Develop Reference

How do I trust dotnet's dev-cert, in Linux?

I'm working through an online course on building Microservices in .NET - https://www.dotnetmicroservices.com/.
But while the instructor is running on Windows, I'm working on Linux - Linux Mint 20.1 (Ulyssa).
.NET core and .NET 5.0 are supposed to be cross-platform, and I've had no real issues in getting things to work, until now.
At this point, I have two webapi services, one providing identity services and one providing a catalog service.
The identity service is configured to use IdentityServer4, IdentityServer4.AspNetIdentity, and Microsoft.AspNetCore.Identity.UI to provide OAuth 2.0 and OpenID services.
The catalog service is configured to use Microsoft.AspNetCore.Authentication.JwtBearer, and requires a valid JWT to access the endpoints.
So, in Postman, I have a Request configured to access a simple GET endpoint in the catalog service. In the Authorization tab for the Request I choose OAuth 2.0, and enter the necessary data to make the request, including the Auth URL and Access Token URL (https://localhost:5003/connect/authorize and https://localhost:5003/connect/token).
When I click on Postman's "Get New Access Token" button, I get the login page, I log in, and get the "MANAGE ACCESS TOKENS" dialog. I can copy the Access Token or the id_token from the dialog and paste them into https://jwt.ms/ and they both look fine.
So that much is working.
But when I click on Postman's "Use Token" button, and then do a "Send" on the Request, I get an exception in the catalog service:
fail: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
Exception occurred while processing message.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
It looks like the problem is that dotnet's developer certificate isn't trusted.
The usual method for doing this is to use the dotnet cli:
dotnet dev-certs https --trust
But on Linux, this returns:
Trusting the HTTPS development certificate was requested. Trusting the
certificate on Linux distributions automatically is not supported. For
instructions on how to manually trust the certificate on your Linux
distribution, go to https://aka.ms/dev-certs-trust
So I went to https://aka.ms/dev-certs-trust, and it contains a lot of stuff, most of which clearly isn't relevant. The section on "Ubuntu trust the certificate for service-to-service communication" seemed apropos:
sudo dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
sudo update-ca-certificates
And while that ran without issue, it didn't not fix the problem.
As for the rest, the page says "Establishing trust is browser specific. The following sections provide instructions for the Chromium browsers Edge and Chrome and for Firefox."
And I don't see how either is relevant to the problem at hand.
What is dotnet core doing, when it is verifying certificates? What do I need to do to mark the dotnet developer's certificate as trusted?

Either you have to stop using HTTPS and use HTTP instead between the services.
I assume you use containers to host the services? and For HTTPS to work, you need a domain name and mapping that domain name to the containers that match the certificate and using localhost (the dev cert) to map to containers I feel is a bad idea.
Better to get a real certificate that you then using different techniques map to the containers. Like editing the hosts file to map the domain to the IP-addresses of your services.
In dev/production, I usually host my HTTPS certificate in Azure Key Vault and download and add it to ASP.NET Core at startup time.
When I work locally, I have created a certificate for the domain indentityservice.local, using the mkcert tool
mkcert.exe -install
mkcert -pkcs12 -p12-file identityservice.local.pfx identityservice.local
Then I copy the generated identityservice.local.pfx and add it to my project. Then if all works, I can contact my local IdentityServer using https://identityService.local
I also do add this entry to my local hosts file at C:\Windows\System32\drivers\etc
127.0.0.1 identityService.local

The following works on Linux:
Generate a local CA.
mkcert -install
Generate the certificate to be used in your service
mkcert -pkcs12 -p12-file myservice.local.pfx myservice.local
Add an entry for myservice.local in /etc/hosts
127.0.0.1 myservice.local
Use the p12 certificate in your dotnet service
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;
namespace myservice
{
public class Program
{
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
}
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
{
#if DEBUG
webBuilder.UseStartup<Startup>().UseKestrel(options =>
{
options.Listen(IPAddress.Loopback, 5001, listenOptions =>
{
listenOptions.UseHttps("./myservice.local.pfx", "changeit");
});
}).UseUrls("https://myservice.local:5001");
#else
webBuilder.UseStartup<Startup>();
#endif
});
}
}

SharePoint Designer workflow error: The token service returned an error type of 'unauthorized_client' with the following description:

