I have a problem of authentication on a vanilla CRM2013 installed on a NLB. The crm 2013 is working correctly if i use the ip address of the NLB, but if i try to access the NLB using is unique name, it's prompting for credentials and is not authenticating the user (the user is the one that i used for the setup process). Anyone has ever seen something like this? I try to fiddler the request and beside a small difference in a cookie request in the header to me they look the same. Also if i ping the unique name of the NLB it responds with the correct ip address.
The last test that i did was add the name in the host file, and i had the same problem (no authentication), looks like is managing to get to the server but it fails to authenticate. I tried to use localhost address and it worked (on both the single servers), and it worked with the name of the 2 servers that are part of my cluster, it worked with the ip of those servers too. Anyone has any idea why with the ip address of the NLB everything is working as i expect and as soon as I use the name is not working?
Recap:
Address |Status
-------------------------
CRM1.com |working
192.168.1.CRM1 |working
CRM2.com |working
192.168.1.CRM2 |working
192.168.1.NLB |working
NLB.com |not working
Obviously this is sample data, and I know that with the single server i will not use the NLB, I was expecting to have issues with both the Ip and the servername, not with just one of them.
I found out the reason is not working. When you install behind a NLB you need to change some parameters in iss. Since I'm not very good at managing it in the config editor you need to change the section, and update 2 keyvalues from false to true. Step 2-10 of this guide http://blogs.msdn.com/b/niran_belliappa/archive/2014/02/17/network-load-balancing-microsoft-dynamics-crm-2013.aspx
Related
I have a freshly installed fusionpbx server on the cloud and I created a few extensions and I registered my gateway which in this case is flowroute. I created the outbound routes and everything looked OK besides the incoming calls which are not working.
In the access control I added all IP addresses that flowroute has on their website. I made sure to add :5080 but it still doesn't work.
I made sure flowroute is sending it to :5080. I added all IP adresses in the ACL list. And if I use "sngrep" it doesn't even show any incoming calls. And when I check in flowroute it says "Unavailable - No trunk or registration 604".
I'm configuring the keystone (as SP) for federation, and I have a question about the setup shibboleth [1]. I need edit the shibboleth2.xml file, and add the SP entity ID:
<ApplicationDefaults entityID="http://mysp.example.com/shibboleth">
In my case, would be:
<ApplicationDefaults entityID="http://10.7.49.47:5000/shibboleth">
I don't know if this is the right value. When I try access 10.7.49.47:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth, I receive the error:
Unable to locate metadata for 'http://10.7.49.47:5000/shibboleth'
I want understand better how the shibboleth work with keystone, and how get this Keystone SP entityID. I don't know if I need configure something to make '/shibboleth' works.
I need get this entityID to configure my IdP SimpleSamlPHP, and add the SP there [2].
[1] https://docs.openstack.org/developer/keystone/federation/shibboleth.html
[2] https://simplesamlphp.org/docs/1.5/simplesamlphp-idp#section_5
One I recommend you use HTTPS to connect with shibboleth. If it is you case then ignore.
Two entityId do not need to match with your host or IP. So if you want you can ignore port from entityId. You can use any string for that matter.
Now answer to your question, see my this answer to see steps to integrate shibooleth. Though this is java application steps but it is mostly done in apache http so it is relevant to anybody.
See the step 3 from that post, that is where your apache server knows that this location to protect.
P.S. The path your application listens is /Shibboleth.sso/ not /shibboleth
I inherited an existing project without its development environment. I have UAT code and a backup of the Production database. I can run up the site locally via Visual Studio but have hit an authentication problem trying to setup a fresh standalone DEV server on AWS (single server, no load balancer). The doco indicates the Prod server is a dual server setup with a load balancer.
The front end site pages do display, although some search is not working. On trying to log into the backend pages, Chrome returns "The xxx page isn't working. xxx redirected you too many times." Using developer tools, I can see the page redirects back and forth between SWT?realm=... and sitefinity?wrap_defalted=true&wrap_access_token... On the second redirect response header there is "X-Authentication-Error:Missing configuration for the issuer of security tokens 'https://xxx/Sitefinity/Authenticate/SWT' "
I tried different values in the web.config lines:
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
<cookieHandler requireSsl="false"/>
</federatedAuthentication>
but that actually made things worse so I have reverted.
