Notice: this exact question can be found on the dynamics community forum which as usual isn't exactly responsive...
I can't figure out what's wrong with this environment...
CRM and ADFS are on the same server, different ports:
By browser, navigating to https://myorg.mydomain:444 redirects to https://sts1.mydomain:442 adfs login screen shows up, I input credentials, then I'm redirected back to CRM, everything works perfectly no matter which organization I navigate to. The SSL certificate is a wildcard one, covering *.mydomain (again, no issues whatsoever). Outlook client also works without a hitch.
My issue is, the registration tool (I'm using the one from the 2016 SDK, but this also happens with the 2013 SDK's one) doesn't seem to be able to connect.
The exception message showing up in the log is (I'm translating from my native language to English, so the messages might not be 100% accurate):
[Top] Unable to establish a trust relationship for the SSL/TLS secure channel with authority 'sts1.mydomain'
[Inner level 1] Underlying connection closed: <same as above>
[Inner level 2] The remote certificate wasn't deemed valid from the validation procedure
Nothing in particular stands out in the Event Viewer... What's wrong?
Just before writing this, I also tried the 2011 Registration Tool and it spits out a different error: it attempts to login to ADFS through HTTP instead of HTTPS (it complains about not finding http://sts1.mydomain:442 which doesn't exist).
I also tried importing the aforementioned SSL cert into my trusted root cert authorities, it doesn't seem to matter (everything stays the same).
Update: I forgot to show the connection settings:
(o) On-Premises ( ) Office 365
Server: myorg.mydomain
PORT: 444 [X] Use SSL
Authentication Source: IFD
Username: DOMAIN\USERNAME
Password: PASSWORD
Domain: <BLANK>
[X] Display list
I haven't started fiddling with plugins in 2016, so I'm not sure how that works or which endpoint it's using, but I'd try the 2011 plugin registration tool too. It's what I've been using up until now, and I think it is better than the 2013 and later ones since you can have multiple servers set up in it.
Regards
Related
I have an issue when trying to connect to the LDAP server through code. It works fine when I use the admin tool to connect to it, but it doesn't work when I use this code; it says:
The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
My code:
Imports System.DirectoryServices.AccountManagement

' Validates the supplied credentials against the domain over LDAP with SSL.
' (The wrapper function name is illustrative; SingleSignOn.ADDomain and
' SingleSignOn.ADSecurityGroup come from the application's own settings.)
Public Function ValidateUser(UserName As String, Password As String) As Boolean
    Using context As New PrincipalContext(ContextType.Domain, SingleSignOn.ADDomain, SingleSignOn.ADSecurityGroup,
                                          ContextOptions.SecureSocketLayer Or ContextOptions.Negotiate, UserName, Password)
        ' FindByIdentity forces the bind; Nothing means the user was not found
        Using foundUser = UserPrincipal.FindByIdentity(context, UserName)
            Return foundUser IsNot Nothing
        End Using
    End Using
End Function
My question is: how do I set up the code to use version 3?
Thank you in advance for your help/ideas.
Windows needs to trust the SSL certificate, otherwise the connection will fail. Unfortunately the error message doesn't tell you that.
You have a couple of options:
Change the certificate being used on the server to a certificate from a trusted root authority. This is the best way to do it, especially if this is a production server.
Tell Windows to trust the self-signed cert. This would have to be done on every computer that will connect. To do this, use the PowerShell script in this answer to download the certificate (change the URL to match your server). This will give you a .cer file. Then follow the instructions here to import it on the computer that you are running this code on. In that article, start at the heading "To start the certificate import process through Microsoft Management Console (MMC)". In step 4, you have the option to import it for the current user only, or for the whole computer (which requires local admin rights).
In previous versions of Thunderbird, when connecting to a server with a self-signed certificate, a warning was displayed, but the option was offered to create a security exception for that server with this dialog:
I could click on "Confirm Security Exception" and thereafter, TB could communicate with the server.
But in this version of TB, I only see a message:
Sending of message failed.
The certificate is not trusted because it is self-signed.
The configuration related to [server name] must be corrected.
There is no indication of what "must be corrected" for TB to trust the certificate.
The Certificate Manager in the Privacy settings section does open the dialog above. But once the correct IP:port is entered, the "Get Certificate" button does nothing apart from displaying "No Information Available". This renders the dialog pretty useless.
I'm not concerned about man in the middle attacks due to the lack of CA signing because the mail server is on an intranet.
Is there any other way to get TB 78 to work with self-signed certificates?
I also suffered from this issue for hours. Finally, I figured out how to solve it.
At first, I tried to download the certificate from Firefox. When I tried to access https://bad-mail-admin.com:465, it told me:
This address uses a network port which is normally used for purposes
other than Web browsing. Firefox has canceled the request for your
protection.
Then I googled it and found the solution: https://support.mozilla.org/en-US/questions/1083282
Just go to about:config, right-click anywhere on the page and choose New > String. Create an option named network.security.ports.banned.override, with the value: 465
Then Firefox showed https://bad-mail-admin.com:465 successfully.
Immediately I realized that Firefox and TB use the same browser engine. So I repeated it in the "Config Editor" of TB.
Then go to the Certificate Manager of TB and enter https://bad-mail-admin.com:465. Press "Get Certificate" and finally I could get the certificate and add it to the security exceptions.
The only problem is when the user has multiple email accounts that use different ports: that port override doesn't take multiple ports. I tried comma-, space-, colon- and semicolon-separated lists with no success.
We have an existing production environment, MFP 7.1. We have decided to use authentication and session independence.
Now the problem is that a handful of devices are getting "Access Denied". I understand this is because the server does not recognize the device, but the server has not changed; what else would cause this problem?
These are people that already have the app deployed on their phones..
FWLSE0376E: JWS signed ClientId signature does not match the client ID [project sonepar] seems to be the error on the server.
The immediate resolution from a user perspective is to delete the app and reinstall it.
#tik27 You mention you "update the server with Session Independence and added adapter authentication code", and this is enough to (for lack of a better term) trigger an invalidation of the authentication session token between the server and the application.
Specifically, it also happened to a project I worked on when I went from unprotected adapters to protected ones, and the only solution I found was to reinstall the app.
I'm trying to setup SSO using OWin and Thinktecture Identity Server but I am not having any luck getting the SSL certificate to work. At least I think that's the problem. All works fine when I'm in visual studio, but if I try to use IIS on my machine it gives me the error "The remote certificate is invalid according to the validation procedure". I've also tried using IIS as the client treat the instance running in visual studio as the token authority but I still get the same error. Anyone have any ideas on what I'm doing wrong?
In my case I was just trying to work through the samples (for ID3v2) and getting the cert errors running locally. Since some samples even do self hosting via owin I'm not even sure where it's getting the certs for host side??
Anyway my fix was to copy the cert to the Trusted Root:
Windows => Start => run MMC.EXE
File=> "Add/Remove Snap-In..." => Certificates
Use Computer Account => Local computer => Finish => Ok
Go under Personal / Certificates
Right click "localhost", Select Copy
Paste to "Trusted Root Certificate Authorities"
Done. Enjoy.
After spending a lot of time, for me the solution was pretty simple.
I just opened Certmgr.msc and deleted the localhost certificate from the Trusted Root Certification Authorities.
Then I opened my solution (after I had run the identity server),
clicked Run, and Visual Studio asked me if I wanted to generate a new certificate for IIS Express (SSL).
I clicked Yes and then it started to work properly :)
You need to add whatever certificate IIS is using to your Trusted Root Certification Authorities store on your local computer.
That can be caused by a bad configuration of previous certificates (it can sometimes happen when you decline to install a certificate):
Windows Start and open Certmgr.msc
Under Personal/Certificates, find all localhost certificates and delete them
Do the same under Trusted Root Certification Authorities, and then close.
Start your application; you will get an exception.
Open the Package Manager Console and execute: dotnet dev-certs https --trust
Restart your application; normally you have a valid certificate now.
Adding the certificate to the Trusted People store should be enough according to the readme file in the examples provided by the authors.
In a production scenario it is better because the Root store is for CAs, and when you add something there that authority is not only trusted, but any certificate signed by it is automatically trusted.
You can check this and further details in the Microsoft reference. An extract of the two stores' short descriptions:
Root: Certificate store for trusted root certification authorities (CAs).
TrustedPeople: Certificate store for directly trusted people and resources.
P.S.: I tested it and it works. In my scenario I have IS on machine A and a set of web applications using IS on machines A and B. The IIS certificate on machine B is different from the one used on A and by IS, but I just added it to machine B's Trusted People store and the "certificate error" disappeared.
Sometimes it doesn't work even though the above settings were done, because you have given the URL as "https://localhost"; instead give the URL as "https://MachineName",
i.e. the machine name should match the certificate's "Issued To" value.
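The two failure modes the answers above keep circling back to (the client machine does not trust the certificate, or the host in the URL does not match the certificate's "Issued To"/subject alternative name) both surface as the same generic "remote certificate is invalid according to the validation procedure" message. The Go program below is an added example, not code from any post on this page or from IdentityServer, that reproduces the validation a TLS client performs and labels the reason for failure. It goes slightly beyond the thread by also covering an expired certificate, a third cause of the same message. The names NewSelfSignedCert, TrustStore, Diagnose and the host webserver01.corp.example are the example's own constructions; an empty certificate pool stands in for a Windows machine on which nothing has been imported yet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is a short triage label for the outcome of certificate validation.
type Verdict string

const (
	VerdictOK           Verdict = "ok"
	VerdictUntrusted    Verdict = "untrusted-root" // fix: import the cert (or its CA) into the client's trust store
	VerdictNameMismatch Verdict = "name-mismatch"  // fix: browse to the name in "Issued To"/SAN, not localhost
	VerdictExpired      Verdict = "expired"        // fix: regenerate (e.g. dotnet dev-certs https --trust) and re-import
	VerdictOther        Verdict = "other"
)

// NewSelfSignedCert builds a self-signed server certificate for dnsName, standing in
// for the "localhost" cert IIS Express or dev-certs would generate (hypothetical helper,
// constructed for this example). A negative lifetime yields an already-expired cert.
func NewSelfSignedCert(dnsName string, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName}, // the "Issued To" value certmgr.msc shows
		DNSNames:              []string{dnsName},              // what hostname matching actually uses
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustStore returns a pool holding the given certs. An empty pool models a client on
// which the server certificate has not been imported into Trusted Root / Trusted People.
func TrustStore(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// Diagnose validates cert for host against roots the way a TLS client does
// (chain to a trusted root, then hostname, with validity dates checked first)
// and classifies the result.
func Diagnose(cert *x509.Certificate, roots *x509.CertPool, host string) Verdict {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return VerdictOK
	case errors.As(err, &unknownCA):
		return VerdictUntrusted
	case errors.As(err, &badName):
		return VerdictNameMismatch
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return VerdictExpired
	default:
		return VerdictOther
	}
}

func main() {
	const machine = "webserver01.corp.example" // constructed machine name for the example
	cert, err := NewSelfSignedCert(machine, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	expired, _ := NewSelfSignedCert(machine, -30*time.Minute) // NotAfter already in the past
	fmt.Println("not imported on client:       ", Diagnose(cert, TrustStore(), machine))
	fmt.Println("imported, URL says localhost: ", Diagnose(cert, TrustStore(cert), "localhost"))
	fmt.Println("imported, URL uses machine:   ", Diagnose(cert, TrustStore(cert), machine))
	fmt.Println("imported, but expired:        ", Diagnose(expired, TrustStore(expired), machine))
}
```

Pass nil instead of a pool to Verify to check against the operating system's root store; the example uses explicit pools so the four cases behave the same on any machine. Note that the check order matters when reading the errors: an expired certificate is reported as expired even if it is trusted, and an untrusted certificate is reported as untrusted before any hostname comparison happens, so importing it is the first step and fixing the URL the second.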
For .NET Core, change TrustServerCertificate=False to TrustServerCertificate=True and that will solve your problem, as I have it below.
"DataConnect": "Server=tcp:127.0.0.1,1433;Initial Catalog=dbName;Persist Security Info=False;User ID=username;Password=password;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;Connection Timeout=30;"
I am using QuickBooks 2013 Pro on server A, and I have a self-signed cert on server B. I had server A navigate to the services on server B and install the self-signed cert into Trusted Root. Then I had the Web Connector on server A try to add an application. It is coming back with this error:
qbwc1048: QuickBooks Web Connector Could not verify the web application server certificate.
Any help in solving this would be great. Thank you very much
For anyone else having a similar problem, it may not be the certificate at all. It could be the server is closing the connection or returning an error code.
For more details, first click file -> clear log in the web connector. Then, try adding your application again. After it fails, click the view log button at the top right. Scroll down for more details on what happened.
You will see something like, remote server returned an error (401) unauthorized, or a similar message that is far more useful than what appears in the dialogue box.
#consolibyte Closed all IE windows and re-imported the SSL cert; it works now. Thank you