Authentication of JRun&IIS

After I connected JRun and IIS on the same machine, and tried
to open a html
page I always see a popup window asking me to provide the
username and
password. But if I only use IIS(no connection to JRun) I am
able to open
that page in web browser without any problem. Does anyone
know why I get the
login prompt window?
Thanks a lot.

It turned out to be a NTFS permission issue.
After I assigned the permissions of the targeting folders and
files to the designated users it's working fine now.
Thanks.

Similar Messages

JRun 4 Windows Authentication

Hi ALL
I am trying to configure windows authentication on Jrun 4 web server.
I configured windows authentication on Tomcat successfully using NtlmHttpFilter.
Is there any possiblity I can do it in JRun4.
or any ideas or suggestions...
Please help me..
Thanks
Edited by: ncbn on Jul 10, 2009 6:39 PM

Thanks, i don't really understand, <init-param>
          <param-name>jcifs.netbios.wins</param-name>
           here goes the AD server name or IP
           <param-value>adserver</param-value> 123.45.67.89
          </init-param> here is it put my ip address?
And this part <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>NYC-USERS</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.username</param-name>
        <param-value>somenycuser</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.password</param-name>
        <param-value>AReallyLoooongRandomPassword</param-value>
    </init-param> Can i change the username and password? I try to run the script i got this error
java.net.UnknownHostException: NYC-USERS
     jcifs.netbios.NameServiceClient.getAllByName(NameServiceClient.java:307)
     jcifs.netbios.NbtAddress.getAllByName(NbtAddress.java:463)
     jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:79)
     jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:157)
     jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:121)
Can you please kindly help me ?

SSO from JSP to IIS

Security gurus,
I am trying to implement a simple Single Sign-on solution and have been having pretty hard time getting it to work! I am wondering if you would be able to help me out..
The description of the problem and the attempts I made are presented below.
We have a web app that is restricted and hosted on IIS (windows 2000) server.
Now, I have a JSP that has the following link:
Secure Page
When the users click on it, they need to be able to access the Secure Page without being prompted for windows challenge (uid/pwd) window. mysite.com is configured to accept both 'BASIC' and 'Intergrated Windows Authentication'.
In the JSP, I know the username, password and domain. Somehow, I need to pass this authentication info to IIS, so that it does not prompt for uid/pwd pop-up.
Some of the approaches tried:
1) <form name="postForm" action="http://username:[email protected]" method="post" target="_blank" >
</form>
Secure Page
This thows an HTTP 405 (page expired) error. Even trying to access www.yahoo.com gives 405 error. Even if this worked, the uid and pwd will be visible in the browser and so, it is not acceptable.
2) Tried setting HTTP headers (appropriately Base64 encoded) but that did not work either. Here, I am not sure if I am soing the right stuff. Tried using the WWW-Authenticate and Authenticate headers.
3) The following link that has a good thread, but it does not address my prob. It is related, but not of direct help.
http://www.jguru.com/forums/view.jsp?EID=393110
Any leads that you could provide, would be of HUGE help. This has been giving me sleepless nights for a week! It shouldn't be that hard to accomplish this. Not sure where am I doing it wrong.
Thanks,
Anant

If the secure page needs basic authentication (that mean, if you configured it to be protected like that), sending the right HTTP headers should work.
You need to send your headers like this:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
The puzzled string is the Base64 coded username:password. See
http://www.zvon.org/tmRFC/RFC1945/Output/chapter11.html#sub1
for details.
--pn

ColdFusion 10/IIS 7.5 Authorized Access Issue

I've installed ColdFusion 10 on my Windows VPS, running IIS 7.5. The VPS is managed through Plesk 11.
Everything works great if I'm just trying to access an HTML file as shown here: http://broncotime.info. However, if I try to access a .cfm page, I get a login screen that prompts for my User Name and Password, see http://broncotime.info/index.cfm
If I hit cancel while logged in locally on the server, I'll see the error message:
HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.
Error Code: 0x80070005
Physical Path: C:\Inetpub\vhosts\econsummit.secureserver.net\broncotime.info\index.cfm
From everything I've read, including the on-page 'likely causes', it's an issue where the user doesn't have the correct permissions. However, I've updated all the files within C:\Inetpub\vhosts\econsummit.secureserver.net\broncotime.info\ and c:\ColdFusion10\cfusion\wwwroot to have read\execute permissions for everyone. So I'm unsure where the permission issue could be since it seems like I covered all my bases there.
I've also updated the Anonymous Authentication (within the IIS settings) to point to Application pool identity as specified by other folks who have experienced this. To no avail!
So my question is: How do I make my ColdFusion pages viewable to the public?
One more not since this may factor in somewhere...none of the user accounts set up for the server actually work for the prompted authentication.
Thanks,
Aaron

I did find this page entitled Coldfusion, IIS7, Plesk and 401 Authentication that seems to address the issue but like the comments from the users at the bottom of that page, I don't have ColdFusion listed in the Plesk reconfigurator.