I checked all the settings mentioned in http://docs.sitefinity.com/administration-switch-to-claims-based-authentication and they seem to be set correctly. I don't really know what else I can check to get this working.
I found http://docs.sitefinity.com/administration-configure-security, but it does not seem like these settings are set (I don't have access to Prod server so can't confirm if it is actually setup with load balancing). I am currently using a 30 day trial license so am not sure if this is contributing to the problem. The official license is in the process of being transferred by the client. The domain name associated with the official license would be different to the domain my new server is currently running on.
I am also running version 8 code on a version 9 install of Sitefinity. I wanted to get it working before I tried to upgrade the code. I think there was also an assembly load to manifest mismatch when I tried upgrading my local version.
Found the solution: Don't mess with the SecurityConfig.config file.
<securityTokenIssuers>
<add key="B886AA7BFB5515BA63F577A44BBEB5C7AE674035514D128BC397346B11F4C97A" encoding="Hexadecimal" membershipProvider="Default" realm="http://localhost" />
</securityTokenIssuers>
<relyingParties>
<add key="B886AA7BFB5515BA63F577A44BBEB5C7AE674035514D128BC397346B11F4C97A" encoding="Hexadecimal" realm="http://localhost" />
</relyingParties>
Even though it is running on a server, the above lines should still point to localhost. It seems like these only need to be edited if you have a multi-server setup with an entirely separate STS.
I initially changed it to match the new domain name, but after some experimentation around adding localhost and HTTP variations, it seems like it works best with just localhost.
Even when I changed the web.config entry above to use the new domain as the issuer instead of localhost and the SecureConfig.config to specify only the new domain as the realms, it didn't seem to work. I guess the authentication must try to hit localhost specifically.
First of all let me describe my system.
I have a virtual server (Windows Server 2012 R2 with IIS 8.5) with two running systems.
One is for receiving Informations from Devices and the other one is for presenting and combining the users information with the device information.
The two systems are combined by a reference (via VS2012).
Problem:
If I have a look on my website for the system which gives me the user and device information in get an error, so I try to debug it on my own pc.
While debugging I want to access the service to display me all devices and it gives me:
System.ServiceModel.Security.MessageSecurityException
The HTTP request was forbidden with client authentication scheme 'Anonymous'.
I also have a WCF-Tracelog which shows me:
WCF-Tracelog
I'm now facing that problem for days and I was browsing stackoverflow a lot. I guess that it should be a problem with my certificates. At the moment I got a SSL-certificate (received from my university). I also "registered" it to a specified port and added the right bindings in my IIS (IIS 8.5). I am very new to WCF,IIS,SOAP and certificates but I guess my problem is the understanding of the certificates.
Question:
Which certificates do I have to create for my "Server-Website/Client"-System and which do I have to create for my own "Client" and where do I have to copy them (at the moment I'm familiar with the MMC => Snap-In)? And where do I need to keep my SSL-certificate located?
I hope someone faced the same Problem and can help me to fix this soon. Sorry for my bad english and if you need more information let me know!
EDIT:
I fixed my certificate-problem but now i receive 403.4 (SSL is required)
my problem solved, i have enabled "IP Address and Domain Restriction" and i added an "allow" option to this section, thus another ip got that error
I have added a WCF service to an existing ASP.Net web project on our test website (only accessible on company network). I can access the service by typing the URL in a browser, but if I add a service reference to a web project, I get a runtime error that 'the remote name could not be resolved'.
In my web.config, I have the bypassProxyOnLocal binding attribute set to 'true' (we use a proxy on the company network), but it seems as though our test domain is not recognized as a local domain (or recognized at all, really). Again, this is only when I add it as a service reference. Obviously the domain is valid, because I can add it as a service reference, and can event paste the URL into a browser, and it works. I just get a runtime error after I add it as a service reference. Anyone have any advice?
According to MSDN WSHttpBindingBase.BypassProxyOnLocal Property, "An Internet resource is local if it has a local address. A local address is one that is on same computer, the local LAN or intranet and is identified, syntactically, by the lack of a period (.) as in the URIs "http://webserver/" and "http://localhost/".
If your test domain is "http://test.mycompany.com/", then it won't be viewed as a local address. Perhaps using "http://test/" in this case would work?
Finally got this resolved. The request was somehow being blocked by the company network.