I set up an ADFS environment Windows Server 2012 R2 by the following steps:
creating a certificate file;
Install ADFS through Server management;
Configure ADFS with the certificate file created in #1
the above 3 steps runs successfully but I cannot access the endpoint https://[DomainControllerName]/adfs/ls. Sometimes it shows 503 error page and sometimes it just says "the webpage is not available".
Does anyone encounter the similar problem? Please help. Really appreciated!
That's not a valid endpoint.
ADFS is expecting protocol parameters after that.
Try the metadata endpoint:
https://myserver.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
Related
I am getting error when using below line from itfoxtec-identity-saml2 library. When i am on localhost and usin iisexpress, it works with proxy server id,password & port i.e. 127.0.0.0 / port. But when i load the application on companies IIS server [no internet], i get below error
return ReadIdPSsoDescriptor(webClient.DownloadString(idPMetadataUrl));
webClient.DownloadString(idPMetadataUrl) is giving below error.
Access Denied (authentication_failed)
Your credentials could not be authenticated: "Credentials are missing.". You will not be permitted access until your credentials can be verified.
Why I need internet on the IIS server? & what proxy settings I should provide in prod release which will go on IIS where there is no internet connection.
When loading the application on the IIS server what application pool I should set to the application [.net core 3.1 web-based application which will be hosted on AWS ec2 windows system] & under IIS authorization which mechanism I should select [windows/anonymous ?]. I am currently using SAML so selected anonymously.
Please guide, thanks in advance !!
You have configured to download the IdP metadata online, therefor your server need access to the place where the IdP metadata is hosted. Alternatively, you can download the metadata manually and place it as a file on the server.
I have hosted a site in IIS (Version 10.0.16299) on windows 10.
My site running under SSL required. When my site running with SSL required I am getting error
403 - Forbidden: Access is denied.
But when I disable required SSL, I am not receiving this kind of error everything is working fine.
But in my case, it is a must to use a required SSL connection.
The IIS hosted site is a simple directory browsing site.
How can I use it with the required SSL?
And I have attached the Trace root are in the below link.
Failed Trace root file
I reviewed your FRT log and the error message is 403.7-Client certificate required.
It is obviously that you are Setting Client certificates to required. If you don't need client certificate authentication for your web application, then Require is not required.
If you just want to enable SSL for your https site,Check Require SSL and set client certificate to ignore is enough.
Please keep in mind that you need to Set Client Certificates to required only when your web app require to pass client certificate from client side
It's a certification related issue we observed and resolved when installed the right certificate in the trusted root.
Configuration need to change on IIS
Occurrence of 403 is not only particular instance, it's IIS configuration part, in most case you can resolve from IIS it's self, there might be some restriction level in IIS setting, you can check on IIS where your site hosted, find IP Address and Domain Restrictions option and check there will an entry to allow specif IP address, we need to update that entry by checking Edit Feature Settings... enter image description here then need to select Access for unspecified clients: earlier may be Deny instead of this we need to allow enter image description here. after those changes, your url available to access if you have same issue which I described.
I'm learning Identity Server4, just a simple example. one server one client.
When i run the server on Kestrel, everything is fine.
but if i deploy the server to IIS, when i try to visit a Action with [Authorize] attribute from client, it throws an exception.
IOException: IDX20804: Unable to retrieve document from: 'http://myip:5555/.well-known/openid-configuration'.
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'http://myip:5555/.well-known/openid-configuration'.
even if i can access to http://myip:5555/.well-known/openid-configuration normally.
I searched and tried many solutions but none of them works.
Thanks anyone in advice.
If you are using a certificate check if is trusted certificate on your IIS machine.
How to trust the IIS Express Self-Signed Certificate
I am trying to workout how to configure a CXF consumer to use https, but use basic authentication.
I presume we need to attach our certificate using the httpj:engine-factory but whenever I try and do that the server generated the follwing error:
javax.net.ssl.SSLHandshakeException: null cert chain
EDIT: I believe what is happening is that the server is requesting a client certificate, but the client does not send one. For "One Directional" SLL, I don't think the server should be asking for a certificate from the client.
