Azure log has the following error when I try to send a request to a WCF service
In the working case the validate user of the membershipprovider is called, then AfterReceiveRequest is called and finally the webservice is invoked.
But in the non-working case the validateuser is not called. It directly goes on to AfterReceiveRequest and then webservice throws an exception that it can't understand the header.
The azure application gateway routes the request to the VM. It somehow looks the header or membership provider is not being recognized. SSL is managed at the gateway level.
<behaviors>
<serviceBehaviors>
<behavior name="DefaultBehavior">
<serviceMetadata httpGetEnabled ="true" httpsGetEnabled ="true" />
<serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="IDServices.CustomMembershipProvider,IDServices"/>
</serviceCredentials>
<useRequestHeadersForMetadataAddress />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="endbehavior1">
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</endpointBehaviors>
</behaviors>
{ "timeStamp": "2019-03-11T16:18:29+00:00",
"resourceId": "/SUBSCRIPTIONS/245CA15E-8C11-4F4C-B6D7-9F3E8EC5943F/RESOURCEGROUPS/JXCHANGERG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/JHAAPPGW",
"operationName": "ApplicationGatewayAccess", "category": "ApplicationGatewayAccessLog", "properties":
{"instanceId":"appgw_0","clientIP":"009.04.06.009","clientPort":"65374","httpMethod":"POST","requestUri":"/PImage.svc","requestQuery":"",
"userAgent":"Apache-HttpClient/4.1.1 (java 1.5)","httpStatus":"500","httpVersion":"HTTP/1.1","receivedBytes":"2638","sentBytes":"917","timeTaken":"0.018","sslEnabled":"on",
"sslCipher":"ECDHE-RSA-AES256-GCM-SHA384","sslProtocol":"TLSv1.2","serverRouted":"40.124.51.221:80","serverStatus":"500","serverResponseLatency":"0.016","host":"jt.inaresecure.com"},
"time": "2019-03-11T16:18:29.0000000Z"}
Can anyone help me with what could be the problem. Is the request failing on the server? All I get is a Security header fault. The code works on every other machine and server except this VM on azure. The request uses the application gateway to route to the VM where the WCF service is hosted on SSL
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<s:Fault>
<faultcode>s:MustUnderstand</faultcode>
<faultstring xml:lang="en-US">The header 'Security' from the namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' was not understood by the recipient of this message, causing the message to not be processed. This error typically indicates that the sender of this message has enabled a communication protocol that the receiver cannot process. Please ensure that the configuration of the client's binding is consistent with the service's binding.</faultstring>
</s:Fault>
</s:Body>
</s:Envelope>
This is the IIS log for the same call probably a different time because of my request
The request is set up to Use SSL. Why does it have 80 in the log? Is it not doing a SSL request? This is a request from SOAP UI
2019-03-11 17:27:44 10.0.0.4 POST /PCServices/2019/MySerivce.svc - 80 - 20.45.4.43 Apache-HttpClient/4.1.1+(java+1.5) - 500 0 0 1468
it may be fails cause of HTTP request.
if you calls from and to HTTPS than authentication done automatically.
but you have to forcefully authenticate while in HTTP request.
if (HttpContext.Current.Request.Url.Scheme.ToUpper().Equals("HTTP"))
{
CustomMembershipProvider auth = new CustomMembershipProvider();
auth.Validate(Username,Pswd);
}
Related
I have stumbled into an annoying azure wcf http relay issue, which i cant seem to be able to solve.
The issue arises when I set the security relayClientAuthenticationType to RelayAccessToken, which makes my endpoints unreachable due to a "Invalid authorization header: The request is missing WRAP authorization credentials" Error, whhich I Can't seem to solve.
If i set the security to "None", there are no issues.
I am currently using Postman to test the service.
Below areall the relevant details of the application(.net 4.6.2 console app), thanks in advance :)
App.config
<services>
<service name="XXXXX" behaviorConfiguration="servicebehavior">
<endpoint address="https://XXXXX.servicebus.windows.net/relayserver" binding="webHttpRelayBinding" contract="XXXXX" behaviorConfiguration="behavior" bindingConfiguration="default" />
</service>
</services>
<bindings>
<!-- Application Binding -->
<webHttpRelayBinding>
<binding name="default">
<security relayClientAuthenticationType="RelayAccessToken"/>
</binding>
</webHttpRelayBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="servicebehavior">
<serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="behavior">
<transportClientEndpointBehavior>
<tokenProvider>
<sharedAccessSignature keyName="RootManageSharedAccessKey" key="XXXX" />
</tokenProvider>
</transportClientEndpointBehavior>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
<appSettings>
<!-- Service Bus specific app setings for messaging connections -->
<add key="Microsoft.ServiceBus.ConnectionString" value="Endpoint=https://XXXX.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=XXXX" />
</appSettings>
Opening the host
var host = new System.ServiceModel.Web.WebServiceHost(typeof(XXXXX));
host.Open();
Console.WriteLine("Press ENTER to close");
Console.ReadLine();
host.Close();
Azure Relay Firewall settings
Allow access from all networks
Testing the relay: test method (interface)
[OperationContract, WebGet(UriTemplate = "?id={id}&key={key}", ResponseFormat = WebMessageFormat.Json)]
FakeData GetFakeData(string id, string key);
Test Results
If I set relayClientAuthenticationType to None, i get a json response as expected.
