Missing configuration for the issuer of security tokens error - authentication

I inherited an existing project without its development environment. I have UAT code and a backup of the Production database. I can run up the site locally via Visual Studio but have hit an authentication problem trying to setup a fresh standalone DEV server on AWS (single server, no load balancer). The doco indicates the Prod server is a dual server setup with a load balancer.
The front end site pages do display, although some search is not working. On trying to log into the backend pages, Chrome returns "The xxx page isn't working. xxx redirected you too many times." Using developer tools, I can see the page redirects back and forth between SWT?realm=... and sitefinity?wrap_defalted=true&wrap_access_token... On the second redirect response header there is "X-Authentication-Error:Missing configuration for the issuer of security tokens 'https://xxx/Sitefinity/Authenticate/SWT' "
I tried different values in the web.config lines:
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
<cookieHandler requireSsl="false"/>
</federatedAuthentication>
but that actually made things worse so I have reverted.
I checked all the settings mentioned in http://docs.sitefinity.com/administration-switch-to-claims-based-authentication and they seem to be set correctly. I don't really know what else I can check to get this working.
I found http://docs.sitefinity.com/administration-configure-security, but it does not seem like these settings are set (I don't have access to Prod server so can't confirm if it is actually setup with load balancing). I am currently using a 30 day trial license so am not sure if this is contributing to the problem. The official license is in the process of being transferred by the client. The domain name associated with the official license would be different to the domain my new server is currently running on.
I am also running version 8 code on a version 9 install of Sitefinity. I wanted to get it working before I tried to upgrade the code. I think there was also an assembly load to manifest mismatch when I tried upgrading my local version.

Found the solution: Don't mess with the SecurityConfig.config file.
<securityTokenIssuers>
<add key="B886AA7BFB5515BA63F577A44BBEB5C7AE674035514D128BC397346B11F4C97A" encoding="Hexadecimal" membershipProvider="Default" realm="http://localhost" />
</securityTokenIssuers>
<relyingParties>
<add key="B886AA7BFB5515BA63F577A44BBEB5C7AE674035514D128BC397346B11F4C97A" encoding="Hexadecimal" realm="http://localhost" />
</relyingParties>
Even though it is running on a server, the above lines should still point to localhost. It seems like these only need to be edited if you have a multi-server setup with an entirely separate STS.
I initially changed it to match the new domain name, but after some experimentation around adding localhost and HTTP variations, it seems like it works best with just localhost.
Even when I changed the web.config entry above to use the new domain as the issuer instead of localhost and the SecureConfig.config to specify only the new domain as the realms, it didn't seem to work. I guess the authentication must try to hit localhost specifically.

Related

Publish .NET Code application to Arvixe Host

I have a ASP.NET Core with Blazor website and I want to deploy it to Arvixe host. The website is very simple and contains only UI elements no database required. I published the website to a local file system and uploaded it using FTP to the Plesk.
When I am visiting the website, I receive this error:
500 - Internal server error. There is a problem with the resource you
are looking for, and it cannot be displayed.
I have tried to run it on the IIS and I received more details:
Configuration The configuration file cannot be read due to
insufficient permissions.
I tried to add IIS_IUSRS to the group and users for web.config but I am not able to find it because I am using a windows 10 connected to active directory.
Besides, I still don't know how to solve this problem at Arvixe. Does anyone know tips might help?
500 internal error is generic issue. Please kindly check the error message on the server and paste it here. Make sure that your provider has installed .net core bundled on their server and here are tutorial about publsih .net core using plesk https://windowswebhostingreview.com/how-to-publish-using-web-deploy-with-plesk-control-panel/. It should be working fine.
You need to give Full Trust permission (Read-Write-Execute) to your application folder and also to Application Pool and also check if the Runtime version supported by Arvixe matches with your Asp.net Core version.
Also enable the logs in web.config file by setting stdoutLogEnabled="true" to get detailed error so that you can investigate more about the error.

