When I try to access an HTTP REST API hosted on a site within my machine’s local IIS, I get this error message:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was ''."
Anonymous Authentication is enabled in the site’s IIS authentication settings, and the identity of the anonymous user is set to be that of the IUSR role. The IUSR role has read permissions on the underlying virtual directory associated with my IIS site, and I have also tried giving “Everyone” Full Control over the underlying connection virtual directory (see below). Both the virtual directory and the IIS site should have sufficient authentication allowed for anonymous access.
Project Properties - Security - Permissions
The exact same code used in this web project runs perfectly fine on a different computer, so I don’t believe the issue lies in the code.
Stack Trace (snippet):
at Autofac.Core.Resolving.InstanceLookup.Activate(IEnumerable`1 parameters)","InnerException":{"Message":"An error has occurred.","ExceptionMessage":"An exception was thrown while invoking the constructor 'Void .ctor(PIM.App.Infrastructure.Setttings.ISettingsProvider)' on type 'ServiceFactory'. ---> The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was ''. (See inner exception for details.)","ExceptionType":"Autofac.Core.DependencyResolutionException","StackTrace":"
at Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()\r\n
at Autofac.Core.Activators.Reflection.ReflectionActivator.ActivateInstance(IComponentContext context, IEnumerable`1 parameters)\r\n
at Autofac.Core.Resolving.InstanceLookup.Activate(IEnumerable`1 parameters)","InnerException":{"Message":"An error has occurred.","ExceptionMessage":"The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was ''.","ExceptionType":"System.ServiceModel.Security.MessageSecurityException","StackTrace":"\r\nServer stack trace: \r\n
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)\r\n
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)\r\n
Related
I tried this:
runas /user: domain\user cmd with no luck
This seems to only occur now when IIS is reset and I try to resume my browsing session. So I am logged into the application, I reset IIS on the server, refresh the page and see the error.
I am building an application in .NET 4.0 MVC with a Secure Token Service that is using WIF 4.0. Everything works as expected, except this case. I even tried to use a custom error page, but the error is happening there as well. Because of that, I can't get the custom page to show either. Also, This is using a certificate that is located on both load balanced servers. This happens in my dev environment whihc consists of only one server (app, wfe, db operated there)
One thing I noticed is that if I switch my IIS APP Pool user back to Network Service account it doesn't throw the error any more. We have some restrictions (mostly network related) in the application that we need to use an account in our AD for the app pool sections
Anybody have any experience with this issue?
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.
Exception Details:
System.Security.Cryptography.CryptographicException: Key not valid for
use in specified state.
Source Error:
An unhandled exception was generated during the execution of the
current web request. Information regarding the origin and location of
the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid for use in specified state. ]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[]
encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +428
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +54
[InvalidOperationException: ID1073: A CryptographicException occurred
when attempting to decrypt the cookie using the ProtectedData API (see
inner exception for details). If you are using IIS 7.5, this could be
due to the loadUserProfile setting on the Application Pool being set
to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +146
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[]
cookie, Boolean outbound) +113
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader
reader, SecurityTokenResolver tokenResolver) +647
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[]
token, SecurityTokenResolver tokenResolver) +105
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[]
sessionCookie) +262
Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken&
sessionToken) +76
Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object
sender, EventArgs eventArgs) +53
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+148 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
This issue is related to session cookies.
WIF protects session cookies using Data Protection API (DPAPI) by default, and the DPAPI is closely related to machine keys.
If the keys used to encrypt the session cookies change, it throws this exception.
It could be also related to your app hosting infrastructure.
if your app is running in an Network Load Balancer (NLB) environment
if you change the app pool settings (e.g., change the pool’s user)
More details about this scenario on the MSDN blog entry:
WIF 1.0 – ID1073 A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API Archive.Today Shortlink
Todd Foust (October 29, 2012)
So, if your app runs in NLB environment, you could :
Configure your load balancer to use sticky sessions. This means that your user will be directed to the same server during the session duration. (I’m not very fond of that one)
Use a certificate to encrypt the session cookies
set all web.config files to use the same machine key in system.web
If you are not running the app in a NLB env, you could try:
set the machinekey in your web.config to use a pre-defined value instead of auto-generated values
Regarding auto-generated machinekey setting, please see:
How unique is your machine key?Archive.Today Shortlink
I'm running into a very weird scenario, have tried a lot of solutions and also tried searching for people having similar issues but couldn't find anything.
I have a webforms ASP.NET application for which the SSL certificate expired a couple of months ago, and we just received the renewed certificate. It was a new certificate instead of a renewal one, but issued to the same URL/SANs. It's also an internal certificate, not externally issued.
After installing the new SSL certificate in our production environment, an internal web service (asmx reference) call that we are making (to a java web service) is failing, complaining about no parameters being sent to the web service. This only happens if I browse through the SSL enabled version of the site, and only in production. The site with SSL works correctly in our dev/stage environments. Prod also works but only if I don't browse through HTTPS.
I cannot paste all the technical exception details, as it's a work related thing, but any help/guidance is appreciated.
System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.Web.Services.Protocols.SoapHeaderException: Internal Server Error (Caught exception while handling request: java.lang.Exception: Last Name and/or First Name needs to be provided.)
