In our environment we have both a primary and contingency server to ensure some continuity of operations in the event one site goes down. During testing of the contingency server we discovered a Flex based application will not allow users to login and returns a "Auth error: send failed". When monitoring network activity I see the following:
It looks to me like the cross domain policy is causing the issue as I do not see anything similar when I load the Flex application in our primary environment.
Here is the contents of the crossdomain.xml file found in our web root.
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
What am I missing? Is the cross domain issue a red herring and there is something else going on that I am missing. Any suggestions on what to do?
EDIT: Not sure it matters but to be clear we are using HTTPS in both environments and when accessing the contingency server I use the fully qualified machine name as the DNS is set up to point to the primary server.
Related
I have a working Azure web role which I've been using over an http endpoint. I'm now trying to switch it over to https but struggling mightily with what I thought would be a simple operation. (I'll include a few tips here for future readers to address issues I've already come across).
I have created (for now) a self-signed certificate using the powershell commands documented by Microsoft here and uploaded it to the azure portal. I'm aware that 3rd parties won't be able to consume the API while it has a self-signed certificate but my plan is to use the following for local client testing before purchasing a 'proper' certificate.
ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true;
Tip: you need upload the .pfx file and then supply the password you used in the powershell script. Don't be confused by suggestion to create a .cer file which is for completely different purposes.
I then followed the flow documented for configuring azure cloud services here although many of these operations are now done directly through visual studio rather than by hand-editing files.
In the main 'cloud service' project under the role I wanted to modify:
I imported the newly created certificate. Tip: the design of the dialog used to add the thumbprint makes it very easy to incorrectly select the developer certificate that is already installed on your machine (by visual studio?). Click 'more options' to get to _your_ certificate and then check the displayed thumbprint matches that shown in the Azure portal in the certificates section.
Under 'endpoints' I added a new https endpoint. Tip: use the standard https port 443, NOT the 'default' port of 8080 otherwise you will get no response from your service at all
In the web.config of the service itself, I changed the endpoint binding for the service so that the name element matched the new endpoint.
I then published the cloud project to Azure (using Visual Studio).
At this point, I'm not seeing the results I expected. The service is still available on http but is not available on https. When I try to browse for it on https (includeExceptionDetailInFaults is set to true) I get:
HTTP error 404 "The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable"
I interpret this as meaning that the https endpoint is available but the service itself is bound to http rather than https despite my changes to web.config.
I have verified that the publish step really is uploading the new configuration by modifying some of the returned content. (Remember this is still available on http.)
I have tried removing the 'obsolete' http endpoint but this just results in a different error:
"Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding. Registered base address schemes are [https]"
I'm sure I must be missing something simple here. Can anyone suggest what it is or tips for further trouble-shooting? There are a number of stack-overflow answers that relate to websites and suggest that IIS settings need to be tweaked but I don't see how this applies to a web-role where I don't have direct control of the server.
Edit Following Gaurav's suggestion I repeated the process using a (self-signed) certificate for our own domain rather than cloudapp.net then tried to access the service via this domain. I still see the same results; i.e. the service is available via http but not https.
Edit2 Information from csdef file... is the double reference to "Endpoint1" suspicious?
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint1" endpointName="HttpsEndpoint" />
<Binding name="Endpoint1" endpointName="HttpEndpoint" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="HttpsEndpoint" protocol="https" port="443" certificate="backend" />
<InputEndpoint name="HttpEndpoint" protocol="http" port="80" />
</Endpoints>
<Certificates>
<Certificate name="backend" storeLocation="LocalMachine" storeName="My" />
</Certificates>
I've been scouring the net for almost two days and must be missing something (possibly basic).
On the test (local) web server I have set up a simple service, and using a client, I discover the service and run it without problems.
Using the same client, I discover the same service, but on the production server using https://MyNewStuff.com/WebServices/MyService.asmx (the real internet address of the service) without problems, but when I try to run it it fails with an EndPointNotFound exception. Upon investigating I find that the client's app.config is incorrect as follows;
<endpoint address="https://ProductionWeb.Ourdomain.com/WebServices/MyService.asmx"
binding="basicHttpBinding" bindingConfiguration="MyServiceSoap"
contract="MOX24.MyServiceSoap" name="MyServiceSoap" />
i.e., not set up correctly as it reflects https://ProductionWeb.Ourdomain.com ... and not https://MyNewStuff.com/WebServices, indicating that the service (discovery) is sending the wrong information to the clients (it is sending the server's name and domain and not the 'web' name).
