I create an IdentityServer4 project with several client apps. I use a self-signed certificate file my_certificate.pfx to generate login token. It works fine on localhost.
However, it does not work when employing it to a shared web hosting server.
The app that hosts the IdentityServer4 works fine, indicating that the server app can access the certificate file. However, it generates the following error when trying to log in from a client app:
WindowsCryptographicException: The system cannot find the file specified.
System.Security.Cryptography.CngKey.Open(string keyName, CngProvider provider, CngKeyOpenOptions openOptions)
System.Security.Cryptography.CngKey.Open(string keyName, CngProvider provider)
Internal.Cryptography.Pal.CertificatePal.GetPrivateKey<T>(Func<CspParameters, T> createCsp, Func<CngKey, T> createCng)
Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKeyStatus()
Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.FoundPrivateKey(SecurityKey key)
Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, string algorithm, bool willCreateSignatures)
Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, string algorithm, bool willCreateSignatures, CryptoProviderFactory cryptoProviderFactory)
Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, string algorithm, bool willCreateSignatures)
Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, string algorithm)
Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(string input, SigningCredentials signingCredentials)
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token)
IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token)
IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request, string authorizationCode)
IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateHybridFlowResponseAsync(ValidatedAuthorizeRequest request)
IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateResponseAsync(ValidatedAuthorizeRequest request)
IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
IdentityServer4.Endpoints.AuthorizeEndpoint.ProcessAsync(HttpContext context)
IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events)
IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events)
IdentityServer4.Hosting.MutualTlsTokenEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes)
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
How to make the client app works?
Thanks
I ran into this when setting up IdentityServer on AWS ElasticBeanstalk infrastructure and using a local file, rather than the certificate store - however the solution in my case is the same. I found that the app pools on the EC2 instances did not have Load User Profile set true. When set, the permissions model changes and allows the process to load in the cert. You can enable through the IIS management UI on the app pool details, or use a version of the script below.
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\DefaultAppPool" -Name "processModel.loadUserProfile" -Value "True"
Related
I used this authentication to handle Graph api calls in a webhook function.
I tried other authentication samples but this was the only only one which worked with the credentials for a service principal (app permission are needed, not user permissions - so some other auth samples doesn't worked for me)
CallRecords.Read.All - Anwendung - Read all call records - Ja - Gewährt für
The credentials are saved in a keyvault.
But the problem is on massive number of calls the authentication fails
(15.000 -20.000 request/day)
IConfidentialClientApplication app;
AuthenticationResult result = null;
string[] scopes = null;
string data = null;
IRestResponse response = null;
// build Authenticate for getting a token
config.Authority += config.CallRecordTenantID;
app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
.WithClientSecret(config.ClientSecret)
.WithAuthority(new Uri(config.Authority))
.Build();
scopes = new string[] { "https://graph.microsoft.com/.default" };
try
{
result = await app.AcquireTokenForClient(scopes)
.ExecuteAsync();
}
catch (Exception ex)
{
log.LogInformation("Exc.:" + ex.Message + "\n" + ex.StackTrace);
}
After getting many request near same time the authentication crashes; how can I avoid that?
2022-01-31T06:51:59Z [Information] AADSTS900023: Specified tenant identifier 'a1ae89fb-21b9-40bf-9d82-a10ae85a2407a1ae89fb-21b9-40bf-9d82-a10ae85a2407' is neither a valid DNS name, nor a valid external domain.
Trace ID: ebbb51ed-2ef1-4931-81b6-702833c93f00
Correlation ID: cb112afc-08bf-44bb-9a8e-b0a93938f6cb
Timestamp: 2022-01-31 06:51:55Z
at Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshError(MsalServiceException e, MsalAccessTokenCacheItem cachedAccessTokenItem)
at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
at Namespace1.Webhook.GetOnlyDesiredDataAfterFiltersAsync(String CallRecordId, AzFuncCallRecordsConfiguration config, ILogger log) in D:\Repos\Webhook.cs:line 518
at Namespace1.Webhook.Run(HttpRequest req, ExecutionContext context, ILogger log) in D:\Repos..\BWebhook.cs:line 180
So is there is no better way, for the app service (Azure function in function app) to use authentication token.
Or is there a better way to use other webhook e.g. durable functions with orchestration with the entities?
Or is there an easier solution to bind bind the service principal to the function app direct, so the auth token must not requested in code?
Or other ideas?
I hope someone can can give advice what I can do.
Thanks
NOTE: This is SignalR for .NET Core 3.
I saw a couple of other stackoverflow suggestions (similar but not exact) for the applicationUrl modification which I have tried. I am getting:
Unhandled exception. System.InvalidOperationException: A path base can only be configured using IApplicationBuilder.UsePathBase().
