Azure WAF custom policy giving an error when saving - azure

I get the following error when I try to save an updated Azure WAF custom policy:
"Failed to update the WAF policy 'xxxxx'. Error: WebApplicationFirewallPolicy validation failed.
More information "Match Variable RemoteAddr must be used with Operator(s) IPMatch,GeoMatch"."
The IP address is there, and then I have "deny traffic". The update works, but the error comes up when I hit save.

I found out that if you have more than one rule and any of the rules has an error, you cannot save. If you get an error like this, you need to check all the rules. The other rule had an error, and everything worked after I corrected it.
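A checker for exactly that situation, added here as an example (it is not code from the question, the answer or Azure): it walks every custom rule of a policy in the ARM customRules shape and reports each RemoteAddr condition whose operator is not IPMatch or GeoMatch, so a second broken rule does not hide behind the first. The policy JSON is constructed; only the RemoteAddr constraint quoted in the error is enforced.

```python
import json

# Constraint quoted in the portal error on this page: RemoteAddr may only be
# combined with IPMatch or GeoMatch. Other match variables are not checked here.
OPERATOR_CONSTRAINTS = {"RemoteAddr": {"IPMatch", "GeoMatch"}}


def validate_custom_rules(policy: dict) -> list:
    """Return one message per invalid match condition, across ALL custom rules.

    The portal rejects the whole policy if any single rule is invalid, so the
    checker keeps going instead of stopping at the first problem.
    """
    errors = []
    for rule in policy.get("customRules", []):
        for i, cond in enumerate(rule.get("matchConditions", [])):
            for var in cond.get("matchVariables", []):
                name = var.get("variableName")
                allowed = OPERATOR_CONSTRAINTS.get(name)
                if allowed and cond.get("operator") not in allowed:
                    errors.append(
                        f"rule '{rule.get('name')}' condition {i}: Match Variable "
                        f"{name} must be used with Operator(s) {','.join(sorted(allowed))}"
                    )
    return errors


# Constructed sample in the ARM customRules shape. 'AllowOffice' is fine; it is
# 'BlockCountry' (RemoteAddr with Contains) that blocks the save of the whole policy.
SAMPLE_POLICY = json.loads("""{
  "customRules": [
    {"name": "AllowOffice", "priority": 10, "ruleType": "MatchRule", "action": "Allow",
     "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
                          "operator": "IPMatch", "matchValues": ["203.0.113.0/24"]}]},
    {"name": "BlockCountry", "priority": 20, "ruleType": "MatchRule", "action": "Block",
     "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
                          "operator": "Contains", "matchValues": ["GB"]}]}
  ]
}""")

if __name__ == "__main__":
    for problem in validate_custom_rules(SAMPLE_POLICY):
        print(problem)
```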

Related

Not able to update identifierUris in Azure AD application's manifest file

I'm trying to follow this documentation https://learn.microsoft.com/en-us/windows/uwp/monetize/view-and-grant-products-from-a-service#step-1 on "Manage product entitlements from a service"
I created a new application in Azure AD (single-tenant application) and I reached the point where I need to set "identifierUris" in the manifest file with the following content:
"identifierUris": [
    "https://onestore.microsoft.com",
    "https://onestore.microsoft.com/b2b/keys/create/collections",
    "https://onestore.microsoft.com/b2b/keys/create/purchase"
],
Whenever I do that, I get this error message:
Failed to update XXX application. Error detail: Application alias 'url' value is invalid. [Ja+Ze]
Any idea why I'm getting this error message? I tried to change some application settings, but no luck so far.
Assuming onestore.microsoft.com is a sample custom tenant you might try with {yourtenantname}.onmicrosoft.com.

Terraform script error while deploying app service CDN endpoint

Getting the following error while deploying.
Error: Error waiting for CDN Endpoint "website-dev-appservice" (Profile "website-dev-eastus2-cdn" / Resource Group "website-dev-eastus2-rg") to finish creating: Code="BadRequest"
Message="{\"ErrorMessage\":\"Errors found in Model: OriginHostHeader must match the regex '(^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])$)|((?:[:0-9A-Fa-f]+))'.\"}"
What could be the issue here?
Even though the HashiCorp doc says origin_host_header is an optional field, here the script needs origin_host_header to be specified; its default value is the domain, e.g. origin_host_header = www.google.com.
Just add origin_host_header; it should work.
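A pre-apply check built around the regex quoted in the error, added here as an example (not the provider's or Azure's code): it undoes the double escaping in the message, applies the pattern to an origin block, and shows why a missing origin_host_header fails while a plain DNS name passes. The origin blocks are constructed and the whole-value (fullmatch) semantics is an assumption.

```python
import re
from typing import Optional

# Pattern from the Terraform error above, with the JSON/Terraform double escaping
# undone (each '\\\\' in the message is a single '\' in the real expression).
ORIGIN_HOST_HEADER_RE = re.compile(
    r"(^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_\-]*[a-zA-Z0-9])\.)*"
    r"([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$)|((?:[:0-9A-Fa-f]+))"
)


def origin_host_header_ok(value: Optional[str]) -> bool:
    """True if the value would pass Azure CDN's OriginHostHeader check.

    Assumption: Azure applies the pattern to the whole value. An omitted
    origin_host_header appears to reach the API as an empty string, which
    neither alternative accepts, hence the BadRequest.
    """
    return value is not None and ORIGIN_HOST_HEADER_RE.fullmatch(value) is not None


def check_origin(origin: dict) -> list:
    """Pre-apply check of an azurerm_cdn_endpoint origin block (as a plain dict)."""
    problems = []
    header = origin.get("origin_host_header")
    if not origin_host_header_ok(header):
        problems.append(
            f"origin_host_header {header!r} fails the OriginHostHeader regex; "
            f"set it to the origin's DNS name, e.g. {origin.get('host_name')!r}"
        )
    return problems


# Constructed origin blocks; host names are placeholders, not real resources.
BROKEN_ORIGIN = {"name": "website-dev-appservice", "host_name": "website-dev.azurewebsites.net"}
FIXED_ORIGIN = dict(BROKEN_ORIGIN, origin_host_header="website-dev.azurewebsites.net")

if __name__ == "__main__":
    print(check_origin(BROKEN_ORIGIN))  # one problem reported
    print(check_origin(FIXED_ORIGIN))   # []
```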

Invalid resource error after following the azure AD angularJS to dotnet web api guide (description:AADSTS500011)

I have been following after this guide step by step:
https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi
The only thing that I didn't do (not sure if it's related) is the following line:
"Also in the ToGoAPI project, open the file Controllers/ToGoListController.cs. In the [EnableCors...] attribute, enter the location of the To Do SPA client. By default it is https://localhost:44326. Make sure to omit the trailing slash."
The reason I didn't do it is simply because I can't find any [EnableCors...] in the code. I did try to enable CORS in a different way though, following this:
https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api#enable-cors
Anyway, I get the following error:
"Error :invalid_resource
adal.js:973 Error description:AADSTS500011: The resource principal named https://yorecisraportsco.onmicrosoft.com/ToGoAPI was not found in the tenant named yorecisraportsco.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 64213edc-4b12-4caa-aa4e-b9ec82bd3000
Correlation ID: 607d25c1-d915-46eb-ba48-67adb70ddab8
Timestamp: 2019-03-04 12:41:33Z"
I am not sure why this is happening, as I followed the guide: I configured everything in Azure like it said and also configured it in the code.

App Registration Role Deletion?

I have a requirement to delete some roles from an app registration.
I have tried to do this on the Azure portal, both directly in the manifest editor and by downloading / editing / uploading the manifest JSON.
I get the following error:
Failed to update application xxxxxx. Error details: CannotDeleteEnabledEntitlement.
I also tried to set "isEnabled" property to "false" and delete the roles after that with no success.
Anyone have any pointers on how to overcome this issue?
As you mentioned in your post, the deletion of any OAuth2Permission is a 2 step process:
You must first disable the permission, and push that to the directory.
Then you can delete the permission.
The error message you are showing in your post is a result of you not disabling the permission first. You will need to share details about the error you get if trying to delete the disabled permission fails as well.
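The two-step removal described in the answer, as an added example (not Microsoft's code or the asker's): the directory's rule is modelled from the error text as a check that refuses a manifest write which drops a still-enabled entitlement, and remove_roles performs disable, push, delete, push against it. The manifest fragment and role ids are constructed placeholders; appRoles is used, and the same flow applies to oauth2Permissions via the key parameter.

```python
import copy
import json


class CannotDeleteEnabledEntitlement(Exception):
    """Mirrors the portal error: an enabled appRole/oauth2Permission cannot be removed."""


def apply_manifest_update(current: dict, proposed: dict, key: str = "appRoles") -> dict:
    """Simulate one manifest write against the directory's rule (modelled, not Microsoft's code).

    Raises if any entitlement that is enabled in 'current' is missing from 'proposed'.
    """
    current_roles = {r["id"]: r for r in current.get(key, [])}
    proposed_ids = {r["id"] for r in proposed.get(key, [])}
    for rid, role in current_roles.items():
        if rid not in proposed_ids and role.get("isEnabled", True):
            raise CannotDeleteEnabledEntitlement(f"{key} {role.get('value', rid)} is still enabled")
    return copy.deepcopy(proposed)


def remove_roles(manifest: dict, role_ids: set, key: str = "appRoles") -> dict:
    """Two-step removal: disable and push, then delete and push."""
    step1 = copy.deepcopy(manifest)
    for role in step1.get(key, []):
        if role["id"] in role_ids:
            role["isEnabled"] = False
    after_disable = apply_manifest_update(manifest, step1, key)   # first push
    step2 = copy.deepcopy(after_disable)
    step2[key] = [r for r in step2.get(key, []) if r["id"] not in role_ids]
    return apply_manifest_update(after_disable, step2, key)       # second push


# Constructed manifest fragment; the ids are placeholders, not real app data.
MANIFEST = json.loads("""{
  "appRoles": [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Reader", "isEnabled": true,
     "displayName": "Reader", "description": "Read access", "allowedMemberTypes": ["User"]},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Admin", "isEnabled": true,
     "displayName": "Admin", "description": "Full access", "allowedMemberTypes": ["User"]}
  ]
}""")
ADMIN_ROLE = "00000000-0000-0000-0000-000000000002"


def single_write_delete_fails() -> bool:
    """Deleting an enabled role in one write reproduces CannotDeleteEnabledEntitlement."""
    proposed = copy.deepcopy(MANIFEST)
    proposed["appRoles"] = [r for r in proposed["appRoles"] if r["id"] != ADMIN_ROLE]
    try:
        apply_manifest_update(MANIFEST, proposed)
    except CannotDeleteEnabledEntitlement:
        return True
    return False
```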

Custom STS & Azure ACS error ACS50008: Invalid SAML token

I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to login using my custom STS I always get the Error 401.
Error Code ACS20001: An error occurred while processing a WS-Federation sign-in response.
Error Code ACS50008: SAML token is invalid.
I have searched through the forums, but in my case I don't get any more detail on the error and do not know how to proceed and fix this.
My STS is currently in beta and can be reached here: metadata.
If anyone has any suggestions or wants to give it a try please contact me via email and I will open a demo login on my custom provider.
note: The case is different than similar question found here since my inner exception details do not suggest any reason.
UPDATE: check the discussion in this thread for some additional information and the payloads I extracted from Fiddler.
Thanks in advance,
Constantinos
I finally figured this out with the help of MS support on Azure.
It seems that the "ACS50008: SAML token is invalid" error is quite generic and usually there is more information in an inner exception that does not end up on the error screen. Why this happens is still a mystery for me.
So for anyone that happens to be in my position I nailed two possible reasons for this to happen.
Reason: the time of the client mismatches the time of ACS, namely NotBefore below is a time in the future when looked at by ACS. Action: <saml:Conditions NotBefore="...." NotOnOrAfter="....">
If that's the case, you may try to set the lifetime from (now - a buffer time such as 5 mins) to now + 1 hour.
Reason: a hidden inner exception that can be seen only with the help of MS support, using your error's trackingId.
Microsoft.Cloud.AccessControl.Common.Diagnostics.SignInException: ACS20001: An error occurred while processing a WS-Federation sign-in response.
Microsoft.Cloud.AccessControl.Common.Diagnostics.ServiceException: ACS50008: SAML token is invalid.
Microsoft.IdentityModel.SecurityTokenService.IssuerNameNotSupportedException: Principal with name 'https://login.mydomain.com/' is not a known principal.
In my case the principal name should not contain the forward slash at the end. We changed it from https://login.mydomain.com/ to https://login.mydomain.com and the error went away!
You can always create a support case with Microsoft and have them help figure it out:
https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn
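Both causes from the answer, as an added example (not the author's STS code or anything from ACS): build_conditions backdates NotBefore by a skew buffer the way the answer suggests, check_conditions evaluates the Conditions element with the verifier's clock so the "NotBefore in the future" rejection is visible, and issuer_known shows the literal comparison that makes a trailing slash a mismatch. The clock offsets and the SAML 1.1 Conditions element are constructed; whole-second UTC timestamps are an assumption.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertion namespace
FMT = "%Y-%m-%dT%H:%M:%SZ"                          # assumption: whole-second UTC


def build_conditions(now: datetime, skew: timedelta = timedelta(minutes=5),
                     lifetime: timedelta = timedelta(hours=1)) -> str:
    """Emit <saml:Conditions> with NotBefore backdated by a clock-skew buffer."""
    not_before = (now - skew).strftime(FMT)
    not_on_or_after = (now + lifetime).strftime(FMT)
    return (f'<saml:Conditions xmlns:saml="{SAML_NS}" '
            f'NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>')


def check_conditions(conditions_xml: str, verifier_now: datetime) -> Optional[str]:
    """Evaluate Conditions with the verifier's (ACS's) clock; None means acceptable."""
    el = ET.fromstring(conditions_xml)
    nb = datetime.strptime(el.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    noa = datetime.strptime(el.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if verifier_now < nb:
        return f"NotBefore {nb:{FMT}} is in the future for a verifier at {verifier_now:{FMT}}"
    if verifier_now >= noa:
        return "token expired"
    return None


def issuer_known(presented: str, known_principals: set) -> bool:
    """ACS matched the issuer literally, so 'https://x/' and 'https://x' differ."""
    return presented in known_principals


if __name__ == "__main__":
    # Constructed scenario: the STS clock runs two minutes ahead of ACS.
    sts_now = datetime(2013, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    acs_now = sts_now - timedelta(minutes=2)
    print(check_conditions(build_conditions(sts_now, skew=timedelta(0)), acs_now))  # rejected
    print(check_conditions(build_conditions(sts_now), acs_now))  # None: accepted
    print(issuer_known("https://login.mydomain.com/", {"https://login.mydomain.com"}))  # False
```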
