We have implemented a federation server which works fine in most cases. It relies on ws2007HttpBinding and implements an extension of UserNameSecurityTokenHandler (called CustomSecurityTokenHandler). On our LAN, all works fine.
However, we have the following scenarios which fails :
1) Instead of the local LAN, the server is deployed on Amazon EC2. The client is a WPF application which connects to the server. When the client is installed on pc within a workgroup, the connection is fine.
2) When the PC is located in a AD domain however, we cannot connect. This does not seem to be due to network issues : the connection to EC2 is still ok, we indeed connect to the federation provider, but never enter into the CustomSecurityTokenHandler.
So it looks as if the server was correctly configured for our local LAN, but suddenly gets stuck when the server is on some external network and the client calls from our local domain.
There's probably some kind of remove section in the configuration to do, but I don't see where.
I already have :
<microsoft.identityModel>
<service>
<securityTokenHandlers>
<remove type="Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add type="MyOwnFP.Federation.CustomSecurityTokenHandler, MyOwnFP.Federation"/>
Any idea would be most welcome.
Actually due to a time clock difference between server and client. Resolved by synchronizing my domain with a proper NTP.
Related
I want to make my identity server public so that all users who visit it can access the identity server but right now only I can access it since it's hosted locally. How can I deploy this so that it runs on my IIS? Will copying and pasting the WSO2 IS folder into my inetpub\wwwroot folder work? (And after configuring the .xml files so that it shares my public domain)
I tried reading the WSO2 IS documentation but it's not very clear to me how I can make it public. I was hoping for a systematic tutorial/way to do this but it chains from one step to multiple.
https://docs.wso2.com/display/IS530/Deployment+Guidelines+in+Production
https://docs.wso2.com/display/IS550/Changing+the+hostname
I believe there are a few misconceptions (no, copying the installation into inetpub\wwwroot won't work, it's not php)
chains from one step to multiple
well - the documentation is related only to a product, it assumes some knowledge of the network and systems it runs on
1 - you should run the WSO2IS as a service ( so this is Windows guide may be helpful and this here is how to run the WSO2IS as as service for Linux)
2 - change the repository/conf/carbon.xml
(this step is optional, but increases security)
HostName - to the public hostname
MgtHostName - to internal hostname, so the administrative console is not accessible from internet
3 - The best practice to expose the WSO2IS would be a reverse proxy (depending you are using IIS, nginx or httpd) so you don't expose the default port 9443 to the outside directly (I assume you want to use your own SSL certificate on 443 and TLS termination in the web server)
For the default WSO2IS applications you need to create a reverse proxy from `HTTPS:443 -> HTTP:9763
update /repository/conf/tomcat/catalina-server.xml and on the Connector listening on 9763 add attribtue proxyPort="443"
(Note: now I am not sure if it will work, what will work for sure is TLS bridging HTTPS:443->HTTPS:9443, it means adding proxyPort="443" to the Connector for port 9443)
Every WSO2 product already has an application server shipped with a TomCat.
This way you do not need, nor should, place the fonts on another separate application server. Use what's in the product.
By its description it seems to me that you do not have much familiarity with infrastructure, servers and etc, I will try to help you and clarify some points.
As I mentioned above, you should use the TomCat that already comes with the product and put it in some VM (Server) that has Internet output, that is, it has ports 80, 443 and also ports 9443 and 8243 (which are the default product ports) released for access beyond the internal network (LAN).
If you get the Public IP of that VM where the WSO2 Identity Server product is running, and access it from outside your local area network (LAN), the service should work.
Making an analogy to a Web site is the same concept. When you want to put a Web Site publicly for the internet, as you said put the fonts inside apache's WWW folder or something, it's the same concept, so people outside of your local network can access this website, this Apache would have to be with a Public IP, It's the same concept, but WSO2 already has its "Apache" TomCat internally, just leave your Public IP.
I am facing some problem with socket getting keep polled continuously without gap. Not sure whats happening.
