I'm quite new to the .NET Workflow stuff.
I've made a workflow service and now I want to host this service using IIS. (This workflow was well tested by debugging it in VS2012)
I'm using AppFabric and Workflow Manager to configure all of this.
Workflow Manager made all the databases needed to persist the workflow instances and the Workflow Management Site in the IIS. Then I've published my workflow service into a zip file and imported this into my Workflow Management Site.
Everything was fine and running when I had shut down my computer two days ago. Now my Workflow Manager Backend service won't start anymore. When I watch the eventlogger this is the critical error:
The Workflow Manager backend failed to start at location 'WorkflowServiceBackendHost.Start' due to an exception: System.InvalidOperationException: Certificate '90ED72666C964EE0902E84767A0D284D66F6B725' is not found in the certificate store.
I found the sha1 of this certificate in 'Microsoft.Workflow.ServiceHost.exe.config' file in 'C:\Program Files\Workflow Manager\1.0\Workflow\Artifacts'. But it's not possible to change it and try something else. So I guess it was a generated certificate by the Workflow Manager configuration.
I searched in my certmgr.msc for this sha1 and could not find it. But I didn't change or remove any certificate and I don't think that the certificate could be expired because I installed and configured everything two days ago. I don't think this is the same certificate that is used for the communication between the service and an external application.
Maybe I could change something in the Workflow Manager configuration but this tool doesn't start. Probably because the service isn't started. But as I said I'm new to all of this and the information I found this far didn't help me or was re installing the workflow manager etc. But then I wonder what will happen if all of this is in production.
Could anyone help me to get this Workflow Manager backend service up and running again?
Thanks in advance, Tim
Reset the Auto-Generation Key for WFM and Service Bus
i. $CertKey=convertto-securestring ‘YourPassword’ -asplaintext -force;
1. Note: Update with YourPassword with your own password
ii. Run this step:
1. Set-WFCertificateAutoGenerationKey –Key $CertKey
iii. Followed by this step:
1. Set-SBCertificateAutogenerationKey –Key $CertKey
iv. Update the Hosts:
1. Stop-SBFarm
2. Update-SBHost
3. Stop-WFHost
4. Update-WFHost -certificateautogenerationkey $CertKey
5. start-sbfarm
Check that the Get-WFFarm and Get-SBFarm output has changed certificate thumbprints
Related
We have 5 Service Fabric nodes running 2 applications in 4 environments in Azure. Our Network team wanted to switch out our cluster certificate so they generated a new one (I believe in the key vault) and swapped it to primary. We updated our project to use the new cert's thumbprint. We successfully authenticated to the cluster and deployed (via Visual Studio) using the new cert, but now the application will not activate. The error we are seeing is:
System.Hosting' reported Error for property 'Activation:1.0:1.0:131965678558388988'.
There was an error during activation.There is already a certificate with thumbprint 123oldCertNumber bound to port 200appPort. New certificate thumbprint specified: 321newCertNumber
Additionally, we tried deleting the old cert which is now in the secondary slot, but it just processes for hours saying "Cluster is updating user certificate." and eventually fails to delete the cert.
Any help would be greatly appreciated!
Here's what worked for me:
I deleted all applications, but did not unprovision them. I then reset all nodes to clear them out. Then I deleted the old cert - this time it worked. I redeployed and viola, it activated no problem. Well, almost, I have one node that is stuck with the same error message. I've tried deleting data and resetting it, but haven't been able to clear it yet.
If both of you applications were using the old certificate then you may have encountered a problem described in documentation describing Upgrading multiple applications with HTTPS endpoints.
When the first application goes to update it will fail to configure the HTTPS port with the new certificate, since the second application is still running and has already configured the HTTPS port with the old certificate. The only path forward is to remove both applications that are sharing the port and then upgrade.
For this reason you may want to consider approaches to prevent this problem in the future. You could:
Combine services from the two applications into a single application, or
Run each application on a different port.
I just finished upgrading my applications to use a new cert and here is what you must do.
I have 3 applications using the one cert.
Instructions
In the Application Manifest, I removed the binding
from 2 of my 3 applications. It is important that you do not remove the binding from all of your apps at once.
I then redeployed the 2 apps with the binding removed.
I updated the 3rd Application with the new cert and redeployed
i then added back the binding in the other 2 applications and updated them to use the new cert and redeployed.
That was all that was needed.
Here is a link to the solution
Renew endpoint certificate
I am dabbling with WCF and SSL and have hit a bit of a problem.
I have a self-hosted WCF service and a basic client which connects to request a token.
I have it set up on my development machine it appears to communicating over SSL just fine.
But when I set it up on a different machine to test the deployment the client keeps getting nothing back from the service.
I assume it has something to do with the certificates I have set up as this is the only thing I think could be different.
I have used the netsh command to associate my port with an existing certificate that was already on the server. And it appears the same as my dev machine (where I created the certificate with makecert manually.
I initially tried to follow the same steps on the deployment server but failed as there was already a certificate with a common name of the server, so eve though the certificate generated when ever I tried to use the cert hash thumbprint of the newly generated certificate I was being given the :
SSL Certificate add failed, Error: 1312
A specified logon session does not exist...
The only way I could get the netsh http add to work was by specifying the cert hash of the existing certificate.
Is this my problem or a red herring? How do you debug issues like this?
Personally I just configure WCF tracing. It usually provides more user friendly info about a problem. Here's a how to link Configuring Tracing
Hope it helps!
I have a WCF service that I want to secure with Client Certificates but I cannot get it to work on Azure.
