I created a web application and added an ELMAH module for error logging. It was working with my local development environment: when I access the URL http://localhost:52584/elmah.axd it shows me a valid page:
When I test it after uploading to the Azure portal, it shows me an error page:
Is there any specific configuration I need to do for the Azure platform?
Also, I have done forms authentication on my web application, so when I try elmah.axd it will redirect to the login page and I need to log in first. I would like to remove that forms authentication, particularly for elmah.axd. How can I achieve this?
The NuGet package does not add the following important lines to web.config, resulting in a 403 error.
<elmah>
  <security allowRemoteAccess="1" />
  <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/app_data/elmah" />
</elmah>
This should fix the 403.
Also you may want to restrict the access to error logs by
<add name="Elmah" verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
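A check for the exposure these settings can create (an added example, not code from the original answer or from ELMAH): with allowRemoteAccess enabled, the error log viewer can be requested from outside unless an authorization rule covers the handler path. The two web.config samples, the role name admin, the set of values treated as enabled, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: remote access on, nothing restricting elmah.axd.
EXPOSED = """<configuration>
  <elmah><security allowRemoteAccess="1" /></elmah>
</configuration>"""

# Constructed sample: same setting, but only the assumed role "admin" may
# request elmah.axd; every other user is denied.
RESTRICTED = """<configuration>
  <elmah><security allowRemoteAccess="1" /></elmah>
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

ENABLED = {"1", "true", "yes", "on"}  # values this check treats as "on"

def remote_access_on(root):
    sec = root.find("./elmah/security")
    return sec is not None and sec.get("allowRemoteAccess", "").lower() in ENABLED

def handler_restricted(root, handler_path):
    """True if a <location> for the handler denies all or anonymous users
    before any rule that allows everyone (ASP.NET applies the first match)."""
    want = handler_path.strip("/").lower()
    for loc in root.findall("./location"):
        if loc.get("path", "").strip("/").lower() != want:
            continue
        for rule in loc.findall("./system.web/authorization/*"):
            users = {u.strip() for u in rule.get("users", "").split(",")}
            if rule.tag == "allow" and "*" in users:
                return False
            if rule.tag == "deny" and users & {"*", "?"}:
                return True
    return False

def audit(config_text, handler_path="elmah.axd"):
    root = ET.fromstring(config_text)
    if remote_access_on(root) and not handler_restricted(root, handler_path):
        return "EXPOSED"
    return "OK"
```

Rules on a parent path or in the site-wide authorization section are not considered, so the check errs toward reporting EXPOSED; pass handler_path="admin/elmah.axd" when the handler is registered under that path as in the answer.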
We have a simple Azure App Service app and part of that app accesses a SharePoint doc library to upload files. This has worked for years but recently stopped working. We generated a new clientid and secret thinking that was the problem - still no luck. We have been working with Microsoft for 3 weeks on the problem and they have been useless - they don't even know what a doc library is most of the time and all they do is "take screenshots and will get back."
I can get a token and use it to pull resources in Postman just fine.
The following is the code in web.config:
`<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ida:ClientId" value="spclientid" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
<add key="ida:ClientSecret" value="spclientsecret" />
<add key="ida:Domain" value="ourdomain.com" />
<add key="ida:TenantId" value="tenantid" />
<add key="ida:PostLogoutRedirectUri"
value="https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession/" />
</appSettings>`
At our rope's end with this one, any ideas?
Thanks in advance.
• You must use ‘AllowAppOnlyPolicy=true’ in your manifest file for the registered Azure AD SharePoint app to acquire token from the registered application in Azure AD on behalf of the service principal created through your ‘App Service’. Also, you can grant the required permissions for accessing the SharePoint Online website through your ‘App Service’ as shown below in the snapshot through the Azure AD app registration portal instead of the ‘App manifest’ file:
Thus, when you are providing the correct permissions to the ‘SharePoint’ portal through this ‘Service Principal’ in Azure AD for OAuth 2.0 as well as configuring the ‘Authentication’ token and protocols too correctly, the Azure App Service should be able to access the SharePoint doc library to upload files.
• Finally, please once again check the correct value of the secret ID and its value that is being used to connect to the SharePoint website on behalf of the SP app in Azure AD. Also, do check the correct tenant ID, domain and AADInstance of the registered SP for your app service, the details of which you have mentioned in the ‘App settings.json’ file of the code.
For more details and clarification on this, kindly refer to the below links explaining the issues regarding the ‘SharePoint’ token helper issues and CSOM platform issues regarding various browsers that are used to try to access the same:
https://github.com/SharePoint/sp-dev-docs/issues/6955
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient
I have a website that is hosted in an Azure App Service. Are there any options in Azure so that I can put a password on the website? Ideally without changing the website's code.
Just a basic password or user name and password, doesn't need to be Google or Facebook login or AD login.
It is a .NET-based website and I have seen a few options to do this, but it means I have to change the code of the website in some way or another.
Surely with all that sophisticated cloud technology, I can go into the portal and set a password at a server level? - Or is the only way to make some kind of change to the application?
It is possible to enable Basic Authentication for Azure Web Apps with some settings in the applicationHost.xdt. You can load some modules in this file on the start of your Web App.
Steps:
Navigate to your WebApp in the Azure Portal
In the left menu, search for the header Development Tools and select Advanced Tools (Kudu)
Use the Debug Console > CMD tool, to navigate to the WebApp directory: \home\site
Create a file named: applicationHost.xdt
Paste the following:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location path="%XDT_SITENAME%" xdt:Locator="Match(path)">
    <system.webServer>
      <rewrite xdt:Transform="InsertIfMissing">
        <allowedServerVariables xdt:Transform="InsertIfMissing">
          <add name="RESPONSE_WWW_AUTHENTICATE" xdt:Locator="Match(name)" xdt:Transform="InsertIfMissing" />
        </allowedServerVariables>
        <rules xdt:Transform="InsertIfMissing">
          <rule name="BasicAuthentication" stopProcessing="true" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)">
            <match url=".*" />
            <conditions>
              <add input="{HTTP_AUTHORIZATION}" pattern="^Basic dXNlcjpwYXNzd29yZA==" ignoreCase="false" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="401" statusReason="Unauthorized" statusDescription="Unauthorized" />
            <serverVariables>
              <set name="RESPONSE_WWW_AUTHENTICATE" value="Basic realm=Project" />
            </serverVariables>
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
  </location>
</configuration>
Change the Basic Auth to your liking (default in example is: user:password)
Make sure the web.config rewrite rules don't contain <clear /> as this will remove the effects from the applicationHost.xdt file
Save the file and Stop and Start your WebApp (a simple Restart will not suffice)
Notes:
Not sure if this works on Linux-based WebApps.
You can add this step to your deployment pipelines by using FTP
Update: I've noticed issues with applicationHost.xdt while using it on secondary Web App slots. Only the primary slot seems to work.
PS: Cross-post from my answer here.
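Building the pattern value for the "Change the Basic Auth to your liking" step, as an added example that is not part of the original answer: the Base64 token can contain `+`, which the rewrite condition reads as a regex quantifier, so an unescaped token can lock out the legitimate credentials. The function names and the sample credentials are constructed, the trailing `$` is an addition to the answer's pattern, and Python's `re` stands in for the rewrite module's regex engine.

```python
import base64
import re

def basic_auth_pattern(user, password):
    """Build the pattern attribute for the {HTTP_AUTHORIZATION} condition."""
    if ":" in user:
        raise ValueError("a Basic auth user name cannot contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    # Base64 uses A-Z a-z 0-9 + / = ; of these only '+' is a regex operator.
    # The trailing '$' is an addition here: the pattern in the answer is not
    # end-anchored, so it also matches headers with extra trailing characters.
    return "^Basic " + token.replace("+", r"\+") + "$"

def rule_lets_through(pattern, authorization_header):
    """The rule has negate="true": it answers 401 when the pattern does not
    match. Python's re stands in for the rewrite module's regex engine."""
    return re.search(pattern, authorization_header) is not None

def demo():
    # Constructed credentials whose Base64 form contains '+'.
    header = "Basic " + base64.b64encode(b"u:~pw").decode("ascii")
    return {
        "escaped": rule_lets_through(basic_auth_pattern("u", "~pw"), header),
        "unescaped": rule_lets_through("^Basic " + header[6:], header),
    }
```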
You can use Authentication and authorization in Azure App Service.
Authentication/Authorization was previously known as Easy Auth.
Azure App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions. This article describes how App Service helps simplify authentication and authorization for your app.
Source: Authentication and authorization in Azure App Service and Azure Functions.
EDIT:
The above is a solution to have a password protected App Service without changing any code whatsoever. At this point there is no alternative, as you can see in the open feedback issue Allow HTTP Basic authentication on basic apps
Hi everyone, we understand the demand for this feature, but we do not plan to support authentication at this level. We suggest using EasyAuth for this scenario.
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
EDIT 2:
This method forces the user to use google or facebook, etc...
This is not true. You can also create a user in your Azure Active Directory and use that one with Easy Auth. The username would be something like username#<YOUR-TENANT>.onmicrosoft.com
I am trying to verify my domain through Azure using this article. However, it keeps saying it cannot verify. I think maybe it's because I am assuming just putting it in my wwwroot is sufficient, but I don't know what else I need to do to have https://{YOUR-DOMAIN-HERE}.com/.well-known/microsoft-identity-association.json open the file itself for verification.
Verification of publisher domain failed. Unable to connect to https://mydomain/.well-known/microsoft-identity-association. [uFNK6]
Many people have faced this issue; you could have a look at this1 and this2 on GitHub. You may get a one-time free support ticket for this issue via
You could send an email to AzCommunity[at]microsoft[dot]com with a
reference to this thread and also your Azure Subscription GUID.
As a workaround, you could add your custom domain to Azure AD. Then verify your custom domain name. After verifying your domain, you could directly select a verified domain or verify a new domain in the Publisher Domain panel without hosting the file at https://{YOUR-DOMAIN-HERE}.com/.well-known/microsoft-identity-association.json.
Hope this could help you.
I solved this problem by adding a web.config file to the .well-known folder to remove charset=utf8 from the Content-Type response. This appears to be necessary.
Before you start, you can check with curl from a PowerShell instance to see if the Content-Type being returned includes the charset and therefore is the source of your problem.
C:> curl https://www.whateveryourdomainis.org/.well-known/microsoft-identity-association.json
The web.config file contents are as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="MicrosoftIdentityAssociation" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
    </handlers>
    <staticContent>
      <remove fileExtension=".json" />
      <mimeMap fileExtension=".json" mimeType="application/json" />
    </staticContent>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
You need to be aware that this will modify the child folders too, so if you have other sub-folders you may have to take remedial action, i.e. another web.config file putting it back. However, it may be that once you have verified the site, the verification code can be deleted. See https://learn.microsoft.com/en-us/answers/questions/37272/should-we-continue-to-host-microsoft-identity-asso.html
When I browse to my Azure webapp URL, I am re-directed to some other URL. I don't have any re-write rules in my web.config file. How can I analyze what is causing this issue?
I had an asp site that was having similar re-direct issue with status code 302.
Below are the steps that I followed to analyze the problem. I’ve enabled FREB logs on Azure and have documented the steps below.
Step 1: Update your Web Config
Enabling Failed Request Tracing will help identify where in the request pipeline the request is hanging.
To enable Failed Request Tracing on your Azure App Service, add the following code snippet to the wwwroot web.config of your App Service. Add it within the section.
<tracing>
  <traceFailedRequests>
    <remove path="*" />
    <add path="*">
      <traceAreas>
        <add provider="ASP" verbosity="Verbose" />
        <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
        <add provider="ISAPI Extension" verbosity="Verbose" />
        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
      </traceAreas>
      <failureDefinitions statusCodes="300-399" />
    </add>
  </traceFailedRequests>
</tracing>
NOTE: Here, if the request HTTP status is between 300 and 399, the request gets logged. You can log requests based on your error code.
Step 2 : Enable Failed Request Tracing from Azure Portal
Open Azure Portal and go to your App Service page. Enable Failed Request Tracing in the diagnostics logs section as shown in the figure below:
https://i.stack.imgur.com/WQbAk.png
Step 3 : Repro the Issue
Now, browse to the URL that is causing this issue and reproduce the issue, and you should now have the FREB log file created.
Step 4 : Analyze the Logs
Browse to https://yourAppService.scm.azurewebsites.net and then select Debug Console on the tool bar as below.
https://i.stack.imgur.com/sfs7u.jpg
Now a few options will be displayed; you need to select the LogFiles folder and then look for the W3SVC***** folder as shown below:
https://i.stack.imgur.com/6ea9k.jpg
That’s where you see FREB log files in fr*****.xml format. You will notice an option to download the file as highlighted below:
https://i.stack.imgur.com/uPDxY.jpg
https://i.stack.imgur.com/Iusxc.jpg
In my repro, I saw from the logs that my ASP application was throwing a 302 and had a response redirect in my code.
https://i.stack.imgur.com/l1sno.png
Hope this works for you.
Maybe I'm misunderstanding how to create a cache, but none of the IDs or access keys is working to enable the Azure cache. I've gone through the following tutorials:
http://msdn.microsoft.com/en-us/library/windowsazure/gg618003.aspx
http://msdn.microsoft.com/en-us/wazplatformtrainingcourse_buildingappswithcacheservice_topic3#_Toc310505080
And about half a dozen different "how to create a cache in Azure" pages, and I'm still getting:
Authorization token passed by user Invalid.
I've got a website and cloud service with linked storage, and nowhere can I find a URL "yourcachename.cache.windows.net" or an Authentication Token in the manage Azure portal. Any suggestions would be greatly appreciated.
It turns out that I was getting confused between versions of Azure. I'm not sure what version this started in but I was working in 1.8 and I did not need an access key. Once I added the below sections to the web.config everything worked.
<dataCacheClients>
  <dataCacheClient name="default">
    <autoDiscover isEnabled="true" identifier="{your cache worker role}" />
    <localCache isEnabled="true" sync="TimeoutBased" objectCount="100000" ttlValue="300" />
  </dataCacheClient>
</dataCacheClients>
<cacheDiagnostics>
And then in order to get Sessions to work I needed to add this:
<sessionState mode="Custom" customProvider="AFCacheSessionStateProvider">
  <providers>
    <add name="AFCacheSessionStateProvider" type="Microsoft.Web.DistributedCache.DistributedCacheSessionStateStoreProvider, Microsoft.Web.DistributedCache" cacheName="default" dataCacheClientName="default" applicationName="AFCacheSessionState"/>
  </providers>
</sessionState>
You need to log in to the old portal via the link on the new portal, click on shared caching, service bus and access control. Create/select a namespace and the auth token will be displayed on the right-hand sidebar.