I am able to authenticate a user when working locally, using the line
AuthenticationResult result = context.AcquireToken(resource,clientID, returnURI, PromptBehavior.Always);
Locally, I get the signin screen and the UserInfo.
When I publish the web app to Azure, the code above fails with this error
"Error HRESULT E_FAIL has been returned from a call to a COM component"
[COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.]
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask(Task`1 task) +89
What causes this? I am publishing to the shared site (eg xxx.azurewebsites.net) -- so I don't have access to the server machine to make any changes --- beyond using the portal.
The code works as expected locally.
Also the javascript version (ADAL.js) works using the same tenant, clientID and returnURI
The token acquisition flow you are performing is meant to be ran on a desktop application, not a web one. The dialog that comes out on your desktop is driven by your local process and the existence of a local windows session. It cannot work within one web application, given that there is no windows session and the process is running elsewhere on a server machine.
Please refer to our samples to understand how to acquire tokens from a web app, anything with "openid" or "oauth" from https://github.com/AzureADsamples will work.
Related
I have been testing a Blazor Server app (ASP.NET Core 6.0) locally for a while with no issues. It authenticates against Azure AD, and everything works fine.
I deployed it to an IIS 10 server on Windows Server 2019 (after installing Websockets, ASP.NET hosting runtime, etc.) and now I can't get past authentication, either locally on the server or remotely.
When I hit the URL, it immediately redirects to the Microsoft Login page, where I enter my username (email), then password, then 2FA challenge, then the yes/no stay logged in page, and then it appears to hang for a short while (although in the tab it is constantly switching between "Working" and "https://login.microsoft.com...") and then it either comes up with Bad Request - Request Too Long, or just "We can't sign you in".
If it's the Bad Request error, then the cookie store will be full of .AspNetCore.Correlation.xxx and .AspNetCore.OpenIdConnectNonce.xxx cookies, which is what makes the headers too long, and creates the bad request. If it's the "we can't sign you in" error, then clicking the three dots, and saying sign out and forget, resets things which will next time result in the Bad Request error.
Just to check that I hadn't done anything stupid, I created a new blank app, using the Blazor Server template, and deployed that in place of my app. Exactly the same thing happened. I could run it locally in VS, but after publishing to IIS, exactly the same Authentication errors.
Does anyone have any ideas or pointers?
OK, for anyone who finds this in the future... it was a simple fix - but there are no error messages which point to it until you look very deeply.
When I set up both my app, and the Blazor template app, I let the scaffolder set them up, and get a secret from the Azure API, which it placed into my local secret store.
When I published the app to IIS, the ClientSecret was not copied.
The quick fix was to simply put the client secret into the appsettings.json file at which point everything came good immediately. The longer fix is to use the server-based secret store.
Apparently the looping was caused by the client secret not being present. :(
I am getting this issue while publishing my .net core 3.1 app to azure app service.
I am able to publish the application but while hitting a url i am getting this error
Below are error details that i have found out in Event Viewer
" Login failed for user 'NT Service\SSISScaleOutMaster150'. Reason: Could not find a login matching the name provided. [CLIENT: ]"
NT Service\SSISScaleOutMaster150
Reason: Could not find a login matching the name provided.
[CLIENT: ]
I am also getting this icon when i am trying to publish it
denoting there are some warning in this section : Dependencies remote.
Other Details:
I am able to run application locally, I have a azure sql database which is connected to this, angular app as frontend and .net core 3.1 app as backend.
I have also tried creating a simple hello world app in .net core 3.1 and tried to deployed it. I am able to publish it and also able to run the url.
Kindly help me in this.
" Login failed for user 'NT Service\SSISScaleOutMaster150'. Reason: Could not find a login matching the name provided. [CLIENT: ]"
Judging from your error message, I think that when connecting to azure sql database, it may be filled in some places incorrectly.
Generally speaking, as long as the azure sql server can be used, the connection information is correct, and the yellow exclamation mark will not appear when adding Service Dependencies.
Troubleshooting steps:
1. Check login user NT Service\SSISScaleOutMaster150, whether you have the permission to log in to the database.
(I think there is a problem with this login user name, please check carefully. In Azure SQL, it is generally not in this format.)
① Use other tools such as SSMS to see if you can log in.
② If not, use the administrator to log in to azure sql server to check if the user name NT Service\SSISScaleOutMaster150 is in the user group.
2. Please check the azure sql server connection information, string, etc. To be consistent with the portal, local user name and password cannot be used, and the login information of azure sql server must be used.
I develop web app, which cooperates with to TFS2012. In my local machine its works fine, but when i deploy on server i get the following exception:
[WebException: The remote server returned an error: (401) Unauthorized.]
System.Net.HttpWebRequest.GetResponse() +6440920
Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.SendRequestAndGetResponse(HttpWebRequest webRequest, WebException& webException) +195
My connect to TFS Code:
_collection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("http://xxx/tfs/TestPrjects/"));
_collection.EnsureAuthenticated();
_store = _collection.GetService<WorkItemStore>();
my web-config:
<system.web>
<customErrors mode="Off"></customErrors>
<authentication mode="Windows"/>
...
