HTTP Commander common FAQ
Windows authentication version related questions
How can I update my existing installation with the latest version without losing config and settings?
Answer: Please refer to the Upgrade section of the documentation.
I got a "Request for the permission of type 'System.Web.AspNetHostingPermission..." error
Answer: The problem is related to Windows Server security.
You need to unblock the HTTPCommanderAJSx.x.x.zip (distribution archive) file because it came from another PC (Internet), and then extract it to the HTCOMNET folder again.
Restart the application after this (close the w3wp.exe process).
See the Installation section for how to unblock files.
I got a "Compilation Error ... Compiler Error Message: CS1501: No overload for method 'AsHash' takes 0 arguments" error.
Answer: You must add a system.codedom section to the Web.config file with the latest version of the compiler.
See the Update Manual.
After auto-upgrade, I got a "Compilation Error ... Compiler Error Message: CS0009: Metadata file '...' could not be opened -- Illegal tables in compressed metadata stream." error.
I got a "Could not find part of the path '...\bin\roslyn\csc.exe'" error.
Answer: You must copy the bin\roslyn folder from the distribution
to the bin folder with the HTTP Commander application installed.
I can't install the application. Is there anybody who can help me?
Answer: You can run Diagnostics and look for known problems.
If you can't run the application or configure folders, we offer free installation assistance for both trial and commercial licenses.
You can get help via email, instant messenger or via remote access to your server.
You only need a few minutes to get online help.
How can I restart the application?
Answer: To restart the application, click the "Restart" button in the Admin panel.
You can also restart the application by making some change in the Web.config file (e.g. add a space in any comment). The application will restart automatically.
For full application restart (only if you have some system errors!):
How can I change the logo or top header?
Answer: You can add a logo to the toolbar or to the top panel (at the top of the file manager window).
Click here to read more about setting your logo.
How do I brand the e-mail used for sending public links?
How does HTTP Commander control the user count?
Answer: HTTP Commander controls the user session count and unique user names.
A new session is created for every visitor. Each user can have a few sessions if they don't click the logout button. But after 1 hour, the session is closed automatically.
To terminate existing sessions yourself, you need to restart the application.
How can I use HTTP Commander with SSL?
Answer: HTTP Commander works both with http and https protocols.
The http protocol works out of the box.
To enable https protocol, you need to install an SSL certificate on IIS.
The instructions below describe how to order a certificate
from a globally recognized certificate authority (recommended option)
and how to create a self-signed certificate.
A self-signed certificate will allow you to use the https protocol,
but the web browser will warn that
the certificate is not valid since it comes from an unknown authority.
To get a certificate that passes verification, you need to either order a certificate at
a globally recognized certificate authority, or establish a trusted authority
inside your corporate network.
Order certificate at a globally recognized certificate authority
As an example we consider ordering a certificate at Thawte. You may choose any other authority you trust.
- Select a certificate for your web site: SSL certificates.
- Generate a Certificate Signing Request as described in Key and CSR Generation Instructions. You'll need it later.
- Click the Buy button to order the chosen certificate. You'll fill out a number of web forms in the process. At one step you'll have to specify the Certificate Signing Request.
- Track the status of the certificate in Thawte Certificate Center.
- Install the SSL certificate according to Thawte manual.
- Backup the certificate (optional).
Install Self-Signed certificate
- Open IIS manager, select the server node in the connections tree
- Open the Server Certificates feature
- On the actions pane click the "Create Self-Signed Certificate" link
- Specify a friendly name of the certificate in the opened dialog box. That may be any name. Click the OK button.
- The certificate is created, you should see it in the Server Certificates list.
- Select the web site that contains HTTP Commander in the connection tree
- Click the Bindings link on the actions pane
- In the Site Bindings dialog click the Add button.
- Select https protocol in the type box in the "Add Site Binding" dialog box
- Select the SSL certificate you created earlier in the "SSL certificate" box
- Change any other settings in the dialog box, if changes are needed, click the OK button.
- Click the Close button to close the Site Bindings dialog.
- You're done now, you can use the https protocol to connect to HTTP Commander.
A self-signed certificate is untrusted by definition.
The web browser will warn you about the problem when
you try to open a web site with untrusted certificate.
WebDAV over https with an invalid certificate works unreliably.
While the web browser will warn you about the problem and allow you to proceed, WebDAV may refuse to connect to the web folder with a misleading error message.
You may circumvent the problem by installing the self-signed certificate into the trusted authorities container on the client machine.
Install untrusted certificate into trusted authorities container
- Open Edge (or IE) with administrative rights.
- Open the target site using https.
- Confirm that you want to proceed in spite of the security problem.
- Click the "Certificate Error" security report on the address bar, then click the "View certificates" link in the pop-up window.
- Click the "Install Certificate" button in the certificate properties window.
- Click "Next" in the Certificate Import Wizard. On the next step, "Certificate Store", select "Place all certificates in the following store", and in the "Certificate store" field select "Trusted Root Certification Authorities". Click "Next".
- Click Finish to close the Certificate Import Wizard.
Can the first loading process be faster?
Answer: HTTP Commander has an AJAX and 100% JavaScript interface, so it works rather quickly, like a local application.
When a visitor logs on to HTTP Commander for the first time, it takes some time to load *.js, *.css and *.svg (image/svg+xml mime type) files.
Such files are stored in the browser cache for some months, so the next logons will be much quicker.
HTTP Commander has caching enabled by default for the /Images and /Scripts folders and for the styles.css and styles-min.css files.
Max-Age is used to control caching of these resources and it is set to 365 days by default.
Caching is not enabled for the whole application to prevent caching of downloaded files.
If you want to disable caching, you need to find and remove the following sections from the web.config file:
Please note that the profiles of the caching section are cleared to make IIS correctly send the Cache-Control header in the response. If this section is not cleared, IIS still adds the no-cache attribute to the Cache-Control header.
You can make even the first loading process faster if you enable gzip compression in the IIS settings.
With gzip enabled, the loading is 4-5 times faster.
You need to enable gzip for static and dynamic content (*.js, *.css and *.svg (image/svg+xml mime type) files).
See the article on how to enable compression in IIS.
Download the trial HTTP Sniffer to test if the compression works successfully.
Can I make the application faster (increase performance)?
Answer: Yes. There are a few things that can help you make the application faster.
You can do all or just some of them:
- It is recommended to enable gzip compression.
- You can set up content expiration for the Images\ folder so images will be loaded for the user once and "if-modified" requests will not be sent again during the next logon. This can increase performance in some cases because the application uses many images. To set up content expiration, expand the HTCOMNET\Images\ folder, then in the right panel open "HTTP Response Headers". Choose the action Set Common Headers... and set content expiration to the year 2028 (for the nearest 10 years).
- You can disable the tree view or make it not auto collapsible. This makes the application faster because no requests for tree updates are needed. To disable the tree, set the HideTree parameter in the Application settings to "false" or set the TreeView parameter value to NotAutoExpandable.
- Don't use a lot of columns for the files grid in the DisplayedDefaultColumnsInList parameter of the Application settings. Rendering the files grid takes some time on the user's side if there are many files in the folder.
- Note! Don't test application performance with IE 11. This version works ineffectively with JavaScript and HTML objects. More popular browsers like Chrome, Firefox, Edge are a few times faster.
Loading of folders/files list is very slow (especially for a network folder) and takes several seconds.
It could be related to the usage of NTFS alternate streams by HTTP Commander to store/read custom metadata on files and folders.
They are used to store such information as Labels, Comments, File history, download counts and custom details fields.
By default HTTP Commander is configured to display in the file list some information stored in metadata for each file, e.g. the existence of comments or other metadata and labels.
If you do not plan to use the mentioned functionality, feel free to disable it by configuring the following parameters:
Configuring these parameters is enough to disable the loading of metadata for each file while the file list for a folder is loaded, which may significantly speed up loading for network folders.
You will still be able to see the download count (if download counting is enabled), comments, description and other custom metadata fields in the file properties window and in the file details panel.
If I map a folder I get the error "The folder you entered does not appear to be valid..."?
Answer: First, try to map the folder "https://demo.element-it.com/windows/hcwebdav" (without quotes).
If it doesn't show the error and asks for credentials, then it works (you can use demo/demo credentials).
If mapping the demo folder works but your application link cannot be mapped, then the problem is with the application or WebDAV configuration.
Check the web folders mapping setup or contact us.
You cannot map folders in a Server OS like Windows 2008, 2012, 2016 or 2019 by default.
So, please test mapping from a non-server PC.
For Servers 2008, 2012, 2016, 2019:
Click Start → Administration Tools → Server Manager → Features → Add Features → check WebDAV Redirector (or Desktop Experience for Windows 2008-2012) and click the Next and Install buttons.
I got an "Access to path '...' is denied" error.
Answer: The problem is related to the NTFS permissions.
Check the NTFS permissions for HTCOMNET, data and your main content folders.
See the NTFS Permissions section of the Documentation.
I got a "The page cannot be found" error (error 404) when I open http://localhost/HTCOMNET/default.aspx or any other page.
Answer: If you are sure that the path http://localhost/HTCOMNET/default.aspx
exists but you are still getting the error, it means that the IIS doesn't execute ASP.NET code.
This problem occurs if your IIS was installed after the .NET Framework installation.
Reinstall the .NET Framework (v4.7.2 or above)
or execute the following commands as administrator:
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i
and (for 64-bit systems):
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i
I see the page with ASP.NET tags at the top, e.g. "<%@ Page Language="C#" %>".
Answer: ASP.NET has not started on the server, so the pages are served as plain HTML.
See the "Application Install" section.
I got a "Required permissions cannot be acquired" error.
I got a "Request for the permission of type 'System.Security.Permissions..." error.
Answer: Both errors can be related to the "Full trust" level.
Check if "Full trust" is enabled for the HTCOMNET application.
See the Application Install section.
Also, check the permissions for the "IIS APPPOOL\DefaultAppPool" user on the HTCOMNET folder as well.
See the NTFS permissions section.
I got a "Internet Explorer cannot download Download.ashx from [domainname]"
error while a file was being downloaded.
Answer:
If you are using SSL, check Internet Explorer settings:
Tools → Internet Options → Advanced → Security →
uncheck "Do not save encrypted pages to disk".
By default this option is unchecked.
If the option is checked, the files cannot be saved from any SSL website.
I got a "Server Application Unavailable" error.
Answer: There are two reasons for such an error:
- The problem can appear because ASP.NET 4.5 and ASP.NET 2.0 applications are being used by the same pool. Check all your applications in IIS and set one application pool for the applications running under .NET 4.5 and another pool for applications running under .NET 2.0.
- There are not enough NTFS permissions to the HTCOMNET folder. See the NTFS permissions section of the Documentation.
- There can also be some other reasons. You can try to restart the application.
I got the Error "500.19" at web.config file ("modules" section).
Answer: This error can occur if delegation is disabled for some Web.config features.
In most cases it occurs with the "modules" feature.
You should open IIS and click the server root in the left tree.
In the right panel, open "Feature Delegation", then select "Modules" and change its delegation type to "Read/Write".
If you have the error with other features, then set the delegation type for those features.
Does HTTP Commander support Web garden or Web farm?
Answer:
No. HTTP Commander is running but does not work correctly if you have web garden or web farm enabled in IIS.
Check if you have enabled web garden in the application pool settings and disable it or create a new pool for HTTP Commander.
You should use only one worker process for the application.
Does HTTP Commander support file solutions like DFS folders, UNC folders, ABE, NAS?
How can I configure document management features like Google Docs, MS Office and OpenOffice online edit?
Answer: All info related to document management features is described in the Application settings section.
Can I pass some settings in URL?
Answer: Yes, you can pass some settings in the URL:
- Use "Default.aspx?Language=English" to pass default language.
- Use "Default.aspx?theme=themename" to view interface with specified theme (see StyleThemeName parameter).
- Use "Default.aspx?folder=foldername" to open a specific folder first.
- Use "Default.aspx?file=path/to/file" to open the folder containing the file and highlight it.
- Use "Default.aspx?isEmbeddedtoIFRAME=true" to show interface for iframe mode (with small icons). See IsEmbeddedtoIFRAME parameter.
- Use "Default.aspx?hideTree=true" to hide (or show by default if value is "false") tree panel with folders on left side (see HideTree parameter).
- Use "Default.aspx?TreeView=disabled", "Default.aspx?TreeView=enabled" or "Default.aspx?TreeView=notautoexpandable" to change view of tree panel with folders on left side (see TreeView parameter).
- Use "Default.aspx?defaultGridView=thumbnails", "Default.aspx?defaultGridView=tiles" or "Default.aspx?defaultGridView=detailed" to show the file list in thumbnails or detailed mode (see DefaultGridView parameter).
How can I add Static Content Role service at IIS7?
Answer: To add the Static Content role, go to Start → Administrative Tools → Server Manager → Roles.
In the right list, find the Web Server (IIS) role and click the Add Role Services link.
In the new window check Static Content, and then click the Next and then Install buttons.
How do I protect configuration files (prevent them from being retrieved by users)?
Answer: HTTP Commander stores configuration data on the server in a number of files.
For security reasons, it is recommended to prevent users from retrieving them, since they expose sensitive information about the application.
Configuration files are: Web.config, HttpCommanderSettings.config, and the .xml and .db files in the Data folder.
The Web.config and HttpCommanderSettings.config files are protected by default.
The .xml and .db files in the Data folder are protected via the following section in the Web.config file (in case of trouble make sure these settings are present in the configuration file).
...
<location path="Data">
  <system.webServer>
    <handlers>
      <clear />
      <add name="HttpForbiddenHandlerXml" path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" />
      <add name="HttpForbiddenHandlerDb" path="*.db" verb="*" type="System.Web.HttpForbiddenHandler" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".xml" />
          <add fileExtension=".xml" allowed="false" />
          <remove fileExtension=".db" />
          <add fileExtension=".db" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</location>
...
In IIS, the configuration is restricted to the Web.config file.
To test the settings, try to download the configuration files with a browser (http://server/HttpCommander/Data/Accounts.xml). You should see:
Screenshots
See also how to prevent files download from the Data folder.
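A check for the section above, as an added example (not part of HTTP Commander or its documentation): this Python function parses a Web.config and reports whether .xml and .db under the Data location are covered by both layers, the HttpForbiddenHandler mappings and the request-filtering rules. PAGE_CONFIG is the section from this page wrapped in a root element; WEAK_CONFIG, the function names and the finding texts are constructed for the example.

```python
import xml.etree.ElementTree as ET

PROTECTED_EXTENSIONS = (".xml", ".db")
FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"

# The section shown on this page, wrapped in <configuration> so it parses.
PAGE_CONFIG = """<configuration>
  <location path="Data">
    <system.webServer>
      <handlers>
        <clear />
        <add name="HttpForbiddenHandlerXml" path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" />
        <add name="HttpForbiddenHandlerDb" path="*.db" verb="*" type="System.Web.HttpForbiddenHandler" />
      </handlers>
      <security>
        <requestFiltering>
          <fileExtensions>
            <remove fileExtension=".xml" />
            <add fileExtension=".xml" allowed="false" />
            <remove fileExtension=".db" />
            <add fileExtension=".db" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Constructed weak variant: the *.db handler is gone and .xml is allowed.
WEAK_CONFIG = (
    PAGE_CONFIG
    .replace('<add name="HttpForbiddenHandlerDb" path="*.db" verb="*" '
             'type="System.Web.HttpForbiddenHandler" />', "")
    .replace('<add fileExtension=".xml" allowed="false" />',
             '<add fileExtension=".xml" allowed="true" />')
)


def _local(tag):
    """Element name without an XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    """First direct child with this local name, or None."""
    if parent is None:
        return None
    return next((el for el in parent if _local(el.tag) == name), None)


def _replay(collection, key_attr):
    """Apply <clear/>, <remove> and <add> in document order, as IIS does
    for a collection, and return the <add> elements that survive."""
    state = {}
    for el in (collection if collection is not None else ()):
        kind, key = _local(el.tag), (el.get(key_attr) or "").lower()
        if kind == "clear":
            state.clear()
        elif kind == "remove":
            state.pop(key, None)
        elif kind == "add":
            state[key] = el
    return state


def audit_data_protection(web_config_xml, folder="Data"):
    """Return a list of findings; an empty list means both layers are present."""
    root = ET.fromstring(web_config_xml)
    location = next(
        (el for el in root.iter()
         if _local(el.tag) == "location"
         and (el.get("path") or "").strip("/").lower() == folder.lower()),
        None)
    if location is None:
        return [f'no <location path="{folder}"> section']

    web_server = _child(location, "system.webServer")
    handlers = _replay(_child(web_server, "handlers"), "name")
    filtering = _child(_child(web_server, "security"), "requestFiltering")
    extensions = _replay(_child(filtering, "fileExtensions"), "fileExtension")

    findings = []
    for ext in PROTECTED_EXTENSIONS:
        # Layer 1: a handler mapping that answers requests for *.ext with 403.
        mapped = any(
            (h.get("path") or "").lower() == "*" + ext
            and (h.get("type") or "").split(",")[0].strip() == FORBIDDEN_HANDLER
            for h in handlers.values())
        if not mapped:
            findings.append(f"handlers: *{ext} is not mapped to {FORBIDDEN_HANDLER}")
        # Layer 2: request filtering must explicitly deny the extension.
        rule = extensions.get(ext)
        if rule is None or (rule.get("allowed") or "true").lower() != "false":
            findings.append(f"requestFiltering: {ext} is not denied")
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_data_protection(text) or "OK")
```

The check only reads the file it is given; settings inherited from a parent configuration are outside what it sees.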
Can I use SSO?
HTTP Commander includes examples of Single Sign-On (SSO) both for Basic Authentication and authentication via Form (for Active Directory users).
Summary
- HTTP Commander with Windows Authentication (Windows or Basic Authentication in IIS, and ASP.NET Impersonation is turned on). You may delegate authentication to the application by means of an asynchronous HEAD request to the Default.aspx page. The request should possess valid credentials.
- HTTP Commander with Forms Authentication (Anonymous and Forms Authentication in IIS). The application may use its own account database (Accounts.xml file in the Data directory), which is the Forms Authentication mode, or use Windows accounts, which is the "Forms with Windows users" authentication mode. There are two options to delegate authentication to HTTP Commander.
  - Pass the user name and password to the Default.aspx page in the query string or in a POST request. For example, HttpCommander/Default.aspx?username=User1&password=Passw*rd.
  - Forms authentication across applications
- Shibboleth authentication. HTTP Commander delegates authentication to Shibboleth. See Shibboleth integration for more details.
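With the query-string option above, the user name and password become part of the request URL, which IIS records in the cs-uri-query column of its W3C logs when that field is enabled, and which the browser can repeat in the Referer header of later requests. The following added example (not HTTP Commander code) scans a log for such rows and produces redacted copies; the log lines, the addresses and the Scripts/main.js path are constructed sample data.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names taken from the URL example on this page.
SENSITIVE_PARAMS = {"username", "password"}

# Constructed sample in IIS W3C extended format (documentation IP range).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status
2024-01-15 09:00:01 GET /HttpCommander/Default.aspx username=User1&password=Passw*rd - 192.0.2.10 - 200
2024-01-15 09:00:02 GET /HttpCommander/Scripts/main.js - - 192.0.2.10 http://server/HttpCommander/Default.aspx?username=User1&password=Passw*rd 200
2024-01-15 09:00:05 GET /HttpCommander/Default.aspx folder=Reports&Language=English - 192.0.2.11 - 200
2024-01-15 09:00:09 HEAD /HttpCommander/Default.aspx - user2 192.0.2.12 - 200
"""

# "password=" as a whole parameter name (not e.g. "oldpassword="), up to the
# next "&" or whitespace.
_PASSWORD_VALUE = re.compile(r"(?<![A-Za-z0-9_])(password=)[^&\s]*", re.IGNORECASE)


def sensitive_names(query):
    """Sorted sensitive parameter names present in a raw query string."""
    if not query or query == "-":
        return []
    names = {name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def redact(line):
    """Mask every password value in a log line, keeping the rest intact."""
    return _PASSWORD_VALUE.sub(r"\1***", line)


def _referer_query(value):
    """Query part of a logged Referer, or '' if it is absent or malformed."""
    try:
        return urlsplit(value).query
    except ValueError:
        return ""


def find_credential_requests(log_text):
    """Return one hit per log column that carries credentials in a URL.

    Columns are located through the '#Fields:' directive, so the function
    follows whatever field selection the site is configured to log.
    """
    fields, hits = [], []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        sources = {
            "cs-uri-query": row.get("cs-uri-query", "-"),
            "cs(Referer)": _referer_query(row.get("cs(Referer)", "-")),
        }
        for column, query in sources.items():
            names = sensitive_names(query)
            if names:
                hits.append({
                    "line": number,
                    "column": column,
                    "params": names,
                    "client": row.get("c-ip", "-"),
                    "redacted": redact(line),
                })
    return hits


if __name__ == "__main__":
    for hit in find_credential_requests(SAMPLE_LOG):
        print(hit["line"], hit["column"], hit["params"], hit["client"])
        print("   ", hit["redacted"])
```

Credentials sent in a POST body or in an Authorization header do not appear in these columns, so the last two sample rows produce no hit.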
Details
In all cases except Forms authentication across applications, you should have valid credentials to authenticate in HTTP Commander.
Thus the SSO topic breaks up into two subtopics: obtaining credentials and authenticating in the Web file manager.
- Basic authentication on the other site:
  If you have a web site configured for Basic authentication, then you can pass these credentials to HTTP Commander so users will be authenticated in it as well.
  To authenticate in HTTP Commander, you need to send an AJAX request with credentials to the application.
  The HTTP Commander distribution archive includes an example page BasicLoginExample.html in the Manual folder.
  To enable SSO you need:
  - Add the HttpCommanderAuthModule module in IIS to your main web site:
  - Open the BasicLoginExample.html file for editing. Copy its content to any page of your site where users will start HTTP Commander. The file includes the openHTTPCommander(URL) JavaScript function. Replace URL with the correct HTTP Commander URL like 'http://yoursite/HTCOMNET/Default.aspx'.
  - Contact Element-IT technical support if you have troubles with this.
  Details - how it works
  Let's explore the openHTTPCommander JavaScript function in the BasicLoginExample.html file.
  First, it sends an asynchronous HEAD request to the current web page, that is BasicLoginExample.html.
  We add an "r" parameter with a random value to the current page.
  The request URL should look like this: "BasicLoginExample.html?r=0.061323485323896254".
  The value of the parameter does not matter; it is needed to force the browser to send the request instead of returning a cached response.
  JavaScript sets a special "X-HttpCommander-Auth" header that is processed by the HttpCommanderAuthModule.
  When the module encounters the "X-HttpCommander-Auth" header in the request, it returns the user name and password of the logged in user with the "X-HttpCommander-Auth" header to the client.
  JavaScript code reads the "X-HttpCommander-Auth" header from the response and gets the user name and password of the user logged into the web site.
  Using these credentials, JavaScript sends an asynchronous HEAD request to the Default.aspx page of HTTP Commander. If the logged in user is allowed access to HTTP Commander, the authentication procedure succeeds. The web browser opens HTTP Commander and logs in automatically.
- Forms Authentication on the other site:
  If you have a login page where users type their name and password, then you can pass these credentials to HTTP Commander so users will be authenticated in it as well.
  To authenticate the user, you need to send an AJAX request with the credentials to the application.
  HTTP Commander has a working example page testSSO.html in the application root folder for user login via a Form on the page.
  You can look at the code of the page and move it to your login Form or contact us to get help.
  For the testSSO.html page the only thing you need is to set anonymous authentication in IIS:
The Default.aspx page is incorrectly displayed.
If Default.aspx page is displayed incorrectly, as on a screenshot below
Screenshot
please check the following:
- Whether displaying CSS is allowed in the browser.
- Whether the Images\themes\[theme_name]\resources\ folders exist, are not empty, contain the hc-all.css file, and are accessible (NTFS rights).
- Open the page in the Chrome browser, press F12 and click on the Console tab in Developer tools. Check whether there are errors and what they are.
I got the "Error HTTP 403.18 - Forbidden" when opening files from folders with dots in the name.
This error means that the URLScan ISAPI filter is installed in IIS and is configured to reject URLs whose path contains folders with dots in their names (parameter AllowDotInPath=0).
To solve this problem, see how to configure the URLScan tool below:
Check the URLScan ISAPI filter settings in IIS if it is installed.
- Open the IIS console: Control panel → Administrative tools → Internet Information Services (IIS) Manager → click on root → find ISAPI filters.
- Double click on the ISAPI Filters icon and in the opened list find the filter whose name begins with UrlScan. If no such filter is found, UrlScan isn't installed; otherwise go to the following step.
- Go to the folder with the UrlScan executable file (by default, it is C:\Windows\system32\inetsrv\urlscan\) and open the UrlScan.ini file for editing (for example in Notepad).
- In the UrlScan.ini file find the AllowDotInPath parameter and, if its value is not 1, set it to 1 (AllowDotInPath=1), save the UrlScan.ini file and restart IIS.
I got the error "The parameter is incorrect" when opening the file list.
This error can arise when reading a network folder if the IIS site with HTTP Commander runs on a 64-bit platform and the Enable 32-Bit Applications parameter is set to True in the application pool settings.
Specify the False value for the Enable 32-Bit Applications parameter in the advanced settings of the pool and restart it (Application Pools → htcomnetpool → Advanced Settings).
See about Wow64FsRedirection in the FindFirstFile article.
Why does Microsoft Office still open my document (View / Edit → Edit in MS Office) as read-only?
First of all, check the settings for working with WebDAV and read the article Using MS Office and OpenOffice to work with documents.
Before opening the document, also refresh the file list and check whether it is opened by another user (a "The file is locked" icon on the right or in the Labels column).
Also check the NTFS read-write permissions for the application pool and for the user who opens the file.
In addition, check whether the file is blocked (the Unblock button in the properties of the file) and, if it is blocked, remove the block (administrator privileges are necessary).
If the problem isn't fixed, clear the Microsoft Office WebDAV cache in the registry on the user's computer.
Microsoft Office reads WebDAV server options when connecting to a server for the first time and stores them for later use.
The Microsoft Office WebDAV cache is stored under the key:
HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Common\Internet\Server Cache\
To clear the cache just delete all keys under this key.
Also set the OpenDocumentsReadWriteWhileBrowsing DWORD value to 1 on the user machine under the key
HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Common\Internet
Note! After changing the registry keys, restart the computer or the WebClient service.
Error on download/upload with Dropbox or Box:
Could not load file or assembly 'Newtonsoft.Json, Version=...'.
How to disable the WebDAV feature.
There are 2 ways to completely disable the WebDAV feature in HTTP Commander.
- With settings on the settings tab in the Admin Panel. You will need to set the values of the following parameters to false:
- Edit the Web.config file of HTTP Commander and remove the following module from the modules sections (system.webserver → modules and system.web → httpModules sections):
<add name="FileWebDavModule" type="HttpCommander.FileWebDAVServer.FileWebDavModule, FileWebDAVServer" precondition="integratedMode" />
Page reloaded when file list is scrolled up in Chrome browser on Android.
This issue is fixed in HTTP Commander 4.5 and later. Here are the steps to fix this issue on versions prior to 4.5:
- Open the Default.aspx page in a text editor.
- Search for the body tag.
- Append the following code to the body tag:
  <% if(isMobileBrowser) { %> style="overflow-y: hidden;" <% } %>
- The result should look like this:
  <body id="pageBody" class="<%= pageBodyStyle %>" onload="<%= Utils.GetSetTimeOutScript() %>" <% if(isMobileBrowser) { %> style="overflow-y: hidden;" <% } %>>
IE browser does not rotate image loading.
To fix this, enable the "Play animations in webpages" option in the IE setting:
Internet options → Advanced → Multimedia → Play animations in webpages.
How can I hide files/folders that the user does not have rights to read?
Answer: This feature is controlled by Windows Server. You need to use ABE (Access-Based Enumeration) for the share.
Windows Server (2008 R2 SP1, 2012, 2012 R2, 2016 and 2019) has ABE installed, but ABE is disabled by default. To enable it (for each folder you need):
- Open Server Manager.
- Select File and Storage Services → Shares.
- Select the shared folder and go to its properties from the context menu (right click).
- In the properties window that opens, in the Settings section, check the box Enable access-based enumeration. Then click the Apply and OK buttons.
In HTTP Commander you then create the share. You should type your real share path like "\\servername\sharename".
Don't use a full folder path like "c:\foldername" because ABE won't work in this case!
After ABE is enabled, HTTP Commander will show only the files which the user has rights to read and will not show other users' files (if there are no read permissions).
How can I create a "dropbox" for users (students can upload their own files but can't view other students' files)?
Answer: First, you need to create the folder on your server file system and configure the users' NTFS permissions.
It is possible to configure the NTFS permissions for students to enable them to create or modify their own files and to disable reading other users' files from this folder.
You can also configure it so that teachers can view all files.
This folder will then work as a dropbox where students can upload their own works and teachers can view their works.
For this folder it is recommended to enable ABE to hide files which the user does not have rights to read (other students' files).
In HTTP Commander you can share this folder with the students and teachers groups.
You can disable some actions you don't want in the right "permissions" window.
HTTP Commander supports NTFS, so users won't be able to modify or view other users' files if it is disabled by NTFS.
Also, if ABE is enabled, then files which the user does not have rights to read will be hidden.
Every time I insert my login and password in the authentication window I get a "You are not authorized" error.
Answer:
- Check if the logon user has read NTFS permissions for the HTCOMNET folder. See the NTFS permissions section of the Documentation.
- Try inserting the domain name prefix, e.g. "domainname\username".
- For Basic Authentication, check that you set the correct default domain name in the Basic Authentication settings in IIS. See the "Application install" section of the Documentation.
Why would I need to use Basic Authentication instead of Windows?
Answer: You can use Windows Integrated Authentication (our demo works under this auth).
But if you want to use Windows authentication, you will have some limitations:
- You can access only the local files stored on the same server (you cannot use folders stored on remote servers). However, if your web server is a member of a Domain, you can configure Delegation for correct work with Network Shares when Windows Integrated Authentication is enabled.
- Dynamic user group membership detection won't work if the application is installed on a non domain controller (but you can make it work if you use a static file as AD info storage. See the ADAccountsFilePath key). However, it is still possible to get the list of user groups from the Windows auth token when Windows Integrated Authentication is used.
- On some Android-based devices browsers don't support Windows Authentication but work great with Basic.
In conclusion: We recommend using Windows Integrated Authentication when the Web Server is joined to a Domain and delegation can be configured.
For a standalone Web Server we recommend using Basic auth if you plan to use Network Shares in HTTP Commander, and Windows Integrated Authentication if all folders will be local to the web server.
If you worry about sending the password as clear text with Basic authentication, you can use SSL.
May I use network folders with Windows Integrated Authentication?
Answer: Yes, you can use Network folders with Windows Integrated Authentication when the Web Server is a member of a Domain.
But you will need to configure Delegation.
On the domain controller for your Web Server's domain, complete the following steps:
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Expand domain, and then expand the Computers folder.
- In the right pane, right-click the computer name for the Web Server, select Properties, and then click the Delegation tab.
- Click to select Trust this computer for delegation to specified services only.
- Ensure that Use any authentication protocol is selected, and then click OK.
- Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the File server that is to be used in HTTP Commander. Click OK.
- In the Available Services list, select the CIFS service. Click OK.
It may take some time for new settings to take effect.
I can't create access for a group or to a home folder.
Answer: You need to check if the application reads groups correctly.
You can see the group list in the Diagnostics.aspx page.
If the group list is empty in the diagnostics page or some error happens:
- Check if Basic Authentication is enabled in IIS settings, not Windows Integrated.
- Check permissions for a user to read its own membership info. See how to grant permissions at the ReadWindowsUsersGroupMembership key description.
Can I set up access only for a single OU (Organisational Unit) of the domain?
Answer: Yes, you can.
Set the UseUniversalWayToReadGroups parameter in the Application settings to "false" and set the LDAPContainer parameter to the LDAP path of the needed OU (like "LDAP://OU=staff,DC=HOMEELEMENT-IT,DC=COM" for the "staff" OU of the "homeelement-it.com" domain).
In such a case, groups for the logon user will be detected only from this OU (you can run Diagnostics.aspx to see the groups list of the logon user).
Can I use the application in a DMZ, and which firewall ports should I open?
Answer: Yes, you can. You can install the application on a server in the DMZ. Open HTTP (80) and HTTPS (443) ports.
If you want to use Active Directory group membership and home folder info, then open LDAP port 389, set the UseUniversalWayToReadGroups parameter in the Application settings to "false", and set the LDAPContainer parameter to the LDAP path to your domain controller.
Loading of folders tree is very slow and needs a few seconds.
Can I use Forms Authentication (a form on the web page) instead of the standard browser popup authentication window?
Answer: Yes. You have a number of options.
Solution 1. testSSO.html page
The HTTP Commander distribution includes a testSSO.html file for this purpose.
You need to configure anonymous authentication for this page in IIS Manager.
Note: This solution only works in the Windows version of HTTP Commander.
IIS authentication on the target web application (HTTP Commander) should be set to Basic or Windows.
Details - how testSSO.html works
The testSSO.html page presents the user with an HTML form where they enter their user name and password and select the language of the HTTP Commander interface.
After the user clicks the Login button, JavaScript code sends an asynchronous HEAD request to the Default.aspx page, the main page of the HTTP Commander application.
The JavaScript code authenticates to the Default.aspx page using the credentials supplied by the user.
Note that the Default.aspx page should be configured for Basic or Windows authentication; Forms authentication will not work here.
If authentication succeeds, the web browser is redirected to the Default.aspx page.
Since the browser has already authenticated to that page (and hence to the application), the user is logged on to HTTP Commander.
If authentication fails, the user sees an error message and is presented with the same login form on testSSO.html.
Simply put, the testSSO.html page provides an HTML logon form for a web application requiring Windows authentication.
Solution 2. "Forms with Windows users" authentication mode
Note: This solution only works in the Standard (Forms) version of HTTP Commander.
Solution 3. Proxy server in front of HTTP Commander
You may configure a proxy server to handle authentication using a web form (cookie-based authentication) while the web application uses Windows authentication.
Some of our customers using MS ISA Server have successfully replaced Basic Authentication with Forms through ISA settings. Read more at
http://technet.microsoft.com/en-us/library/bb794733.aspx.
See also our article Publishing HTTP Commander through Forefront Threat Management Gateway 2010.
How do I clear Windows authentication on log out?
Answer:
Contemporary web browsers cache credentials a user supplied to authenticate to a web application.
Unfortunately, they do not provide an interface to clear authentication data on demand
(with the exception of Microsoft Internet Explorer).
Web browsers clear authentication data when you close the browser,
but they normally do not clear them when you simply close the tab.
The practical result of this issue is that the Log out button in HTTP Commander
does not in fact log the user out in any browser except Internet Explorer.
After logging out, you may continue to use HTTP Commander as the same user
you last logged in as; you will not be asked to authenticate again.
The only reliable method to log out is to terminate the browser process.
HTTP Commander implements a workaround for this problem:
it makes the browser forget the user's credentials,
so the user has to authenticate again after logout to continue using HTTP Commander.
You need to go through a few configuration steps to activate the solution.
Step 1. Enable anonymous authentication for ForceLogout.aspx
- Locate the HTTP Commander application in IIS Manager, switch to Content view.
- Locate ForceLogout.aspx, right-click on it, select "Switch to Features View".
- Open Authentication feature.
- Enable Anonymous authentication, disable all other authentication types.
Step 2. Specify basic authentication realm in IIS
- Open IIS Manager, click the HTTP Commander application on the tree panel.
- Open the Authentication feature.
- Select basic authentication (it should be enabled).
- Click Edit on the Actions panel.
- Specify the value of the realm field.
- Click OK to close the dialog.
You may use any non-blank string for the realm parameter,
for example, the name of the server machine.
The point is that you must specify the same value in both IIS Manager and the HTTP Commander settings.
Step 3. Specify BasicAuthenticationRealm parameter in HTTP Commander
- Open the Admin panel in HTTP Commander.
- Click the "Show hidden parameters" button on the top panel if hidden parameters are not shown.
- Set the BasicAuthenticationRealm parameter in the main section to the value you've assigned in IIS.
- Click the "Save settings" button.
After changing my username in Active Directory/WinNT I can still
log in to HTTP Commander, but then I don't see any of the folders.
Answer: This problem can arise because the mapping between
the SID and the user name is cached locally on the computer.
For more detailed information and how to resolve the problem, see LsaLookupSids.
On opening, the authorization request occurs 2 (or more) times, and
afterwards the login form for the Forms version opens.
How can I restrict access to the application for some users/groups?
When the Windows authentication version is used, access to the application can be restricted with the help of
Authorization rules. They are configured in the
system.web/authorization
section of the web.config file.
Here is an example of a rule that allows access to the application only for the "teachers" group:
<authorization>
  <allow roles="element-it\Teachers"/>
  <deny users="*"/>
</authorization>
For more information about authorization rules,
read the article.
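The rule above depends on evaluation order: ASP.NET reads the rules top to bottom, stops at the first one that matches, and falls back to the allow-all default inherited from the root web.config when nothing matches. The following added example (a simplified model, not HTTP Commander or ASP.NET code) shows the effect of omitting or misplacing the deny line; the users alice and bob and the Students group are constructed, group names are compared as plain strings, and the verbs attribute is ignored.

```powershell
# Added example: first-match evaluation of <authorization> rules (simplified model).
function Test-UrlAuthorization {
    param(
        [Parameter(Mandatory)] [string] $RulesXml,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $UserName,  # '' = anonymous
        [string[]] $MemberOf = @()
    )
    $rules = ([xml]$RulesXml).DocumentElement.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' }
    foreach ($rule in $rules) {
        $ruleUsers = @($rule.GetAttribute('users') -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $ruleRoles = @($rule.GetAttribute('roles') -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $hit = $false
        foreach ($u in $ruleUsers) {
            if ($u -eq '*') { $hit = $true }                                # everyone
            elseif ($u -eq '?') { if ($UserName -eq '') { $hit = $true } }  # anonymous only
            elseif ($UserName -ne '' -and $u -eq $UserName) { $hit = $true }
        }
        foreach ($r in $ruleRoles) { if ($MemberOf -contains $r) { $hit = $true } }
        if ($hit) { return ($rule.LocalName -eq 'allow') }   # first match decides
    }
    return $true   # nothing matched: inherited default is <allow users="*"/>
}

# Rule sets: the FAQ rule, the same rule without the deny, and the two lines swapped.
$ruleSets = [ordered]@{
    'FAQ rule'          = '<authorization><allow roles="element-it\Teachers"/><deny users="*"/></authorization>'
    'deny omitted'      = '<authorization><allow roles="element-it\Teachers"/></authorization>'
    'deny listed first' = '<authorization><deny users="*"/><allow roles="element-it\Teachers"/></authorization>'
}
foreach ($name in $ruleSets.Keys) {
    [pscustomobject]@{
        Rules   = $name
        Teacher = Test-UrlAuthorization -RulesXml $ruleSets[$name] `
                      -UserName 'element-it\alice' -MemberOf 'element-it\Teachers'
        Student = Test-UrlAuthorization -RulesXml $ruleSets[$name] `
                      -UserName 'element-it\bob' -MemberOf 'element-it\Students'
    }
}
```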
How can I display some text when a user logs into HTTP Commander
(at the time when the popup login window appears) instead of a white screen?
Answer: You can create a separate HTML page that is available without authentication
and redirects to the Default.aspx page immediately after it loads.
As a result, the page with your custom text is rendered while users enter their credentials.
For example, you can explain which credentials should be entered,
which users are allowed, what users will see after login, etc.
How to do that:
- Create a new HTML page in the root folder of HTTP Commander. For example, index.html.
- Edit the contents of that page to display some useful information. Include the following meta tag in the head section of the page to automatically load the default.aspx page:
  <meta http-equiv="refresh" content="1;url=default.aspx">
  Example:
- Configure Anonymous access to the newly created index.html file:
  - Open the IIS console: Control panel → Administrative tools → Internet Information Services (IIS) Manager
  - Expand Web Sites, Default Web Site, HTCOMNET.
  - Right-click the "HTCOMNET" virtual folder and select Switch to content view in the context menu. In the list of files in the middle panel, select the index.html file and click the Switch to features view option. Now you may change settings pertaining to the index.html file. Click the Authentication feature on the central pane.
  - Enable Anonymous Authentication and ASP.NET Impersonation. Disable other items.
- Use the link to the HTCOMNET/index.html file to display the contents of the index.html page during the login process.
When I receive or edit files in OneDrive, Office 365, Dropbox, Box,
I get the error "Access to the path '...' is denied."
Answer: First of all, check if Impersonation is enabled for the application and the Handlers folder.
Then check the NTFS folder rights.
If everything is correct, then follow these steps:
- Stop IIS (in IIS Manager, on the left in the Connections tree, highlight the server, and then on the right in the Actions pane click Stop).
- In each of the files (or only one of these files, depending on the bitness the Application Pool runs under):
  %WINDIR%\Microsoft.NET\Framework\v4.0.30319\Aspnet.config,
  %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config,
  set legacyImpersonationPolicy to false and alwaysFlowImpersonationPolicy to true:
  <?xml version="1.0" encoding="UTF-8" ?>
  <configuration>
    <runtime>
      <legacyUnhandledExceptionPolicy enabled="false" />
      <legacyImpersonationPolicy enabled="false"/>
      <alwaysFlowImpersonationPolicy enabled="true"/>
      <SymbolReadingPolicy enabled="1" />
      <shadowCopyVerifyByTimestamp enabled="true"/>
    </runtime>
    <startup useLegacyV2RuntimeActivationPolicy="true" />
  </configuration>
- Start IIS.
- See also Microsoft Docs.
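A quick way to confirm the edit in both files, as an added example (not from the HTTP Commander documentation). It only reads the files and reports each flag as found; a flag missing from a file is shown as absent, and the function name is hypothetical.

```powershell
# Added example: report the two impersonation flags in each Aspnet.config
# and whether they match the values given in the steps above.
function Get-ImpersonationPolicy {
    param([Parameter(Mandatory)] [string] $Path)
    $result = [ordered]@{
        Path                          = $Path
        Found                         = $false
        legacyImpersonationPolicy     = 'absent'
        alwaysFlowImpersonationPolicy = 'absent'
        MatchesFaq                    = $false
    }
    if (Test-Path -LiteralPath $Path) {
        $result.Found = $true
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load((Get-Item -LiteralPath $Path).FullName)
        foreach ($name in 'legacyImpersonationPolicy', 'alwaysFlowImpersonationPolicy') {
            $node = $xml.SelectSingleNode("/configuration/runtime/$name")
            if ($null -ne $node) { $result[$name] = $node.GetAttribute('enabled') }
        }
        $result.MatchesFaq = ($result.legacyImpersonationPolicy -eq 'false') -and
                             ($result.alwaysFlowImpersonationPolicy -eq 'true')
    }
    [pscustomobject]$result
}

# Both framework directories named in the steps above (32-bit and 64-bit).
$files = 'Framework', 'Framework64' | ForEach-Object {
    Join-Path $env:WINDIR "Microsoft.NET\$_\v4.0.30319\Aspnet.config"
}
$files | ForEach-Object { Get-ImpersonationPolicy -Path $_ } | Format-List
```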