoles"] is a comma delimited list of domain groups:
services.AddAuthorization(options =>
{
options.AddPolicy("RequireViewerRole", policy => policy.RequireRole(Configuration["RequireViewerRoles"].Split(',')));
});
Have I entered .NET Core 2.0 bug territory, or am I missing something?
It turned out to be a massive red herring!
It was a 401.2 "invalid server configuration" error. I finally noticed a pattern where the application would work if I opened up the folder security permissions dialogue, which would forcibly hit the domain-controller and cache the group names from the user domain. The application would work fine for about 5 minutes, before refusing to authenticate again with no other changes made.
The issue was solved by configuring the domain name on the group, which is obvious in retrospect. (DomainName\\Domain Users). The fact that it worked at all without the domain name led to a lot of confusion. There was nothing to indicate this error from the IIS logs, and ultimately it was solved by trial and error.
Related
I've deployed a web application into our Azure, using the latest .net core 3.1 stack, the application is divided into 3 virtual apps running under the same Web app deployment and this is what seems to be causing the issue, as I can access the main application located on the root http://mywebapp/index.html but when I attempt to access any of the virtual paths IE: http://mywebapp/virtualapp/index.html the following error is displayed:
HTTP Error 500.35 - ANCM Multiple In-Process Applications in same Process
Common solutions to this issue:
Select a different application pool to create another in-process application.
Specific error detected by ANCM:
Only one in-process application is allowed per IIS application pool. Please assign the application '/LM/W3SVC/1848604257/ROOT/business' to a different IIS application pool.
Troubleshooting steps:
Check the system event log for error messages
Enable logging the application process' stdout messages
Attach a debugger to the application process and inspect
For more information visit: https://go.microsoft.com/fwlink/?LinkID=2028526
Looking through the page referenced by Microsoft the information shown for this error is :
500.35 ANCM Multiple In-Process Applications in same Process
The worker process can't run multiple in-process apps in the same process.
To fix this error, run apps in separate IIS application pools.
So my question is, Is there a way to work with multiple web applications deployed into virtual paths for a single web app in azure under .Net Core 3.1? Or is this a limitation on .Net Core 3.1 and apps are supposed to be deployed into separate web applications?
Thank you
I ended up asking Microsoft about this error and how to resolve this on the Azure platform and they pointed out that the solution is to change your web application as well as any other virtual application deployed from "InProcess" hosting model to "OutOfProcess", you can find more information about what this means here but essentially to achieve this you need to add the following value to each project file (.csproj):
<PropertyGroup>
<AspNetCoreHostingModel>OutOfProcess</AspNetCoreHostingModel>
</PropertyGroup>
After deployment on Azure verify the change has taken place by validating that your web.config has the following settings:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet"
arguments=".\MyApp.dll"
stdoutLogEnabled="false"
stdoutLogFile=".\logs\stdout"
hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
I am working on an application transfer between Windows Server 2008R2 running IIS 7.5 into a Windows 2016 Server running IIS 10. The login system for the application is using Form Authentication with LDAP to allow the user to log in and make changes. The user can login without any issue on the 2008R2 server, creating the necessary cookie for usage. However, on the 2016 Server, the login system authentication seems to break. It seems as though the cookie is created but that the system does not seem to be able to find the user after the cookie is created. Furthermore, on a specific page that does not run any of the login processes, the application appears to be using Windows Authentication rather than the Forms Authentication that it is explicitly being told to use. The settings for the application in the web.config specifically tell it to use forms rather than windows authentication.
The web.config for the application contains the following information for the connection strings:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://OURLDAPSYSTEM"/>
</connectionStrings>
The LDAP item for this system is only used for validation not permissions.
and the authentication and membership:
<system.web>
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/" timeout="60" slidingExpiration="true" protection="All"/>
</authentication>
<membership defaultProvider="ADMembershipProvider">
<providers>
<add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
In the controller that performs the login process:
userLoginSuccess = Membership.ValidateUser(model.UserName, model.Password);
//Make call to another DB to check permissions for usage
FormsAuthentication.SetAuthCookie(model.UserName, true);
On the IIS on the server, the authentication for the application appears as follows:
Authentication for the application
While the authentication for the entire Web Site appears as follows: Authentication for the Site
Each of these match what is already located on the Windows 2008R2 server.
Anyone have any ideas what would have changed on the Windows 2016 server that would prevent the authentication from working the same as 2008R2? And if so, how would I fix this issue?
Same thing here - just spent all day looking at this.
