I came across so many questions and answers but could not understand them or find a solution, as my case is a bit different.
I am using Azure with OpenID Connect for Active Directory authentication (ASP.NET Framework 4.6.1).
It had been working fine for years, but the day before yesterday this error occurred for only about 1 hour. The error occurred when trying to do AD authentication.
"
Exception Message: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
Inner Exception: System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
StackTrace: System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request)."
During this, local authentication and the rest of the application were working fine. After 1 hour the issue resolved automatically.
The same happened yesterday. The issue occurred for 1 hour and resolved automatically.
Other solutions suggest setting IdentityModelEventSource.ShowPII = true;
But I don't think it requires code modification.
Please guide me on what the reason can be that this happens for only a short time.
Note: this is happening on only one server; all applications on other servers are working fine.
Please check whether the following are the causes.
The error usually appears when the application's configuration is not able to retrieve the OIDC metadata properly. Please make sure Instance, Domain, TenantId and ClientId are correct.
Also, please make sure to use the latest version (or 4.7.2) of your .NET Framework, as a few tasks may require an updated/latest version of the “.NET” Framework in order to work properly.
This error might occur if the application is running on TLS 1.1 or TLS 1.0, as they are deprecated. Use the protocol TLS 1.2 for the application.
In some cases packages may be defaulting to TLS 1.1 even after that when loading that metadata and may take time to check for the correct one.
To resolve, try adding the following in Global.asax.cs, which will allow the openid-configuration to be obtained as it is pointed to TLS 1.2 or above. Make sure to change the TLS version to 1.2 in the portal also.
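// requires: using System.Net;
protected void Application_Start()
{
    // Allow TLS 1.2 only. SSL 3.0 is not enabled: it is a deprecated, broken protocol
    // and contradicts the "TLS 1.2 or above" requirement described above.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    // other code
}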
References:
azure ad enable-support-tls-environment | microsoft docs
Error: Unable to retrieve document from:
'https://login.microsoftonline.com/.well-known/openid-configuration'- Microsoft Q&A
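To see what the one affected server actually receives during an outage window, the console probe below offers only TLS 1.2 to the metadata host, reports any outbound proxy, and fetches the document while keeping the response body that the IDX20804 message omits. It is an added example, not code from the posts above or from Microsoft; the class name `OidcMetadataProbe` and the command-line argument are assumptions, and the argument should be the metadata address the application is configured with.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (hypothetical class name). Usage: OidcMetadataProbe.exe <metadata-url>
static class OidcMetadataProbe
{
    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: OidcMetadataProbe <metadata-url>"); return 2; }
        var uri = new Uri(args[0]);
        try
        {
            // 1. Direct connection (no proxy): does a handshake succeed when only TLS 1.2 is offered?
            using (var tcp = new TcpClient(uri.Host, uri.Port))
            using (var ssl = new SslStream(tcp.GetStream()))
            {
                ssl.AuthenticateAsClient(uri.Host, new X509CertificateCollection(), SslProtocols.Tls12, false);
                // An unexpected subject here points at TLS inspection on this server's path.
                Console.WriteLine("TLS ok: {0}, certificate {1}", ssl.SslProtocol, ssl.RemoteCertificate.Subject);
            }

            // 2. Is an outbound proxy configured on this server?
            IWebProxy proxy = WebRequest.DefaultWebProxy;
            bool direct = proxy == null || proxy.IsBypassed(uri);
            Console.WriteLine("Route: {0}", direct ? "direct" : proxy.GetProxy(uri).ToString());

            // 3. Fetch the metadata document and keep the body of a non-success response.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            using (var http = new HttpClient { Timeout = TimeSpan.FromSeconds(15) })
            using (HttpResponseMessage resp = http.GetAsync(uri).GetAwaiter().GetResult())
            {
                string body = resp.Content.ReadAsStringAsync().GetAwaiter().GetResult();
                Console.WriteLine("{0:o} HTTP {1} {2}", DateTime.UtcNow, (int)resp.StatusCode, resp.ReasonPhrase);
                if (resp.IsSuccessStatusCode) return 0;
                Console.WriteLine(body);   // the error body is what the exception message leaves out
                return 1;
            }
        }
        catch (Exception ex)
        {
            // Print the whole chain: handshake, DNS and proxy failures surface as inner exceptions.
            for (Exception e = ex; e != null; e = e.InnerException)
                Console.Error.WriteLine("{0}: {1}", e.GetType().Name, e.Message);
            return 1;
        }
    }
}
```

Running it on a schedule on both the failing server and a healthy one gives timestamped output to compare when the error next appears.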
Does anyone have any idea? I’ve been struggling with this for some time.
I'm using SignalR (ASP.NET 5). When I try to debug locally (IIS 10.0 Express) everything is working fine. SignalR is working (long poll).
Now when I publish the app to Azure I can access: .azurewebsites.net/signalr/hubs
but I cannot access .azurewebsites.net/signalr/hubs/negotiate
it returns:
The specified CGI application encountered an error and the server terminated the process.
When my web app calls $.connection.hub.start() it will fail.
GET XHR http://xxxx.azurewebsites.net/signalr/negotiate [HTTP/1.1 502 Bad Gateway]
I’m running out of ideas. I don't know how I can get more debug information.
Small selection of my ‘already tried’ list:
Set the $.connection.hub.url path manually to http://xxxx.azurewebsites.net/signalr/
Enable/Disable websockets
Removed forwardWindowsAuthToken from the web.config httpPlatform
EDIT:
Now getting more details on this error:
CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Still absolutely no idea how to solve this!
Solved by using appBuilder.UseAesDataProtectorProvider();
(from Owin.Security.AesDataProtectorProvider;)
I have no idea if this is the best solution.
I have installed the API Mgr 1.7.0 in Win 7 64. I have been through the Quick Start guide and all appeared to work as described. However, when I get to the point of trying the subscribed-to cdyne api, the 'moving dots' graphic stays there forever. I can't find a way to stop it, other than a browser refresh. I can't see an entry in the API Mgr system logs.
I have removed the parameters and the auth info, which is supposed to return a 401, but it doesn't and the moving dots continue. I'm using Firefox 31, with AdBlock+ and Noscript. There are no blocked scripts as far as I can see.
[edit 1] I get the same problem with the first sample (YouTube). I wonder if the problem is caused by port values? As I have the ESB installed, I increased all the ports for API Mgr by 1. Maybe I missed one, or there is one that hasn't been documented.[/edit 1]
[edit 2] I have reinstalled the API Mgr. I stopped the ESB and left the APIM ports as default. I have recreated the Phone Verify service and I still have same problem with 'Try it now'. I set the global log level to DEBUG, but there is too much detail to be of use. I don't know what package names to set for this problem.
There was an entry in the Application Logs as follows, which might be relevant. The first few lines are shown:
System Error Occurred
Exception occurred while trying to invoke service method getApplicationNames
The following error details are available. Please refer logs for more details.
org.apache.axis2.AxisFault: Exception occurred while trying to invoke service method getApplicationNames
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:445)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.logging.view.stub.LogViewerStub.getApplicationNames(LogViewerStub.java:3700)
at org.wso2.carbon.logging.view.ui.LogViewerClient.getApplicationNames(LogViewerClient.java:165)
[/edit 2]
Regards, John
You may not have configured CORS. CORS is cross-origin resource sharing [1] and it is used by the try-it feature in the store.
The CORS configuration is stored in [API Manager Home]/repository/conf/api-manager.xml . The header must include the host name used by the CORS request. The host name being used by the try-it service is shown in gray at the bottom-left hand corner of the API-Console / try-it screen. It should show up as 'base url'. For example: [ base url: http://10.212.0.846.:8281 , api version: 1.0 ]
You may also be having trouble with the default APIs - please make sure that the APIs in [API Manager Home]/repository/deployment/server/synapse-configs/default/api/ are updated with your port offset. This may be preventing basic authentication. It is documented here [2]
Hope that helps.
-Colin
[1] http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
[2] https://docs.wso2.com/display/AM170/Changing+the+Default+Ports+with+Offset
I have been trying to create a web api 2 that is secure with individual account.
So I can easily create WebApi2 with individual account, see link below
http://www.asp.net/vnext/overview/authentication/individual-accounts-in-aspnet-web-api
And Self hosting is easy to do.
http://www.asp.net/web-api/overview/hosting-aspnet-web-api/use-owin-to-self-host-web-api
But I cannot figure out how to combine the solutions.
As far as I got was adding a console app to a WebApi2 project, which seems to run. But whenever I try to get the access token it returns
An unhandled exception of type 'System.Net.WebException' occurred in System.dll
Additional information: The remote server returned an error: (500) Internal Server Error.
If anyone knows of a solution that would be great. Thanks
This post is way old, but to anyone else who is having this issue and finds this question, I was able to get past the 500 Error by adding app.UseWebApi(config); after setting up config, as mentioned in this post:
http://odetocode.com/blogs/scott/archive/2013/07/24/self-hosting-webapi-with-katana.aspx
HOWEVER, I'm now getting a 401, unauthorized request, for all of my requests, even though I have a valid token and I'm sending it the same way I did that worked in the non-self-hosted WebApi2 app. But I'm one step closer anyways.
On IIS7 we host a WCF/ASP.NET based API. In order to allow users of a classic ASP application to connect to the API we had to publish a version we refer to as "transport". This Transport version is written in ASP.NET too; it points to the same assembly, it's just that the security layer is different to allow classic ASP to authenticate. Transport-level security is used as opposed to message-based security.
When using a browser to load the service reference I can load the svcutil.exe ... WSDL page.
When using my test asp page to call a web method from this reference i get the following returned:
Finished calling Web Service.
Status = Internal Server Error
ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
This suggests that the authentication is failing. When testing using asp.net or the application WCF storm to contact the normal API everything works well.
The API was recently migrated; it would appear something has not been set up correctly, but I am at a loss to explain what.
I can browse to the svcutil.exe ... WSDL service reference; when selecting it via the browser I get the expected XML response.
The USER NAME and password utilised work when using the non-classic ASP publication of the API using the message-based security.
Would it be possible to post some troubleshooting tips that may help diagnose the issue, please, specifically regarding transport-level security fault finding and setup?
Thank you
Scott
EDITED TO ADD THE FOLLOWING UPDATE:
Attempted to use the Default App Pool and a new App Pool but same problem persists.
My test page error: ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
IIS LOG shows:
v3/transport/testclassicasptransportwcfservice.asp ( 200 0 0 ) (i.e iis 200)
/V3/Transport/DeviceService.svc/DeviceService (500 0 0) (i.e iis error 500)
note: virtual dir defined on TRANSPORT and V3. V3 works ok using .net as opposed to classic asp to authenticate.
EVENT LOG:
The Template Persistent Cache initialization failed for Application Pool 'transport' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes.
This reference appears to suggest a fix, but many of the DIR paths and references in "appcmd" don't exist.
http://theether.net/kb/100127
REF http://theether.net/kb/100127
load cmd prompt
CD to C:\Windows\System32\inetsrv
enter: appcmd list config -section:system.webServer/asp
the following path is displayed: c:\inetpub\conf\temp\ASP compiled templates
check path exists (it does)
Check if the NETWORK SERVICE has permissions to access "ASP compiled templates" If not from appcmd execute;
icacls "c:\inetpub\conf\temp\ASP Compiled Templates" /grant "NETWORK SERVICE:(OI)(CI)(M)"
should read "successfully processed 1 files"
restarted app pool.
THE "InvalidSecurityAn error occurred when verifying security for the message" problem still persists, but the "COULD NOT CREATE A DISK CACHE SUB-DIRECTORY .... " error from the event log is no longer occurring.
Sorry, another update. The network service permission change DID NOT resolve the issue; changing to the DEFAULT APP POOL solved the problem.
Got a lead at last. Examined:
ServiceSecurityAudit set in service behaviour. Ref http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/#
IIS logs (simply shows the non-specific error 500.)
Fault tracing enabled( also shows error 500).
Custom errors were off
Friendly IE messages were off
Asp client side and server side debugging on
ProcessMon running , no errors.
Web.config <httpErrors errorMode="Detailed" /> +
ServiceSecurityAudit found me an "Object reference not set to an instance of an object" so sounds like our app has a bug.
Follow up (17/08/11):
Service Security Audit documented here:
http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/
Was the key for us to resolve this issue. It uncovered the Object Reference Error, which indicated our Business Objects and Data Access dlls were out of alignment. Using CLASSIC ASP to contact the WCF.NET API using TRANSPORT AUTHENTICATION there was absolutely no indication of this error until Service Security Audit was enabled on the behaviour.config file in the WCF deployment.
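The security auditing that exposed the fault in this thread can also be switched on in code rather than in the behaviour configuration. The factory below is an added example, not the poster's configuration; the class name `AuditingServiceHostFactory` is an assumption, and it would be named in the `Factory` attribute of the .svc file's `ServiceHost` directive.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Description;

// Hypothetical factory name; reference it from the .svc file's Factory attribute.
public class AuditingServiceHostFactory : ServiceHostFactory
{
    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        // The base factory builds the host and applies whatever web.config declares.
        ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);

        // Reuse an audit behaviour already declared in config, otherwise add one.
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            audit = new ServiceSecurityAuditBehavior();
            host.Description.Behaviors.Add(audit);
        }

        // Application event log: readable without access to the Security log.
        audit.AuditLogLocation = AuditLogLocation.Application;

        // Record both accepted and rejected attempts, so a generic HTTP 500 on the
        // client side can be matched to a concrete server-side event.
        audit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
        audit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;

        // If an audit record cannot be written, raise the failure instead of hiding it.
        audit.SuppressAuditFailure = false;

        return host;
    }
}
```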
I'm trying to connect from Adobe Flash Builder 4 beta to Red5 v0.9 RC2 (latest svn).
I try to connect using exactly the following example:
http://www.actionscript.org/resources/articles/615/3/Getting-started-with-red5-server/Page3.html
i get the following error message:
[INFO] [NioProcessor-3] org.red5.server.net.rtmp.RTMPHandler - Connecting to: [WebScope#627b5c Depth = 1, Path = '/default', Name = 'mytestapp']
[WARN] [NioProcessor-3] org.red5.server.net.rtmp.RTMPConnection - Client rejected, unscheduling waitForHandshakeJob
org.red5.server.exception.ClientRejectedException: Client rejected
I can't seem to figure out what the problem is. Can anyone please provide any information regarding what may have caused this?
I tried both the rtmp and rtmpe protocols but I receive the same error message.
thanks
update
I also tried using Flex Builder 3 and I get the same results.
Client rejected, unscheduling waitForHandshakeJob
This just means that the server rejected the connection.
The server-side scripting rejected the connection because I did not provide several parameters required by the application.