My client wants the SharePoint web application to be authenticated using the SiteMinder Claims based STS Web Service agent. When the web app is started and the authentication provider is selected, the web app redirects to a login page, and on correct credentials it should redirect back to the site.
What is happening is that, on correct credentials, the SharePoint web application returns the following error:
Any clue what might be the reason? I am happy to assist if additional information is required.
NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.
Exception Details:
System.IdentityModel.Tokens.SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.]
Microsoft.SharePoint.SPImmutableCertificateValidator.Validate(X509Certificate2 certificate) +181
Microsoft.SharePoint.SPCertificateValidator.Validate(X509Certificate2 certificate) +260
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +520
[SecurityTokenValidationException: ID4257: X.509 certificate 'E=user#domain.com, CN=certName, OU=WHQ, O=CSC, L=Chantilly, S=Virigina, C=US' validation failed by the token handler.]
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1358733
Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +461
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099702
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
Solution Time!
Special thanks to #gtrig for tipping me off about the real issue behind the error.
Why the Error
The error is caused by a Microsoft security patch (KB2661254) adding a restriction to certificate validation. This patch requires the certificate's RSA key to be greater than or equal to 1024 bits. The given siteminder.cer contains a 512-bit RSA key. The following link explains the issue in detail.
http://blogs.technet.com/b/rmilne/archive/2012/09/03/important-upcoming-certificate-changes.aspx
The solution in detail is here. http://support.microsoft.com/kb/2661254
But for me, only adding the following registry key did the trick.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
minRSAPubKeyBitLength : Decimal 512
To apply this registry modification, open a command prompt (make sure the user has admin privileges, else start the command prompt in Administrator mode) and execute
certutil -setreg chain\minRSAPubKeyBitLength 512
However, I would recommend reading through the entire solution from the above link in depth to find a unique solution.
Important: This is not a recommended approach in a client environment, as it may compromise the security of the server environment.
The recommended solution is to have a new certificate created with at least the minimum key size of 1024 bits (although 2048 is recommended).
Related
I'm trying to make Windows authentication work on a Linux/Debian server with Kerberos. I'm using .NET Core 3.1 and IdentityServer4. For now I have joined Linux to the Windows AD like the docs say:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio#kestrel-1
I have managed to get Kerberos working from bash with the kinit command. I also got Apache2 working with Kerberos.
But in .NET Core it always returns in the logs
[17:39:53 Information] Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler AuthenticationScheme: Negotiate was challenged.
[17:39:54 Information] Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler None
If I set a wrong encryption type in krb5.conf I get an error like:
Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information(Request ticket server **** kvno 4 enctype aes256-cts found in keytab but cannot decrypt ticket).
at System.Net.Security.NegotiateStreamPal.GssAcceptSecurityContext(SafeGssContextHandle& context, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags)
at System.Net.Security.NegotiateStreamPal.AcceptSecurityContext(SafeFreeCredentials credentialsHandle, SafeDeleteContext& securityContext, ContextFlagsPal requestedContextFlags, Byte[] incomingBlob, ChannelBinding channelBinding, Byte[]& resultBlob, ContextFlagsPal& contextFlags)
So the token is passing GSSAPI in normal mode and trying to validate the user, but there is always None in the answer. Can somebody help me understand what I'm doing wrong?
I got it by using [Authorize] attribute instead of HttpContext.ChallengeAsync().
I'm trying to build a Web API service in ASP.NET Core, on Linux Mint (which is an Ubuntu variant).
When I try to access an endpoint, whether from the Swagger UI in Chrome, from Postman, or from Chrome directly, I get exceptions:
AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
HttpRequestException: The SSL connection could not be established, see inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(bool async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
Chrome is displaying the "Not secure" button, clicking on which displays:
Your connection to this site is not secure
I can click on "Certificate(invalid)" which brings up "Certificate Viewer: localhost", where I can see the details of the certificate, but I see nothing in the Chrome Certificate Viewer, or in the exceptions, that indicates exactly why the certificate is invalid.
Where can I find this certificate?
How do I determine why it's failing validation?
How do I get it to not fail validation?
I am stumped on this error and need some insight/assistance in solving it.
I had a wildcard SSL cert issued by GoDaddy that expired and I removed and replaced the renewed cert on all SharePoint servers -
* in IIS;
* in Cert:\LocalMachine\Sharepoint;
* in SharePoint SPTrustedRootAuthority
* STS
... but I still get the following error:
Server Error in '/' Application.
NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.IdentityModel.Tokens.SecurityTokenValidationException: NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityTokenValidationException: NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
]
Microsoft.SharePoint.SPImmutableCertificateValidator.Validate(X509Certificate2 certificate) +556
Microsoft.SharePoint.SPCertificateValidator.Validate(X509Certificate2 certificate) +362
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +451
[SecurityTokenValidationException: ID4257: X.509 certificate 'CN=*.abcd.com, OU=Domain Control Validated' validation failed by the token handler.]
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1557
Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +127
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.GetPrincipalFromToken(SecurityToken securityToken) +247
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.AuthenticateUser(SecurityToken securityToken) +11
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.SetPrincipalAndWriteSessionTokenWithOptions(SecurityToken securityToken, SPSessionTokenWriteType writeOperationType) +293
Microsoft.SharePoint.IdentityModel.<>c__DisplayClass5.b__1() +240
Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) +194
Microsoft.SharePoint.IdentityModel.SPWindowsClaimsAuthenticationHttpModule.PerformClaimsAuthenticationForUser(HttpContext context, SPFederationAuthenticationModule fam, SessionAuthenticationModule sam, WindowsIdentity windowsIdentity, SessionSecurityToken sessionSecurityToken, Boolean writeCookie) +362
Microsoft.SharePoint.IdentityModel.SPWindowsClaimsAuthenticationHttpModule.AuthenticateRequest(Object sender, EventArgs e) +822
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +229
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +213
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +91
Does anyone know how to resolve this?
It appears the SSL cert was also used for the Security Signing Service (STS) as well, so I used the PowerShell below and it worked:
# Inspect the current STS configuration first
Get-SPSecurityTokenServiceConfig
$path = 'C:\Certs\wildcard_abcd_com.pfx'
$pass = 'P#$$W0rd'
# Import-PfxCertificate expects a SecureString for -Password, not a plain string
$securePass = ConvertTo-SecureString $pass -AsPlainText -Force
Import-PfxCertificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root -Password $securePass
# 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path, $pass, 20)
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert
iisreset /restart
Restart-Service SPTimerV4
I hope this saves someone a few hours.
Cheers,
~G
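The two SharePoint answers above (the KB2661254 512-bit key case and the expired STS signing certificate case) both come down to a certificate that the token handler rejects. The following audit script is an added example, not code from either post; it walks the stores and SharePoint objects those answers mention and flags certificates with an RSA key below the 1024-bit floor or outside their validity period. The store names, registry path and key-size floor come from the posts; the property paths LocalLoginProvider.SigningCertificate and .Certificate on Get-SPTrustedRootAuthority output are assumptions, and it is meant to run in the SharePoint Management Shell.

```powershell
# Added audit example (not from the original posts). Assumes SharePoint cmdlets are loaded.
$MinRsaBits = 1024   # floor introduced by KB2661254, per the first answer

function Get-CertFinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Location)
    if (-not $Cert) { return }
    # GetRSAPublicKey returns $null for non-RSA certificates
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $bits = if ($rsa) { $rsa.KeySize } else { $null }
    $now  = Get-Date
    $problems = @()
    if ($bits -and $bits -lt $MinRsaBits) {
        $problems += "RSA key $bits bits < $MinRsaBits (NotSignatureValid risk)"
    }
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "outside validity period (NotTimeValid)"
    }
    [pscustomobject]@{
        Location   = $Location
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        RsaBits    = $bits
        Problems   = ($problems -join '; ')
    }
}

$findings = @()
# 1. Local machine stores the second answer replaced the certificate in
foreach ($store in 'My', 'Root', 'SharePoint') {
    Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += Get-CertFinding -Cert $_ -Location "Cert:\LocalMachine\$store" }
}
# 2. SharePoint trusted root authorities (trust chain for incoming tokens); .Certificate is assumed
Get-SPTrustedRootAuthority | ForEach-Object {
    $findings += Get-CertFinding -Cert $_.Certificate -Location "SPTrustedRootAuthority:$($_.Name)"
}
# 3. The STS signing certificate the second answer re-imported; property path is assumed
$sts = Get-SPSecurityTokenServiceConfig
$findings += Get-CertFinding -Cert $sts.LocalLoginProvider.SigningCertificate -Location 'STS signing certificate'

# 4. Detect the registry workaround the first answer warns against (lowered chain-engine floor)
$regPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$floor = (Get-ItemProperty -Path $regPath -Name minRSAPubKeyBitLength -ErrorAction SilentlyContinue).minRSAPubKeyBitLength
if ($floor -and $floor -lt $MinRsaBits) {
    Write-Warning "minRSAPubKeyBitLength is set to $floor; the KB2661254 default of $MinRsaBits is overridden on this server."
}

# Only report certificates with at least one problem
$findings | Where-Object { $_.Problems } | Format-Table Location, Subject, NotAfter, RsaBits, Problems -AutoSize
```

A clean run prints nothing from the table and no warning; any row it does print names the exact location whose certificate needs replacing rather than the chain floor being lowered.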
I'm trying to configure data protection and to use a certificate to protect the key files. Here is the MS documentation: Configuring data protection
Here is what I'm trying to do:
services
    .AddDataProtection()
    .SetApplicationName("test server")
    // PersistKeysToFileSystem takes a DirectoryInfo, not a string
    .PersistKeysToFileSystem(new DirectoryInfo("/home/www-data/config"))
    .ProtectKeysWithCertificate(
        new X509Certificate2("/home/www-data/config/keyprotection.pfx"));
When I launch the application I get the following error on startup:
info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
Creating key {71e2c23f-448b-49c9-984f-3c8d7227c904} with
creation date 2017-08-29 18:53:51Z, activation date 2017-08-29 18:53:51Z, and expiration date 2017-11-27 18:53:51Z.
info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
Writing data to file '/home/www-data/config/key-71e2c23f-448b-49c9-984f-3c8d7227c904.xml'.
fail: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[24]
An exception occurred while processing the key element '<key id="71e2c23f-448b-49c9-984f-3c8d7227c904" version="1" />'.
System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[12]
Key {71e2c23f-448b-49c9-984f-3c8d7227c904} is ineligible to be the default key because its CreateEncryptor method failed.
System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
at System.Lazy`1.CreateValue()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.get_Descriptor()
at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key)
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[12]
Key {71e2c23f-448b-49c9-984f-3c8d7227c904} is ineligible to be the default key because its CreateEncryptor method failed.
System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location where exception was thrown ---
So the key is created and well encrypted. But it seems that somehow it doesn't know how to decrypt it, as it says in the error:
System.Security.Cryptography.CryptographicException:
Unable to retrieve the decryption key.
If I understand it correctly, it uses the certificate I provided to encrypt the key. But it looks like it doesn't use the same cert for the decryption for some reason (it looks like it tries to retrieve it from somewhere else [store?]).
What is going wrong?
I also tried to put the cert into CA store as described here:
Create a Self-Signed Certificate and trust it on Ubuntu Linux
Then I tried to find them back from the code like this:
var cert = new CertificateResolver().ResolveCertificate(CertThumbprint);
But it didn't work (it cannot find it).
I also tried to find them using the following approach:
var store = new X509Store(StoreName.CertificateAuthority,
StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var collection = store.Certificates.Find(
X509FindType.FindByThumbprint,
CertThumbprint, false);
store.Close();
var x509Cert = collection.Count > 0 ? collection[0] : null;
But it didn't work either.
So what is the right way?
For reasons known only to Microsoft, the ProtectKeysWithCertificate overrides that accept actual certificates (PFX files or X509Certificate2 objects) are only able to encrypt DPAPI data. Decryption only works if the same certificate is stored in the machine's certificate store, which makes those overrides relatively pointless.
Why? Who knows. It isn't particularly useful information, but it's vaguely dismissed here as a "limitation of the underlying framework".
In this related discussion (which was just closed without any Microsoft assistance or engagement at all), a user shares custom persistence classes which aren't affected by this mysterious "limitation." GitHub repo linked below. I know this is an old question, but maybe it'll help someone else.
https://github.com/tillig/DataProtection
Update: This will be fixed in the upcoming Core 2.1.0 release:
https://github.com/aspnet/Home/issues/2759#issuecomment-367157751
Hi guys,
I developed a WebForms application using VS 2012. I've published it on Azure.
After that I integrated ACS (I've set the URL to my already published application).
I published the application again, but it doesn't work.
After I've registered myself (for example using Yahoo or LiveID) I've got this error:
Server Error in '/' Application.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +379
System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +52
[InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +167
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +57
System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +658
System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +86
System.IdentityModel.Services.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +144
System.IdentityModel.Services.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +82
System.IdentityModel.Services.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +216
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +860
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +369
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69
What should I do?
I've set the URLs correctly. I don't have any references to "localhost" in web.config.
I don't know what I must set additionally for this to work.
By default WIF uses DPAPI to encrypt cookies. Switch to cert-based encryption. See this answer:
Is it possible to run WIF without LoadUserProfile = True
Vittorio Bertocci answers the question here
http://www.cloudidentity.com/blog/2013/01/28/running-wif-based-apps-in-windows-azure-web-sites-4/
DPAPI is not available in cloud web apps, and 4.5 has a simple solution.