Long story short, I can sign documents just fine. But verifying them returns false, every time. I've looked through the first 5 or 6 pages of google and bing for a solution, but every "fix" I've found fails to help. Any help would be appreciated, as I've been trying to tackle this for a little over a week now. Also, the private keys of these certs are NOT exportable, and can't be. I'm not sure if that matters or not. Also, I opted not to include ValidateCertificate for now because it's never once made it that far. It always fails at CheckSignature(). Thank you.
HEre's what I'm using to generate my certs:
makecert -a SHA256 -n "CN=JEA2.me" -pe -r -len 2048 -sy 24 -sky signature -sv jeame2.pvk jeame2.cer
certmgr /add jeame2.cer /s /r localmachine root
makecert -sk "jea2.me" -iv jeame2.pvk -n "CN=JEA2IIS.me" -eku 1.3.6.1.4.1.311.10.3.12 -pe -sy 24 -ss my -sr localmachine -len 2048 -sky signature -ic Jeame2.cer IIS-ServerCert-Jeame2.cer
And from here I'm installing them directly into Local machine -> Trusted Root Certification Authorities
private static X509Certificate2 CheckXmldsigSignature(XmlDocument document)
{
X509Certificate2 certificate = null;
try
{
XmlNodeList nodeList = document.GetElementsByTagName("Signature", Xmldsigns);
if (nodeList.Count != 1)
{
Logger.ErrorFormat("Found {0} signature elements in file", nodeList.Count);
throw new InvalidOperationException(
"The XML document must have a single element with local name: \"Signature\" and namespace URI: " + Xmldsigns);
}
else
{
Logger.DebugFormat("Found Signature element successfully");
}
RSAPKCS1SHA256SignatureDescription.Register();
var signatureElement = (XmlElement)nodeList[0];
var signedXml = new SignedXml(document);
signedXml.LoadXml(signatureElement);
var keyInfoX509 =
(KeyInfoX509Data)
(from KeyInfoClause kic in signedXml.KeyInfo where kic is KeyInfoX509Data select kic).Single();
if (keyInfoX509.Certificates.Count != 1)
{
var msg = "The signature must contain information for one certificate.";
Logger.Error(msg);
throw new InvalidOperationException(msg);
}
else
{
Logger.DebugFormat("Extracted X509 certificate data successfully");
}
certificate = (X509Certificate2)keyInfoX509.Certificates[0];
bool validSignature = signedXml.CheckSignature(); //was null parameters. This too does not work.
if (!validSignature)
{
var msg = " SignedXml.CheckSignature returned false.";
throw new InvalidOperationException(msg);
}
else
{
Logger.DebugFormat("SignedXml.CheckSignature returned true.");
}
}
catch (Exception ex)
{
ScriptPro.Common.Logging.LogEx.LogException(Logger, ex);
throw;
}
return certificate;
}
private static Stream SignSHA256Stream(X509Certificate2 certificate, Stream stream)
{
if (certificate == null)
{
Logger.Error("certificate argument is null");
throw new ArgumentNullException("certificate");
}
if (stream == null)
{
Logger.Error("stream argument is null");
throw new ArgumentNullException("stream");
}
RSAPKCS1SHA256SignatureDescription.Register();
var document = new XmlDocument();
document.PreserveWhitespace = true; // May not be necessary.