I have created SharePoint designer 2013 workflow on SharePoint Online list.
The site is restored from template.
I am getting following error from workflow.
Retrying last request. Next attempt scheduled after 9/29/2018 9:55 AM. Details of last request: HTTP to https://test.sharepoint.com/sites/site/subsite1/subsite2/_api/web/lists(guid'd5a0eced-1456-4f7e-aad0-d327ea860912') Correlation Id: Instance Id: 955783ad-2f95-487e-a194-73abb943edb6
System.Net.WebException: The request was aborted: The request was canceled. --->
System.InvalidOperationException: Failed to fetch an access token from the token service.
The token service returned an error type of 'unauthorized_client' with the following description: AADSTS70001: Application with identifier 'c13d643f-945a-46c3-8e4f-d3a7a70b6ed0' was not found in the directory ce02dcd7-f1dd-42f4-9dc3-1959d1672bac, Trace ID: 11414f23-e2b5-428e-9b82-945f4ebea401,Correlation ID: d132cb0a-6f47-e015-98a3-fa6aa32f74e0,Timestamp: 2018-09-28 04:30:25Z ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.at System.Net.HttpWebRequest.GetResponse() at Microsoft.Activities.Hosting.Security.OAuthS2SSecurityTokenServiceCredential.FetchAccessToken(Uri stsUri, String targetServiceAudience, String authenticatorToken, HttpWebRequest request, TimeSpan timeout, EventTraceActivity eventTraceActivity, TimeSpan& expirationDuration)
--- End of inner exception stack trace ---
at Microsoft.Activities.Hosting.Security.OAuthS2SSecurityTokenServiceCredential.FetchAccessToken(Uri stsUri, String targetServiceAudience, String authenticatorToken, HttpWebRequest request, TimeSpan timeout, EventTraceActivity eventTraceActivity, TimeSpan& expirationDuration)
at Microsoft.Activities.Hosting.Security.OAuthS2SSecurityTokenServiceCredential.GetAccessTokenFromTokenService(OAuthS2SPrincipal client, OAuthS2SPrincipal targetServiceAudience, HttpWebRequest originalRequest, EventTraceActivity eventTraceActivity, TimeSpan& expirationDuration)
at Microsoft.Activities.Hosting.Security.OAuthS2SSecurityTokenServiceCredential.GetAuthorization(OAuthS2SAuthenticationChallenge[] bearerChallenges, HttpWebRequest request, EventTraceActivity eventTraceActivity)
at Microsoft.Activities.Hosting.Security.OAuthS2SAuthenticationModule.AuthenticateInternal(String challenge, WebRequest request, OAuthS2SCredential credential, EventTraceActivity eventTraceActivity)
at Microsoft.Activities.Hosting.Security.OAuthS2SAuthenticationModule.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
at System.Net.HttpWebRequest.ProcessResponse()
at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
--- End of inner exception stack trace ---
at Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
at Microsoft.Activities.Hosting.HostedHttpExtension.HttpRequestWorkItem.OnEndComplete(ScheduledWorkItemContext context, IAsyncResult result)

Have you tried applying the update to your SharePoint Designer 2013? Here is the link to download update: https://www.microsoft.com/en-us/download/confirmation.aspx?id=42009
This update is for 64-bit SPD2013.
I hope it may work.
Thanks and regards,
Purushottam

SSIS Authentification with SharepointList data source

I'm creating an SSIS Package that imports data from a SharePoint List, I've an authentification issue due to the SPCRED Component I think.
for the record I'm using a developement server in a domain whitch is different from the Sharepoint One. So I do specifie this one "SharePoint Server DomainName" in my SPCREDHer is my configuration Because Ican't use my windows Credantials.
I verrified that with my credantials I've an admin role in the hole Sharepoint web site. when configuring my SharePoint List Source I've got all the columns I was Able to do the data mapping. but when executing the package it runs into an error because of the authentification Here is the error:
SSIS package "MyPackage.dtsx" starting.
Information: 0x4004300A at Liste FPDA, SSIS.Pipeline: Validation phase is beginning.
Error: 0xC0047062 at SharepointListName, SharepointListName [193]: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Samples.SqlServer.SSIS.SharePointUtility.ListsService.ListsSoap.GetListAndView(GetListAndViewRequest request)
at Microsoft.Samples.SqlServer.SSIS.SharePointUtility.ListsService.ListsSoapClient.GetListAndView(String listName, String viewName)
at Microsoft.Samples.SqlServer.SSIS.SharePointUtility.Adapter.ListsAdapter.GetSharePointFields(String listName, String viewId)
at Microsoft.Samples.SqlServer.SSIS.SharePointUtility.ListServiceUtility.GetFields(Uri sharepointUri, NetworkCredential credentials, String listName, String viewName)
at Microsoft.Samples.SqlServer.SSIS.SharePointListAdapters.SharePointListSource.GetAccessibleSharePointColumns(String sharepointUrl, String listName, String viewName)
at Microsoft.Samples.SqlServer.SSIS.SharePointListAdapters.SharePointListSource.ValidateSharePointColumns()
at Microsoft.Samples.SqlServer.SSIS.SharePointListAdapters.SharePointListSource.Validate()
at Microsoft.SqlServer.Dts.Pipeline.ManagedComponentHost.HostValidate(IDTSManagedComponentWrapper100 wrapper)
Error: 0xC0047017 at Liste FPDA, SSIS.Pipeline: Liste FPDA failed validation and returned error code 0x80131501.
Error: 0xC004700C at Liste FPDA, SSIS.Pipeline: One or more component failed validation.
Error: 0xC0024107 at Liste FPDA: There were errors during task validation.
SSIS package "MyPackage.dtsx" finished: Failure.
Thank You

