I have a SP2016 Server and I am trying to setup app environment. I added the certificate as SPTrustetSecurityTokenIssuer and SPTrustetdRootAuthority but when I open the app there is a 401 error. ULS says; "multiple issuers detected for the same token".
Also i restartet the Security Token Service application pool and the server multiple times.
uls
Related
I have an App Service that's protected by a TLS certificate. It worked fine with small payloads, however, it started failing with larger payloads.
According to an article, I enabled certificate negotiation for my API Management Service:
https://notetoself.tech/2019/06/13/api-call-with-client-certificate-policy-failing-to-execute-due-to-message-size-on-azure-api-management/
However, it still randomly fails with certificate negotiation error, as seen below:
Important - I do not want to use client authentication between browser <-> API management. I'm using it only between API management <-> App Service.
I could not find any information on this substatus 72 code. What does it mean and can it be fixed? Is Azure client certificate authentication broken and won't work with large payloads?
The Negotiate Client Certificate checkbox will not help here as this is for the mutual auth between the client and your apim service where your problem is between apim and app service. Your app service should force apim to exchange the client certificate during the initial SSL handshake rather than waiting until it is needed.
This problem is not related specifically to azure, see this
https://techcommunity.microsoft.com/t5/networking-blog/https-client-certificate-request-freezes-when-the-server-is/ba-p/339672
The issue description to me or at least to how I understood it does not match with the error code as the 17 substatus code means that the client certificate has expired or is not yet valid.
See this https://www.google.com/search?q=403.17+http+code&oq=403.17+http+code&aqs=chrome..69i57.9265j0j7&client=ms-android-samsung-gn-rev1&sourceid=chrome-mobile&ie=UTF-8
And this https://techcommunity.microsoft.com/t5/iis-support-blog/client-certificate-revisited-how-to-troubleshoot-client/ba-p/348053
The app
I have a web application on Microsoft Azure. The client is written in Vue.js and hosted via a Windows App Service. The server is built using Azure Functions, and hosted via a Linux Azure Functions App.
Both the client App Service and the server Function App use built-in authentication ("Easy Auth"), with Active Directory configured as the identity provider. I am able to log into each, separately, via AD.
Until recently, I was also able to make authenticated requests from the client to the server. The client has
"loginParameters": [
"response_type=code id_token",
"scope=openid offline_access api://<Application (client) ID>/user_impersonation"
]
in its authsettingsV2 and generated tokens' aud have the correct application ID. Passing the access_token from the client's /.auth/me response as a bearer token in requests to the server used to work.
The problem
I made a few configuration changes today, tested authentication, found that it was no longer working, and backed them out. Unfortunately, reverting those changes didn't fix the issue and generated tokens are no longer being accepted by Easy Auth on the server:
{
"code": 401,
"message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]' or validationParameters.ValidIssuers: '[PII is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'."
}
Okay, so the issuer is not in the list of valid issuers. But Azure hides personally identifiable information in exceptions by default so I can't see the issuer or any of the valid issuers.
One option appears to be:
If you need to see the full information present in exceptions, please set IdentityModelEventSource.ShowPII to true
but this looks like a reference for configuring authentication myself using C#. I don't see any way to change this setting when using Easy Auth.
Maybe I can access raw logs. Let's see, I should be able to see this information by enabling application logging:
If you enable application logging, you will see authentication and authorization traces directly in your log files
To enable application logging for Linux apps or custom containers in the Azure portal, navigate to your app and select App Service logs.
But that option is not available:
A lot of the Function App documentation links to App Service documentation, so it would seem that Function Apps are a special kind of App Service App, but maybe not. The preceding quote is from App Service documentation, but I got there following links from Azure Function App documentation.
Alright, let's see if there's a way to enable application logging for Function Apps. Azure Monitor Logs look promising, but none of the generated logs appear to be about Easy Auth. I just see messages about the service starting. Maybe that's because, on Linux apps, Easy Auth runs in an isolated environment and therefore wouldn't be included in diagnostic logs:
The authentication and authorization module runs in a separate container, isolated from your application code.
So… how can I get more details about this error? Easy Auth is recommended as an option for authentication with Function Apps, and I'd hope that there's a way to get more information about what's happening.
I have seen Azure App Service Authentication / Authorization returns HTTP 401 IDX10205: Issuer validation failed and have already set accessTokenAcceptedVersion to null in the manifest. That Q&A helped me get the token passing working in the first place, and I have not changed that value.
I have Registered two apps in Azure AD; One being the Server and the other being the Client as one set. There are two sets created; One set for Production and the other being for UAT. Client Apps are types of "Web" and none being as SPA.
Production Server App is almost a clone of the UAT Server App. And Production Client App is almost a clone of a UAT CLient app.
Consumers use Client Apps to get tokens by using the OAuth 2.0 token endpoint (v2) https://login.microsoftonline.com/[--Tenant--]/oauth2/v2.0/token as Client Credential Flow with a Secret. The token generated is used as a bearer token to Authorize my Web API.
On the Production Client App, it returns an error when retrieving Token from Token endpoint and it read as:
AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application'
Whats Bizzare here is:
Production Client App can get Token from Public Network (Internet), but not in Internal Network (Having Internet access)
UAT Client App produces Tokens from Public and Internal Networks (Having Internet access).
With such facts, it's not rational to say that there is a network restriction in the Production Consumer site. I am clueless on why App is not producing tokens in Internal networks but in Public networks, whereas the UAT Apps have no issue in producing Tokens irrespective of the environment.
This case almost elaborates my case but I have checked mine, where Client App is Public and Server App is Private.
Where to search? What areas to looking to?
In case someone else encounters this error, check the URIs type in the Manifest file to be Spa and NOT Web. Even if you have set the platform in Authentication to Single-page applications, the URIs type might still be set to Web which will cause this error.
We're experiencing random timeouts on our azure web role and I'm trying to rule out if this alert code is the cause. When I RDP into the role and check the Event Viewer, I'm seeing hundreds of these errors in the event log:
A fatal alert was received from the remote endpoint. The TLS protocol
defined fatal alert code is 48.
This blog gives more info for alert code 48:
Received a valid certificate chain or partial chain, but the
certificate was not accepted because the CA certificate could not be
located or could not be matched with a known, trusted CA. This message
is always fatal.
We do have an SSL certificate on the server, have setup the azure configuration to use it, and are able to browse the site under https.
What does this error and description mean and how do I go about fixing it? I'm not really sure how to move forward with this info, as it's the first time I've setup a site with SSL.
I have a MVC 4.0 application with a web service as reference. The web service is installed on third party remote server will SSL. Also the web service requires client certificate authentication. I installed the certificate that issued by the 3rd party to our test server on Personal store, Trusted Root Certificate Authorities and Third-Party Root Certificate Authorities. Same to my local computer. The application is able to access the remote server and get response on my local development server, but always failed on our test server. Our test server is win 2003 and IIS 6.0. The error I got is "Client Certificate Required". It looks like the remote server either reject or cannot take the certificate we pass.
Here is my code:
var svc = new webservcie();
svc.ClientCertificates.Add(X509Certificate.CreateFromCertFile("c:\clientcert.cer"));
svc.Credentials = new NetworkCredential(username, password);
svc.url = "https://www.thirdparty.com/WMServices";
svc.givemedata()
I have tried many ways to fix this issue, but cannot. I think the issue is that our test server is not able to access the client certification. I read an article about grant Networkservice access to the certificate, but not sure if it is right or not.
Could someone please help me out? Thanks!
I found more detail error from server application event log:
Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt with error: This network connection does not exist.
Thanks!