<system.web>
in ISS i activate Windows authorization:
Where is my mistake?
The details you are using to access TFS are incorrect.
The reason it works on your local machine is because the webserver is running as you, who has access to TFS. On the IIS server it's running as the app pool user, which won't have access.
Potential Solutions
Run the app pool as a user that has access to TFS (or grant the current user access)
This is ok for read only access, but if you're writing back to items you may want to not go down this route
Enable delegation so the code that connects to TFS is run as the currently authenticated windows user
This is much harder to do and only works in internet explorer out of the box. Firefox users can change a setting and Chrome users need to start chrome with a commandline switch.
wrap a using(WindowsIdentity.GetCurrent().Impersonate()) {} around your code that uses TFS and ensure you are using CredentialCache.DefaultNetworkCredentials to connect to TFS.
Use the TFS Server API
Be naughty and use server instead of the client api. The server API writes directly to the db and doesn't need to impersonate a user. I highly doubt this is a supported path and you won't find much information on it. However it still needs to run as a user with access to the db (like option 1, but supports updates as windows authed users)
I have a ASP.NET application that need to access to ANOTHER application, the ANOTHER application expecting Kerberos authentication, it based on the user credential to response to the request. My ASP.NET app is running on a AD service account that is setup to allow delegate to the ANOTHER application (with proper SPN).
So the process is, user requests to the ASP.NET app, the ASP.NET app will impersonate the request to the ANOTHER application by delegation (with kerberos).
When I run the app in local machine (My ASP.NET resides), the request was successful, however, if the request is coming from remote client machine, it failed, from the ANOTHER application's log, it shows the Identity is not presented.
Any clue?
Have a look at the following which appears to be very similar to your situation:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl/270306#270306
There are some resources that that should help you troubleshoot.
I am hosting my web application on windows server 2008 with IIS 7.5,
I have 2 web applications:
1. the first one is the core sso (Single Sign-on) service with a login page.
2. another web application is hosted on the same web server which use the first app for sso.
I am using the WIF RTM to implementation the sso,
usually, it is running good without any problem, the user can login throw the sso and redirect back the start page.
but when I login throw the sso first, then restart the IIS, if I come back to the second application and refresh the page, I got the following error:
Server Error in '/' Application.
Key not valid for use in specified state.
Description: An unhandled
exception occurred during the
execution of the current web request.
Please review the stack trace for more
information about the error and where
it originated in the code.
Exception Details:
System.Security.Cryptography.CryptographicException:
Key not valid for use in specified
state.
Source Error: An unhandled exception
was generated during the execution of
the current web request. Information
regarding the origin and location of
the exception can be identified using
the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid
for use in specified state. ]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[]
encryptedData, Byte[] optionalEntropy,
DataProtectionScope scope) +425
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +59
[InvalidOperationException: ID1073: A
CryptographicException occurred when
attempting to decrypt the cookie using
the ProtectedData API (see inner
exception for details). If you are
using IIS 7.5, this could be due to
the loadUserProfile setting on the
Application Pool being set to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +151
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[]
cookie, Boolean outbound) +109
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader
reader, SecurityTokenResolver
tokenResolver) +634
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[]
token, SecurityTokenResolver
tokenResolver) +105
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[]
sessionCookie) +239
Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken&
sessionToken) +59
Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object
sender, EventArgs eventArgs) +52
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+68 System.Web.HttpApplication.ExecuteStep(IExecutionStep
step, Boolean& completedSynchronously)
+75
________________________________________ Version Information: Microsoft .NET
Framework Version:2.0.50727.4927;
ASP.NET Version:2.0.50727.4927
the user session are stored by using SQLServer session mode, I am using a special database for this.
I have tried a lot and I cannot re-procedure this problem on my local computer (Windows7).
did anyone have similar experience? can you tell me how to solve this problem?
I finally solve this problem by change the application pool user to a local user.
the problem is probably caused by the sso is hosted on a 64bit OS, this problem does not exist if I host the sso on a 32bit computer (even I use a domain user for the application pool).
Now I use ApplicationPoolIdentity or NetWork Service, the exception disappeared after I restart IIS.
Thanks all you guys and I am so glad to share my solution with you.
There seems to be some kind of security issue when you have several apps sharing the same domain on Win Server 2008 with IIS 7.5
If you have urls http://ourdomain.com/app1 and http://ourdomain.com/app2 you can sign in on one app with WIF but when you access the other app you get this error. This is because the Cookie is for the domain but if it´s created by app1 then app2 can't access it.
So the solution is to either do as Aaron and use a specific user that has access rights or as we did, separate the apps on two different domains ie http://app1domain.com/ and http://app2domain.com/.
This could well be because your application pool user has no persistent user profile. To rectify this you can just run something as that user:
runas /user:<domain>\<user> cmd
And this will create the profile. Subsequently the data should be decryptable after restarting IIS.