I had exactly the same problem, what helped me was setting the runtime credentials using the guide I've found here
Manually set to use Custom Credentials, then enter details of an account that has permissions to read & write to the target Sharepoint list
At run time, the account password set in the connection manager will not be used, it must be set by using package configurations.
Go to SSIS menu > Package Configurations
Enable package configurations if not done already
Click Add to create a new configuration
Select required configuration location, probably either XML file or SQL Server if available
Click next to select properties
In the tree of items to configure, expand Connection Managers > SharePoint Credential > Properties
Select UserName and Password properties, click Next
Set configuration name & click Finish
The Password value will not have been saved to the configuration destination because it is secured. You need to open the configuration location and manually set the Password value.

I fixed my issue by adding Connection Parameters. Right click the SharePoint Credential and select "Parameterize..." from the pop-up menu. Then click the Property drop down and create parameters for both UserName and Password.

ACS azure for published application

Hy guys ,
I developed a WebForms application using VS 2012 . I've published it on Azure .
After that I integrated ACS ( i've set the URL to my allready published application)
I published the application again , but it doesn't work .
After I've registered myself (for ex using Yahoo or LiveID) I've got this error :
Server Error in '/' Application.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +379
System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +52
[InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +167
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +57
System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +658
System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +86
System.IdentityModel.Services.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +144
System.IdentityModel.Services.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +82
System.IdentityModel.Services.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +216
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +860
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +369
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69
What should i do ?
I've set the URL's correctly. I don't have in web.config any reffernces of "localhost"..
I don't know what I must set additionly for this to work..

By default WIF uses DPAPI to encrypt cookies. Switch to cert based encryption. See this answer:
Is it possible to run WIF without LoadUserProfile = True

Vittorio Bertocci answers the question here
http://www.cloudidentity.com/blog/2013/01/28/running-wif-based-apps-in-windows-azure-web-sites-4/
DPAPI is not available in the cloud web apps and 4.5 has a simple solutions

System.ServiceModel.CommunicationException: Silverlight application reading excel data by excel service

I create a c# console project to read the excel document on the sharepoint server, everything works fine. The problem is when I try to read the excel file data in a silverlight application, a exception popped up as below:
{System.ServiceModel.CommunicationException: An error occurred while trying to make a request to URI 'http://phc/_vti_bin/excelservice.asmx'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details. ---> System.Security.SecurityException ---> System.Security.SecurityException: Security error.
at System.Net.Browser.BrowserHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
at System.Net.Browser.BrowserHttpWebRequest.<>c__DisplayClass5.<EndGetResponse>b__4(Object sendState)
at System.Net.Browser.AsyncHelper.<>c__DisplayClass2.<BeginOnUI>b__0(Object sendState)
--- End of inner exception stack trace ---
at System.Net.Browser.AsyncHelper.BeginOnUI(SendOrPostCallback beginMethod, Object state)
at System.Net.Browser.BrowserHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)
--- End of inner exception stack trace ---
at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
at System.ServiceModel.ClientBase`1.ChannelBase`1.EndInvoke(String methodName, Object[] args, IAsyncResult result)
at CERViewer.ESW.ExcelServiceSoapClient.ExcelServiceSoapClientChannel.EndOpenWorkbook(IAsyncResult result)
at CERViewer.ESW.ExcelServiceSoapClient.CERViewer.ESW.ExcelServiceSoap.EndOpenWorkbook(IAsyncResult result)
at CERViewer.ESW.ExcelServiceSoapClient.EndOpenWorkbook(IAsyncResult result, ObservableCollection`1& status)
at CERViewer.ESW.ExcelServiceSoapClient.OnEndOpenWorkbook(IAsyncResult result)
at System.ServiceModel.ClientBase`1.OnAsyncCallCompleted(IAsyncResult result)}
The source code:
private void GetFeatures()
{
ExcelServiceSoapClient = new ExcelServiceSoapClient();
string targetWorkbookPath = "http://phc/Shared%20Documents/sample.xlsx";
xlservice.OpenWorkbookCompleted += new EventHandler<OpenWorkbookCompletedEventArgs>(xlservice_OpenWorkbookCompleted);
xlservice.OpenWorkbookAsync(targetWorkbookPath, "en-US", "en-US");
}
void xlservice_OpenWorkbookCompleted(object sender, OpenWorkbookCompletedEventArgs e)
{
sessionId = (string)e.Result; //exception here!!!
}
I tried the ways below, but they all failed.
1: create the file and put it on the "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\isapi\", but it failed again.
2: open the cross-domain workbook and data connection access in the sharepoint server, here
I am totally new to sharepoint and silverlight development, I search around on the net but can't find the answer. anyone could help me???

I fixed the problem by putting the clientaccesspolicy.xml file in the server root.