Using Web Service to localhost in IIS works, but remote W/S to IIS does not

I have built an Air application that connects to a MS CRM web service (port 5555) and it works fine when I am on the server (the web service recognizes the user credentials in .NET function calls), but when I run the AIR app on a workstation and try to connect, the server responds with a 50x error ( authentication). I have tried adding the username and password to the URL and that did not get me any closer to figuring out the problem. I have tried different authentication methods on IIS without success. The client machines are all located in the same Windows Active Directory Domain / local area network with the server - no routing.
We are not exposing any ports to the Internet.
I am using the Web Service classes that are generated using the Flex Builder Data/Import
I am using Flex Builder 3 with the 3.5a version of the Flex framework.
I have installed Flash player with the latest version
the Windows server is running IIS 7 on Server 2008
How do I get a connection that works? (samples anyone?)
Is this an Air configuration issue, or a limitation of the framework?
Does my Air app need to use Anonymous connections to IIS only?
Is there a way for a web service on IIS to identify the user from their Active Directory connection?

Hello,
In principle, if a web service can be accessed from localhost, it could also be accessed from remote. So perhaps the traffic was blocked by the firewall. Please check the firewall setting of your machine, especially the Windows firewall. You could turn off the firewall for a while and have a try.
And you can use some web service client tool (like soupUI) to test if the web service is accessible to the remote.
Thanks,
Yang

HOW TO CREATE WINDOWS AUTHENTICATION USER IN SQL SERVER AFTER INSTALLING SQL SERVER 2008

I had an error while executing asp.net appcation from IIS as follows
Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.
Description:
An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.
[SqlException (0x80131904): Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.]
Can the above problem be solved by CREATING WINDOWS AUTHENTICATION LOGIN FOR
'IIS APPPOOL\ASP.NET v4.0' ?
If yes, how to create the login?
If no,what is the best possible solution?
Please reply as soon as possible as i am unable to run my project which I had done in my lab,in my home system.

Hi Praveen,
To fix this issue, you need to change the Identity of your website's Application Pool to use the
NetworkService account (or the less secure LocalSystem account). By default, IIS7 seems to set the Application Pools Identity to 'ApplicationPoolIdentity' instead of NetworkService or LocalSystem.
Here's a step-by-step guide for determining your websites Application Pool, then changing its Process Model Idenitty in IIS7:
1.Open Internet Information Services (IIS) Manger.
2.In the Connections sidebar, drill down into Default Web Site and click on your website.
3.Now in the Actions sidebar (on right side), click on Advance Settings... In the popup box, under General you will see your Application Pool listed for your website (in my case the app pool is: ASP.NET V4.0).
4.Click Cancel... If you choose, you can change the Application Pool here, but for the sake of this example we just wanted to find out what the website's App Pool was.
Then change the app pool's (Process Model) Identity to 'NetworkService', the steps are showed as below:
1.Open Internet Information Services (IIS) Manger.
2.In the Connections sidebar, click on Application Pools.
3.Now right-click on theApplication Pool that your website is using (in this case my site is using the ASP.NET v4.0 application pool), and select Advanced Settings... from the menu.
4.In the Advanced Settings pop-up box, locate the Process Model -> Identity section and click on the Application Pool Identity.
5.In the Application Pool Identity pop-up box, change the Built-in account to NetworkService (or if you want LocalSystem), then click OK, and click OK again to save your Advanced Settings changes.
Hope this helps.
Best Regards,
Peja
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Calling web service with basic authentication from EP "unauthorized"

