This has been asked before but I am completely stuck and nothing so far has worked for me that has been listed in other questions. While this refers to Identity Server I think i have missed something in setting SSL up.
I have setup as follows (this is with IIS express not full IIS):
Identity Server app: auth.testhost.com:44373/core
Web API service: https://localhost:44356/
I get the error in the title on the line:
app.UseIdentityServerBearerTokenAuthentication(options);
This is basically requesting some open configuration options from the server at auth.testhost.com:44373/core/.well-known/openid-configuration.
My options are:
Authority = "https://auth.testhost.com:44373/core",
RequiredScopes = new List<string>() { "api" }
In some examples I see a client id and secret, but they are not available in the options for me: is this a problem?
If you need to see any identity server options please say and I'll post.
I ran the following command to create a cert:
makecert.exe -r -pe -n "CN=auth.testhost.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048
This generated the certificate, which I then exported to Trusted Root Certification Authorities.
From what I can tell, the SSL port bindings should be handled by Visual Studio as I am using IIS Express. Below are the bindings it has:
<site name="Authenticator_V2" id="2">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="c:\users\user\documents\visual studio 2015\Projects\Authenticator_V2\Authenticator_V2" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:49755:localhost" />
<binding protocol="https" bindingInformation="*:44373:localhost" />
<binding protocol="https" bindingInformation="*:44373:auth.testhost.com" />
</bindings>
</site>
<site name="APIClient2" id="7">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\Users\user\documents\visual studio 2015\Projects\Authenticator_V2\APIClient2" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:53812:localhost" />
<binding protocol="https" bindingInformation="*:44356:localhost" />
</bindings>
</site>
This is my hosts file:
127.0.0.1 localhost
127.0.0.1 hybrid.testhost.com
127.0.0.1 auth.testhost.com
When I go to https://auth.testhost.com:44373/ I still have a red line through my protocol. I assume this means something has not been configured correctly still. I am using Chrome and clicking on the certificate gives:
"Your connection to this site is not private."
Details:
SHA-1 Certificate
The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.
View certificate
Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
I looked at the ERR_CERT_COMMON_NAME_INVALID error and it seems that is a chrome bug. However my error is being thrown from the web services server trying to connect to the authentication server so I think I can ignore this one???
I also ran netsh to check there was a cert binding set up:
netsh http show sslcert ipport=0.0.0.0:44373
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:44373
Certificate Hash : HAS ODD HASH - REMOVED
Application ID : {HAS GUID - REMOVED}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
At this point a noticed this hash is not the right one for my certificate. It is for the IIS Express localhost. I found this link: IdentityServer: The remote certificate is invalid according to the validation procedure and copied the steps to move the localhost certificate into the Trusted Root Certification Authorities but unfortunately I still have the error. I now am not sure what else to do.
Scope Configuration:
new Scope
{
Name = "api",
DisplayName = "Can call API",
Enabled = true,
Type = ScopeType.Resource
//ScopeSecrets = new List<Secret> { }
}
All my clients have this scope.
Thanks
This issue was fixed by upgrading all but IdentityModel.Jwt to latest versions, which gave the options to set the Certificate and Issuer Name on the bearer options. Both of these were required to be set for the error to go away
Related
I got error:
System.ArgumentException: „The provided URI scheme 'http' is invalid; expected 'https'.
Parameter name: via”
My xml code look like this:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="serviceSoapBinding">
<security allowInsecureTransport="true" enableUnsecuredResponse="true" includeTimestamp="false"
authenticationMode='CertificateOverTransport'
defaultAlgorithmSuite="Basic256"
requireDerivedKeys="true"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
</security>
<textMessageEncoding messageVersion="Soap11"></textMessageEncoding>
<httpsTransport maxReceivedMessageSize="2000000000"/>
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="http://...Service"
binding="customBinding" bindingConfiguration="serviceSoapBinding"
contract="service.service" name="servicePort" >
</endpoint>
</client>
</system.serviceModel>
Changing http to https is not a solution, because I need http. I think I must change authenticationMode*, but I don't know which mode is right in my situation.