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.ParseAddress(String address, Boolean& https)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func2 createBinding)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication1 application, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Hosting.WebHost.StartAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token, String startupMessage)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token, String startupMessage)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.Run(IWebHost host)
at cRioSaturnSignalRHub.Program.RunDefaultWebHostBuilder(String[] args, IConfigurationRoot config) in C:\Workspace\software\DataTier\dotNetCore\v3.x\Daemons\cRioSaturnSignalRHub\cRioSaturnSignalRHub\Program.cs:line 83
at cRioSaturnSignalRHub.Program.RunProcess(String[] args) in C:\Workspace\software\DataTier\dotNetCore\v3.x\Daemons\cRioSaturnSignalRHub\cRioSaturnSignalRHub\Program.cs:line 50
at cRioSaturnSignalRHub.Program.Main(String[] args) in C:\Workspace\software\DataTier\dotNetCore\v3.x\Daemons\cRioSaturnSignalRHub\cRioSaturnSignalRHub\Program.cs:line 27
The launch settings have applicationUrl = "http://localhost:5000" & the endpoint name is not on it as suggested in other stackoverflow related issue.
Any suggestions?
The problem is not at all related to the applicationUrl. Instead I tried the EnvironmentalVariables approach with the ASPNETCORE_URLS="http://*:5000" To do this I added .AddEnvironmentVariables() with the ConfigurationBuilder. & with WebHost.CreateDefaultBuilder(), I added .UseConfiguration(config). After this little change everything works when I publish & run.
I'm occasionally getting an "Invalid Token" error from my call to
userManager.ConfirmEmailAsync(user, token) . I've narrowed down the problem to the fact that my 2 web servers are sitting behind a load balancer, and the web server that generated the token isn't always the web server that is attempting to confirm the token. I had a similar problem with anti-forgery tokens in a different web site, which I fixed by persisting the data protection key to disk and sharing it between the web servers, so I tried a similar approach here.
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(#"c:\temp\API"));
I then copied the key to the same folder in my other web server but still wasn't successful. Debugging through the AspNetCore.Identity code I can see an exception thrown on the call to
var unprotectedData = Protector.Unprotect(Convert.FromBase64String(token))
in the DataProtectorTokenProvider class. the catch block for the exception in Microsoft's code is simply
catch
{
// Do not leak exception
}
so I decided to inject an IDataProtector into my own Controller and try making that call myself.
public UserController(Microsoft.AspNetCore.Identity.UserManager<ApplicationUser> userManager,
SignInManager<ApplicationUser> signInManager, Microsoft.AspNetCore.Identity.RoleManager<IdentityRole> roleManager,
ILoggerFactory loggerFactory,
IDataProtectionProvider dataProtectionProvider)
{
Protector = dataProtectionProvider.CreateProtector("DataProtectorTokenProvider");
}
try
{
var unconverted = Convert.FromBase64String(request.EmailConfirmationToken);
var unprotectedData = Protector.Unprotect(unconverted);
}
catch (Exception e)
{
}
I can now catch the exception thrown on the Unprotect call and it's:
The payload was invalid
Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)\r\n at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment1 ciphertext, ArraySegment1 additionalAuthenticatedData)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)\r\n at VTR.API.Controllers.UserController.d__16.MoveNext() in C:\Projects\Brewster.Travel\src\cres\trunk\VTR.API\src\VTR.API\Controllers\UserController.cs:line 409
If I make that call with a token generated on the same server then it gets unprotected successfully. I obviously have some problem with how I'm attempting to share my data protection keys, if anyone could shed some light on my problem I would appreciate it.
I managed to get this working thanks to the documentation here: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview
I needed to add a call to SetApplicationName() in ConfigureServices:
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(#"c:\someDirectory"))
.SetApplicationName("myApplicationName");
I have a client asking for an integrated authentication based solution utilizing a custom role/membership schema. My original plan was to use claims based authentication mechanism with integrated authentication. However, my initial research is not turning up a whole lot of useful information.
To the point, I have an ASP.NET (not core nor owin) WebAPI application, which has api actions used by angular SPA based (asp.net) web application. I am attempting to authorize the api calls using integrated authentication. My initial effort was focused around a custom AuthorizationAttribute and ClaimsAuthenticationManager implementation. However as I got deeper into that I started running into issues with the custom ClaimsAuthenticationManager, at this point I'm not sure that is the proper route to take.
So my question for you all is, can you at least give me some ideas of what it would take to make this happen? I don't need help with secific bits the code, just need to figure out the appropriate "stack" so to speak.
The only real requirement is WebAPI calls can be authorized, with a custom attribute passing a name of a claim to authorize on, but the claim is not in AD even though it is using windows authentication, the claims themselves would come from a database.
Thank you all in advance!
Look at https://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api.
Your scenario isn't much different:
you're using AD for authentication
you're using your db for authorization
Simply put this can be addressed by configuring web-api to use windows authentication.
<system.web>
<authentication mode="Windows" />
</system.web>
And add your own IAuthorizationFilter to Web API pipeline, that will check current principal (should be set), and then override this principal with your own (i.e. query db - get claims, and override it with your custom claims principal by setting HttpContext.Current.User and Thread.CurrentPrincipal).