document.Load(stream);
XmlNode root = document.DocumentElement;
XmlNodeList nodeList = document.GetElementsByTagName("Signature", Xmldsigns);
while (nodeList.Count > 0)
{
root.RemoveChild(nodeList[0]);
}
Reference reference = new Reference(string.Empty);
reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
reference.AddTransform(new XmlDsigExcC14NTransform());
reference.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
CspParameters csp = new CspParameters(24);
csp.Flags = CspProviderFlags.UseMachineKeyStore;
csp.KeyContainerName = "XML_DISG_RSA_KEY";
RSACryptoServiceProvider key = new RSACryptoServiceProvider(csp);
key.PersistKeyInCsp = false;
var keyInfo = new KeyInfo();
keyInfo.AddClause(new KeyInfoX509Data(certificate));
SignedXml sxml = new SignedXml(document);
sxml.KeyInfo = keyInfo;
sxml.SigningKey = key;
sxml.SignedInfo.SignatureMethod = Xmldsigns256;
sxml.AddReference(reference);
sxml.ComputeSignature();
XmlElement xmlDigitalSignature = sxml.GetXml();
if (document.DocumentElement == null)
{
document.AppendChild(document.ImportNode(xmlDigitalSignature, true));
}
else
{
document.DocumentElement.AppendChild(document.ImportNode(xmlDigitalSignature, true));
}
if (document.FirstChild is XmlDeclaration)
{
document.RemoveChild(document.FirstChild);
}
MemoryStream outStream = new MemoryStream();
document.Save(outStream);
return outStream;
}
private static void SignSHA256File(X509Certificate2 certificate, FileInfo file)
{
if (certificate == null)
{
Logger.Error("certificate argument is null");
throw new ArgumentNullException("certificate");
}
if (file == null)
{
Logger.Error("file argument is null");
throw new ArgumentNullException("file");
}
if (!file.Exists)
{
Logger.ErrorFormat("File {0} does not exist.", file.Name);
throw new ArgumentException("File must exist.", "file");
}
if (file.IsReadOnly)
{
Logger.ErrorFormat("File {0} is read only.", file.Name);
throw new ArgumentException("File is read only.", "file");
}
FileStream stream = file.OpenRead();
string s = string.Empty;
using (StreamReader reader = new StreamReader(stream))
{
s = reader.ReadToEnd();
}
MemoryStream stream2 = new MemoryStream(Encoding.Default.GetBytes(s));
Stream inStream = SignSHA256Stream(certificate, stream2);
XmlDocument document = new XmlDocument();
inStream.Seek(0L, SeekOrigin.Begin);
document.Load(inStream);
Logger.InfoFormat("Saving {0}", file.FullName);
document.Save(file.FullName);
}
public class RSAPKCS1SHA256SignatureDescription : SignatureDescription
{
private const int PROV_RSA_AES = 24;
public RSAPKCS1SHA256SignatureDescription()
{
this.KeyAlgorithm = "System.Security.Cryptography.RSACryptoServiceProvider";
this.DigestAlgorithm = "System.Security.Cryptography.SHA256CryptoServiceProvider"; // use System.Security.Cryptography.SHA256Managed for .NET 4.5
this.FormatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureFormatter";
this.DeformatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureDeformatter";
}
public static void Register()
{
CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var asymmetricSignatureDeformatter = (AsymmetricSignatureDeformatter)CryptoConfig.CreateFromName(DeformatterAlgorithm);
asymmetricSignatureDeformatter.SetKey(key);
asymmetricSignatureDeformatter.SetHashAlgorithm("SHA256");
return asymmetricSignatureDeformatter;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var asymmetricSignatureFormatter = (AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
asymmetricSignatureFormatter.SetKey(key);
asymmetricSignatureFormatter.SetHashAlgorithm("SHA256");
return asymmetricSignatureFormatter;
}
}
}
Here are my two XML Files:
1.xml:
<node1>
