Using below method query a token result in universal app:
AcquireTokenAsync(string resource, string clientId, Uri redirectUri, PromptBehavior promptBehavior);
No problem in F5 debug mode, but hit error when installed the app manually by a published store app package.
the error message:
authentication_ui_failed: The browser based authentication dialog failed to
complete. The system cannot locate the resource specified. (Exception
from HRESULT: 0x800C0005)
Please check the capabilities of your universal app. Following capabilities must be enabled for AAD browser authentication UI popup to be shown:
Enterprise Authentication
Internet(Client & Server)
Private Networks(Client & Server)
Shared User Certificates
If you want to enable them from the package.appxmanifest xml file of your app you should have following entries inside Capabilities tag as below which corresponds to above capabilities in the same order:
<uap:Capability Name="enterpriseAuthentication"/>
<Capability Name="internetClient" />
<Capability Name="privateNetworkClientServer" />
<uap:Capability Name="sharedUserCertificates" />
Hope this helps!
I got the same error message, although my problem was that I was using wrong redirectURI.
Need to use the one generated by:
redirectURI = Windows.Security.Authentication.Web.WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
Related
I used yo office to create a Excel AddIn with custom functions.
I made some changes based on following Configure your Office Add-in to use a shared JavaScript runtime to use shared runtime.
After starting the project, I am able to check the shared runtime is running by checking the go text. But my custom functions did not work. it shows #BUSY! all the time.
I checked the error in AppData\Local\Temp\OfficeAddins.log.txt. There is no helpful information,
only content below:
11/29/2021 15:42:15 Unexpected Resource The server for this resource is unavailable.
11/29/2021 15:42:15 Unexpected Resource The server for this resource is unavailable.
11/29/2021 15:42:15 Medium Resource Resource Download Error Details: SolutionId=af84c00e-1e75-43c8-b0b8-5e68d915dfa4 , AppVersion=1.0.0.0
11/29/2021 15:42:15 Medium Resource Resource Download Error Details: SolutionId=af84c00e-1e75-43c8-b0b8-5e68d915dfa4 , AppVersion=1.0.0.0
11/29/2021 15:45:55 Verbose CustomFunctions [Execution] [Async] [Begin] Function=CONTOSO11.ADD1, Workbook=Excel add-in af84c00e-1e75-43c8-b0b8-5e68d915dfa4.xlsx
Any help would be appreciated
I finally resolved my issue.
The problem turned out to be in the usage of localhost in manifest for the add-in. I changed my webpack-dev-server to listen on IP address of the desktop and use http protocol instead of https. After this change, the add-in registered in split second and I saw my custom function accessible in the sheet.
I originally tried to configure the local webserver to use "0.0.0.0" to listen to the network calls as well but apparently my company is not allowing any local servers running on the desktop to be accessed outside of the machine (local network) for security reasons therefore I chose the option to use the IP instead.
This is the devServer config entry in webpack I used:
devServer: {
host: "xx.xxx.xxx.xxx",
allowedHosts: "all",
hot: true,
headers: {
"Access-Control-Allow-Origin": "*",
},
port: 9000,
},
As I had said I also adjusted my manifest from https://localhost:3000 which is the default to use http://<IP of the host>:9000
https did not work well since the certs were not matching host's logical IP address.
My original problem was slightly different than yours although the error message was exactly the same. My add-in was not loading at all and it was taking over 25 seconds to get an error from Excel on failed add-in installation reporting failure to load a required resource.
These are the errors I spotted in my Add-in log (OfficeAddin.log.txt)n:
8/19/2022 16:09:37 Medium Resource Resource Download Error Details: SolutionId=05c2e1c9-3e1d-406e-9a91-e9ac648541c3 , AppVersion=1.0.0.6
8/19/2022 16:09:37 Unexpected Resource The server for this resource is unavailable.
The second challenge for custom functions executing properly was to configure shared runtime. There are two places in manifest + changes in webpack config.