ASP.NET Core hosting - 500 internal server error

I am trying to publish as ASP.NET Core project with a hosting provider that supports ASP.NET Core. I am getting 500 Internal Server Error which I believe is very common. So I searched through the internet and various forums and then I checked the processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" in web.config and they look to be correctly converted with processPath="dotnet" and arguments=".\MyApplication.dll".
I also checked the connection string and it points to production DB server that's working. I confirmed the DB connection by changing the connection string to production DB and running project local. It works and I get the production DB access.
I also tried to get the error info by using the below in my Startup.cs (irrespective of env):
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
app.UseBrowserLink();
I have also enabled stdoutLog in web.config, but I don't see that folder either:
stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout"
I also tried to change applicationUrl and launchUrl in launchSettings.json to my prod Url, but that didn't work as well.
So, the 500 Internal Server Error refuses to go away, and I still don't have a useful error message. The page just says:
Oops.
500 Internal Server Error
An error occurred while starting the application.
I would really appreciate if someone could help me here.
I have also enabled stdoutLog in web.config as but I don't see that folder either:
stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout"
There is one trick here - you must create both folders logs and stdout manually - then and only then IIS will create log file inside logs folder (not stdout as you could expect) - don't ask me why, because I don't know why ;)
Oops. 500 Internal Server Error An error occurred while starting the application.
Usually, means problems with a configuration in Startup.cs - the most common problems include an issue with DB itself, an issue with migrations (if you are using Code First approach), problems with appsettings.js, problems with Social Logins credentials (like missing SecretKey)...
Please refer to log file in .\logs\stdout - this is the quickest way to find details about the problem :)
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
Those will work after your WebApp fully started, but not while starting the application.
in web.config file change modules="AspNetCoreModuleV2" to modules="AspNetCoreModule"
and watch this video
https://www.youtube.com/watch?v=clCR3k6kkD8
Thanks to Lukasz for his comments. I was able to see the log and it stated that "ClientId option must be provided". The problem was with the UserSecrets. Since secrets.json is only available in Development, there were no secrets found in Production. Once I had the secrets in my appSettings.json, it worked fine.
Moreover, To replicate this in Local environment, just go to Project properties and change the environment variable ASPNETCORE_ENVIRONMENT to 'Production' and run in local. This will replicate the 500 Internal Server Error in local and you'll get the error message.
Also, ensure that the ASP.NET Core Windows Server Hosting bundle is installed. THis creates a reverse proxy between IIS and the Kestral server.
More Info:
https://learn.microsoft.com/en-us/aspnet/core/publishing/iis?tabs=aspnetcore2x#tabpanel_tfsY37MhAQ_aspnetcore2x
I would like to add some more info to #Lukasz Makowej answer.
I found out the reason why to have to create the folder, in microsoft documentation it is said that:
stdoutLogFile - Optional string attribute.
".....Any folders provided in the path must exist in order for the module to create the log file...."
So you have to create it yourself :)
Check it out here:
https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/aspnet-core-module?view=aspnetcore-2.0
I also must said that in my case I had to validate that the web-site had the permissions to access to the "log" folder.
Make sure your web.config is good. I've been stomped more than once by a syntactically good web.config that referred to a module (Rewrite) that wasn't on the server. No error messages anywhere, other than the 500 response error.
Std log wasn't working for me, I had to uninstall all .ENT Core runtime / SDK versions from the server and my local to install the latest one and it worked after publishing everything again from scratch.
Another thing that helped was binding the IIS app to port 5000 without any dns so it actually showed me errors on http://localhost:5000
Encountered this issue yesterday, we also had no logging, no eventlog message whatsoever.
Then we checked the site's authentication settings via the IIS-manager to double-check the settings. And pop suddenly a popup with an error message 'Error on line XXXX'.
Turned out the configuration section was locked in the website's config at server-level.
So try unlocking the relevant IIS configuration settings at server level, as follows:
Open IIS Manager
Select the server in the Connections pane
Open Configuration Editor in the main pane
In the Sections drop down, select the section to unlock, e.g. system.webServer => security => authentication
Click Unlock Attribute in the right pane
Repeat for any other settings which you need to unlock
Restart IIS (optional) - Select the server in the Connections pane, click Restart in the Actions pane