<node2>
</node2>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>3nIr0blku+Nsu3FgibCxfQRGBtSmtZL4JGodmaU8blE= </DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>O3ihm7QwE/vh9VZ6CtdENAhB9Ve8jceATCgdJuaQkUHpPWxrG01TftUlrw9a/dQGfW48jJMPngwgcfqnbFspmEEGsBe1xoWQd6mdy2wVRBcQSjqdReNNzs0uQz3/1wPPk4Y2UO+fL+CVNzkIcMpne+t80c2eU4cHBa1WyL5qSlc=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICFDCCAX2gAwIBAgIQ2rStbEE1JJhHRLiuA4n/0jANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtKQUxDT1JOLm1lMjAeFw0xNjAzMzAxODE1MDFaFw0zOTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkpBTENPUk5JSVMubWUyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLJEzyRjaHLfK6zrg1Xdx2yO34d5sbd7ajFFVmb3zPKtVGmuJlCBPsDTC84pzHBTywVVApi3U2UwtuCh96rQu5r3nYUT/E46CtexWiFATyh0M9+wD/h3hZj1CQ0YHTEZWznOWWIdbNRAcp99tGSALrwjH2rEJhGHHpVn7otCNmZQIDAQABo2AwXjATBgNVHSUEDDAKBggrBgEFBQcDATBHBgNVHQEEQDA+gBAgVyu7w3c59jEjiSh/vma+oRgwFjEUMBIGA1UEAxMLSkFMQ09STi5tZTKCEFvqkxy0Sd+mSgbqvsCEqKcwDQYJKoZIhvcNAQELBQADgYEAAcM6GlR3UpjIY4TWWuMiSyqiUiAGgg3JetiUXj1EVZ7TZVvyoVA1L/wd8ZHt+nZu1UtJmJ8sU7eu55TMVcX/xu7QoYsp6JtbPp5abLI6rnOCwDfyorrjM4S8Rm2RCO3PhL0NC9i9QBPfNV15FEbFpeqHZGw/xmyGzEv3EWxEESE=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</node1>
2.xml:
<metadata>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>wc+6kgUoF9TE7KL1OQXm0EzAIYZuVVc6w3zOKsIY8yU= </DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>MDJn2QLG65LChsJOAN9zKmq4Br5JFSncaTMOmmsmL+DY4xcZt7e4VfI6/IehBkBUzDLeUJHWoE9sp7tVmArBiq/ZFm/ScB2/SRAAD+/NS0XxnxTPjvwu0JsmupNFJ364r/k31TYhI6TBmiCBIdZ6/3qV8LNPtS0iVrMkyhFw6L8=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICFDCCAX2gAwIBAgIQ2rStbEE1JJhHRLiuA4n/0jANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtKQUxDT1JOLm1lMjAeFw0xNjAzMzAxODE1MDFaFw0zOTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkpBTENPUk5JSVMubWUyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLJEzyRjaHLfK6zrg1Xdx2yO34d5sbd7ajFFVmb3zPKtVGmuJlCBPsDTC84pzHBTywVVApi3U2UwtuCh96rQu5r3nYUT/E46CtexWiFATyh0M9+wD/h3hZj1CQ0YHTEZWznOWWIdbNRAcp99tGSALrwjH2rEJhGHHpVn7otCNmZQIDAQABo2AwXjATBgNVHSUEDDAKBggrBgEFBQcDATBHBgNVHQEEQDA+gBAgVyu7w3c59jEjiSh/vma+oRgwFjEUMBIGA1UEAxMLSkFMQ09STi5tZTKCEFvqkxy0Sd+mSgbqvsCEqKcwDQYJKoZIhvcNAQELBQADgYEAAcM6GlR3UpjIY4TWWuMiSyqiUiAGgg3JetiUXj1EVZ7TZVvyoVA1L/wd8ZHt+nZu1UtJmJ8sU7eu55TMVcX/xu7QoYsp6JtbPp5abLI6rnOCwDfyorrjM4S8Rm2RCO3PhL0NC9i9QBPfNV15FEbFpeqHZGw/xmyGzEv3EWxEESE=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</metadata>
public static bool VerifyXmldsigSignature(FileInfo file, bool useSHA256 = false)
{
Logger.InfoFormat("Checking Digital Signature and Certificate on {0}", file.FullName);
bool validCertificate = false;
if (file == null)
{
Logger.Error("file argument is null");
throw new ArgumentNullException("file");
}
if (!file.Exists)
{
Logger.ErrorFormat("File {0} does not exist.", file.Name);
throw new ArgumentException("File must exist.", "file");
}
try
{
var document = new XmlDocument();
document.PreserveWhitespace = true; document.Load(file.FullName);
DateTime timestamp = DateTime.UtcNow;
bool respectCertExpiration = HasTimestamp(document);
if (respectCertExpiration)
{
timestamp = CheckXadesTimestamp(document);
}
var certificate = CheckXmldsigSignature(document);
validCertificate = ValidateCertificate(certificate, timestamp, respectCertExpiration);
Logger.InfoFormat("Digital Signature and Certificate passed verification on {0}", file.FullName);
}
catch (Exception ex)
{
string message = string.Format("{0} failed signature verification.", file.FullName);
throw;
}
Looking at the code, there are two places that I can find that might be an issue:
Certificate Validity.