Manifest:
1st place is right after <HOST> in main tag block
<Requirements>
<Sets DefaultMinVersion="1.1">
<Set Name="SharedRuntime" MinVersion="1.1"/>
</Sets>
</Requirements>
2nd place is right after <HOST xsi:type="Workbook"> and inside <Page> tag:
<Host xsi:type="Workbook">
<Runtimes>
<Runtime resid="Taskpane.Url" lifetime="long" />
</Runtimes>
<AllFormFactors>
<ExtensionPoint xsi:type="CustomFunctions">
<Script>
<SourceLocation resid="JS-URL" />
</Script>
<Page>
<SourceLocation resid="Taskpane.Url"/>
</Page>
<Metadata>
<SourceLocation resid="JSON-URL" />
</Metadata>
<Namespace resid="Functions.Namespace" />
</ExtensionPoint>
</AllFormFactors>
Webpack adjustments are covered in the link you hinted.
The issue I have is we currently are using IdentityServer as our SSO authentication for our corporate applications. However, the bulk of our applications are under the same Site ID in IIS 7.5. When navigating to more than 5 of these applications under the same Site ID, you end up getting a 400 error, request header too long. The reason being each application has its own cookie, so the request header is passing around 5+ cookies with token information and the becoming too large.
My question is, are you able to prevent the sharing of cookies between applications under the same Site ID in IIS 7.5?
We also have IdentityServer for SSO and internal applications hosted on the same machine on IIS.
And I faced with the same problem too.
Here is a solution:
1) You need to solve Owin/Katana middleware problem to avoid nonce overfloating. Here you can find the code for that fix
2) You have to stop sharing cookies.
So if your base address for applications is "mysite.com".
And you have a lot of different applications like this:
Good App: mysite.com/good_app/
Best App: mysite.com/best_app/
Super App: mysite.com/super_app/
Use CookiePath for each application on an application's side and it will limit cookies (and look here too).
Use the code like this (for "Good App"):
var cookieOptions = new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
CookieName = "GoodAppCookies",
// Cookie Path same as application name on IIS
CookiePath = "/good_app
};
Hope it'll help.
Few things that you can try. Make the following changes at the server level.
Highlight the server name in IIS, select "configuration editor", select "system.web" and "httpRuntime" and change "maxRequestLength" to "1048576".
You can also edit the "applicationHost.config" file in the following way- C:\Windows\System32\inetsrv\Config
<configuration>
<system.web>
<httpRuntime maxRequestLength="1048576" />
</system.web>
</configuration>
Edit "Request Filtering" settings at server level on IIS and set "maxAllowedContentLength" to "1073741824"
You can also edit the root web.config file in the following manner - C:\Windows\Microsoft.NET\Framework64*\v4.0.30319*\Config
*Folder is based on your application. if its a 32 bit application, navigate to "Framework" folder. If its a .net 2.0 application, navigate to v2.0.50727.
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>
First of all - I want to say that I have not tried this myself, so I can't assure that it is a solution, but I'm trying to help.
The problem with the cookies originates from the Microsoft OWIN/Katana and the way they are encrypting them. They become enormous, but this has nothing to do with Identity Server. However here and here there are good discussion around this.
The main thing to try first is in the Startup.cs of the IdentityServer project, in the IdentityServerOptions.AuthenticationOptions there is a property SignInMessageThreshold which defaults to 5. Try setting it to something lower, this will keep your header smaller (which may cause round trips to identity server when an app doesn't have its message in the cookies, but this will not force the user to re-login).
Another thing, that we achieved in one of out projects, is to create a DataBase backed cookie session handler. In your clients, where you use
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
CookieName = cookieName,
});
There is also a property SessionStore. You can have a custom implementation of the Microsoft.Owin.Security.Cookies.IAuthenticationSessionStore. In our case this reduced the cookie size to less than (or around) 300.
Good day all
I'm completely stumped. I am developing an MVC App using MS VSExpress 2013 for Web, and am at the point where I need to add Windows Authentication. Creating a default MVC App using the Wizard and selecting Windows Authentication, it appears to work fine. Lets call the default App App1, my developed App App2.
Monitoring the Context.User object within Watch for both Apps:
App1 returns:
User {System.Security.Principal.WindowsPrincipal}
System.Security.Principal.WindowsIdentity
AuthenticationType "Negotiate" string
IsAuthenticated true bool
Name "MyDomain\\Andrew" string
When using the developed app, the result is as follows: Please note, the returned object is different (App1 = System.Security.Principle.WindowsPrinciple, App2 = System.Web.Security.RolePrinciple.
