I'm working through an online course on building Microservices in .NET - https://www.dotnetmicroservices.com/.
But while the instructor is running on Windows, I'm working on Linux - Linux Mint 20.1 (Ulyssa).
.NET core and .NET 5.0 are supposed to be cross-platform, and I've had no real issues in getting things to work, until now.
At this point, I have two webapi services, one providing identity services and one providing a catalog service.
The identity service is configured to use IdentityServer4, IdentityServer4.AspNetIdentity, and Microsoft.AspNetCore.Identity.UI to provide OAuth 2.0 and OpenID services.
The catalog service is configured to use Microsoft.AspNetCore.Authentication.JwtBearer, and requires a valid JWT to access the endpoints.
So, in Postman, I have a Request configured to access a simple GET endpoint in the catalog service. In the Authorization tab for the Request I choose OAuth 2.0, and enter the necessary data to make the request, including the Auth URL and Access Token URL (https://localhost:5003/connect/authorize and https://localhost:5003/connect/token).
When I click on Postman's "Get New Access Token" button, I get the login page, I log in, and get the "MANAGE ACCESS TOKENS" dialog. I can copy the Access Token or the id_token from the dialog and paste them into https://jwt.ms/ and they both look fine.
So that much is working.
But when I click on Postman's "Use Token" button, and then do a "Send" on the Request, I get an exception in the catalog service:
fail: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
Exception occurred while processing message.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
It looks like the problem is that dotnet's developer certificate isn't trusted.
The usual method for doing this is to use the dotnet cli:
dotnet dev-certs https --trust
But on Linux, this returns:
Trusting the HTTPS development certificate was requested. Trusting the
certificate on Linux distributions automatically is not supported. For
instructions on how to manually trust the certificate on your Linux
distribution, go to https://aka.ms/dev-certs-trust
So I went to https://aka.ms/dev-certs-trust, and it contains a lot of stuff, most of which clearly isn't relevant. The section on "Ubuntu trust the certificate for service-to-service communication" seemed apropos:
sudo dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
sudo update-ca-certificates
And while that ran without issue, it didn't not fix the problem.
As for the rest, the page says "Establishing trust is browser specific. The following sections provide instructions for the Chromium browsers Edge and Chrome and for Firefox."
And I don't see how either is relevant to the problem at hand.
What is dotnet core doing, when it is verifying certificates? What do I need to do to mark the dotnet developer's certificate as trusted?
Either you have to stop using HTTPS and use HTTP instead between the services.
I assume you use containers to host the services? and For HTTPS to work, you need a domain name and mapping that domain name to the containers that match the certificate and using localhost (the dev cert) to map to containers I feel is a bad idea.
Better to get a real certificate that you then using different techniques map to the containers. Like editing the hosts file to map the domain to the IP-addresses of your services.
In dev/production, I usually host my HTTPS certificate in Azure Key Vault and download and add it to ASP.NET Core at startup time.
When I work locally, I have created a certificate for the domain indentityservice.local, using the mkcert tool
mkcert.exe -install
mkcert -pkcs12 -p12-file identityservice.local.pfx identityservice.local
Then I copy the generated identityservice.local.pfx and add it to my project. Then if all works, I can contact my local IdentityServer using https://identityService.local
I also do add this entry to my local hosts file at C:\Windows\System32\drivers\etc
127.0.0.1 identityService.local
The following works on Linux:
Generate a local CA.
mkcert -install
Generate the certificate to be used in your service
mkcert -pkcs12 -p12-file myservice.local.pfx myservice.local
Add an entry for myservice.local in /etc/hosts
127.0.0.1 myservice.local
Use the p12 certificate in your dotnet service
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;
namespace myservice
{
public class Program
{
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
}
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
{
#if DEBUG
webBuilder.UseStartup<Startup>().UseKestrel(options =>
{
options.Listen(IPAddress.Loopback, 5001, listenOptions =>
{
listenOptions.UseHttps("./myservice.local.pfx", "changeit");
});
}).UseUrls("https://myservice.local:5001");
#else
webBuilder.UseStartup<Startup>();
#endif
});
}
}
Related
Trying to deploy ABP framework 6.0.0 AuthServer at Azure, after sucessful built and run locally.