Found this: https://www.itnota.com/enable-secure-httponly-cookies-iis/
<system.web>
...
<httpCookies httpOnlyCookies="true" requireSSL="false" />
...
</system.web>
We added the to the web.config and it worked.
I published an aps.net core 2.0 mvc app to a shared web hosting server that uses Plesk as control panel. The app works fine. However, I got the following error message when trying to access the web statistics:
This example.com page can’t be found
No webpage was found for the web address: https://example.com/plesk-stat/webstat/
HTTP ERROR 404
I contacted their support and got the answer "the .net core application settings aren't allowing the webstats to load. We recommend you consult with an experienced website developer to customize the web.config code accordingly for the website.", but they don't know how to configure the web.config file.
I really want to make the webstat to work. Any suggestion will be appreciated.
If URL Rewrite is blocking the access, try adding this string to the <conditions> section of the rule which is affecting webstat page:
<add input="{REQUEST_URI}" pattern="^/(plesk-stat/webstat)" negate="true" />
If that does nor help, configure failed request tracing to find which exact module is performing a redirect.
Along with changes in the web.config of the ASP.Net Core site itself to send the /plesk-stat/ url to IIS, a web.config must be added in the following directory:
C:\Inetpub\vhosts\{domain.tld}\.plesk\statistics\{domain.tld}\
(replace {domain.tld} with your domain), with the following contents:
<configuration>
<system.webServer>
<handlers>
<remove name="aspNetCore" />
</handlers>
</system.webServer>
</configuration>
This has to be done by the hosting provider on the server. Maybe you should contact the support of your hosting provider.
I inherited a project that I was asked to look at. It's an ASP.NET website that is deployed on a clients intranet server. They gave me VPN access and the source code. They are using Active Directory for authentication.
So here's my setup: Code running locally, connected to their db on their db server.
In the web.config I see that authentication mode=Windows and identity impersonate is true. However, when I run the project I get this error:
Could not create Windows user token from the credentials specified in
the config file. Error from the operating system 'The security
database on the server does not have a computer account for this
workstation trust relationship.
The username for the identity line (web.config) is a service account. All this runs fine in production. Any ideas as to why this app is not authenticating? Thanks!
If your dev machine is not joined to their domain, then it might not work. But maybe it's possible.
As a start, try disabling Kerberos and forcing NTLM using this in the web.config:
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true">
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
If you are hosting locally in IIS, then you can do the same in IIS Manager. Select the site -> Authentication -> Right click Windows Authentication -> Providers -> Remove 'Negotiate' from the list, leaving only NTLM.
I have developed a .NET REST web service in C#. While I have plenty of C# experience, I unfortunately do not have much understanding in deploying such a service in a web hosting environment.
Due to the environment, I do NOT have access to IIS.
The advice I have been provided with by the support services of the hosting provider is as follows:
Create a subdomain of the main domain to achieve a dedicated application pool (this a requirement of the host provider)
Create a Bin folder to hold my compiled libraries of source code
Add the following to the Web.Config file:
<system.web>
<httpHandlers>
<add type="ReportRESTWebService.Service, ReportRESTWebService" verb="*" path="report" />
</httpHandlers>
</system.web>
<system.webServer>
<handlers>
<add name="report" path="report" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="File" requireAccess="Script" preCondition="classicMode,runtimeVersionv2.0,bitness32" />
</handlers>
<directoryBrowse enabled="false" />
</system.webServer>
The above would have the effect of creating a handler mapping for the report resource on all HTTP verbs and forwarding any HTTP traffic on that resource to my ReportRESTWebService.dll for handling.
The point I am unclear on is whether the above will be satisfactory and how do I test whether the advice I am given is correct. I know that I have the site running locally but I have access to IIS so I have control over the configuration.
Hopefully somebody can help.
Thanks
If you are using Wcf Rest,then you can probably consider hosting it as as windows service
or self hosted service.
Windows Service
http://blogs.msdn.com/b/juveriak/archive/2009/03/15/rest-endpoint-hosted-in-a-wcf-windows-service.aspx
Self hosted Service
http://www.c-sharpcorner.com/uploadfile/dhananjaycoder/self-hosted-wcf-rest-service-or-hosting-wcf-rest-service-in-console-application/
It would seem, after a day of exhaustive testing, that the steps I had taken (detailed in the question) would be satisfactory.
One point to watch out for is the matching Managed Pipeline Mode for your application pool. Failure to match this up correctly with your Web.Config will result in pain.