
I'm trying to connect to an ASP.NET website we have created. It uses Windows authentication and denies access to non-authenticated users.

web.config:

<authentication mode="Windows" />
<authorization>
    <deny users="?" />
</authorization>

The website is in our DMZ. The server is connected to the domain. It's working without problems when I try to connect to the site from our internal network. I get an Authentication Required popup box, fill in my credentials and I can enter the site.

When I connect from an external network, it doesn't work. The browser connects to the site but the popup box is never shown. Eventually I get a "The connection was reset" error.

Apparently the firewall sees my request as a vulnerability and blocks it. This message can be found in the network packet on the firewall:

401 - Unauthorized: Access is denied due to invalid credentials.

That is the same error I get when I connect to the site from an internal location and click cancel or fill in the wrong credentials.

I have already tried this with no luck:

  • Move NTLM to the top of my providers
  • Use Kerberos authentication
  • Check the modules in IIS: Both WindowsAuthentication and WindowsAuthenticationModule are there
  • Adding the DisableStrictNameChecking and DisableLoopbackCheck to the registry
  • Allow anonymous authentication (IIS level)
  • Allow basic authentication (IIS level)
  • Allow all users with windows authentication (in web.config): Basically deleting the authorization node. This uses anonymous and it works. The site can be accessed, but the user is not authenticated and does not see his personal reports (so unusable)
  • Change the application pool user
  • Give access rights on the arp folder to IUSR

Why are there two 401 statuses when I go to the site? This causes the firewall to block traffic, so the Authentication Required popup is never shown.

Rubanov
  • It seems clear from what you've stated that the problem exists at the firewall, so why are you changing a bunch of settings on the server? – joeqwerty Jun 20 '14 at 10:45
  • The problem is that the firewall is receiving a number of 401 status codes and thinks it's a brute force attack. I am trying to avoid the 401 messages. It appears there are several 401 statuses before the Authentication Required box is shown. – Rubanov Jun 20 '14 at 11:18
  • This is normal behavior. At least one 401 is sent as a challenge and then the popup is shown. – MichelZ Jun 20 '14 at 12:56
  • @MichelZ I agree that the first one is normal behavior as it tries to connect anonymously. The second one however is not normal. The popup is never shown. – Rubanov Jun 20 '14 at 13:57
  • Can you try fiddler to see what's going on exactly? Is the site in the intranet zone and it tries to automatically connect with a wrong user? – MichelZ Jun 20 '14 at 14:06
  • @Rubanov, you're mistaken. The only form of Windows Auth usable across a firewall is NTLM, and that uses 2 401-driven round trips before the successful 200. See http://serverfault.com/questions/254813/why-use-kerberos-instead-of-ntlm-in-iis – TristanK Jun 23 '14 at 12:37
  • And I agree - sounds like you've identified the problem as being the firewall. You could use an SSL tunnel to hide the traffic from it, but otherwise, just fix the firewall. – TristanK Jun 23 '14 at 12:38
  • Thanks @TristanK, that was the answer that I was looking for. I would upvote your comment but I don't have enough reputation. – Rubanov Jun 24 '14 at 08:12

2 Answers


Because we use NTLM, multiple round trips are made with 401 packets. Our firewall saw that as a brute force attack and blocked it. In the end we fixed it by configuring the firewall to allow several 401 packets before it treats them as a vulnerability. The way our system is set up we can't use Kerberos, which sends only one 401 packet and would not have been blocked by our firewall (in its original configuration).

Credits to @TristanK for the answer.

Rubanov
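The two-challenge NTLM sequence the accepted answer describes, as an added example that is not part of the original question or answers. It parses the NTLMSSP message-type field out of the Authorization / WWW-Authenticate headers of a browser-to-IIS exchange, tells an NTLM login (401, 401, 200) and a Kerberos login (401, 200) apart from a genuinely failed attempt, and counts only the 401s that a brute-force rule should be measuring. The exchanges and the NTLM tokens are constructed for the example (the tokens carry only the signature and type field, not the fields of a real message); nothing here is captured from the poster's network.

```python
"""Classify HTTP 401 sequences: NTLM/Kerberos handshake vs. failed credentials.

Added example. The NTLMSSP tokens are constructed minimal stand-ins
(signature + message type only), not real captured messages.
"""
import base64
import binascii
import struct
from typing import List, Optional, Tuple

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3   # NTLM Type 1 / Type 2 / Type 3


def make_ntlm_token(msg_type: int, scheme: str = "NTLM") -> str:
    """Constructed minimal NTLMSSP message: 8-byte signature, little-endian
    type field, zero padding. Real messages also carry flags, domain and
    response fields; the parser below only needs the first 12 bytes."""
    raw = NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 24
    return scheme + " " + base64.b64encode(raw).decode("ascii")


def ntlm_message_type(header: Optional[str]) -> Optional[int]:
    """Return 1, 2 or 3 when the header carries an NTLMSSP token (under the
    NTLM or Negotiate scheme); None for no token, a malformed token, or a
    non-NTLM Negotiate token such as a Kerberos SPNEGO blob."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme not in ("NTLM", "Negotiate") or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
        return None
    return struct.unpack_from("<I", raw, 8)[0]


# One step of the exchange: (Authorization sent, status received, WWW-Authenticate received)
Step = Tuple[Optional[str], int, Optional[str]]


def classify_exchange(steps: List[Step]) -> Tuple[str, int]:
    """Label one exchange and count the 401s that are NOT handshake challenges.

    A normal NTLM login is 401 (anonymous), 401 (Type 2 challenge), 200; a
    Kerberos login is 401, 200. Only 401s beyond those mean a wrong password
    or a cancelled prompt, and only those belong in a brute-force counter.
    Returns (label, unexpected_401s) with label in ntlm/kerberos/basic/failed/none.
    """
    label, unexpected, seen_anonymous_challenge = "none", 0, False
    for authz, status, www_auth in steps:
        ntlm_type = ntlm_message_type(authz)
        if authz is None:
            # The first request is anonymous; one 401 offering the schemes is normal.
            if status == 401 and not seen_anonymous_challenge:
                seen_anonymous_challenge = True
            elif status == 401:
                unexpected += 1
        elif ntlm_type == NEGOTIATE:
            # Type 1 is normally answered with a 401 that carries the Type 2 challenge.
            if status == 401 and ntlm_message_type(www_auth) != CHALLENGE:
                unexpected += 1
        elif ntlm_type == AUTHENTICATE:
            # Type 3 carries the credentials: 200 is success, 401 is a real failure.
            if status == 200:
                label = "ntlm"
            elif status == 401:
                label, unexpected = "failed", unexpected + 1
        else:
            # Kerberos (Negotiate without NTLMSSP) or Basic: credentials in one shot.
            if status == 200:
                label = "kerberos" if authz.startswith("Negotiate ") else "basic"
            elif status == 401:
                label, unexpected = "failed", unexpected + 1
    return label, unexpected


# Constructed exchanges (not captures from the original poster's network).
NTLM_LOGIN: List[Step] = [
    (None, 401, "Negotiate, NTLM"),
    (make_ntlm_token(NEGOTIATE), 401, make_ntlm_token(CHALLENGE)),
    (make_ntlm_token(AUTHENTICATE), 200, None),
]
KERBEROS_LOGIN: List[Step] = [
    (None, 401, "Negotiate, NTLM"),
    ("Negotiate " + base64.b64encode(b"\x60\x82constructed-spnego-blob").decode(), 200, None),
]
# Wrong password twice: the pattern a firewall threshold should actually count.
BAD_PASSWORD: List[Step] = NTLM_LOGIN[:2] + [
    (make_ntlm_token(AUTHENTICATE), 401, "Negotiate, NTLM"),
    (make_ntlm_token(NEGOTIATE), 401, make_ntlm_token(CHALLENGE)),
    (make_ntlm_token(AUTHENTICATE), 401, "Negotiate, NTLM"),
]

if __name__ == "__main__":
    for name, steps in (("NTLM", NTLM_LOGIN), ("Kerberos", KERBEROS_LOGIN), ("bad password", BAD_PASSWORD)):
        label, bad = classify_exchange(steps)
        total_401 = sum(1 for _, status, _ in steps if status == 401)
        print(f"{name:13s} total 401s={total_401}  result={label}  401s worth counting={bad}")
```

The point for the firewall rule is the last column: a clean NTLM login produces two 401s and zero failures, so a threshold that trips on raw 401 counts will block every first visit from outside, while counting only the 401 that answers a Type 3 (or a Kerberos/Basic credential) still catches repeated wrong passwords.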

Same issue here, but I think I got lucky and found a solution. It looked like a firewall issue here too, but when disabling it there was no change. Access from localhost worked fine but not from the same network or the internet. I tried changing every value with no luck, but finally I tried editing the feature settings of the error messages (my server has its own error messages) and it seems to have solved the problem. I had detailed errors for local and custom for remote. After changing to detailed errors, the login popup works just fine!!! :)