Got "HTTP Error 500.30 - ASP.NET Core app failed to start"
When trying to get some logs, using Azure Debug Console at myproject.scm.azurewebsites.net/DebugConsole I got following:
C:\home\site\wwwroot>dotnet MyProject.AuthServer.dll
[19:52:57 INF] Starting MyProject.AuthServer.
[19:53:00 FTL] MyProject.AuthServer terminated unexpectedly!
Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject)
at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate()
at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
--- End of inner exception stack trace ---
at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
at MyProject.Program.Main(String[] args) in D:\a\1\s\aspnet-core\src\MyProject.AuthServer\Program.cs:line 35
This say nothing to me, and when Googling around, I hit this at abp.io website: https://support.abp.io/QA/Questions/3537/OpenIddict-WindowsCryptographicException-Access-is-denied
But I canĀ“t figure out where I shall do the changes. It feels like this should be noted in the ABP.io docs?
Do you know what can cause this, or have some ideas what can be wrong?
I was having the same issue with having the same setup as you have with the exception of deploying to azure, but it should be the same solution.
Please check this SO question:
WindowsCryptographicException: Access is denied when publishing app in Azure
The problem with OpenIddict (or rather, the goodness we're not used to) is that it is bare bones and you have to implement everything yourself.
OpenIddict must have a certificate in order to function on the server you're deploying to, and to have better security on top of whatever measures you're taking.
Basically what you will do is create a new self-signed certificate, upload it to cert store, add the thumbprint to the code and add it to one WEBSITE_LOAD_CERTIFICATES environment variable on said server.
You can add this environment variable to the code instead of hard-coding the thumbprint.
Here is a not-so-informative part of the abp.io documentation about the issue at hand:
Abp.io doc
And here is what I did in the code:
I hope this helps.
We are running a Service Fabric application on our remote dev cluster. It consists of several stateful and stateless services and is fronted by several front-end APIs running on Kestrel.
Until now, since it was not used for production, Kestrel was configured to use a self-signed certificate, which was also used for the reverse proxy and the cluster itself and the service was running directly on the default domain provided by Azure, <app>.<region>.cloudapp.azure.com.
We are now getting to the point in development where the self-signed certificate errors are becoming problematic, with third party callbacks rejecting the connection, so it was seen as the time to start using a proper domain and certificate for it.
So far, I have done the following:
Added an A record for devcluster.somexampledomain.com -> our public IP for the service.
Created a Wildcard Azure Application certificate for *.someexampledomain.com.
Imported the certificate to Azure Key Vault.
Bound the certificate to the Vault Secrets of the cluster, pulling the certificate to Cert:/LocalMachine/My/
Modified the application config to use this certificate when initialising Kestrel and verified that it is found when it is initialising.
Have tried with and without UseHsts() and UseHttpsRedirection()
Kestrel is configured with Listen(IPAddress.IPv6Any, endpoint.Port, ...) and UseHttps(X509Certificate2) on the options object.
UseUrls(string) is used with the default Url, which is https://+:<port> but tried manually adding https://*:<port> and even the actual hostname itself.
No matter what I have tried, no HTTPS connection can be established to the server. Trying the endpoints of the other staging servers that still use the old certificate, it works as expected.
Using openssl s_client -connect devcluster.someexampledomain.com:<port> -prexit, I get:
---
no peer certificate available
---
No client certificate CA names sent
---
There are no errors or exceptions being logged on ETW, everything seems to be in order. I suspect that this might have something to do with the CN of the certificate but I have run out of ideas to try and find out what is going on and how to fix it.
Been trying to look into this using Fiddler and I am not getting much out of it, the session just ends with fiddler.network.https> HTTPS handshake to <myhost> (for #191) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.
Does anybody know how to add some logging on the Kestrel side? I don't think installing Fiddler on the Azure VMs running my cluster is a viable solution.
