Archive for the ‘ADX’ Category

ADX Portal – Forgot Password – ‘Invalid Party Object Type’ Error

February 21, 2020

A few of our ADX portal users encountered an unhandled exception while resetting their password using the native ‘Forgot Password’ feature.


Reason:

  • It is a sporadic issue affecting only a few portal users.
  • When we checked the ‘Event Viewer’ logs on the portal’s web server, we found a warning carrying the ‘Invalid Party Object Type 9’ exception message.


  • In CRM, ‘Object Type 9’ denotes the OOB ‘Team’ entity, and the issue turned out to be with the ‘From’ field of the ‘Send Password Reset To Contact’ ADX process.
  • In our requirement, we were setting the ‘From’ field of the ‘Send Password Reset To Contact’ process to the owner of the ‘Portal User’ (i.e., the Contact).
  • Portal users (i.e., Contacts) owned by Teams hit this issue when triggering ‘Forgot Password’, because an email cannot be delivered when a ‘Team’ is set as the ‘From’.

Fix:

  • We modified the ‘Send Password Reset To Contact’ process by setting the ‘From’ field to a ‘System User’ with a mailbox enabled. This ensures that no ‘Team’ ever ends up in the ‘From’ field.


🙂

ADX Portal – Display ‘Message’ during maintenance window

February 14, 2020

There might be times when your portal is under scheduled maintenance or is down due to a temporary outage. If users access the portal during that window, they may experience unpredictable behavior and intermittent unavailability.

In the ADX portal you can display a message to users during a maintenance activity by following these steps:

  • Create an HTML page with the message you want to display.
  • Save it as ‘App_Offline.htm’.
    • Make sure the file name is exactly this.
  • Place the file in the root folder of the ADX website.


  • ADX always serves the ‘App_Offline.htm’ page if it finds one in the root folder. (This is a feature of the ASP.NET runtime that hosts the website: while the file is present, the application is taken offline and every request receives the file’s contents with a 503 status.)
  • Hit the portal URL and you will get the ‘App_Offline.htm’ page, which displays your maintenance message. Delete or rename the file to bring the portal back online.


🙂


ADX Portal – Prevent URL redirection

January 28, 2020

Recently our ADX portal underwent penetration testing (also called ‘ethical hacking’) and we received the following recommendation:

Prevent on-domain URL redirection. All URL redirection should be validated to only redirect to approved domains and/or URLs.

Reason:

  • In the ADX portal, whenever you sign out of (or your session expires on) a particular web page, the portal takes you back to the web page you were on before you signed out.
  • The ADX portal achieves this by appending a ‘ReturnURL’ parameter to the URL; ‘ReturnURL’ contains the path of the web page you were on before you signed out.


What is the harm in this behavior?

  • The ADX portal will try to redirect to whatever URL is present in ‘ReturnURL’.
  • An attacker can therefore redirect users from the portal to a URL of their choosing (phishing).
    • As an example, an attacker can mail you a link containing the portal URL along with ‘ReturnURL?myphishingsite.com’.
    • If the user thinks it is a genuine portal URL and signs in, the ADX portal redirects them to myphishingsite.com, because that is what ‘ReturnURL’ specifies.

How did we handle this in the ADX website?

  • We modified the ‘Login’ logic to ignore ‘ReturnURL’ and always redirect users to the portal’s home page.
  • All we need to do is:
    • Set returnUrl = "/" in the ‘Login’ function of ‘LoginController.cs’.


  • We can also modify the logic to allow redirection only to an approved set of URLs.
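The allow-list variant, as an added example (this is not Adxstudio/ADX code and not what the post deployed): a helper that accepts a site-relative path or an https URL on an approved host and falls back to the home page for everything else. The class and method names and the allow-listed host ‘portal.example.com’ are assumptions; the sample inputs are constructed.

```csharp
// Added example (not Adxstudio/ADX code): validate the ReturnUrl value before the
// portal redirects to it. Intended to be called from the Login action in
// LoginController.cs mentioned above; the names below are hypothetical.
using System;
using System.Collections.Generic;

public static class ReturnUrlValidator
{
    // Hosts the portal may redirect to (constructed sample value).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "portal.example.com" };

    // Returns a safe redirect target: the validated ReturnUrl, or "/" (home)
    // when the value is missing, malformed or points off-site.
    public static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return "/";
        returnUrl = returnUrl.Trim();

        // Site-relative path: accept exactly one leading "/". "//host" and "/\host" are
        // protocol-relative URLs that browsers resolve to another host, so reject them.
        if (returnUrl[0] == '/')
        {
            if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\'))
                return "/";
            return returnUrl;
        }

        // Absolute URL: accept only https and only allow-listed hosts.
        Uri uri;
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && AllowedHosts.Contains(uri.Host))
            return uri.AbsoluteUri;

        // Anything else ("myphishingsite.com", "http://...", "javascript:...") goes home.
        return "/";
    }

    public static void Main()
    {
        // Constructed inputs: values a ReturnUrl query parameter might carry.
        string[] samples =
        {
            "/contact-us",                          // accepted as-is
            "https://portal.example.com/profile",   // accepted: allow-listed host
            "myphishingsite.com",                   // rejected: not an absolute URL
            "//myphishingsite.com/login",           // rejected: protocol-relative
            @"/\myphishingsite.com",                // rejected: backslash variant
            "https://myphishingsite.com/login",     // rejected: host not allow-listed
            "http://portal.example.com/profile"     // rejected: not https
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-40} -> {1}", s, SafeReturnUrl(s));
    }
}
```

Where the post sets returnUrl = "/" in LoginController.Login, you would instead assign returnUrl = ReturnUrlValidator.SafeReturnUrl(returnUrl). ASP.NET MVC also ships a built-in check for the relative-path part of this, Url.IsLocalUrl(returnUrl); the helper above adds the host allow-list on top of the same idea.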

🙂


Obsolete Secure Communications Protocol Supported – InfoSec – Fix

December 9, 2019

Last week our web application (i.e., the ADX portal website) underwent penetration testing (also called ‘ethical hacking’) and we received the following recommendation:

Disable all affected protocols identified above. If possible, implement TLSv1.3, or TLSv1.2 otherwise.

Reason:

  • On our application’s web server (IIS), the TLSv1.0 and TLSv1.1 protocols were enabled.
  • TLSv1.0 and TLSv1.1 were deprecated by the major browsers as of Q1 2019 and will be disabled completely in early 2020.

Fix:

  • We used the IIS Crypto tool to disable the TLSv1.0 and TLSv1.1 protocols.
  • IIS Crypto is a free tool that lets administrators enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows servers.
  • Download the IIS Crypto GUI tool onto the Windows server where your application is hosted.


  • Open the tool and un-check the TLSv1.0 and TLSv1.1 options.


  • You must restart the server for the changes to take effect.
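To confirm the result after the restart, here is an added check (not part of the post and not from IIS Crypto): a small .NET Framework console program that reads the SCHANNEL protocol keys in the registry, which is where IIS Crypto records its protocol choices, and reports the server-side state of each version. It only reads HKLM and must run on the web server itself; the class and method names are hypothetical.

```csharp
// Added example: audit the server-side SCHANNEL protocol settings that IIS Crypto
// writes, so the "TLS 1.0/1.1 disabled" state can be verified after the restart.
// Read-only; needs no elevation for HKLM reads. Names below are hypothetical.
using System;
using Microsoft.Win32;

public static class SchannelAudit
{
    // Registry location of the per-protocol Client/Server settings.
    private const string ProtocolsPath =
        @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";

    // Describes the server-side configuration of one protocol version.
    // A missing key means nothing is configured and the OS default for that
    // Windows version applies (on older servers that means TLS 1.0/1.1 are on).
    public static string ServerState(string protocolName)
    {
        using (var key = Registry.LocalMachine.OpenSubKey(
            ProtocolsPath + @"\" + protocolName + @"\Server"))
        {
            if (key == null)
                return protocolName + ": not configured (OS default applies)";

            // IIS Crypto disables a protocol by writing Enabled=0 and DisabledByDefault=1.
            // Enabled=0 is what actually switches the protocol off; DisabledByDefault=1
            // only stops applications from selecting it implicitly.
            int enabled = Convert.ToInt32(key.GetValue("Enabled", 1));
            int disabledByDefault = Convert.ToInt32(key.GetValue("DisabledByDefault", 0));

            return string.Format("{0}: Enabled={1}, DisabledByDefault={2} -> {3}",
                protocolName, enabled, disabledByDefault,
                enabled == 0 ? "DISABLED" : "ENABLED");
        }
    }

    public static void Main()
    {
        foreach (var name in new[] { "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2" })
            Console.WriteLine(ServerState(name));
    }
}
```

Expect ‘TLS 1.0’ and ‘TLS 1.1’ to show Enabled=0 and ‘TLS 1.2’ to remain enabled. Because the registry only tells you what the server is configured to do, pair this with a TLS scan from outside the server once the portal is back up, and check beforehand that no integration or legacy client still depends on the protocols you are removing.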

🙂


BotDetect Captcha – 404 error – images are not loading

November 29, 2019

Recently we used the BotDetect libraries in our ASP.NET MVC application to generate CAPTCHAs.

After completing all the configuration steps, the CAPTCHA images were not showing up on the web page.


Using the browser’s F12 developer tools, we could see that the CAPTCHA image requests were failing with 404 (i.e., Not Found) status codes.


Fix:

  • The issue in our case was that all BotDetect requests were being routed through MVC, which they should not be.
  • Add the statement below to your project’s ‘RouteConfig.cs’ file; it excludes the BotDetect requests from MVC routing.

// BotDetect requests must not be routed through MVC; the BotDetectCaptcha.ashx handler serves them directly.
routes.IgnoreRoute("{*botdetect}", new { botdetect = @"(.*)BotDetectCaptcha\.ashx" });


  • Rebuild the project and run it, and the CAPTCHA should now render.


Refer to the article for the steps to configure CAPTCHA in an MVC application.

🙂


ADX Portal – Prevent unauthorized access of custom pages

November 26, 2019

For one of our requirements, we built a custom .aspx page and placed it under the ‘Areas’ folder of the OOB ADX website’s ‘MasterPortal’ project.


Issue:

  • The .aspx page was accessible without signing in to the portal, using the following URL convention:
    • https://base_portal_url/Areas/folderName/Pages/filename.aspx

Fix:

  • In the Page_Load of the aspx page, check whether the request comes from an authenticated user.
  • If the request is unauthenticated, set the 401 (i.e., Unauthorized) status code on the Response object and redirect to the portal’s ‘SignIn’ page.
  • Below is the code snippet to place in the aspx page’s ‘Page_Load’ event, which redirects unauthenticated requests to the portal’s ‘SignIn’ page.

protected void Page_Load(object sender, EventArgs e)
{
    // Request.IsAuthenticated is true only when the portal's authentication
    // pipeline has established a user identity for this request.
    if (!Request.IsAuthenticated)
    {
        // Return 401 (Unauthorized) and stop processing the page. The portal's
        // cookie authentication middleware turns the 401 into a redirect to the
        // configured 'SignIn' page, which is the redirect described above.
        // Note: Response.End() ends the request by raising a ThreadAbortException,
        // so nothing after it in this method runs.
        Response.StatusCode = 401;
        Response.End();
    }
}

🙂


ADX/Dynamics portal – Setting up password policies

November 21, 2019

If you want to enforce a password policy (i.e., a certain length, at least one digit, etc.) during portal registration, the following entries need to be added to the ‘Site Settings’ entity.


Name                                                                  Value
Authentication/UserManager/PasswordValidator/AlphanumericUserNames    TRUE
Authentication/UserManager/PasswordValidator/RequireDigit             TRUE
Authentication/UserManager/PasswordValidator/RequiredLength           9
Authentication/UserManager/PasswordValidator/RequireLowercase         TRUE
Authentication/UserManager/PasswordValidator/RequireNonLetterOrDigit  TRUE
Authentication/UserManager/PasswordValidator/RequireUppercase         TRUE
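To make the meaning of each setting concrete, here is an added stand-alone example (not ADX code and not how the portal reads Site Settings): a small class with one property per password rule above that reports which rules a candidate password fails. The class name, method name and sample passwords are constructed; AlphanumericUserNames concerns the user name rather than the password, so it is not modelled here.

```csharp
// Added example, not Adxstudio/ADX code: re-implements the rules behind the
// PasswordValidator site settings listed above so you can see which rule a
// candidate password trips. Names and sample passwords are constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public class PasswordPolicy
{
    // One property per site setting; defaults mirror the values in the table.
    public int RequiredLength { get; set; } = 9;
    public bool RequireDigit { get; set; } = true;
    public bool RequireLowercase { get; set; } = true;
    public bool RequireUppercase { get; set; } = true;
    public bool RequireNonLetterOrDigit { get; set; } = true;

    // Returns the names of the rules the password fails; an empty list means it passes.
    public IList<string> Validate(string password)
    {
        var failures = new List<string>();
        password = password ?? string.Empty;

        if (password.Length < RequiredLength)
            failures.Add("RequiredLength (" + RequiredLength + ")");
        if (RequireDigit && !password.Any(char.IsDigit))
            failures.Add("RequireDigit");
        if (RequireLowercase && !password.Any(char.IsLower))
            failures.Add("RequireLowercase");
        if (RequireUppercase && !password.Any(char.IsUpper))
            failures.Add("RequireUppercase");
        // "Non letter or digit" means at least one symbol such as '!' or '@'.
        if (RequireNonLetterOrDigit && password.All(char.IsLetterOrDigit))
            failures.Add("RequireNonLetterOrDigit");

        return failures;
    }

    public static void Main()
    {
        var policy = new PasswordPolicy();
        // Constructed sample passwords: three that fail at least one rule, one that passes.
        foreach (var candidate in new[] { "password", "Password1", "P@ssw0rd", "Str0ng!Pass" })
        {
            var failures = policy.Validate(candidate);
            Console.WriteLine(failures.Count == 0
                ? candidate + ": OK"
                : candidate + ": fails " + string.Join(", ", failures));
        }
    }
}
```

With the table's values, "password" fails length, digit, uppercase and symbol; "Password1" fails only the symbol rule; "P@ssw0rd" fails only the nine-character length; "Str0ng!Pass" passes. Running candidates through a checker like this before changing the Site Settings lets you confirm the policy is as strict as intended without locking out registrations by accident.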

If the password does not meet any of the configured settings, you get the OOB validation error, as follows:


For more ‘Authentication’ related settings, refer to the article.

Refer to this article for portal client scripting.

🙂