For how to add filter to WebAPI pipe line check out How to add global ASP.Net Web Api Filters?
public class CustomAuthenticationFilter : IAuthenticationFilter {
public bool AllowMultiple { get { return true; } }
public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken) {
var windowsPrincipal = context.Principal as WindowsPrincipal;
if (windowsPrincipal != null) {
var name = windowsPrincipal.Identity.Name;
// TODO: fetch claims from db (i guess based on name)
var identity = new ClaimsIdentity(windowsPrincipal.Identity);
identity.AddClaim(new Claim("db-crazy-claim", "db-value"));
var claimsPrincipal = new ClaimsPrincipal(identity);
// here is the punchline - we're replacing original windows principal
// with our own claims principal
context.Principal = claimsPrincipal;
}
return Task.FromResult(0);
}
public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken) {
return Task.FromResult(0);
}
}
public static class WebApiConfig {
public static void Register(HttpConfiguration config) {
config.Filters.Add(new CustomAuthenticationFilter());
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute( ... );
}
}
Also there is no need for custom authorization attribute - use default one - its understood by everyone, and makes your code more readable.
I get an Access denied message when I try to deploy my MVC4 site with an Embedded instance of RavenDB to the new Azure Websites preview feature. The site works fine locally.
Here is how I configure Raven:
//Initialize the RavenDB Data Store
Raven.Database.Server.NonAdminHttp.EnsureCanListenToWhenInNonAdminContext(8887);
var documentStore = new EmbeddableDocumentStore()
{
DataDirectory = "~\\App_Data",
UseEmbeddedHttpServer = true,
Configuration = { Port = 8887 }
};
documentStore.Initialize();
And here is the stack trace when I browse to the site:
Access is denied
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Net.NetworkInformation.NetworkInformationException: Access is denied
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NetworkInformationException (0x5): Access is denied]
System.Net.NetworkInformation.SystemIPGlobalProperties.GetAllTcpConnections() +1570717
System.Net.NetworkInformation.SystemIPGlobalProperties.GetActiveTcpListeners() +74
Raven.Database.Util.PortUtil.FindPort() in c:\Builds\RavenDB-Unstable-v1.2\Raven.Database\Util\PortUtil.cs:110
Raven.Database.Util.PortUtil.GetPort(String portStr) in c:\Builds\RavenDB-Unstable-v1.2\Raven.Database\Util\PortUtil.cs:44
Raven.Database.Config.InMemoryRavenConfiguration.Initialize() in c:\Builds\RavenDB-Unstable-v1.2\Raven.Database\Config\InMemoryRavenConfiguration.cs:170
Raven.Database.Config.RavenConfiguration.LoadConfigurationAndInitialize(IEnumerable`1 values) in c:\Builds\RavenDB-Unstable-v1.2\Raven.Database\Config\RavenConfiguration.cs:28
Raven.Database.Config.RavenConfiguration..ctor() in c:\Builds\RavenDB-Unstable-v1.2\Raven.Database\Config\RavenConfiguration.cs:17
Raven.Client.Embedded.EmbeddableDocumentStore.get_Configuration() in c:\Builds\RavenDB-Unstable-v1.2\Raven.Client.Embedded\EmbeddableDocumentStore.cs:63
Raven.Client.Embedded.EmbeddableDocumentStore.set_DataDirectory(String value) in c:\Builds\RavenDB-Unstable-v1.2\Raven.Client.Embedded\EmbeddableDocumentStore.cs:90
Solarity.DesignSearch.Website.Bootstrapper.BuildUnityContainer() in c:\a\src\Solarity.DesignSearch\Solarity.DesignSearch.Website\Bootstrapper.cs:35
Solarity.DesignSearch.Website.Bootstrapper.Initialise() in c:\a\src\Solarity.DesignSearch\Solarity.DesignSearch.Website\Bootstrapper.cs:20
Solarity.DesignSearch.Website.MvcApplication.Application_Start() in c:\a\src\Solarity.DesignSearch\Solarity.DesignSearch.Website\Global.asax.cs:23
[HttpException (0x80004005): Access is denied]
System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +9859725
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +118
System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +172
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +336
System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +296
[HttpException (0x80004005): Access is denied]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +9873912
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +101
System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +254
I managed to get it to work, although it is not ideal. You may notice in my original post that I am setting the UseEmbeddedHttpServer = true. This is so that I can browse to http:[MyUrl]:8081 and get the RavendDB Management Studio so that I can browse my data. For some reason, RavenDB wants to do the same kind of port check when this property is set as it does when you set the Port setting to automatic (Port=*).
I believe that RavenDB may need a fix so that it honors the Port setting when UseEmbeddedHttpServer is True and also let you set the Configuration property of the EmbeddedDocumentStore upon creation.
But in the meantime, you can truly get your MVC4 site to work with an EmbeddedDocumentStore on Azure Websites simply by specifying a port. Also, you do indeed have to use the AppSettings configuration rather than setting the Configuration property of the EmbeddedDocumentStore upon creation (like I tried to do above). This post (stackoverflow.com/questions/11529159/) shows how to do it.
Unfortunately, I still haven't found a way to run the EmbeddedHttpServer so I can use the Raven Management Studio. If I figure out how, I will post a solution here.
Hi this was answered on RavenDb on Azure Websites - Access Denied
Basically you need to configure the port in Web.config