Hello,
I need to call a .NET web service with basic authentication on the IIS from my portal application (no http proxy between portal and IIS). But always I get the following exception:
<b>com.sap.engine. services.webservices.jaxm.soap.accessor. NestedSOAPException:
Problem in server response: [Unauthorized].</b>
I'm using the following code for calling the .NET web service:
<b>...</b><i>Licence_GetList lParameter = new Licence_GetList();
lParameter.setStatus(CEnvironment.TransformStatus_WebService(search));
ILicenceManager lLicMan = (ILicenceManager) PortalRuntime.getRuntimeResources().getService("LicenceManager");
ILicenceManager lLicManSecure = lLicMan.getSecurisedServiceConnection(request.getUser());
Licence_GetListResponse lGetListResponse = lLicManSecure.Licence_GetList(lParameter);</i><b>...</b>
I've also configured a http system in the portal system landscape using the following parameters:
<i>Authentication Method : Basic Authentication
Authentication Type : Server
User Mapping Type : admin,user</i>
The user mapping is also personalized for this system!
What's wrong? Please help! This is really urgent!
Kind Regards
Joerg Loechner

Hello Renjith,
here is a small cutout of my "portapp.xml";
<services>
<service alias="LicenceManager" name="LicenceManager">
    <service-config>
      <property name="className" value="de.camelotidpro.
             pct.xi.scm.webservice.LicenceManager"/>
      <property name="startup" value="false"/>
      <property name="WebEnable" value="false"/>
      <property name="WebProxy" value="true"/>
      <property name="SecurityZone" value="de.camelotidpro.
             pct.xi.scm.webservice.LicenceManager/
               DefaultSecurity"/>
    </service-config>
    <service-profile>
      <property name="SystemAlias" value="LicMan_NET"/
    </service-profile>
</service>
</services>
I'm using a http system created in the system landscape (alias LicMan_NET). But it seems that this system is not used by the web service call (No error, even if I delete this system!). The code used to call this web service can be found at the top of this threat...
Regards
Joerg Loechner

WCF service setup with certificate authentication error

I have a WCF service setup and I need to use a certificate with it and are getting numerous errors when I attempt to browse it. The 1st error I get is "Security settings for this service require 'Anonymous' Authentication but it is not enabled for
the IIS application that hosts this service."
This sounds like a straightforward error message and setting the authentication method in IIS to anonymous resolves being able to browse the service. But I need to use a certificate and setting authentication to anonymous is obviously not right since we
only want those with the proper certificate to access the service. I have all authentication methods in IIS set to disabled when I get the above error message. I have the SSL settings in IIS for the service set to require a certificate as well. I am using
IIS 8.5 as well.
Here is my config file in hoping someone could point me in the correct direction. The service should only work over HTTPS since we are using a certificate and I need the meta data exposed as well hence the mexHttpBinding. I have searched the web but no solution
is working. Any help is appreciated.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<configSections>
<sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<section name="HEALookupProxy.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</sectionGroup>
</configSections>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication mode="None"></authentication>
</system.web>
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true">
<baseAddressPrefixFilters >
<add prefix="https"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<services>
<service name="HEALookupProxy.HEALookupService" behaviorConfiguration="HEALookupServiceBehavior">
<endpoint address="" binding="wsHttpBinding" contract="HEALookupProxy.IHEALookupService" bindingConfiguration="HEALookupConfig" />
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="HEALookupConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="HEALookupServiceBehavior">
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" findValue="certnameremoved" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />

<directoryBrowse enabled="false" />
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="user1, user2" />
</authorization>
</security>
</system.webServer>
</configuration>

Hi spark29er,
>>The service should only work over HTTPS since we are using a certificate and I need the meta data exposed as well hence the mexHttpBinding.
For creating the HTTPS WCF service, first please change the mexHttpBinding to
mexHttpsBinding as following:
<endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" />
For more information, please try to refer to:
#Seven simple steps to enable HTTPS on WCF WsHttp bindings:
http://www.codeproject.com/Articles/36705/simple-steps-to-enable-HTTPS-on-WCF-WsHttp-bindi .
Then please try to check the following article about how to do the certificate authentication on HTTPS WCF Service:
http://blogs.msdn.com/b/imayak/archive/2008/09/12/wcf-2-way-ssl-security-using-certificates.aspx .
Besides, setting the
includeExceptionDetailInFaults as false can give us more detailed error information.
Best Regards,
Amy Peng
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