Any help on this would be greatly appreciated!!
If your client is a web application, put https://MyNewStuff.com/WebServices/MyService.asmx in the Web.Release.config.
We use "Process Monitor" (ProcMon) to monitor the w3wc.exe process on a Windows Server 2008 running IIS7 . We have noticed that requests to perfectly legal urls still results in a "PATH NOT FOUND" entry in ProcMon.
For example, we have configured a handler in web.config like:
<add name="ImageVaultHandler.aspx_*" path="ImageVaultHandler.aspx" verb="*" type="ImageStoreNET.Classes.Handlers.ImageHandler, ImageStoreNET" preCondition="integratedMode,runtimeVersionv2.0">
Requests to this handler eg. "http://localhost/id_123/ImageVaultHandler.aspx" will return an image as expected, but when you analyze the request in ProcMon the w3wc.exe process looks to have unsuccessfully searched for a physical file with the same path in my web directory.
Is this behaviour by design? Or have we missed something, the application pool used is configured to run in "Integrated Mode".
This sounds reasonable to me - what IIS is probably doing is checking to see whether or not the file exists in order to determine what handler to use when processing that request:
It looks like the logic in IIS doesn't bother to check first whether there is an applicable handler that can be used even when the file doesn't exist.
I'm using as3httpclientlib to post data to my web service, but I'm continually
getting the following security violation. Does anyone know how to resolve this?
My crossdomain.xml file is below the security violation notice.
NOTE: I'm using apache to proxy requests to the web service, therefore the target url/port and the url/port serving the applet are the same -- i.e. http://192.168.100.101. Also, the crossdomain.xml file is located in the root of the web app which serves the applet rather the web service; however, since the requests are proxied the url for the file is http://192.168.100.101/crossdomain.xml
* Security Sandbox Violation * Connection to 192.168.100.101:80
halted - not permitted from
http://192.168.100.101/com-web/flex/ComUi.swf Error: Request for resource at
xmlsocket://192.168.100.101:80 by
requestor from
http://192.168.100.101/com-web/flex/ComUi.swf
is denied due to lack of policy file
permissions.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
<allow-access-from domain="*" to-ports="80, 8080" />
</cross-domain-policy>
Thanks.
Did you tried to debug it with WireShark, see if the app sends the request on port 843 and if the server sends back the response via socket? It was not totally clear in your post if you already use a server app to serve the policy file, if not, you should, either the way, the link below should help.
If you need more info about how things work, you can check out this
I recently deployed a Flash application to a server, and am now experiencing errors when making HTTPService requests. I have put what I believe to be the most permissive crossdomain.xml possible in the wwwroot folder, and still get the errors.
Interestingly enough, the error only seems to occur when the request is made from a direct user interaction (i.e. button click). The application makes other requests that are initiated by other means(i.e creationComplete) , and they seem to work as expected.
Anyone see anything wrong with the crossdomain.xml, or have any other suggestions?
ERROR MESSAGE
[RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]
at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::faultHandler()
at mx.rpc::Responder/fault()
at mx.rpc::AsyncRequest/fault()
at DirectHTTPMessageResponder/securityErrorHandler()
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at flash.net::URLLoader/redirectEvent()
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>
You need to be careful with those crossdomain policy files because they can open up some serious security holes. You should never use a * policy on a site that uses cookie or basic auth and you should never put a * policy on an intranet server.
The easiest way to avoid those security problems and make things work is to make sure that the URL the SWF is loaded from and the URL the requests are being made to is the same protocol, hostname, and port (if specified). If they are different then you should look into using a proxy so that they are the same. BlazeDS or Apache ban easily be setup as a proxy.
try this
open config file with notepad
replace
http://servername/arcgis/rest/services/BaseMap/MapServer/#
with
http://serverip/arcgis/rest/services/BaseMap/MapServer/#