I removed Azure from the equation by hosting the service on a standard Windows Server on Amazon. I installed both the service and client certificates (none are self-signed) into the Local Machine 'Personal' store on this server including the chained certificates and it all worked as expected, called from my local PC, with the client cert set against the binding/behavior. It did not work without the certificate being specified so it definitely worked correctly this way.
I then deployed the service to Azure. The client and server certificates are uploaded to the portal and set in the config against "Local Machine/My" and the CA and root certificates are uploaded and I tried them in various stores including "My", "Trusted" and "CA". Every variation I try, I continue to get "The HTTP request was forbidden with client authentication scheme 'Anonymous'" called from exactly the same program locally with the only change being the client endpoint address.
As another detail, I can get it to work without certificates so there is no problem with the web service but I am unsure how to work out what is actually happening with the certificate handshake between client and service.
I have finally got it to work, and have written a guide here: Blogspot.co.uk
I'm not sure what I had got wrong before since I have not done anything too weird to make it work. I think perhaps I had a small defect somewhere in configuration that I eventually fixed by starting again. Anyway, it DOES work and provides some useful security on Azure.
See my answer to this SO post - bottom line, cert in LocalMachine/My and run with elevated privileges in csdef file add:
<Runtime executionContext="elevated" />
We are planning to create and install self-signed certificates on azure web roles.
We have a requirement to create certificate on web role itself and installing there.
But we cannot find makecert.exe on azure web and worker role. We did remote desktop on azure role and found that makecert.exe is missing.
Any direction on creating and installing certificate on azure role would be helpful?
If there is any management APIs available for creating certificate on web role, please share with me as I am unable to locate in msdn.
You have a few options to create self-signed certificates:
Deploy makecert.exe with your application (include it in your VS project, set Copy Local = true)
Write something yourself to generate the certificate (example here: https://github.com/mono/mono/blob/master/mcs/tools/security/makecert.cs)
But there's more to it than simply generating a certificate. What will you do if you have more than one instance running? Will you install the certificate on 1 instance? Or do you need all your instances to have the certificate? What if you redeploy the application? ...
In those cases you might want to look ahead. Would it be an option to store all those certificates in blob storage? Maybe you could have a process running on each instance that 'synchronizes' the certificates with the current instance. You could also use AppFabric ServiceBus Topics to notify other instances when a new certificate has been generated...
The direct answer to your questions is that Makecert.exe is an utility which is installed either from installing Visual Studio or Windows SDK or direct download from Microsoft sites. A Windows Azure VM sure not to have this makecert.exe because it is not part of base Windows deployment and if you want to use/run Makecert in Windows Azure VM you really need to add in your project and deploy it.
HOWEVER,
If you have a need to deploy a certificate to Windows Azure you really don't need to generate it on fly (i.e. using Makecert.exe) because there is other easier way to do it. You just need to add (or deploy) your PFX certificate to your Windows Azure Service -> Certificate section and when you VM will be initialize, the certificate will be provisioned to your Windows Azure Role (Web or Worker or VM) so there is no need to add Makecert.exe with your project and then use Startup task to run it.
Instead of depend on Makecert.exe or any other method to have certificate in your role, i would suggest using above method which is actually designed for such requirement. If you don't know how to deploy a certificate to your Windows Azure Service either directly to portal or using PowerShell, please let me know..
I have a wcf service hosted by a windows service. We encrypt passwords using private certificates encrypted by RSA algorithm. The certificate (pfx file) is installed on the server when logged in remotely as the user A. The application throws an exception "Key not valid for use in specified state" when it tries to get the private key. The windows service runs under the account local system. When in the assembly calling the decrypt function it runs under account A (impersonation is used on the different calls in the wcf service). The server is a 64 bit Windows Server 2008 R2. The same code works for decryption in other applications installed on Windows Server 2012 servers.
I've already done the following, but end up with same error message:
Installed the certificate once more (uninstalled certificate in certmgr.msc, removed keyset in Crypto folder, checked that I get a different error message (keyset not available), restarted server, reinstalled same certificate, restarted server).
Deleted Crypto folder, reinstalled certificate.
I've trusted the certificate system-wide (refer to: https://superuser.com/questions/370217/trust-ssl-certificate-to-local-system-account)
I've changed the user the windows service runs under to be account A.
I've checked that the user A has access to the private key using this command: winhttpcertcfg -l -c CURRENT_USER\MY MyCertificate.
The string to be decrypted has the same length as used in the other applications where we don't have this problem, so we don't think it has something to do with the length (The string length is 137). In addition we know specifically that it fails on getting the private key. (Refer to: https://msdn.microsoft.com/en-us/library/system.security.cryptography.rsacryptoserviceprovider.encrypt.aspx(fOAEP is set to false)
I'v created a new certificate with a different name on the server logged in remotely as the user A.
I've checked that the domain, assembly and mscorlib is fully trusted
Need expert help! I can use the old encryption withouth certificate but that is not as secure. And it is so frustrating to have used this much time on it without any results...
Best regards, Kristine.
I figured it out myself by creating a small application that only did the specific thing that my code in the wcf service was failing on. Everytime it was working I added some more complexity. This way I figured out that the wcf service had to run as the user A mentioned above. In addition I figured out that it would work without some requirements I had for impersonation on the WCFService. For every service method I had this attribute:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]. I still use impersonation from the applications calling this WCFService (since the WCF Service is in domain X and the application calling it is in domain Y), but it works when I removed the attributes.
Kristine:)