Performance tuning & Securing MX 7 on IIS 6

I never had much at all to do with Coldfusion and have just been asked to look into making some security and performance suggestions for a small Windows 2003/IIS 6 server farm using Coldfusion MX 7.
This is what I was planning;
Configure all IIS websites to use a seperate IIS application pool (security)
Configure all IIS websites to use a seperate windows user account for authentication (security)
Configure IIS content expiration (performance)
Configure IIS file compression and static file caching (performance)
Use 3rd party anti leech tool (security/performance)
Problem is although I am familiar enough with IIS, I don't really have a good understanding of how Coldfusion MX 7 hangs together. From what I've read to date (which is pretty limited) it appears as if Coldfusion doesn't use IIS for much more than serving HTTP requests. Is this an accurate summation?
If so, then how does Coldfusion interact with IIS? Particularity in relation to the points I mentioned above? I read a guide on securing Coldfusion MX 7 on IIS from the Adobe website and it makes no mention of doing the segregation I listed above, and one of my colleagues told me that Coldfusion doesn't even use IIS application pools or worker processes (not sure how this would even be possible) and handles content compression and caching itself as well as security.
Basically, any pointers/advice on how Coldfusion MX 7 interacts with IIS 6 and if the points I made are valid in an IIS/Coldfusion environment would be greatly appreciated.
Cheers!

Distributed Mode is what you are after.
http://www.adobe.com/support/coldfusion/administration/cfmx_in_distributed_mode/
Although written a few years ago, it'll still point you in
the right direction.
Andy

Trusted Authentication using QUERY_STRING

Hi All,
We are trying to configure the Trusted Authentication using Query_String in XIR3.1
We have customer portal ,where in login to custom web page and click on the link which routes to Infoview.We are configuring sso to bypass the credentials from webportal to Infoview home page.
We have created a paramerter to pass the user information.We have made all the required changes for configuring trusted authentication,like:
1) Enable Trusted Authentication in cmc.Enter shared secret in cmc
2) Make changes to the web.xml file
3) Create TrustedPrincipal.conf file
In web.xml file we gave "trusted.auth.user.retrieval" as "QUERY_STRING" & "trusted.auth.user.param" as the parameter value we are using to pass the user information.
If the parameter we are using is "MyUser" to pass the user information ,After configuring, we noticed that ,when we launch the url, "http://host:8080/InfoViewApp/logon/logon.do?MyUser=<username>" we can directly login to Infoview without giving any credentials.We are not sure if we are moving in right direction? Is this how the QUERY_STRING work?
We also noticed that,instead of giving any username if we give any other value the infoview home page opens up with Guest account?
Thank you,
Bill

You should disable guest when using any method of SSO. Then anything placed in the URL other than a proper user would fail. And yes this is exactly how query string works (the username must be supplied in the URL). If looking for a more dynamic/secure method you will need to combine with a front end authenticator such as IIS, siteminder, etc and use one of our other methods such as remote_user, http_header, etc
Regards,
Tim

Exchange 2010 Virtual Directory Authentication Settings

Is it normal for authentication settings to be different in IIS Manager and Exchange 2010 Management Console? OWA and ECP are set to forms based in EMC, but IIS shows OWA and ECP as basic = enabled and everything else = disabled. IIS shows
OAB as windows = enabled and everything else = disabled.

Hi,
Here is a reference about the default IIS authentication settings and default
Secure Sockets Layer (SSL) settings for the Client Access and Mailbox server roles:
http://technet.microsoft.com/en-us/library/gg247612(v=exchg.141).aspx
It is recommended to manage your Exchange virtual directories authentication settings in Exchange Management Console or Exchange Management Shell instead of IIS manager. Some authentication changes in IIS require an IIS reset. If you are using Exchange management
tools, you will see a warning that would tell you to reset IIS if needed.
Thanks,
Winnie Liang
TechNet Community Support

Https Client Authentication

i'm posting the data using HttpsURLConnection to IIS 5.0 web server. The code is working fine for server authentication. Now i want to enable the client authentication option in IIS. How do i send the client certificate from the Java program to the IIS web server

There are 2 things you need to do:
1. Turn on "Require client certificate" on IIS.
2. Either use HttpsURLConnection or if you're using SSLSocket, you have to send at least 2 lines
GET / HTTP/1.1
Host: iis-server
The Host HTTP header line is key.
Without that line, IIS won't send CertificateRequest during SSL handshake.
With that line, IIS force the client to connect again, on the second handshake, IIS send the CertificateRequest command correctly!