After delving into the Kestrel source, I found that it logs under "Microsoft-AspNetCore-Server-Kestrel" and "Microsoft-Extensions-Logging", so adding transfer of those I found what was happening.
Connections were terminating with the following exception:
System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint, Byte[] clientHello)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ApplyConnectionAdaptersAsync()
This makes it a manifestation of Certificate problem with a new machine - credentials supplied to package not recognized.
I spent some time trying to figure out what the best way to sort this out would be, the Service Fabric documentation has a script to modify the permissions but that just did not sound right.
As it turns out, this can be done directly in the ApplicationManifest as follows:
<Principals>
<Users>
<User Name="NETWORK SERVICE" AccountType="NetworkService" />
</Users>
</Principals>
<Policies>
<SecurityAccessPolicies>
<SecurityAccessPolicy ResourceRef="HttpsCert2" PrincipalRef="NETWORK SERVICE" ResourceType="Certificate" />
</SecurityAccessPolicies>
</Policies>
<Certificates>
<SecretsCertificate X509FindValue="[HttpsCertThumbprint]" Name="HttpsCert" />
</Certificates>
For the SecurityAccessPolicy to find the ResourceRef it had to be a SecretsCertificate, not an EndpointCertificate. Since the EndpointBindingPolicy requires an EndpointCertificate, I just added both a SecretsCertificate and an EndpointCertificate, with different names. They are both referring to the same certificate, so it worked. It doesn't feel particularly clean having to double them up but that is the solution I have for now.
For 3 years I have been running Kentico 8.2.48 with a functional staging environment, pushing daily content changes to a production server without any issues. Both servers were running Windows Server 2012 R2.
I recently did the incremental upgrade to Kentico 11.0, and deployed both environments to new servers with Windows Server 2016. The headaches of the upgrade notwithstanding, both environments are functional but I am unable to sync the staging tasks, as I encounter the following exception:
Message: Microsoft.Web.Services3.Security.SecurityFault: The security token could not be authenticated or authorized ---> System.InvalidOperationException: WSE563: The computed password digest doesn't match that of the incoming username token.
at Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager.VerifyHashedPassword(UsernameToken token, String authenticatedPassword)
at Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager.VerifyPassword(UsernameToken token, String authenticatedPassword)
at Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager.VerifyToken(SecurityToken token)
at CMS.Synchronization.WSE3.WebServiceAuthorization.VerifyToken(SecurityToken token)
at Microsoft.Web.Services3.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement element)
--- End of inner exception stack trace ---
at Microsoft.Web.Services3.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement element)
at Microsoft.Web.Services3.Security.Tokens.SecurityTokenManager.GetTokenFromXml(XmlElement element)
at Microsoft.Web.Services3.Security.Security.LoadToken(XmlElement element, SecurityConfiguration configuration, Int32& tokenCount)
at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
at Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope envelope, String localActor, String serviceActor)
at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope requestEnvelope)
at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
Exception type: System.Web.Services.Protocols.SoapHeaderException
Stack trace:
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at CMS.Synchronization.WSE3.Server.SyncServerWse.ProcessSynchronizationTaskData(String stagingTaskData)
at CMS.Synchronization.WSE3.Server.SyncServerWse.ProcessSynchronizationTaskData(IStagingTaskData stagingTaskData)
at CMS.Synchronization.WSE3.SyncClient.RunTask(StagingTaskInfo taskObj)
Synchronization client error: Exception occurred: Microsoft.Web.Services3.Security.SecurityFault: The security token could not be authenticated or authorized ---> System.InvalidOperationException: WSE563: The computed password digest doesn't match that of the incoming username token.
at Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager.VerifyHashedPassword(UsernameToken token, String authenticatedPassword)
at Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager.VerifyPassword(UsernameToken token, String authenticatedPassword)
at Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager.VerifyToken(SecurityToken token)
at CMS.Synchronization.WSE3.WebServiceAuthorization.VerifyToken(SecurityToken token)
at Microsoft.Web.Services3.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement element)
--- End of inner exception stack trace ---
at Microsoft.Web.Services3.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement element)
at Microsoft.Web.Services3.Security.Tokens.SecurityTokenManager.GetTokenFromXml(XmlElement element)
at Microsoft.Web.Services3.Security.Security.LoadToken(XmlElement element, SecurityConfiguration configuration, Int32& tokenCount)
at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
at Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope envelope, String localActor, String serviceActor)
at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope requestEnvelope)
at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)Synchronizing 'Update page Sandbox' task
I have tried suggestions like this one and this one, but even after adding the App Setting to the config file and changing the credentials TWICE to make sure they were the same between the environments, I am still unable to synchronize tasks.