If same code placed in digital ocean cloud, it's not happening.
Little background:
I'm running azure VM behind load balancers.
If you created load balancer using Application Request Routing with IIS, you'd need to Disable WebSocket when using socket.io on node.js.
If you are using the WebSocket support in socket.io on node.js in your
site, you will need to disable the default IIS WebSockets module by
adding the below snippet to your web.config or applicationHost.config.
If this is not done, the IIS WebSockets module will attempt to handle
the WebSocket communication rather than letting this task fall through
to node.js (and hence your application). This will result in
unexpected errors when you attempt to access your site.
<system.webServer>
...
<webSocket enabled="false"/>
</system.webServer>
Updating to latest socket library in nodeJS fixed this issue. Try your luck!
I'm hosting a small node.js app in azure, but when a client is joined it gets reconnected almost immediately and this is keep going on!
If i switch "Web Sockets" on in Azure, the reconnections are gone, but it doesn't seem to recieve any disconnect event if i close the clients*, also the connection events are registered relatively slow as well!
*disconnect events do get registered after a minute delay!
If i run the app in local, everything works fine!
You didn't share any code or web.config file with us. However, there is an official instruction: Create a Node.js chat application with Socket.IO in Azure App Service we can follow.
You may need to pay attention to Verify web.config settings:
Azure web apps that host Node.js applications use the web.config
file to route incoming requests to the Node.js application. For
WebSockets to function correctly with Node.js applications, the
web.config must contain the following entry.
<webSocket enabled="false"/>
This disables the IIS WebSockets module, which includes its own
implementation of WebSockets and conflicts with Node.js specific
WebSocket modules such as Socket.IO. If this line is not present, or
is set to true, this may be the reason that the WebSocket transport
is not working for your application.
I've got a ServiceStack application that almost works when self hosted rather than to use IIS.
If I start the service and connect from a remote machine to the ip address of the PC http://10.0.0.5:81 then it's fine and everything works as expected.
However if I start the service and the first connection happens to come in on localhost (say because I'm testing the service is working after it's been installed) then all remote machines get redirected to http://localhost:81. The same is true if I used 127.0.0.1:81 with remote PC's getting redirected to the loop back address.
At that point all I can do is restart the service and connect from a remote machine first to get it working again.
Is there some way to disable what appears to be this caching?
ServiceStack tries to infer the BaseUrl for your services which it can only do at runtime which it then caches for subsequent requests. You can specify it to use an explicit Base Url instead with:
SetConfig(new HostConfig {
WebHostUrl = "http://10.0.0.5:81",
});
I am having problems with sending emails from an ASP.NET MVC 4 app. I am getting the dreaded:
No connection could be made because the target machine actively refused it 127.0.0.1:25
The client's mail server is on another box. I have the correct host name and I can ping it. I can also use telnet to show that the mailserver is ready and listening on port 25.
In my web.config file, I have the following:
<system.net>
<mailSettings>
<smtp deliveryMethod="Network" from="support#myclient.co.uk">
<network host="mailserver1" clientDomain="OfficeNetwork.local" />
</smtp>
</mailSettings>
</system.net>
However, I still get the error above, as if it was trying to find a mailserver on the local machine.
Why?
Not being an expert on IIS or mail servers, do I need to add anything to the default configurtion so that my web app, running on the web server, can use the mailserver that is on another box? Ie, is there an SMTP service I need to install for this to happen?
You need to add SMTP as a new role in IIS. Its fairly easy.
This should get you started
Don't forget to check the service has started and running.
The network guy came back and solved it. However, I have no idea why it works.
All he did was create a user and password on the mail server that I added to the tag and voila all problems disappear. I suspect it is down to how they have security configured for the mail server and they aren't telling me... Alternatively, they don't have a clue either and either got lucky and someone told them to try that.
So another day older and not even a little bit wiser. Just deeper in debt. But not to the network guy.