Sporadic invalid_request 400 errors connecting to Shopify /admin/oauth/access_token

I am using a java raw HTTP client to connect to Shopify API (specifically, using Play Framework with the non-defualt sync driver which is actually the JDK's default driver).
My application usually manages to connect successfully and convert the temporary access token into a permanent one by calling the /admin/oauth/access_token endpoint.
However, sometimes I get this error result from the API:
Generic Error(400)
{"error":"invalid_request"}
I haven't been able to reproduce the issue with my test stores - I've tried installing a fresh store, reinstalling existing stores after uninstalling, I'm not sure why this call sometimes fail and how to debug it. The API call still continues to succeed for some stores using our application.
Some things that I am doing:
Even if the URL of the store is on a custom domain, I'm always using the https://foo.myshopfiy.com/admin/oauth/access_token URL and not the URL of the custom domain, to prevent a redirect.
I am always using an https URL and never an http one, again to prevent a redirect (we noticed a few issues with redirect with the Java HTTP client, so we aim to have zero redirects)
A thread I found about this error suggest possible problems with our SSL certificates, however I don't think this is my problem because some requests work for us, and the result of running openssl on our machine does't show any issues.
How should I proceed? Open a support ticket with Shopify?
FYI, I see that this specific problem only started yesterday on Feb 19 2013, so it might be a temporary issue.
FYI, the problem was caused by reusing a temporary access code.
Our fault - Shopify could have been more clear in their error message though.

WinJS.xhr: Network Error 0x2efd, Could not complete the operation due to error 00002efd

I have problem with WinJS.xhr when developing a Windows 8 Metro application in JavaScript.
WinJS.xhr({ url: "http://www.seznam.cz"});
When above code is executed, I see in log:
SCRIPT7002: XMLHttpRequest: Network Error 0x2efd, Could not complete
the operation due to error 00002efd.
I have enabled "Internet (Client)" capability in manifest.
Maybe the problem is because I am behind proxy and using VPN, but I can access internet using Google Chrome (I just need to authorize, otherwise HTTP Status 407 - proxy authorization needed).
How can I fix it?
[EDIT]
So I found that it is probably related to the VPN I have to use (Cisco VPN Client). When I disable the VPN, even when I am behind the proxy (I use the LAN, with VPN I use WiFi), the request works. Maybe it is only Cisco VPN related. I had to modify registry as it is described here http://verbalprocessor.com/2012/09/17/windows-8-and-cisco-vpn-client/
Also interesting is that a few Metro apps work (maps) and some do not work (windows store) when I am behind proxy.
Just a notice: I have explored Windows.Networking.Connectivity and in both cases (with/without VPN) I get NetworkConnectivityLevel == "Local Access" (because I am behind the proxy probably).
I got the same error when connected to my workplace SSL/VPN connection (from Juniper).
Opening the .appxmanifest file and adding the "Private Networks (Home & Server)" capability solved the issue.
<Capabilities>
<Capability Name="internetClient" />
<Capability Name="privateNetworkClientServer" />
</Capabilities>
This solution worked for me (see forums link below)... essentially, you need to add the server's certificate to the Windows Store App manifest (also be sure your manfiest "Capabilities" are set to at least "InternetClient"). You can get the server's certificate by exporting it from your browser, save is as a ".der" file. Using Firefox was easier than IE in doing this (From FF, browse to the target domain that has the certificate, then right click on the page > Page Info > Security tab > Details tab > Export button > save as ".der".
http://social.msdn.microsoft.com/Forums/en-ZA/winappswithcsharp/thread/4a776e8c-0e10-4f03-908f-7f765d914080?prof=required
This solution seems absurd - so bear in mind, this may only be necessary for sites that are using self-signed certificates, like in a development environment, because this process was not necessary for other production sites.
The proper way to do this was posted on the MSDN forums, it didn't work for me but the following did
config.xml
...
<platform name="windows">
<config-file target="package.appxmanifest">
<DeviceCapability Name="privateNetworkClientServer" />
</config-file>
...
</platform>
These will be merged with your other capabilities