In my case client is authenticated by X509Certificate and service uses http protocol.
DavidG appears to be correct about the CertificateOverTransport requirements.
https://learn.microsoft.com/en-us/dotnet/api/system.servicemodel.configuration.authenticationmode?view=netframework-4.8
CertificateOverTransport 2 Specifies that the initiator is authenticated by an X.509 version 3 certificate, and that the responder is authenticated by SSL over HTTPS.
One of the others might work better, but as has been mentioned, not using https is considered highly irregular now.
That said, one of these would likely be your best bet.
MutualCertificate 9
Specifies that the initiator and responder are authenticated with X.509 version 3 certificates.
MutualCertificateDuplex 10
Specifies that the initiator and responder are authenticated with X.509 version 3 certificates.
MutualSslNegotiated 11
Specifies that the initiator and responder mutually authenticate each other using X509 version 3 certificates, and the responder's certificate is available from the SOAP SSL negotiation.
I am trying to connect to a client's Oracle database over SSL using the managed ODP.NET provider. The client has provided a self-signed certificate which I have imported on the server. To test the connection, I created a console app which simply opens the connection then closes it. This works successfully. However, when trying the same simple connection from ASP.NET on the same server, I always get this error:
Oracle.ManagedDataAccess.Client.OracleException (0x80004005): Network Transport: SSL failure in parsing wallet location --->
OracleInternal.Network.NetworkException (0xFFFFE700): Network Transport: SSL failure in parsing wallet location
Here is the connection string:
Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL = TCPS)(HOST = xxx.xx.xx.xxx)(PORT = 3484))(CONNECT_DATA=(SERVER = DEDICATED)(SERVICE_NAME = TEST.CLIENT.COM)(SID = TEST))); User Id = userid; Password = pa55word;
In the config files, I point to a directory for the SQLNET settings:
<oracle.manageddataaccess.client>
<version number="*">
<settings>
<setting name="TNS_ADMIN" value="C:\Oracle\tnsfiles" />
</settings>
</version>
</oracle.manageddataaccess.client>
And finally these settings from sqlnet.ora in that directory:
SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS)
ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=MCS))
WALLET_LOCATION= (SOURCE=(METHOD=MCS))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
Is there any reason why the connection from the console app succeeds, but from ASP.NET it fails on a wallet error? They are using the exact same settings. I tried a lot of different things but I welcome any suggestions.
This is a duplicate. Except that the answers for the other questions (see links at the end) don't make it work for me. And none mention VS 2017 except for the odd comment - perhaps that's the difference?
I've looked at a load of information, and I think all resolve down to:
netsh http add urlacl
open up the firewall
add binding to applicationhost.config
Run VS as administrator
I've done that. About 50 times. I've disabled the firewall completely. I've tried loads of combinations of netsh (where 44362 is my https port for the site and 60559 is normal):
- netsh http add urlacl https://*:44362/
- netsh http add urlacl http://*:44362/
- netsh http add urlacl http://*:60559/
- netsh http add urlacl https://192.168.0.5:44362/
- netsh http add urlacl https://machinename:44362/
I've tried quite a few bindings, but the most reliable is this - which is what I currently have:
<bindings>
<binding protocol="http" bindingInformation="*:60559:" />
<binding protocol="https" bindingInformation="*:44362:" />
</bindings>
This is what my netsh is currently set to, and it allows localhost through:
Reserved URL : http://*:60559/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)
Reserved URL : https://*:44362/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)
I'm testing it by trying to connect using the IP using both of:
http://192.168.0.5:60559
and
https://192.168.0.5:44362
But the client just says "connection refused". With the firewall off.
So I guess my question is: What am I missing???
(Here are a couple of questions I've tried the answers to):
- Connecting to Visual Studio debugging IIS Express server over the lan
- Using Custom Domains With IIS Express
I'm setting up a Service Fabric application which contains:
an Nginx instance as frontend (single instance, port 80)
some applications written with Asp.net core (1 website, some API services) (multiple instances, dynamic port)
a Gateway service for address resolution (single instance, port 8081)
For nginx, I'm using a solution available as Nuget package.