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at OurProgram.com.Company.corp.amssvc.DirWs2.getEmployeeDataByName(String lastName, String firstName, String attData, String strDelim) in D:\somecodehere
For additional data, it is also not an IIS website on its own, it's hosted as an application under the Default Website, which is the one that has the SSL binding for the certificat.e
Has anyone experienced this?
TL;DR -- Disabled Anonymous Authentication.
Well, after 6 hours of fiddling with and comparing IIS and website configurations, the issue was that for some reason, Anonymous Authentication got enabled somehow after the site had been restarted for the new SSL certificate to kick in. Our application is an intranet one, so the web service takes the credentials of the logged in user. When Anon Auth got enabled somehow, it must have not been passing the correct credentials.
After disabling Anonymous Authentication, the site worked just fine. While it might seem a little related in hindsight, I would've expected a different error, anything other than the web service complaining that no parameters were sent.
Hope this helps someone.
I have 2 wcf services both hosted on IIS on the same machine.
Service A is called by a client and uses BasicHttpBinding with transport security and NTLM credentialtype.
Service A needs to call service B which is also hosted on IIS but uses WsHttpBinding with transport security and NTLM credentialtype.
IIS is configured to use integrated windows authentication.
The first attempt I got a 403 forbidden message:
System.ServiceModel.Security.MessageSecurityException : The HTTP request was forbidden with client authentication scheme 'Ntlm'.
System.Net.WebException: The remote server returned an error: (403) Forbidden.
This is normal because when I make a call from service A to service B the identity of the application pool is used.
In my second attempt I tried to impersonate the call to service B but then the problem is all code in the operation is executed under the callers account. This account has no ACL permissions on the server and providing these permissions is not an option.
The following error is logged:
System.IO.FileLoadException : Could not load file or assembly 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
How could I solve this without changing security the ACL's or the application pool identity?
Check this out:
http://blogs.msdn.com/b/securitytools/archive/2009/11/04/double-hop-windows-authentication-with-iis-hosted-wcf-service.aspx.
Found the above link here:
http://go4answers.webhost4life.com/Example/calling-wcf-service-another-wcf-service-204170.aspx
I want to capture the SOAP request and actual response from the WebService.
Scenario : On click of a button in asp.net application I call a web service. The Web Service returns an exception : System.Web.Services.Protocols.SoapHeaderException: Access is denied. at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at WebRefProject.HRWS.TeamMemberData201012Service.getTeamMemberProfilesByFullName(GetTeamMemberProfilesByFullNameRequest_Type getTeamMemberProfilesByFullName1) in C:\Project\FinalPAT\WebCode\1PSV\WebRefProject\Web References\HRWS\Reference.cs:line 138 at UIPSAT.GetUserDetails.GetUserDetailsbyFullName(String searchValue) in C:\Project\FinalPAT\WebCode\1PSV\UI\GetUserDetails.cs:line 209
Explanation:
I have a asp.net application which calls a web service to search for employee details.
The WS requires certificates and we attach it along the request.
The service is working good on local with local certificate.
It isnt working on Dev server and is giving the above exception.
A sample application runs good on Dev with the Dev certificate.
How do I know what SOAP is sent to the web service?
Also I could not add the reference of the web service directly to the solution as it was protected and Visual Studio IDE could not add it.
However the WSDL file was not protected. It was successfully added and the URL of the Web Service was changed based on the appropriate server environments.
How do check the SOAP Request and Response?
Yes, Fiddler.
You can use WCF Diagnostic message logging facilities. Just config it on your client, the soap messages will be logged. For instance:
<diagnostics>
<messageLogging
logEntireMessage="true"
logMalformedMessages="true"
logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true"
maxMessagesToLog="1000"
maxSizeOfMessageToLog="5000"/>
</diagnostics>
You can configure soapUI (http://www.soapui.org/) to act as a logging proxy between your web service client and server. Configure your client to connect to a soapUI proxy instance running on the client host. Configure the soapUI instance to then forward to the service on the remote server.
You can get the trace file to a location. Add the following to the web.Config file :
I have an ASP.NET application that executes a WMI call to a remote system. The application Web.config contains <identity impersonate="true"> and <authentication mode="Windows"> options which, as I understand, should force the application code to be executed on behalf of the application user.
The problem is that I get "Access is denied" error, despite the fact I can successfully execute the my WMI request from PowerShell console on the same host under the same user to the remote server in question.
// this doesn't work
ManagementScope scope = new ManagementScope();
scope.Path.NamespacePath = "root\\virtualization";
scope.Path.Server = "vs01";
scope.Connect(); // <-- here comes exception
# this works just fine
Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem -ComputerName vs01
Dumping HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, System.Threading.Thread.CurrentPrincipal.Identity.Name properties suggest that impersonation works as expected.
Ideas? Could the issue be some kind of .NET or IIS security?
You need to have a domain administrator enable Delegation for your web server machine. This is a security feature of Kerberos. By default an intermediate server (in this case your web server) is not allowed to pass the impersonation context of a client to the remote server unless it has been given Delegation permission. If you don't do this the remote target server will see the request coming in as Anonymous User... which if its properly secured will be denied access.
Note its a common policy to only allow an intermediate server to delegate to specific target servers (called constrained delegation), so if your web app needs to be able to call WMI on any server in your network you may have problem. Talk to your domain admin.