User {System.Web.Security.RolePrincipal}
Identity {System.Security.Principal.GenericIdentity}
AuthenticationType "" string
IsAuthenticated false bool
Name "" string
HttpContext.Current.Request.LogonUserIdentity.Name "MyDomain\\Andrew"
When switching the developed app Development Server properties to Windows Authentication = Enabled, Anonymous Authentication = Disabled, the result is an immediate:
Server Error in "/" Application.
Resource cannot be found.
Http 404...
Requested URL:/Account/Login
I've checked and compared:
Web.config files and IISExpress\config\applicationhost.config settings for both applications.
My limited knowledge (based on reading all the questions on SO I could find), I'm guessing App2 thinks it is using Forms Authentication, not Windows Authentication. App2 is getting the user information through the
HttpContext.Current.Request.LogonUserIdentity.Name object (found this on SO).
I've added:
<add key="autoFormsAuthentication" value="false" />
to Web.config ... no joy.
Anyone have any idea why the two apps are returning different user objects, and where this can be corrected? Why does App2 not get IsAuthenticated=true from the same IISExpress server as App1?
Thanks
http://www.itorian.com/2013/05/windows-authentication-in-mvc4-with-iis.html
For some strange reason (EDIT Here is the reason-> ASP.NET MVC3 and Windows Auth on IIS keeps redirecting to /Account/Login /EDIT , the wizard generated app1 did not require these two lines within Web.config
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
After adding the 2nd line, the Context User object returned changed from
System.Security.Principal.GenericIdentity
to
System.Security.Principal.WindowsPrincipal
and all is well.
Also ensure your IISExpress server config file applicationhost.config (within the IISExpress installation folder) contains correct entries as required:
Global Entry:
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
I'm trying to implement a logout functionality for my Worklight app. Specifically, the Desktop Browser webpage environment.
My authenticationConfig.xml is as follows:
<resource id="MyApp" securityTest="MyAppTest">
<urlPatterns>/apps/services/www/MyApp/*</urlPatterns>
</resource>
<customSecurityTest name="MyAppTest">
<test realm="MyAppRealm" isInternalUserID="true"/>
</customSecurityTest>
<realm name="MyAppRealm" loginModule="MyAppLogin">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<parameter name="login-page" value="login.html" />
<onLoginUrl>/apps/services/www/MyApp/desktopbrowser/default/index.html</onLoginUrl>
</realm>
<loginModule name="MyAppLogin">
<className> com.worklight.core.auth.ext.RDBMSLoginModule </className>
<parameter name="dsJndiName" value="jdbc/myapp"/>
<parameter name="principalsQuery">
SELECT user_id, password, display_name FROM users WHERE user_id=?
</parameter>
</loginModule>
So far I have tried using Worklight client APIs
WL.Client.logout("MyAppRealm", {onSuccess: WL.Client.reloadApp});
WL.Client.logout(null, {onSuccess: WL.Client.reloadApp});
but that didn't work with errors around "realm is not defined". Could anyone please suggest why I might be seeing "realm is not defined" error?
Alternatively is there a different way to logout the user from my app (accessing the session directly?).
The Login Module that you are using is no longer exist in Worklight framework (com.worklight.core.auth.ext.RDBMSLoginModule).
More information about how to use login modules can be found here:
http://www.ibm.com/developerworks/mobile/worklight/getting-started.html#security
(Look for Form-Based authentication, Adapter-Based authentication and Custom Authenticator and Login Module).
You can also look here:
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/topic/com.ibm.worklight.dev.doc/dev/r_security_framework.html
Am trying to learn how to use dotnetnuke so am kinda new to it. I installed it correctly and i set up a user in server management studio. So when i try to open my page localhost\mypage i get these errors:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Detailed Error Information:
Module IIS Web Core
Notification Unknown
Handler Not yet determined
Error Code 0x8007000d
Config Error Configuration section not allowed in a <location> tag
Config File \\?\C:\inetpub\wwwroot\ANTONISDB\web.config
Requested URL http://`localhost`:80/dotnetnuke
Physical Path
Logon Method Not yet determined
Logon User Not yet determined
Config Source:
210: </system.web>
211: <runtime>
212: <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
Anyone knows whats wrong with this?
Check to make sure the Application Pool for the virtual directory/application is configured to USE ASP.NET 4.0, DNN won't run with .NET 3.5 anymore (starting with Version 7)