Federated authentication application that also reads Forms cookie

At our company we are planning to move our IIS applications from forms based authentication to federated authentication. We want to move one application first (big bang is difficult). All applications currently share a forms cookie (in the same domain,
same IIS server). I am looking for a way to move one application to federated authentication while still supporting users that are logged in with forms authentication.
I am thinking about the following scenario's:
IIS application 'A' has federated authentication configured (ADFS)
IIS application 'B' has forms authentication.
User request page in iis app 'A' -> authentication mechanism checks if a forms cookie from app 'B' exists. (form cookie exists because user has already logged in via username/password webform in app 'B')
If yes, the info in this cookie is used to build a valid claim (custom code), federated cookie is set with this claim. User session can start
If no, claim is obtained via ADFS server, federated cookie is set with claim. User can start session.
In this way, users that are authenticated via Forms authenticated are supported in an application that is configured for ADFS claims. That gives us the possibility to gradually move all users from our custom security system (based on .net forms) to AD.
How can this be done?
Bert-Jan

The legacy forms logon (non-federated) with the cookie is independent of the federated logon process. You can always stand-up a separate IIS website (federated) to point to your application in a side-by-side capacity, thereby meeting the requirement for
federated logon (assuming the application supports that) and legacy forms, but crossing trust boundaries between the legacy and federated logon for SSO purposes is not possible OOTB. If you want AD FS to issue claims from the "classic" forms logon
alternate, then that forms logon provider would need to also be a trusted claims provider and possess its own Security Token Service. In general I try, and emphasis on the word try ;-), to shy away from customizing AD FS logon screens, primarily because it
can come back and bite you. While AD FS 2.0 provided some latitude for these sorts of practices, AD FS 3.0 (and beyond) does not ...
http://blog.auth360.net

Cant access msmdpump.dll setup in IIS from a box other than localhost

I configured access to SQL Analysis Services via IIS on one of my machines, as per the following instructions:
http://mglaser.bloggingabout.net/2008/08/15/configuring-http-access-to-sql-server-2008-analysis-services-on-microsoft-windows-server-2008/
I tested using Excel on the same machine and it works fine. I access using the following url (I can access without using localhost on that machine):
http://10.3.29.79/OLAP/msmdpump.dll
But when I try it from any other machine on the same network using Excel it does not work. Now I know you cant use IE for testing but I just watned to see if I could resolve to even the error you normally get in IE. Something along the lines of:
- <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
- <soap:Body>
- <soap:Fault xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode>XMLAnalysisError.0xc10e0002</faultcode>
<faultstring>Parser: The syntax for 'GET' is incorrect.</faultstring>
- <detail>
<Warning WarningCode="1090584599" Description="The 'Invariant Language' locale for UI is not supported." Source="Unknown" HelpFile="" />
<Error ErrorCode="3238920194" Description="Parser: The syntax for 'GET' is incorrect." Source="Unknown" HelpFile="" />
</detail>
</soap:Fault>
</soap:Body>
</soap:Envelope>
But all I get when I access from other machines is an error 500, internal server error. I'm not worried about it not working in IE as I know it cant, but I do think there's an issue accessing from any box except the host.
Thanks for any advice!

Hi Rmccabe,
Try Turning off the Friendly errors in IE and then launch this URL to find the exact error.
Try changing the Authentication Mode in IIS XMLA Virtual Directory to Anonymous Aurthentication and try launching the URl.
you can even try connecting the Analysis Server With SSMS by giving the XMLA URL "http://10.3.29.79/OLAP/msmdpump.dll"
in the Server Name Text box.
Try Disabling Firewall- It it works then Add the Proper port no to get rid of this issue.
Since you are able to access the cube with the Local Server (Localhost). These are the common reasons for these error.
Please vote as helpful or mark as answer, if it helps Regards, Anand

LDAP Trusted Authentication XI 3.1

Does anyone have updated documents for XI 3.1 to use Trusted Authentication with LDAP. We are looking into the Configuring Trusted Authentication using the IIS/Tomcat Bridge, but the document is designed for XIR2. On page 6 it says the Trusted Authentication will work with any authentication method but while trying to configure it with LDAP I am getting the error: LDAP Authentication has not been configured to use single sign on. Please contact your system administrator. (FWM 00008)
Thanks for the help.

Does anyone have updated documents for XI 3.1 to use Trusted Authentication with LDAP. We are looking into the Configuring Trusted Authentication using the IIS/Tomcat Bridge, but the document is designed for XIR2. On page 6 it says the Trusted Authentication will work with any authentication method but while trying to configure it with LDAP I am getting the error: LDAP Authentication has not been configured to use single sign on. Please contact your system administrator. (FWM 00008)
Thanks for the help.

Authentication of JRun&IIS

Similar Messages

Maybe you are looking for