SOAPUI says access denied but service works fine in IE - web-services

I'm using SoapUI 5.2.1 and accessing a IIS hosted web service on my domain. The web service has windows authentication enabled.
When I browse to the wsdl using internet explorer, it asks for my credentials, then shows the wsdl.
When I do the exact same with soapui, it prompts for my details, then fails and when I check the http log it sayus 'unauthorised: access is denied due to invalid credentials'.
But I'm entering it correctly, I've even tried various permutations of domain\username, username, leaving the domain text box blank or entering it there.
Any ideas?

I needed to provide a lot more info than would fit into a comment...
The other setting that I was referring to is detailed here : https://www.soapui.org/soap-and-wsdl/authenticating-soap-requests.html. If you are sure its windows credentials authentication, then use the NTLM setting. You may have to restart for the settings to take effect.
"Domain – add this for NTLM authentication challenges. If you are authenticating NTLM, make sure to note the following in your configurations:
File > Preferences > HTTP Settings tab > uncheck Authenticate Preemptively preference
for NTLM v2 provide your username as "DOMAIN\USERNAME" or at least as "\USERNAME""
If you still have issues, you can use BURP suite or Fiddler or similar proxy tools for proxy setup. BURP is an extensive security testing tool and may even be an overkill. Fiddler is a proxy. Check out these two links:
Burp : Testing web service with SoapUI and Windows authentication
Fiddler: Using fiddler with Windows Authentication

Related

How to remove the HTTPS requirement for SAML configuration in WSO2

The application I am using with WSO2 is running under HTTP in a development environment. A cookie with samesite set to strict will soon be lost due to browser security udpates during the scheme change to WSO2 (HTTP to HTTPS). This cookie is required for a particular piece of functionality upon the redirect to the app I'm using.
I'd like to test SAML configuration in a non-HTTPS secured dev or testing environment with this app but cannot because I can't figure out how to disable HTTPS for the samlsso endpoint.
I've found tutorials on how to do this for the admin console, but that does not apply to other endpoints. I am using WSO2 version 6.0.0 at the moment but can update if necessary. Any help is appreciated.

Azure AD authentication with auth code, only if third party cookie is enabled

We are using Azure AD and have an application registered for authentication. The application is a ASP.net server side and Angular client side application. Initially this was setup with an implicit flow, but that rocked the web browsers cross site cookie protection. The authentication worked, but only if the browser was explicitly allowing third-party cookies.
Microsoft documentation specifies that Single Page Applications can overcome this issue when using Authentication Code Flow. To make this work we implemented angular-auth-oidc-client (instead of msal-angular which is yet to support auth code) with a configuration that is closely matching their provided sample program. The ASP.net application uses Microsoft.Identity.Web and its settings have been changed to have a code response type.
The Azure AD Application Registration was amended in line with the Microsoft documentation. I have included a screenshot of the page highlighting the implicit flow is disabled and the SPA Redirect URI is eligible for Authorization Code Flow with PKCE.
However when blocking third party cookies in the browsers, the authentication fails basis the CORS policy (Safari, Chrome and both in private browsing). When allowing third party cookies in the browsers the authentication is successful.
Question What could we investigate as the cause for not complying with the CORS policy?
Microsoft.Identity.Web configuration:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "organizations",
"ClientId": "removed_our_azure_ad_client_id",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath ": "/signout-callback-oidc",
"ResponseType": "code"
},
Based on the images you have shared the redirecturi http://localhost:5000 is for SPA applications and http://localhost:5000/signin-oidc is for web application.
But In your configuration file CallbackPath is for web application.
Authorization Code Flow with PKCE is designed to work only for single page applications. Please go through Prerequisites
Please use CallbackPath with URL given for SPA application to fix the issue.

Web API calls Authentication in WSO2 IS

I have tried searching for samples in implementing authentication using WSO2 Identity Server for web API calls residing in other servers but cant seem to find one. I can only find authentications on WSO2 IS API calls. Can you refer some links for examples or tutorials
You can get all the admin APIs using following way.
Start the server using -DosgiConsole flag, i.e. ./wso2server.sh -DosgiConsole or ./wso2server.bat -DosgiConosle
Then after the server start you will get the osgi console. Enter listAdminServices and you will get the list. ex:
osgi> listAdminServices
Admin services deployed on this server:
1. ProvisioningAdminService, ProvisioningAdminService, https://10.150.3.140:9443/services/ProvisioningAdminService/
All the commands such as listAdminServices are listed by typing help from the osgi console.
By default, these admin APIs are hides, you have to enable them. To do that, change <ESB_HOME>/repository/conf/carbon.xml file.
<!-- If this parameter is set, the ?wsdl on an admin service will not give the admin service wsdl. -->
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
Note: All servers expose Web Service APIs which can be used for to gain access to back end functionality.

Error Occurred when verifying security for the message in MonoTouch using BasicHTTPbinding with SSL

We are currently looking to use MonoTouch to develop a iPad app. We have an existing web service and client that connects fine, using basic httpbinding with a mProxy.Security.Mode of TransportWithMessageCredential (HTTPS).
We then add the client credentials using:
mProxy.ClientCredentials.UserName.UserName = "Username";
mProxy.ClientCredentials.UserName.Password = "P#ssword";
However when we migrate this code to MonoTouch its errors verifying the security. We looked at the raw message recieved in both the windows and monotouch version and the monotouch version does not have any security credentials. I've read we will have to build these in manually. Is that the proper approach? Is there an easier way, or am I missing an easier way to do this. Please advise.
As of today, MonoTouch does not support WCF's Message Security mode. They do mention that it is a work in progress.
I had the same requirement as you did and ended up following a recipe that uses basicHttpBinding, Transport security, basic credentials, and a custom HTTP module that uses the basic credentials in the HTTP "Authorization" header to authenticate a user (against the ASP.NET Membership Provider).
You can find implementation details here:
How To – Use Username Authentication with Transport Security in WCF from Windows Forms

401.2 error only with Anonymous Access

I have a web service which the home page is displayed and runs if I turn on Integrated Windows authentication. Now if I turn that off and Anonymous Access is on I can not even get to the wsdl page. I get the error
Access is denied.
Description: An error occurred while accessing the resources required to serve
this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration.
Verify that you have permission to view this directory or page based on the
credentials you supplied and the authentication methods enabled on the Web server.
Contact the Web server's administrator for additional assistance.
Version Information: Microsoft .NET Framework Version:2.0.50727.3625; ASP.NET
Version:2.0.50727.3634
The IIS I am working with is 5.1
I gave IUSER access to the directory, full control for now.
I am out of ideas. Thank you for your help
The root cause of this issue had to do with the website requiring Windows Authentication but the switch for HTTP-keep alive in the IIS Manager was unchecked.