How do I prevent the server from requesting a client certificate?
Any assistance greatly appreciated.
You need to install certificate in your JVM trust store. Please go through below link:
How to solve javax.net.ssl.SSLHandshakeException Error?
It turned out to be quite simple. In the httpj:engine-factory, there is a setting for client authentication.
<sec:clientAuthentication want="false" required="false"/>
This controls whether the server requests a certificate from the client. I had copied this from samples with Bi-Directional SSL and these values were set to true.
I'm currently working on an automated deployment process for a hosted service for Windows Azure. The creation of the .cspkg and .cscfg files works perfectly using a call to msbuild. Now I'm writing a small .NET console app that should deploy these files to Azure using the Management REST API.
There is no problem concerning the API itself. I can send a request to the API using one of my management certificates. I upload the .cspkg file to Azure BLOB Storage and then try to call Upgrade Deployment. But every time I try, I get a "400 Bad Request" response stating that the certificate with thumbprint xy was not found. This certificate is the SSL certificate (not a management certificate) I'm using for HTTPS for my custom domain (DNS CNAME).
And now, the whole thing gets interesting:
When I deploy the files using the "Publish" command in my Visual Studio, there is no problem. (I compared the .cscfg/.cspkg files from VS and from my msbuild output: apart from a few GUIDs, they're identical). And furthermore, using the Silverlight Management thingy in my browser, I can even upload my generated files that could not be uploaded using the API.
When I retrieve a list of all certificates using the List Certificates call, the certificate which is said to be missing is apparently there. I can also retrieve its data using the Get Certificate call.
So why does Azure keep telling me that the certificate was not found when using the Upgrade Deployment call? Did anyone experience something similar? Has anyone the hint for me? Thanks in advance.
P.S.: This is what Azure says when I use the API:
<Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<Code>BadRequest</Code>
<Message>The certitficate with thumbprint 7b232c4a2d6e3deadbeef120d5dbc1fe8049fbea was not found.</Message>
</Error>
P.P.S.: Yes, the word in the response is certitficate, not certificate.
OK, after using the List Subscription Operations API call to find out what Visual Studio calls to deploy apps, I found the solution.
Turns out that the URL I used for the API request was wrong, but: with all due respect, I blame Microsoft for lousily documenting its Azure Management API.
In their documentation, they write the URL to use is:
https://management.core.windows.net/<subscription-id>/services/hostedservices/<service-name>/deploymentslots/<deployment-slot>/?comp=upgrade
And the description is the following:
To generate the request URI, replace <subscription-id> with your subscription ID, <service-name> with the name of your service, <deployment-slot> with staging or production, and <deployment-name> with the unique name of your deployment.
What they forgot to mention is, that you have to use the DNS Name of your service, and not the Name! They could at least return an appropriate error message telling you that the service name is invalid, non-existent or doesn't belong to your subscription ID, instead of complaining about some certificate issue.
Thank you Microsoft, that cost me more than two days.
The error indicates that you have not uploaded that certificate into the hosted service's secret store. Visual Studio might be doing that automagically for you, but if you want to replicate it programmatically, then use the Add Certificate API call and upload the PFX into the deployment.
You can see '400 BadRequest - The certificate with thumbprint XYZ was not found.' appear in the CreateDeployment or UpgradeDeployment scenario for the following reason (which I just debugged):
You use the same certificate for subscription management as you do for e.g. SSL or Remote Desktop password encryption in your hosted service. You therefore will use the certificate with thumbprint XYZ to authenticate your service management REST call that creates the deployment.
When specifying your deployment parameters you pass in your CSCFG which references that same cert by its thumbprint, because it needs to configure Remote Desktop/SSL etc.
That cert is not yet added to your hosted service certs.
In this case the 400 Bad Request error really is telling you that you have a bad request, because the certificate in your CSCFG is not yet attached to your hosted service. The confusion arises (for me) because, since its a multi purpose cert, you misinterpret the error message as referring to the authentication of the request, even though you are not getting 401.