The gateway and, in general, the example to run .NET core app have been taken here
It is suggested by the .NET core team itself to host applications behind a real web server liken nginx.
Therefore I'd like to deploy my Service Fabric application with an instance of nginx as entry point, which redirects to the Gateway service, which will do the service resolution for the replicated stateless services.
My question is about the address that I need to use in the nginx.conf to point to the Gateway address. While trying locally, I can use the local address 127.0.0.1 and it works as expected, but what happens if on a real cluster my Nginx and Gateway instances are deployed to different machines?
This is my application manifest:
<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="SFApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
<Parameters>
<Parameter Name="NginxPoC_InstanceCount" DefaultValue="1" />
<Parameter Name="Gateway_InstanceCount" DefaultValue="1" />
</Parameters>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="NginxPoCPkg" ServiceManifestVersion="1.0.0" />
<Policies>
<RunAsPolicy CodePackageRef="Code" UserRef="Admin" EntryPointType="All" />
</Policies>
</ServiceManifestImport>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="Gateway" ServiceManifestVersion="1.0.0" />
</ServiceManifestImport>
<DefaultServices>
<Service Name="NginxPoC">
<StatelessService ServiceTypeName="NginxPoCType" InstanceCount="[NginxPoC_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
<Service Name="Gateway">
<StatelessService ServiceTypeName="GatewayType" InstanceCount="[Gateway_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
</DefaultServices>
<Principals>
<Users>
<User Name="Admin">
<MemberOf>
<SystemGroup Name="Administrators" />
</MemberOf>
</User>
</Users>
</Principals>
</ApplicationManifest>
and this is my current nginx.conf file:
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://127.0.0.1:8081;
}
}
Update 2016-10-09
As requested in the discussion, I've created a test project here. Every contribute to the project is welcome.
f you deploy the nginx and gateway service to all nodes (InstanceCount = -1) you should be good. If the gateway service is down on one node, you would of course not be able to forward the request from nginx to a gateway service on another node. For this, you need the nginx service to look-up the gateway service.
You can get the service endpoint address for the gateway using a REST call: https://msdn.microsoft.com/en-us/library/azure/dn707638.aspx
I have followed scot's article on how to enable default ports (80 and 443) for http and https respectively. I have followed each step to the letter and in the end IIS express sytem tray shows me that site is running on following urls
Only thing i have done differently is to use netsh>advfirewall>firewall context because it was telling me that netsh firewall is deprecated. I used following command to allow port 80 through firewall
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
Here is the relevant site section from applicationhost.config file of IIS Express
<site name="SSLTest" id="4">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="G:\Adeel\SSLTest\SSLTest" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:51518:localhost" />
<binding protocol="https" bindingInformation="*:44301:localhost" />
<binding protocol="http" bindingInformation="*:80:mhlabs" />
<binding protocol="https" bindingInformation="*:443:mhlabs" />
</bindings>
</site>
Edit: The problem is that when i browse to http:/mhlabs or https:/mhlabs it does not work. I get not found page of the browser. how can i get around that.
Edit2: Ok, as a first step, i would like to forget ssl and just reserve a url for test-one on port 80 and run my site on this url. The logical steps that come to mind is that i reserve a url using netsh http add urlacl url=http://test-one:80/ user=everyone and add this entry in bindings section of applicationhost.config file. i also allowed port 80 through firewall but the whole thing does not seem to work for me. Any ideas?
Are you starting iis express from command line or using WebMatrix?
If you are not starting it from command line, try following steps and see if there are any binding errors.
start command prompt, goto iis express installation folder '%programfiles%\iis express'
run following command
iisexpress.exe /site:SSLTest
If there are any bindings registration failure, you would see some error message.
If there is any error for 'mhlabs' binding registration, make sure your URL reservation is correct. URL reservation command should like below
netsh http add urlacl url=http://mhlabs:80/ user=everyone