ColdFusion SSL authentication failure

I have a simple cfhttp request (a login) going out to an SSL server:
<cfhttp url="https://www2.[domain].com/api/user/login" method="POST" port="443" >
<cfhttpparam type="formfield" name="username" value="[username]" >
<cfhttpparam type="formfield" name="password" value="[password]" >
</cfhttp>
The request fails before it begins, and the ColdFusion server says:
I/O Exception: peer not authenticated
Both development environments work smashingly. They receive the login session and then hand that to the collector process which successfully taps the remote web service for data.
After I spent a day trying to get the correct certificate into the ColdFusion stores, I had the bright idea to actually compare them to the working development environments. I looked at them (keytool -list), and they are identical.
Now that the obvious is absolved the questions I'm left with are twofold:
Is there some other certificate repository I need to check, or alternately, is there a place where I can get ColdFusion to tell me what certificate repository it needs to find the certificate IN (on the off chance it can and has been altered) or if that is even possible.
Identify and correct else could be causing this.
Are the development and production environments the same? Are they all, for example, ColdFusion 9 Standard or ColdFusion 8 Enterprise?
In my experience, this error is usually caused by one of two things:
The administrator failed to install the certificate into the cacarts repository, or they installed it into the wrong one.
ColdFusion Enterprise and ColdFusion Developer edition (for ColdFusion 8 and ColdFusion 9 both, I believe) have an issue with the built-in BSafe CryptoJ library that is installed and certain types of certificates (I have not yet been able to determine a pattern) that causes this error. There are some workarounds if this is the case.
First, I would explore the possibility that you are importing into the wrong certificate repository. It can be hard to tell which repository is being used. In your CF Admin under "Setting Summary" you should be able to find the location of the JRE that is being used. It is listed under "Java Home". Take that directory and add lib/security to the end of it and that should be the location of the cacaerts file that is being used. I say should because I have seen at least one weird situation where it was not.
I HAD the same problem and I tried everything and can't fix it. Strange is that everything worked fine then suddenly stopped working. It might be a Java update on the server causing the problem or a change of the certificate from the website the CFHTTP is trying to access.
Anyway, here is a link I setup for a "demo" of this problem:
http://www.viaromania.eu/https.cfm
As you can see, I am trying to access a HTTPS service using CFHTTP tag. And it is not working. I deleted the certificate from C:\ColdFusion9\runtime\jre\lib\security\cacerts, generated a new one from the website URL, imported back, installed "certman" under CFID/admministrator, checked the certificate, it's there... and it's listed in my test page.
If you scroll to the bottom of my test page, you'll see a similar CFHTTP to https://www.google.com and this works fine, even if there is no certificate installed on the server.
It is important to mention that the request is working just perfect on my development machine, and here I also don't have any certificate installed...
AND THIS HOW I FIXED IT
1. Updated ColdFusion 9.0.2 with this - https://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-1-coldfusion-902.html
2. Installed Java JDK 1.7.0_79 from here http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
3. Changed the Java Home in ColdFusion Administrator / Server Settings → Java and JVM from "C:\ColdFusion9\runtime\lib\jre" to "C:\Program Files\Java\jdk1.7.0_79\jre"
That's it. I don't know if it uses any certificate or not. They were installed in the "C:\ColdFusion9\runtime\lib\jre\lib\security\cacerts" and not moved from there or anything.