Using CheckSignature() without any parameters requires the signing certificate to be signed by a trusted root authority. As you're already extracting the certificate that is part of the signature I suggest that for testing you change the call to
bool validSignature = signedXml.CheckSignature(certificate);
Note that you know only validates that the Xml is signed by the certificate info in the file. You have no validation that the signature actually is done by any specific party. I assume you are doing that in the calling function as it returns the certificate.
Whitespace
In the signing routine you set PreserveWhitespace=true. That means that the whitespace will be included in the hash calculation of the signature. Make sure you set PreserveWhitespace=true when you load the document for validation too (that part is not included in the posted code, so I don't know).
References
Finally, you're code is vulnerable to Xml Signature Wrapping attacks, because you are not properly checking the references of the signature. Please see this blog post of mine for examples.
Anders, thanks for your suggestions. I finally got my code to verify after several weeks of playing around with it, and I finally got something to work so I wanted to share it with you guys. The verify method is unchanged, and the Xades stuff is custom and not necessary to verify files signed with my code. Lastly, I used the following 2 urls as my starting point, but dozens of pages from google also helped:
https://blogs.msdn.microsoft.com/winsdk/2015/11/14/using-sha256-with-the-signedxml-class/
https://gist.github.com/sneal/f35de432115b840c4c1f#file-rsapkcs1sha256signaturedescription
private static Stream SignSHA256Stream(X509Certificate2 certificate, Stream stream)
{
if (certificate == null)
{
Logger.Error("certificate argument is null");
throw new ArgumentNullException("certificate");
}
if (stream == null)
{
Logger.Error("stream argument is null");
throw new ArgumentNullException("stream");
}
RSAPKCS1SHA256SignatureDescription.Register();
var document = new XmlDocument();
document.Load(stream);
XmlNode root = document.DocumentElement;
XmlNodeList nodeList = document.GetElementsByTagName("Signature", Xmldsigns);
// nodeList is actively updated so we delete element [0] until there are none left.
while (nodeList.Count > 0)
{
root.RemoveChild(nodeList[0]);
}
Reference reference = new Reference(string.Empty);
reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
reference.AddTransform(new XmlDsigExcC14NTransform());
reference.DigestMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
var keyInfo = new KeyInfo();
keyInfo.AddClause(new KeyInfoX509Data(certificate));
SignedXml sxml = new SignedXml(document);
sxml.KeyInfo = keyInfo;
sxml.SigningKey = certificate.PrivateKey;
sxml.SignedInfo.SignatureMethod = Xmldsigns256;
sxml.AddReference(reference);
sxml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315";
sxml.ComputeSignature();
XmlElement xmlDigitalSignature = sxml.GetXml();
if (document.DocumentElement == null)
{
document.AppendChild(document.ImportNode(xmlDigitalSignature, true));
}
else
{
document.DocumentElement.AppendChild(document.ImportNode(xmlDigitalSignature, true));
}
if (document.FirstChild is XmlDeclaration)
{
document.RemoveChild(document.FirstChild);
}
MemoryStream outStream = new MemoryStream();
document.Save(outStream);
return outStream;
}
Related
further to this question, i have the same problem. PubFolder on Prem , users in O365
I have fetched and added the routing headers from Glen's post but still get the error
GetToken works...
https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
GetX headers works...
https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/public-folder-access-with-ews-in-exchange
--->> ewsClient.FindFolders(WellKnownFolderName.PublicFoldersRoot, new FolderView(10))
Microsoft.Exchange.WebServices.Data.ServiceResponseException: 'There are no public folder servers available.'