Any suggestions would be helpful, I have some very unhappy users. Thanks!
I have strange problem. Unfortunately i have to use RavenDB and the local machine is linux. Thankfully i managed to install some silverlight support by using Pipelight and it seems to work ok.
Jut one thing doesn't work at all.
When i open the database interface, it loads in, shows my documents but when i need to authenticate and it opens the authentication window, it simply doesn't pass the authentication. Or as it seems to me, it even doesn't pass username and password further to the server at all.
(of course, i tested on windows from Internet Explorer and it works OK)
This is the error that i get:
Could not authenticate against the server
Message: [HttpWebRequest_WebException_RemoteServer]
Arguments: NotFound
Debugging resource strings are unavailable. Often the key and arguments provide sufficient information to diagnose the problem. See http://go.microsoft.com/fwlink/?linkid=106663&Version=5.1.20513.0&File=System.Windows.dll&Key=HttpWebRequest_WebException_RemoteServer
Uri: /edit?id=asdf&database=test
Server Uri: http://asdfasfd/databases/asdfasdf/docs/asdfadf
-- Error Information --
System.Net.WebException: [HttpWebRequest_WebException_RemoteServer]
Arguments: NotFound
Debugging resource strings are unavailable. Often the key and arguments provide sufficient information to diagnose the problem. See http://go.microsoft.com/fwlink/?linkid=106663&Version=5.1.20513.0&File=System.Windows.dll&Key=HttpWebRequest_WebException_RemoteServer
at System.Net.Browser.ClientHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Func`2.Invoke(T arg)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise)
Inner StackTrace:
at Raven.Studio.Infrastructure.InvocationExtensions.Catch(Task parent, Action`1 action)
at Raven.Studio.Models.EditableDocumentModel.SaveDocumentCommand.SaveDocument()
at Raven.Studio.Models.EditableDocumentModel.SaveDocumentCommand.Execute(Object parameter)
at System.Windows.Controls.Primitives.ButtonBase.ExecuteCommand()
at System.Windows.Controls.Primitives.ButtonBase.OnClick()
at System.Windows.Controls.Button.OnClick()
at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e)
at System.Windows.Controls.Control.OnMouseLeftButtonUp(Control ctrl, EventArgs e)
at MS.Internal.JoltHelper.FireEvent(IntPtr unmanagedObj, IntPtr unmanagedObjArgs, Int32 argsTypeIndex, Int32 actualArgsTypeIndex, String eventName, UInt32 flags)
Hy guys ,
I developed a WebForms application using VS 2012 . I've published it on Azure .
After that I integrated ACS ( i've set the URL to my allready published application)
I published the application again , but it doesn't work .
After I've registered myself (for ex using Yahoo or LiveID) I've got this error :
Server Error in '/' Application.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +379
System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +52
[InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +167
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +57
System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +658
System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +86
System.IdentityModel.Services.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +144
System.IdentityModel.Services.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +82
System.IdentityModel.Services.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +216
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +860
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +369
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69
What should i do ?
I've set the URL's correctly. I don't have in web.config any reffernces of "localhost"..
I don't know what I must set additionly for this to work..
By default WIF uses DPAPI to encrypt cookies. Switch to cert based encryption. See this answer:
Is it possible to run WIF without LoadUserProfile = True
Vittorio Bertocci answers the question here
http://www.cloudidentity.com/blog/2013/01/28/running-wif-based-apps-in-windows-azure-web-sites-4/
DPAPI is not available in the cloud web apps and 4.5 has a simple solutions