IIS10 on Server2016 & Forcing Cookies to use SSL

  • Question

  • User-2110467856 posted

    Hi,

    I have a need to force a site to transmit cookies over SSL only.  I tried editing the web.config file for the site by adding

    <httpCookies requireSSL="true" />

    as I had read in some posts.  However, this just broke the site.

    What do I need to do?

    Thanks

    Wednesday, August 16, 2017 8:25 PM

All replies

  • User690216013 posted

    I have a need to force a site to transmit cookies over SSL only.

    What exactly is the error? If your whole site is not SSL enabled, merely setting this attribute won't help at all.

    Thursday, August 17, 2017 4:30 AM
  • User-460007017 posted

    Hi YourPublic1dentity,

    Could you provide the error message for the broken site? To force the cookies to use SSL, you also need to use SSL to secure the whole website. Please ensure your website has an https binding and SSL set up. Otherwise, requiring SSL only for the cookies will break the website. In addition, please ensure you are not using something like SSL offloading.

    Best Regards,

    Yuk Ding

    Thursday, August 17, 2017 5:31 AM
  • User-2110467856 posted

    Windows Update Services 12072, 12052, 12042, 12022, 1032, 12012, 12002, 13042, and the WSUS console will no longer connect to the service/server.

    Thursday, August 17, 2017 7:03 PM
  • User-2110467856 posted

    Yes, I have an SSL cert bound to the site on a separate port.

    Thursday, August 17, 2017 7:03 PM
  • User-460007017 posted

    Hi YourPublic1dentity,

    Is there any error message in the IIS log or failed request tracing log? In addition, where did you set httpCookies: site level or server level? You could also check whether WSUS supports this configuration.

    Best Regards,

    Yuk Ding

    Friday, August 18, 2017 8:59 AM
  • User-2110467856 posted

    Yuk Ding,

    Here are some IIS log clips from just after I made the change to the web.config of wsus.  Thank you.

    #Software: Microsoft Internet Information Services 10.0
    #Version: 1.0
    #Date: 2017-08-18 18:09:55
    #Fields: date time s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
    2017-08-18 18:09:55 server-name ::1 GET /selfupdate/iuident.cab - 8530 - ::1 HTTP/1.1 - - - server-name:8530 500 19 13 515
    2017-08-18 18:09:56 server-name ::1 POST /reportingwebservice/reportingwebservice.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:09:57 server-name ::1 POST /ApiRemoting30/WebService.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:09:58 server-name ::1 POST /ServerSyncWebService/serversyncwebservice.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:09:58 server-name ::1 POST /ClientWebService/Client.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 15
    2017-08-18 18:09:58 server-name ::1 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:09:58 server-name ::1 POST /DssAuthWebService/DssAuthWebService.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:09:58 server-name ::1 GET /Content/anonymousCheckFile.txt - 8530 - ::1 HTTP/1.1 - - - server-name:8530 500 19 13 0
    2017-08-18 18:11:12 server-name ::1 GET /selfupdate/iuident.cab - 8530 - ::1 HTTP/1.1 - - - server-name:8530 500 19 13 0
    2017-08-18 18:11:12 server-name ::1 POST /reportingwebservice/reportingwebservice.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 15
    2017-08-18 18:11:12 server-name ::1 POST /ApiRemoting30/WebService.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:11:12 server-name ::1 POST /ServerSyncWebService/serversyncwebservice.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 15
    2017-08-18 18:11:12 server-name ::1 POST /ClientWebService/Client.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:11:12 server-name ::1 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:11:12 server-name ::1 POST /DssAuthWebService/DssAuthWebService.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:11:12 server-name ::1 GET /Content/anonymousCheckFile.txt - 8530 - ::1 HTTP/1.1 - - - server-name:8530 500 19 13 0
    2017-08-18 18:12:43 server-name 10.10.2.219 POST /ClientWebService/client.asmx - 8531 - 10.10.2.217 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - server-name.domain.local:8531 500 19 13 46
    2017-08-18 18:18:47 server-name 10.10.2.219 POST /ReportingWebService/ReportingWebService.asmx - 8531 - 10.10.2.217 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - server-name.domain.local:8531 500 19 13 0
    2017-08-18 18:19:17 server-name 10.10.2.219 POST /ClientWebService/client.asmx - 8531 - 10.10.2.217 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - server-name.domain.local:8531 500 19 13 15
    2017-08-18 18:19:59 server-name ::1 GET /selfupdate/iuident.cab - 8530 - ::1 HTTP/1.1 - - - server-name:8530 500 19 13 0
    2017-08-18 18:19:59 server-name ::1 POST /reportingwebservice/reportingwebservice.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:19:59 server-name ::1 POST /ApiRemoting30/WebService.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:19:59 server-name ::1 POST /ServerSyncWebService/serversyncwebservice.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:19:59 server-name ::1 POST /ClientWebService/Client.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:19:59 server-name ::1 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:19:59 server-name ::1 POST /DssAuthWebService/DssAuthWebService.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
    2017-08-18 18:19:59 server-name ::1 GET /Content/anonymousCheckFile.txt - 8530 - ::1 HTTP/1.1 - - - server-name:8530 500 19 13 0
    2017-08-18 18:27:18 server-name 10.10.2.219 POST /ReportingWebService/ReportingWebService.asmx - 8531 - 10.10.2.217 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - server-name.domain.local:8531 500 19 13 0
    2017-08-18 18:29:10 server-name 10.10.2.219 POST /ReportingWebService/ReportingWebService.asmx - 8531 - 10.10.2.217 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - server-name.domain.local:8531 500 19 13 2

    Friday, August 18, 2017 6:40 PM
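Every request line in the log above ends in 500 19 13: HTTP 500, IIS substatus 19 (configuration data is invalid), Win32 status 13 (ERROR_INVALID_DATA), and it happens on the plain-HTTP port 8530 and the HTTPS port 8531 alike. The script below is an added example, not from the thread or from WSUS; it parses a W3C extended log using the #Fields directive, pulls out the 500.19 entries, and counts them per port so that pattern is visible at a glance. The sample text is a header plus three lines copied from the post above and one constructed 200 line so the filter has something to skip.

```python
"""Scan an IIS W3C extended log for HTTP 500.19 (invalid configuration) responses."""
from collections import Counter

# Sample log: header and three 500.19 lines copied from the post above, plus one
# constructed 200 line (not from the post) so the filter has something to skip.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-08-18 18:09:55
#Fields: date time s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2017-08-18 18:09:55 server-name ::1 GET /selfupdate/iuident.cab - 8530 - ::1 HTTP/1.1 - - - server-name:8530 500 19 13 515
2017-08-18 18:09:56 server-name ::1 POST /reportingwebservice/reportingwebservice.asmx - 8530 - ::1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - - server-name:8530 500 19 13 0
2017-08-18 18:12:43 server-name 10.10.2.219 POST /ClientWebService/client.asmx - 8531 - 10.10.2.217 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - server-name.domain.local:8531 500 19 13 46
2017-08-18 18:18:47 server-name 10.10.2.219 GET /Content/anonymousCheckFile.txt - 8531 - 10.10.2.217 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - server-name.domain.local:8531 200 0 0 3
"""


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive.

    W3C logs encode spaces inside a field as '+', so splitting on whitespace is
    safe. Lines whose token count does not match the declared field list are
    skipped rather than mis-attributed to the wrong columns.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_config_errors(text):
    """Return the entries whose status is 500.19 (IIS: configuration data is invalid)."""
    return [
        e for e in parse_w3c_log(text)
        if e.get("sc-status") == "500" and e.get("sc-substatus") == "19"
    ]


def errors_by_port(text):
    """Count 500.19 responses per listening port.

    When both the plain-HTTP and the HTTPS port show the same 500.19, IIS is
    rejecting the configuration itself; the transport is not what is failing.
    """
    return Counter(int(e["s-port"]) for e in find_config_errors(text))


if __name__ == "__main__":
    for entry in find_config_errors(SAMPLE_LOG):
        print(entry["date"], entry["time"], entry["s-port"], entry["cs-method"],
              entry["cs-uri-stem"], "win32=" + entry["sc-win32-status"])
    print(dict(errors_by_port(SAMPLE_LOG)))
```

Point the script at the real file under c:\inetpub\logs\LogFiles\W3SVC<n>\ instead of SAMPLE_LOG; a 500.19 count on both ports is the cue to look at the configuration (and, as suggested later in the thread, at the detailed 500.19 error page, which names the config file and line) rather than at the SSL binding.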
  • User-2110467856 posted

    Just to be clear, my requirement is simply to force session cookies to be encrypted for transmission.

    Friday, August 18, 2017 7:00 PM
  • User-2064283741 posted
    You have a 500.19 error. You have something wrong with your config files. Turn on detailed error messages for your site and open it up in the browser to see the line number where it occurs.
    Friday, August 18, 2017 8:15 PM
  • User-2110467856 posted

    I tried https://blog.martincostello.com/ensuring-your-asp-net-website-is-secure/

    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="Redirect to HTTPS" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                <add input="{HTTP_HOST}" negate="true" pattern="localhost" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>

    but got the same result

    Friday, August 18, 2017 8:23 PM
  • User-2064283741 posted
    Have you installed the urlrewriting module?
    Friday, August 18, 2017 8:52 PM
  • User-2110467856 posted

    Rovastar,

    Thanks for looking in.  Yes, I have the url-rewriting module installed.  I have the 500.19 because I tried to insert the statement

    <httpCookies requireSSL="true" />

    into the web.config file.  Apparently this statement is no longer valid in IIS 10/Server 2016.  What I need is to find a way to force all cookies to be sent over SSL that is valid for IIS10/Server 2016.

    Thanks again

    Thursday, August 24, 2017 4:45 PM
  • User-460007017 posted

    Hi YourPublic1dentity,

    Did you access the website with https? If you are running with https it should not return 500.19. But if you access the site via http with httpCookies requireSSL set, then it could return 500.19.

    Best Regards,

    Yuk Ding

    Tuesday, August 29, 2017 2:55 AM
  • User-2064283741 posted
    To be honest, if your whole site is https anyway, there is very little need to force cookies to be SSL only.
    Tuesday, August 29, 2017 9:45 PM
  • User212314535 posted

    You could try changing <httpCookies requireSSL="true" /> to <httpCookies requireSSL="false" />.

    Thursday, September 7, 2017 4:08 AM
  • User1681401606 posted

    Have you found a resolution to this issue?  We have a new 2016 RDS solution with 2016 IIS and are having the same issue.  We failed a PCI scan for HTTPONLY cookies on our /RDWeb/Pages URL.  When we add httpCookies requireSSL = true, the site no longer functions.  Specifically with the error: Cookies must be enabled on the browser (note: cookies are enabled).

    I have an open MS support incident(REG:117110216601629), but they have not been anywhere even close to being able to help.  They have been able to reproduce the error, but no solution.

    Thanks

    -Rich

    Wednesday, November 22, 2017 4:44 PM
  • User690216013 posted

    Like others commented, you need to show clearly the 500.19 error page, so as to locate the cause.

    The httpCookies tag is supported by IIS 10, so if you get an error, you probably put the tag in the wrong place.

    Wednesday, November 22, 2017 6:20 PM
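The "wrong place" check above can be done mechanically. httpCookies is an ASP.NET element and is only valid under configuration/system.web; IIS has no schema for it under system.webServer and answers 500.19 for the whole site. The following is an added example, not part of the thread and not something shipped with IIS or RDWeb: it parses a web.config, verifies where httpCookies sits, and reports whether requireSSL (the Secure flag) and httpOnlyCookies (the HttpOnly flag) are on, plus whether a Forms authentication cookie has requireSSL. The two sample documents are constructed: one with the element misplaced, one modeled on the RDWeb system.web section posted below.

```python
"""Check placement and values of <httpCookies> and <forms requireSSL> in an ASP.NET web.config."""
import xml.etree.ElementTree as ET

# Constructed sample: httpCookies placed under system.webServer, where IIS does
# not know the element. This is one way to end up with a 500.19 for every request.
WRONG_PLACE = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <httpCookies requireSSL="true" />
  </system.webServer>
</configuration>
"""

# Constructed sample modeled on the RDWeb web.config shown in this thread:
# element in the right place, Secure flag on, HttpOnly flag still off.
CORRECT_PLACE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
    <httpCookies domain="" httpOnlyCookies="false" requireSSL="true" />
  </system.web>
</configuration>
"""


def _parent_map(root):
    """ElementTree has no parent pointers; build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def audit_cookie_settings(config_xml):
    """Return a list of findings; an empty list means the cookie settings look right.

    Checks:
      * each <httpCookies> has <system.web> directly under <configuration> as parent
      * httpCookies requireSSL="true"  (emits the Secure flag on ASP.NET cookies)
      * httpCookies httpOnlyCookies="true"  (emits the HttpOnly flag)
      * <forms> under <authentication mode="Forms"> has requireSSL="true"
    """
    root = ET.fromstring(config_xml)
    parents = _parent_map(root)
    findings = []

    cookies = list(root.iter("httpCookies"))
    if not cookies:
        findings.append("no <httpCookies> element: cookies are not required to use SSL")
    for el in cookies:
        parent = parents.get(el)
        misplaced = (parent is None or parent.tag != "system.web"
                     or parents.get(parent) is not root)
        if misplaced:
            where = parent.tag if parent is not None else "(root)"
            findings.append(f"<httpCookies> is under <{where}>; it belongs under <configuration>/<system.web>")
        if el.get("requireSSL", "false").lower() != "true":
            findings.append("httpCookies requireSSL is not true")
        if el.get("httpOnlyCookies", "false").lower() != "true":
            findings.append("httpCookies httpOnlyCookies is not true")

    for auth in root.iter("authentication"):
        if auth.get("mode", "").lower() != "forms":
            continue
        for forms in auth.iter("forms"):
            if forms.get("requireSSL", "false").lower() != "true":
                name = forms.get("name", ".ASPXAUTH")
                findings.append(f"forms auth cookie '{name}' does not require SSL")
    return findings


if __name__ == "__main__":
    for label, doc in (("misplaced", WRONG_PLACE), ("rdweb-style", CORRECT_PLACE)):
        print(label, audit_cookie_settings(doc) or ["ok"])
```

Run it against the site's web.config before touching the server; it tells you about placement and attribute values only. It cannot predict runtime behaviour such as the "cookies disabled" message RDWeb shows later in this thread, which needs the detailed error page or a request trace.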
  • User1681401606 posted

     I will check for the IIS logs this afternoon when I am onsite for the 500.19.  Here is the system.web section of the web.config file.  Note the last line is inserted at the location that seemed appropriate.  MS also confirmed that the syntax/location was correct.  It is currently set to False as that is the only way the production webpage will load.  If we set it to True as required by the PCI scan, the webpage stops functioning.  Note:  Except for the one line we added, this is the default web.config created by the RDWeb installation.

      <system.web>
        <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
        <!--
            To turn on Windows Authentication:
                - uncomment <authentication mode="Windows"/> section
                - and comment out:
                1) <authentication mode="Forms"> section.
                2) <modules> and <security> sections in <system.webServer> section at the end of the file.
                3) Optional: Windows Authentication will work in https.  However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
                   Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
                   click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.
        -->

        <!--
        <authentication mode="Windows"/>
        -->
        <authentication mode="Forms">
          <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
        </authentication>

        <webParts>
          <personalization defaultProvider="TSPortalProvider">
            <providers>
              <add name="TSPortalProvider" type="Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider" />
            </providers>
            <authorization>
              <allow users="*" verbs="enterSharedScope">
              </allow>
            </authorization>
          </personalization>
        </webParts>
        <httpRuntime targetFramework="4.5" />
        <httpCookies domain="" httpOnlyCookies="false" requireSSL="true" />
      </system.web>

    Wednesday, November 22, 2017 6:30 PM
  • User690216013 posted

    The actual 500.19 detailed error page is required so as to locate what's exactly the culprit. The error and the line number can be easily read from the page.

    Wednesday, November 22, 2017 8:45 PM
  • User1681401606 posted

    Not sure if I am looking at the wrong log or not, but c:\inetpub\logs\w3svc1 shows the following when we attempt to connect:

    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages - 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 301 0 0 25
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages/ - 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 302 0 0 29
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages/en-US/Default.aspx - 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 302 0 0 92
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 200 0 0 37
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 - 200 0 0 36
    2017-11-22 21:47:17 192.168.1.225 GET /favicon.ico - 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 302 0 0 31
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb - 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 301 0 0 36
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages - 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 301 0 0 31
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages/ - 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 302 0 0 41
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages/en-US/Default.aspx - 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 302 0 0 26
    2017-11-22 21:47:17 192.168.1.225 GET /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 23.30.34.202 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 https://remote.nelson-kennard.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 200 0 0 30

    Wednesday, November 22, 2017 9:55 PM
  • User1681401606 posted

    Below is what we see when connecting.  If I turn the HTTPONLY to False the site works.  (I tried a screenshot, but this interface would not let me upload it.)

    Your browser has cookies disabled. Go to your browser's settings to enable cookies.

    Wednesday, November 22, 2017 9:59 PM
  • User-1166160987 posted

    Hi,

    I have the same issue. We have deployed RD Web Access. Once we enable the HttpOnly cookie, the site breaks, saying cookies must be enabled in the browser. Do you have any resolution for this?

    Regards,

    Anuja 

    Wednesday, January 16, 2019 3:27 PM
  • User1681401606 posted

    Microsoft support basically said this is working as designed.  In order to get around the issue we blocked inbound port 80 on the firewall to the gateway/broker, therefore all cookies are forced through the SSL port.  Our auditors accepted this solution as well.

    Thanks

    -Rich

    Wednesday, January 16, 2019 4:58 PM
  • User-1166160987 posted

    Hi,

    RD Web Access is already on https and inbound port 80 is also blocked. So you mean to say that after enabling the HttpOnly cookie this is the expected behavior from Microsoft?

    Is there any other way to achieve this as incoming port 80 is already blocked.

    Thank you.

    Anuja

    Thursday, January 17, 2019 4:59 AM
  • User1681401606 posted

    There is no other way we have found to achieve it; if you set the HTTPONLY setting, the site will always fail.  Microsoft stated that if it is set to the default, the site will work over SSL, and the cookies are delivered that way because it is the open port.

    I have attached the txt from the MS support engineer below.

    "Hello Rich,

    I checked for the articles with internal teams but we do not have any public article for the same.

    At this point since we are able to repro this and based on our internal database this is by design.

    We confirm that our RDWEB is configured to work on HTTPS.

    Security of cookies is an important subject. HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS. Mar 6, 2014

    Securing Cookies with HttpOnly and secure Flags - InfoSec Resources

    //resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/

    Unfortunately there is no public article that we can share with you however you can consider this email as a confirmation from our side.

    Regards

    Shirish"

    Thursday, January 17, 2019 5:14 PM
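The PCI finding earlier in the thread and the support reply above are both about two attributes on the Set-Cookie header: Secure (what httpCookies requireSSL and forms requireSSL emit) and HttpOnly (what httpOnlyCookies emits). Blocking port 80 keeps the cookie off plaintext connections but does not add the Secure attribute, which is what a scanner reads. The following added example (not from the thread, Microsoft or any scanner vendor) parses Set-Cookie headers the way such a check does and reports what is missing per cookie. The sample headers are constructed; ASP.NET_SessionId is the standard ASP.NET session cookie name, TSWAAuthHttpOnlyCookie is the forms cookie name from the RDWeb config posted above, and PrefLang is a made-up cookie with no flags at all.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes a scanner looks for."""
from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    attributes: dict = field(default_factory=dict)

    def problems(self, over_https=True):
        """List what a cookie-flag check would flag for this cookie."""
        out = []
        if not self.secure:
            out.append("missing Secure")
        if not self.httponly:
            out.append("missing HttpOnly")
        if not over_https:
            # Secure or not, a cookie set on a plaintext response already crossed the wire in clear.
            out.append("set on a plaintext response")
        return out


def parse_set_cookie(value):
    """Parse one Set-Cookie header value into a CookieReport.

    The first 'name=value' pair is the cookie itself; the remaining ';'-separated
    parts are attributes. Secure and HttpOnly are bare flags (no '='), matched
    case-insensitively; Path, Domain, Expires and friends keep their values.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    flags = set()
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            flags.add(part.lower())
    return CookieReport(name, "secure" in flags, "httponly" in flags, attrs)


def audit_response(headers, over_https):
    """Return {cookie_name: [problems]} for every Set-Cookie in a (name, value) header list.

    over_https says which binding the response came from; a cookie set over HTTP
    is reported even when its attributes are otherwise correct.
    """
    report = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        report[cookie.name] = cookie.problems(over_https)
    return report


# Constructed sample response headers (not a real capture). Cookie names: the
# ASP.NET default session cookie, the RDWeb forms cookie named in this thread,
# and a hypothetical preference cookie with no attributes set.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "TSWAAuthHttpOnlyCookie=xyz; path=/RDWeb; secure; HttpOnly"),
    ("Set-Cookie", "PrefLang=en-US; path=/RDWeb"),
]

if __name__ == "__main__":
    for name, issues in audit_response(SAMPLE_HEADERS, over_https=True).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

In practice you feed it the headers of a real response to the login page over the HTTPS binding (and, if port 80 is still open, over the HTTP binding as well) and fix whichever cookie comes back with a non-empty list; a cookie that only passes because the HTTP port is firewalled will still show "missing Secure" here, which is what the scanner saw.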