Which IE add-on is crashing my application - c#

Case: I have a website which authenticates to a second SSO website using federated authentication.
Go to the main website
Redirect to the SSO authentication site -> and you fill in the correct credentials
Go back to main with authentication cookies -> crash
Extra info from the error logs:
It's always in an IE browser (FF and Chrome work perfectly)
I can't reproduce the problem myself: tested on every operating system and browser version with Browserstack, nor can my colleagues.
When contacting end-users who have the problem, they consistently have it in IE. When asked to use another browser, it works.
My current guess is that it's due to some IE add-on. But I do not know which one and this is a bit of a guess. The fact that it happens on end-users' computers means I have no control over those computers and I'm unable to go look on their screen and check out which plug-ins they have.
Are there ways to check this and find out which add-ons are installed on an end-user's PC?
The error is this one:
The token '>' was expected but found 't'. Line 1, position 1572.
Stacktrace:
at System.Xml.XmlExceptionHelper.ThrowXmlException(XmlDictionaryReader reader, String res, String arg1, String arg2, String arg3)
at System.Xml.XmlExceptionHelper.ThrowTokenExpected(XmlDictionaryReader reader, String expected, Char found)
at System.Xml.XmlUTF8TextReader.ReadStartElement()
at System.Xml.XmlUTF8TextReader.Read()
at System.Xml.XmlDictionaryWriter.WriteNode(XmlDictionaryReader reader, Boolean defattr)
at System.Xml.XmlDictionaryWriter.WriteNode(XmlReader reader, Boolean defattr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.ReadInnerXml(XmlReader reader, Boolean onStartElement)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.ReadRSTRXml(XmlReader reader, RequestSecurityTokenResponse rstr, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13ResponseSerializer.ReadXmlElement(XmlReader reader, RequestSecurityTokenResponse rstr, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.CreateResponse(XmlReader reader, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13ResponseSerializer.ReadXml(XmlReader reader, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Protocols.WSFederation.WSFederationSerializer.CreateResponse(WSFederationMessage message, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetXmlTokenFromMessage(SignInResponseMessage message, WSFederationSerializer federationSerializer)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetXmlTokenFromMessage(SignInResponseMessage message)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetXmlTokenFromMessage(SignInResponseMessage message, WSFederationSerializer federationSerializer)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(SignInResponseMessage message)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
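The exception above says the posted wresult stopped being well-formed XML at line 1, position 1572, but WIF throws before the relying party has seen the bytes. The following is an added diagnostic, not code from the question: a Global.asax.cs hook that checks the WS-Federation sign-in POST before WSFederationAuthenticationModule parses it and logs the client, user-agent and a masked excerpt around the failing position (the Log method is an assumed stand-in for the application's logger).

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
using System.Xml;

public partial class Global : HttpApplication
{
    // Assumed logging sink; replace with the application's own logger.
    private static void Log(string message)
    {
        System.Diagnostics.Trace.TraceWarning(message);
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // A WS-Federation sign-in response is a form POST with wa=wsignin1.0 and wresult.
        if (Request.HttpMethod != "POST") return;
        string wresult = Request.Form["wresult"];
        if (string.IsNullOrEmpty(wresult) || Request.Form["wa"] != "wsignin1.0") return;

        string problem = FindXmlProblem(wresult);
        if (problem != null)
        {
            // Log client and user-agent, never the token: it carries the user's claims.
            Log("Malformed wresult from " + Request.UserHostAddress +
                " UA=\"" + Request.UserAgent + "\" length=" + wresult.Length + ": " + problem);
        }
    }

    // Returns null when xml is well-formed, otherwise the first XmlException with a
    // short excerpt around the failing position, token-like base64 runs masked out.
    internal static string FindXmlProblem(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // no DTD/entity expansion on untrusted input
            XmlResolver = null
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read()) { }
            }
            return null;
        }
        catch (XmlException ex)
        {
            // LinePosition is 1-based; a posted wresult is normally a single line.
            int pos = Math.Max(0, ex.LinePosition - 1);
            int start = Math.Max(0, pos - 20);
            int length = Math.Min(40, xml.Length - start);
            string excerpt = Regex.Replace(xml.Substring(start, length), "[A-Za-z0-9+/=]{16,}", "[...]");
            return string.Format("{0} (line {1}, position {2}) near: {3}",
                                 ex.Message, ex.LineNumber, ex.LinePosition, excerpt);
        }
    }
}
```

Comparing the logged user-agent and excerpt across affected and unaffected users shows what the server actually received from the IE clients, which is the evidence needed before blaming a particular add-on.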

Related

Identity Server 4 WindowsCryptographicException: Keyset does not exist

I get these two exceptions in Identity Server 4 during a regular login to get a token.
It's on a load balanced setup with 2 servers, so I've done the following:
They both get the same PFX for encrypting tokens. It works just fine on a single server. They have the password for the PFX file, and can seemingly encrypt a token correctly.
Sometimes the flow works well, but it always fails on giving CORS access on the connect/token endpoint. I can see that the CORS Middleware plays a role here, but I don't understand why the signing credentials are accessed during the verification of CORS access. I've added protection here, and during startup, I verify that the private key for both the protectionCert and the signing credentials exist. Both certs are password-protected files included with the deploy just to keep it simple (i.e. not running into access issues on the private key).
Why is it all of a sudden having trouble getting access to the private key during the CORS operation though? That part I do not understand. All of this works on my test environment, which runs on a single machine, so I'm 99% sure it has to do with this setup being load balanced. Also wondering, if I can save myself a headache by enabling sticky sessions in the load balancer.
In my DataProtection store there's only a single key saved. Not sure if that's normal. I would expect the application to generate more keys.
services.AddDataProtection()
    .SetApplicationName("MyApp")
    .PersistKeysToDbContext<DataProtectionKeyContext>()
    .ProtectKeysWithCertificate(protectionCert);

var cert = new X509Certificate2("signing.pfx",
    configuration.GetValue<string>("AppSettings:SigningCredentials:FilePassword"));
builder.AddSigningCredential(cert);
Unhandled exception: "Keyset does not exist"
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKeyStatus()
at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token)
at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAuthorizationCodeRequestAsync(TokenRequestValidationResult request)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events)
Connection ID "17365880169046365174", Request ID "800253f9-0001-f100-b63f-84710c7967bb": An unhandled exception was thrown by the application.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKeyStatus()
at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token)
at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAuthorizationCodeRequestAsync(TokenRequestValidationResult request)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events)
at IdentityServer4.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.<Invoke>g__InvokeCoreAwaited|15_0(HttpContext context, Task`1 policyTask)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at NewRelic.Providers.Wrapper.AspNetCore.WrapPipelineMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT`1.ProcessRequestAsync()
I think I solved it. I read that it could have to do with lack of access. I guess one of my tasks in my CD setup isn't working right, because I tried running an APPCMD command to set user profile to loaded as true for my app pool. Supposedly, if this flag is false, the application will by default try to store the private key as the current user, but since no user is loaded, this doesn't work. So I tried with an ephemeral keyset instead (in-memory) to avoid access issues and now it works. Not sure what the consequences are of using an in-memory keyset, if the keys are appropriate etc.
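The poster's startup check only confirms that a private key is present; "Keyset does not exist" is raised when the key container is opened, which is why it still surfaced on /connect/token. As an added example (not the poster's code), this loader uses an ephemeral key set, as the answer describes, and then proves the key is usable by signing and verifying a test payload at startup; SigningCertificateLoader and the warning threshold are assumptions. Because the ephemeral flag only changes where the key lives, both load-balanced nodes still sign with the same key material from the shared PFX.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class SigningCertificateLoader
{
    public static X509Certificate2 Load(string pfxPath, string password)
    {
        // EphemeralKeySet keeps the private key in process memory only: no key container
        // is written under a user or machine profile, so the app pool's "Load User Profile"
        // setting no longer matters. Needs .NET Framework 4.7.2+ or .NET Core 2.0+.
        // Trade-off: the key is not exportable and not visible to other processes.
        var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.EphemeralKeySet);
        VerifyPrivateKeyUsable(cert);
        return cert;
    }

    // HasPrivateKey only says the PFX carried a key; opening it can still throw
    // WindowsCryptographicException, so exercise it the way the token service will.
    public static void VerifyPrivateKeyUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("No private key in signing certificate " + cert.Thumbprint);

        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Signing certificate is not RSA: " + cert.Thumbprint);

            byte[] data = Encoding.UTF8.GetBytes("startup self-test");
            byte[] sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (!rsa.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                throw new InvalidOperationException("Signature self-test failed for " + cert.Thumbprint);
        }

        // Assumed operational threshold: warn a month before the signing cert expires.
        if (cert.NotAfter < DateTime.Now.AddDays(30))
            Console.WriteLine("WARNING: signing certificate " + cert.Thumbprint + " expires " + cert.NotAfter);
    }
}

// Hypothetical wiring in Startup.ConfigureServices, in place of the poster's direct constructor call:
//   var cert = SigningCertificateLoader.Load("signing.pfx",
//       configuration.GetValue<string>("AppSettings:SigningCredentials:FilePassword"));
//   builder.AddSigningCredential(cert);
```

Running the self-test in a deployment smoke test on each node turns the key-access failure into a deploy-time error instead of an intermittent 500 behind the load balancer.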

sp2010 - Operation is not valid due to the current state of the object

I have a WebApplication which I extended using CA and made the extension anonymous authorization (it's the RO version of the site).
After deploying my solution, whenever I try to access any page on the site (back or front) I get the error:
Operation is not valid due to the current state of the object.
with trace
[InvalidOperationException: Operation is not valid due to the current state of the object.]
Microsoft.SharePoint.WebControls.SPControl.EnsureSPWebRequest(SPWeb web) +218
Microsoft.SharePoint.WebControls.SPControl.SPWebEnsureSPControl(HttpContext context) +520
Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.GetContextWeb(HttpContext context) +27
Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PostResolveRequestCacheHandler(Object oSender, EventArgs ea) +918
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
However, when accessing a WCF (from the same solution) everything works fine.
Again this only happens on the extended RO version, normal RW WebApplication works perfectly.
When debugging, I stopped at Application_Start and started to go line by line; once I reached the end and pressed F10 to step over the next function, I got the error.
Any ideas?
With kind regards,
Nadav

Amazon Glacier KeyNotFoundException

I keep getting the following exception when trying to upload a file to Amazon Glacier using the .NET sdk:
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Amazon.Glacier.Model.Internal.MarshallTransformations.UploadArchiveResponseUnmarshaller.UnmarshallException(JsonUnmarshallerContext context, Exception innerException, HttpStatusCode statusCode)
at Amazon.Runtime.Internal.Transform.JsonResponseUnmarshaller.UnmarshallException(UnmarshallerContext input, Exception innerException, HttpStatusCode statusCode)
at Amazon.Runtime.AmazonWebServiceClient.handleHttpWebErrorResponse(AsyncResult asyncResult, WebException we)
at Amazon.Runtime.AmazonWebServiceClient.getResponseCallback(IAsyncResult result)
at Amazon.Runtime.AmazonWebServiceClient.endOperation[T](IAsyncResult result)
at Amazon.Glacier.Transfer.Internal.SinglepartUploadCommand.Execute()
at Amazon.Glacier.Transfer.ArchiveTransferManager.Upload(String vaultName, String archiveDescription, String filepath, UploadOptions options)
at UClaim.TaskRunner.Tasks.ArchiveDocuments.Execute() in c:\Projects\uclaim\src\UClaim.TaskRunner\Tasks\ArchiveDocuments.cs:line 55
I've got no idea why it's happening or what it means, and googling is turning up nothing. The code I'm using is nothing special, but here it is for completeness.
var document = GetDocumentToArchive();
var manager = new ArchiveTransferManager(Amazon.RegionEndpoint.EUWest1);
document.ArchiveId = manager.Upload(
    "archivedDocs",
    string.Format("#{0}: {1}", document.Claim.Id, document.Description),
    document.GeneratePathOnServer()).ArchiveId;
OK, turns out this was a stupid mistake. I thought that the SDK would create the vault if it didn't exist, but I guess it was attempting to look it up and failing. I logged in to the management console and created the "archivedDocs" vault and now it runs fine.

MsMq installation credentials

We have a problem with MSMQ.
The design is: we have some server with MSMQ installed with user X.
Now we install some Windows Service with user Y credentials.
The problem is that the service cannot reach or create a new private queue. We get the following exception:
Ensure that MSMQ is installed and running, the queue exists and has proper authorization to be read from. The inner exception may contain additional information. An error occurred while opening the queue:Access is denied. (-1072824283, 0xc00e0025). The message cannot be sent or received from the queue. Ensure that MSMQ is installed and running. Also ensure that the queue is available to open with the required access mode and authorization. at System.ServiceModel.Channels.MsmqQueue.OpenQueue()
at System.ServiceModel.Channels.MsmqQueue.GetHandle()
at System.ServiceModel.Channels.MsmqQueue.SupportsAccessMode(String formatName, Int32 accessType, MsmqException& msmqException)
at System.ServiceModel.Channels.MsmqVerifier.VerifyReceiver(MsmqReceiveParameters receiveParameters, Uri listenUri)
at System.ServiceModel.Channels.MsmqTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
at System.ServiceModel.ServiceHostBase.InitializeRuntime()
at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
Our solution for now is removing MSMQ and installing it with the user credentials of the service.
Any way to do this right?
UPDATE
OK, I have found the problem: the service with user X credentials created a private queue.
The service was removed and then installed again with user Y credentials. The queue was not removed, so when user Y tries to create or use the private queue it gets a security exception. Is there any way to create the queue with predefined credentials?
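The thread stops at the question, so the following is an added example rather than an answer from the page: create the private queue once from the service installer and put an explicit ACL on it for the service account, so a later reinstall under a different identity does not produce "Access is denied" (0xc00e0025). Queue name and account name are assumed placeholders, and the code must run under an account allowed to change the queue's permissions (its creator or a local administrator who has taken ownership).

```csharp
using System;
using System.Messaging;

public static class QueueInstaller
{
    // queueName: e.g. "MyServiceQueue"; serviceAccount: e.g. @"DOMAIN\svc-y" (assumed names).
    public static void EnsureQueue(string queueName, string serviceAccount, bool transactional)
    {
        string path = @".\private$\" + queueName;

        // Reuse the queue if an earlier install left it behind; otherwise create it now,
        // so ownership belongs to the installer identity rather than to whichever
        // account the service happened to run under first.
        MessageQueue queue = MessageQueue.Exists(path)
            ? new MessageQueue(path)
            : MessageQueue.Create(path, transactional);

        using (queue)
        {
            // Least privilege for a WCF netMsmq receiver: receive and peek messages, plus
            // read queue properties/permissions so MsmqVerifier.VerifyReceiver can open it.
            queue.SetPermissions(serviceAccount,
                MessageQueueAccessRights.ReceiveMessage
                | MessageQueueAccessRights.PeekMessage
                | MessageQueueAccessRights.GetQueueProperties
                | MessageQueueAccessRights.GetQueuePermissions,
                AccessControlEntryType.Allow);

            // Producers only need to send; grant WriteMessage to their account, not FullControl.
            // queue.SetPermissions(@"DOMAIN\producers", MessageQueueAccessRights.WriteMessage,
            //                      AccessControlEntryType.Allow);
        }
    }

    // Call this from the service's installer step (for example a ProjectInstaller
    // AfterInstall handler), which runs elevated, instead of from the service itself.
    public static void Main(string[] args)
    {
        EnsureQueue("MyServiceQueue", @"DOMAIN\svc-y", transactional: true);
        Console.WriteLine("Queue ready for the service account.");
    }
}
```

Because the ACL names the service account explicitly, changing the account again only requires re-running the installer step, not reinstalling MSMQ.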

Failed to Execute URL - any ideas?

I am seeing some entries of the following exception in my logs and don't know why or where it's occurring:
Failed to Execute URL.
at System.Web.Hosting.ISAPIWorkerRequestInProcForIIS6.BeginExecuteUrl(String url, String method, String childHeaders, Boolean sendHeaders, Boolean addUserIndo, IntPtr token, String name, String authType, Byte[] entity, AsyncCallback cb, Object state)
at System.Web.HttpResponse.BeginExecuteUrlForEntireResponse(String pathOverride, NameValueCollection requestHeaders, AsyncCallback cb, Object state)
at System.Web.DefaultHttpHandler.BeginProcessRequest(HttpContext context, AsyncCallback callback, Object state)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Has anyone come across this before or could shed some light on it? I'm running a .NET 3.5 C# web application on IIS7.
I just ran into this while using Windows Identity Foundation. The problem ended up being resolved by switching the application pool to use Integrated instead of Classic. It was failing when there was a trailing slash on the url and redirecting to the login page. Specifying the full page in the url didn't give the error.
I had the same error when using WIF in classic pipeline mode. Because we unfortunately cannot change the application to integrated pipeline mode, I've implemented a fix for the specific scenario that David Scott describes.
In global.asax.cs:
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Fix for "Failed to Execute URL" when non-authenticated user
    // browses to application root. Both sides are trimmed so the
    // comparison also holds for an application deployed at "/".
    if ((User == null)
        && (string.Compare(Request.Url.AbsolutePath.TrimEnd('/'),
                           Request.ApplicationPath.TrimEnd('/'), true) == 0))
    {
        // endResponse: false, otherwise Redirect ends the response with a
        // ThreadAbortException and CompleteRequest below never runs.
        Response.Redirect(Request.ApplicationPath.TrimEnd('/') + "/Default.aspx", false);
        HttpContext.Current.ApplicationInstance.CompleteRequest();
    }
}
Before the authentication attempt, Application_AuthenticateRequest is called with a null User object. Only in that case, the code redirects from / to /Default.aspx (my app is Asp.Net web forms). This fixed the problem for us.
I also had this issue when I was using WIF with a .NET 4.5 application in Classic mode. The user was getting authenticated from ADFS and then getting this error. Previously I was sending E-Mail-Addresses -> E-Mail-Address as the claim. Adding another claim rule as E-Mail-Addresses -> Name resolved this issue for me.