<security relayClientAuthenticationType="None"/>
If I set relayClientAuthenticationType to RelayAccessToken, I get an unauthorized error.
<security relayClientAuthenticationType="RelayAccessToken"/>
<Error>
<Code>401</Code>
<Detail>MalformedToken: Invalid authorization header: The request is missing WRAP authorization credentials. TrackingId:..</Detail>
</Error>
Issue has been fixed : I had a typo in the access token i made: Created a new access token in c# using the following method: learn.microsoft.com/en-us/rest/api/eventhub/generate-sas-token
would you help me?
i've created a web api on azure and chose not to allow anonymous requests but to use azure active directory to authenticate the requests. the app beneath has "sign-in and read user profile" permissions set.
if the controller behind the web api accepts GET requests it works, while it gives me the error : "You do not have permission to view this directory or page."
before i call the web api i open a iframe on the page (sharepoint page) to implicitly get the token from the web api, which calls the basic GET action below:
[ActionName("Connect")]
[HttpGet]
public IHttpActionResult Connect()
{
return base.Content(HttpStatusCode.OK, "OK", new JsonMediaTypeFormatter(), "text/plain");
}
later on i call via jquery another action (POST)...
public IHttpActionResult PostPromote([FromBody] string request)
but at this point i receive the 403 (Forbidden) message.
the CORS for my webapi is set in the web.config file:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="https://mytenant.sharepoint.com" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
<add name="Access-Control-Allow-Credentials" value="true"/>
</customHeaders>
</httpProtocol>
if i switch the method to GET it works, as well as (of course) if i permit anonymous requests.
thank you a lot, that's making me crazy.
Is there a way to debug OWIN middleware from extensions like WindowsAzureActiveDirectoryBearerAuthenticationOptions and see exactly why the request was rejected (e.g. no token, wrong resource id, invalid signature, …) ?
One thing you can do is enable logging in OWIN:
<configuration>
<system.diagnostics>
<switches>
<add name="Microsoft.Owin" value="Verbose" />
</switches>
</system.diagnostics>
</configuration>
I sent an expired token to my API and got this in the Output:
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware
Error: 0 : Authentication failed
System.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223:
Lifetime validation failed. The token is expired.
More info about configuring OWIN logging: http://www.tugberkugurlu.com/archive/logging-in-the-owin-world-with-microsoft-owin--introduction.
I made an application (in C#) connecting to Azure Service Bus Relay and it works well. However using WireShark I found out that both the server and client side use encryption with TLS 1.0 which is supposed to be degraded now. How can I force it to use TLS 1.1 or TLS 1.2?
Is there a parameter that I can set to specify TLS version?
part of App.config below:
<services>
<service name="GatewayServer.GatewayService">
<endpoint address="sb://myowntest.servicebus.windows.net" binding="netTcpRelayBinding" contract="GatewayServer.IGateway" behaviorConfiguration="gateway"/>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="gateway">
<transportClientEndpointBehavior>
<tokenProvider>
<sharedAccessSignature keyName="RootManageSharedAccessKey" key="myveryownkey=" />
</tokenProvider>
</transportClientEndpointBehavior>
</behavior>
</endpointBehaviors>
</behaviors>
part of the code to start the host:
ServiceHost sh = null;
sh = new ServiceHost(typeof(GatewayService));
sh.Open();
I have added the following configuration section to my web.config file
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
But when I call the *.asmx web service, I still got the following error:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
I am using the IIS7.5 ASP.NET integrated mode.
Any clues? I just found the IIS Authenticatino is very poor and unstable.
Thanks!
It turns out that we need to grant NTFS permission to target folder for the Anonymous Authentication Authenticated As identity, besides enable Anonymous Authentication in IIS.
Windows Authentication happens in both IIS and NTFS file system. I always forget the latter one. I will cut my dummy brain.