6 Replies - 1540 Views - Last Post: 28 November 2016 - 06:37 AM

#1 depricated

Configuring IIS for Active Directory authentication

Posted 22 November 2016 - 03:08 PM

So the title is what I'm trying to accomplish.

I have a web server with Windows Server 2012 R2 installed, and an application we purchased that I'm trying to configure on said server.

Communication between my laptop and the server is stable, and the server is serving HTTP requests without issue. However, the program I'm standing up requires HTTPS (and given the nature of the data it handles, that's what I desire anyway).

Servers aren't my strong suit, at all. I've never really done a whole lot on the server side, so this is a first for me.

Unfortunately, I can't really find anything anywhere on how to do what I'm trying to - at least, not with the search terms I'm using. So my guess is that I'm looking at this from the wrong angle. I'm not even sure what information is relevant.

I need to set my environment up to fit the program - if I set it up right I should be able to just change the endpoints to match the environment, and be good to go.

If it helps, here are the bindings as delivered:

<bindings>
  <wsHttpBinding>
    <!-- ServiceRoot: plain HTTP, no transport or message security -->
    <binding name="ServiceRoot" closeTimeout="23:00:00" openTimeout="23:00:00"
      receiveTimeout="23:00:00" sendTimeout="23:00:00" maxReceivedMessageSize="2147483647"
      messageEncoding="Mtom">
      <readerQuotas maxArrayLength="2147483647" />
      <reliableSession enabled="false" />
      <security mode="None" />
    </binding>
    <!-- ServiceRoot_Alt: the same binding over HTTPS; mode="Transport" requires an https:// address -->
    <binding name="ServiceRoot_Alt" closeTimeout="23:00:00"
      openTimeout="23:00:00" receiveTimeout="23:00:00" sendTimeout="23:00:00"
      maxReceivedMessageSize="2147483647" messageEncoding="Mtom">
      <readerQuotas maxArrayLength="2147483647" />
      <reliableSession enabled="false" />
      <security mode="Transport" />
    </binding>
    <!-- WSHttpBinding_IMisc: mode="None", so the Windows clientCredentialType settings below are not applied -->
    <binding name="WSHttpBinding_IMisc" closeTimeout="00:01:00" openTimeout="00:01:00"
      receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
      transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Mtom"
      textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00"
        enabled="false" />
      <security mode="None">
        <transport clientCredentialType="Windows" proxyCredentialType="None"
          realm="" />
        <message clientCredentialType="Windows" negotiateServiceCredential="true" />
      </security>
    </binding>
    <!-- WSHttpBinding_IChartDocs: identical to IMisc, again with security switched off -->
    <binding name="WSHttpBinding_IChartDocs" closeTimeout="00:01:00"
      openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
      bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Mtom"
      textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00"
        enabled="false" />
      <security mode="None">
        <transport clientCredentialType="Windows" proxyCredentialType="None"
          realm="" />
        <message clientCredentialType="Windows" negotiateServiceCredential="true" />
      </security>
    </binding>
    <binding name="WSHttpBinding_IED" messageEncoding="Mtom">
      <security mode="None" />
    </binding>
  </wsHttpBinding>
</bindings>


I've spent most of the day puzzling over this configuration and getting things wrong left and right. Right now the error I get indicates that HTTPS is required - after setting up an HTTPS binding, I get an error that a trust relationship could not be established. When I look into this what I find is all about SSL - but I'm fairly sure at this point that SSL is not what I'm trying to do. I shouldn't have to rewrite anything in the application.

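An added example, not the vendor's configuration and not code from this post, showing the binding change the thread is circling: the delivered WSHttpBinding_IMisc with mode="None" beside a secured copy that uses transport security with Windows credentials, plus the client endpoint that goes with it. The _Secure binding name, the IMisc contract name, the host name webserver.corp.example and the /App/Misc.svc path are assumptions. Under mode="None" the clientCredentialType="Windows" lines are ignored, so the delivered binding neither encrypts nor authenticates; with mode="Transport" WCF insists on an https:// address (the "HTTPS is required" error in the original post), and the host in that address must match a name the server certificate was issued for.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- As delivered: no security at all. The Windows credential settings
           underneath are ignored while mode="None". -->
      <binding name="WSHttpBinding_IMisc" messageEncoding="Mtom">
        <security mode="None">
          <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
          <message clientCredentialType="Windows" negotiateServiceCredential="true" />
        </security>
      </binding>

      <!-- Secured copy (name assumed): TLS terminated by IIS, and the caller's
           Windows (Kerberos/NTLM) identity negotiated on the transport. -->
      <binding name="WSHttpBinding_IMisc_Secure" messageEncoding="Mtom">
        <security mode="Transport">
          <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <client>
    <!-- Transport security needs an https:// address, and the host name must be
         one the server certificate carries. Calling by IP (192.168.101.234) fails
         name validation unless that IP is in the certificate's SAN. Host name,
         path and contract name are assumed. -->
    <endpoint name="Misc"
              address="https://webserver.corp.example/App/Misc.svc"
              binding="wsHttpBinding"
              bindingConfiguration="WSHttpBinding_IMisc_Secure"
              contract="IMisc" />
  </client>
</system.serviceModel>
```

The same bindingConfiguration goes on the service endpoint in the server's web.config, and IIS must have Windows authentication enabled (and anonymous disabled) for the application; otherwise the transport credential has nothing to negotiate with and the service fails to start.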

Replies To: Configuring IIS for Active Directory authentication

#2 modi123_1

Re: Configuring IIS for Active Directory authentication

Posted 22 November 2016 - 03:30 PM

Isn't that pretty much logging into the server, firing up IIS, on the web app heading under 'sites', going to 'SSL settings' and clicking 'require'? Maybe binding an SSL cert to the top-level web server (also in IIS under 'server certificates').
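The IIS side of modi123_1's suggestion as an added PowerShell example (not from the thread), using the WebAdministration module on Windows Server 2012 R2. The site name 'Default Web Site', the application name 'App' and the host name webserver.corp.example are assumptions; the script expects a certificate for that name, with its private key, already in LocalMachine\My (issued by the domain CA, or a dev certificate). It adds the https binding, attaches the certificate, requires SSL, and turns on Windows authentication for the application, which is the part the thread title is about.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the web server.
Import-Module WebAdministration

$site = 'Default Web Site'           # assumed
$app  = 'App'                        # the purchased application's IIS application name (assumed)
$fqdn = 'webserver.corp.example'     # the name clients will use in the https:// address (assumed)

# 1. Pick the certificate IIS will present. It must chain to a CA the clients trust
#    and carry $fqdn as a DNS name. -DnsName is a certificate-provider parameter
#    available from PowerShell 4.0, which 2012 R2 ships with.
$cert = Get-ChildItem Cert:\LocalMachine\My -DnsName $fqdn |
        Where-Object { $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fqdn with a private key in LocalMachine\My" }

# 2. HTTPS binding on 443 and the certificate attached to it.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# 3. Require SSL on the application (the 'SSL Settings > Require SSL' checkbox).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$app" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 4. Active Directory authentication: Windows authentication on, anonymous off,
#    so a wsHttpBinding with transport clientCredentialType="Windows" can negotiate.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$app" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$app" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false

# 5. Read back what IIS now believes, so the GUI is not the only check.
Get-WebBinding -Name $site
Get-WebConfiguration -PSPath 'IIS:\' -Location "$site/$app" `
    -Filter 'system.webServer/security/authentication/*' |
    Select-Object SectionPath, enabled
```

Step 4 is written against applicationHost.config (PSPath 'IIS:\' with -Location) on purpose: the authentication sections are locked for delegation by default, so putting them in the application's own web.config would produce a 500.19 configuration error instead of enabling anything.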

#3 depricated

Re: Configuring IIS for Active Directory authentication

Posted 22 November 2016 - 03:50 PM

That's what I thought earlier today when I said I was trying to figure out SSL, but the error I get is:

That's the error thrown when I attempt to call a service through https

System.ServiceModel.Security.SecurityNegotiationException
mscorlib
Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Messaging.IMessage)

Could not establish trust relationship for the SSL/TLS secure channel with authority '192.168.101.234'.


Server stack trace: 


I mean, unless I'm missing something. I have a certificate, used in the HTTPS binding properties, which is listed under the 'server certificates.' Unfortunately, I don't know enough about IIS to know what settings I might be missing. I just enabled the "Require SSL" setting and still get the above error. Googling the error gives me insight into that - but the fixes I find are all about installing certificates on client machines, which this shouldn't require.

Actually, hold up. I just realized that I'm on my local machine account and NOT a directory account. That might be why it's erroring. It might be because I'm not authenticated with the domain to begin with (though I thought it would then prompt me to log in to the domain).

This post has been edited by depricated: 22 November 2016 - 03:46 PM


#4 depricated

Re: Configuring IIS for Active Directory authentication

Posted 22 November 2016 - 03:57 PM

Happens on a logged-in domain account too, so I'm wrong; that wasn't it.

#5 no2pencil

Re: Configuring IIS for Active Directory authentication

Posted 22 November 2016 - 07:07 PM

** disclaimer ** I don't know shit about Microsoft IIS

In Linux, you have to accept the SSL from the server, & then it's stored under "known hosts". Is it possible that you previously accepted the SSL from '192.168.101.234' & it's been updated? That would cause a conflict on Linux until it is cleared out so the current one can be accepted.

Second idea, is the server providing a forbidden version of TLS? This was an issue with a Java developer at my previous place of employment. The SAS server was offering TLS 1.0 & while that was acceptable on the Dev's dev environment, it was rejected in production.

#6 ArtificialSoldier

Re: Configuring IIS for Active Directory authentication

Posted 23 November 2016 - 09:23 AM

My experience with recent versions of IIS is limited, but that error message makes it sound to me like it is a self-signed certificate and it's still trying to verify the certificate authority. When it's self-signed then the server is also the certificate authority (as opposed to a trusted CA like Verisign, Comodo, etc), so the trust fails because it doesn't recognize the authority. There might be an option to skip the CA validation part so that you can use a self-signed cert.

#7 depricated

Re: Configuring IIS for Active Directory authentication

Posted 28 November 2016 - 06:37 AM

Looks like the problem is that it's using a self-signed certificate. I'm looking to see what I can do to fake it or bypass it for the time being. I'll revisit this problem if I still can't figure it out once I get the certificate issue resolved.

Thanks guys!

Edit to add:
Also looks like I'm gonna be rewriting the web.config and app.config - they were written for IIS6 and we're using IIS8.5. The goal is to make as few edits as possible, but that's one that will have to be done. Either way, this helped me figure out that the error I was encountering was due to a certificate issue.

for those interested, below is the (C#) code I used to bypass the certificate error. I'm including my comment because I feel this is the kind of thing that needs to never go into a prod environment.
/* DIRTY HACK - REMOVE - DO NOT GO LIVE WITH THIS - THIS IGNORES CERTIFICATE VALIDATION - WE ARE ONLY USING THIS BECAUSE OUR DEV TEST CERTIFICATE IS SELF-SIGNED */
// Process-wide: this accepts any certificate on every HTTPS connection made through System.Net, not only this service.
System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

This post has been edited by depricated: 29 November 2016 - 06:14 AM

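An added example (not from depricated's post) of what replaces the "return true" callback: make the self-signed certificate something the client can actually validate. Two parts, in PowerShell: on the server, issue a dev certificate for the name clients will use and export its public half; on the laptop, import it into the machine's trusted root store and check it the way .NET's default validation does. The server name webserver.corp.example, the path /App/Misc.svc and the export file path are assumptions. The original error names the authority '192.168.101.234': even a trusted certificate fails when the address host is an IP the certificate was not issued for, so the endpoint address has to use the certificate's name.

```powershell
# Added example (not from the thread). PKI and WebAdministration cmdlets as shipped
# with Windows Server 2012 R2 / Windows 8.1; names and paths below are assumed.
$fqdn = 'webserver.corp.example'
$cerFile = 'C:\temp\webserver-dev.cer'

# --- On the web server (elevated) ------------------------------------------
# A dev certificate valid for the name the clients will actually use. IIS's
# "Create Self-Signed Certificate" button issues one for the machine name only,
# which is one reason calling by IP address fails name validation.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null   # public certificate only, no private key

# Put it on the 443 binding (replaces whatever certificate was there before).
Import-Module WebAdministration
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# --- On each client / dev laptop (elevated) --------------------------------
# Trusting a self-signed certificate means placing that one key in the machine's
# Trusted Root store. Do this on dev machines only; production should get a
# certificate from the domain CA so no client needs touching.
$imported = Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\Root

# Check the two things the default ServerCertificateValidationCallback checks:
# the chain builds to a trusted root and $fqdn matches the certificate's name.
Test-Certificate -Cert $imported -Policy SSL -DNSName $fqdn

# End to end with the logged-in domain account's credentials. A failure here
# that mentions SSL/TLS is still a certificate problem; a 401 means TLS is fine
# and the remaining work is on the IIS Windows-authentication side.
Invoke-WebRequest -Uri "https://$fqdn/App/Misc.svc" -UseDefaultCredentials -UseBasicParsing |
    Select-Object StatusCode
```

If a validation callback has to stay in the client for a while, have it compare the presented certificate's thumbprint against the dev certificate's thumbprint and reject everything else, rather than returning true: a callback that accepts any certificate switches off TLS authentication for every HTTPS call the process makes, not just the ones to this service.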