static async System.Threading.Tasks.Task Test3()
{
string ClientId = ConfigurationManager.AppSettings["appId"];
string TenantId = ConfigurationManager.AppSettings["tenantId"];
string secret = ConfigurationManager.AppSettings["clientSecret"];
string uMbox = ConfigurationManager.AppSettings["userId"];
string uPwd = ConfigurationManager.AppSettings["userPWD"];
// Using Microsoft.Identity.Client 4.22.0
//https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth//
var cca = ConfidentialClientApplicationBuilder
.Create(ClientId)
.WithClientSecret(secret)
.WithTenantId(TenantId)
.Build();
var ewsScopes = new string[] { "https://outlook.office365.com/.default" };
try
{
var authResult = await cca.AcquireTokenForClient(ewsScopes)
.ExecuteAsync();
// Configure the ExchangeService with the access token
var ewsClient = new ExchangeService();
ewsClient.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
ewsClient.Credentials = new OAuthCredentials(authResult.AccessToken);
ewsClient.ImpersonatedUserId =
new ImpersonatedUserId(ConnectingIdType.SmtpAddress, uMbox);
AutodiscoverService autodiscoverService = GetAutodiscoverService(uMbox, uPwd);
GetUserSettingsResponse userResponse = GetUserSettings(autodiscoverService, uMbox, 3, UserSettingName.PublicFolderInformation, UserSettingName.InternalRpcClientServer);
string pfAnchorHeader= userResponse.Settings[UserSettingName.PublicFolderInformation].ToString();
string pfMailboxHeader = userResponse.Settings[UserSettingName.InternalRpcClientServer].ToString(); ;
// Make an EWS call
var folders = ewsClient.FindFolders(WellKnownFolderName.MsgFolderRoot, new FolderView(10));
foreach (var folder in folders)
{
Console.WriteLine($"Folder: {folder.DisplayName}");
}
//get Public folder root
//Include x-anchormailbox header
Console.WriteLine("X-AnchorMailbox value for public folder hierarchy requests: {0}", pfAnchorHeader);
Console.WriteLine("X-PublicFolderMailbox value for public folder hierarchy requests: {0}", pfMailboxHeader);
//var test3 = GetMailboxGuidAddress(ewsClient, pfAnchorHeader, pfMailboxHeader, uMbox);
///https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-route-public-folder-content-requests <summary>
ewsClient.HttpHeaders.Add("X-AnchorMailbox", userResponse.Settings[UserSettingName.PublicFolderInformation].ToString());
//ewsClient.HttpHeaders.Add("X-AnchorMailbox", "SharedPublicFolder#contoso.com");
ewsClient.HttpHeaders.Add("X-PublicFolderMailbox", userResponse.Settings[UserSettingName.InternalRpcClientServer].ToString());
try
{
var pubfolders = ewsClient.FindFolders(WellKnownFolderName.PublicFoldersRoot, new FolderView(10));
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
throw;
}
foreach (var folder in folders)
{
Console.WriteLine($"Folder: {folder.DisplayName}");
}
}
catch (MsalException ex)
{
Console.WriteLine($"Error acquiring access token: {ex}");
}
catch (Exception ex)
{
Console.WriteLine($"Error: {ex}");
}
if (System.Diagnostics.Debugger.IsAttached)
{
Console.WriteLine("Hit any key to exit...");
Console.ReadKey();
}
}
public static AutodiscoverService GetAutodiscoverService(string username, string pwd)
{
AutodiscoverService adAutoDiscoverService = new AutodiscoverService();
adAutoDiscoverService.Credentials = new WebCredentials(username, pwd);
adAutoDiscoverService.EnableScpLookup = true;
adAutoDiscoverService.RedirectionUrlValidationCallback = RedirectionUrlValidationCallback;
adAutoDiscoverService.PreAuthenticate = true;
adAutoDiscoverService.TraceEnabled = true;
adAutoDiscoverService.KeepAlive = false;
return adAutoDiscoverService;
}
public static GetUserSettingsResponse GetUserSettings(
AutodiscoverService service,
string emailAddress,
int maxHops,
params UserSettingName[] settings)
{
Uri url = null;
GetUserSettingsResponse response = null;
for (int attempt = 0; attempt < maxHops; attempt++)
{
service.Url = url;
service.EnableScpLookup = (attempt < 2);
response = service.GetUserSettings(emailAddress, settings);
if (response.ErrorCode == AutodiscoverErrorCode.RedirectAddress)
{
url = new Uri(response.RedirectTarget);
}
else if (response.ErrorCode == AutodiscoverErrorCode.RedirectUrl)
{
url = new Uri(response.RedirectTarget);
}
else
{
return response;
}
}
throw new Exception("No suitable Autodiscover endpoint was found.");
}
Your code won't work against an OnPrem Public folder tree as EWS in Office365 won't proxy to an OnPrem Exchange Org (even if hybrid is setup). (Outlook MAPI is a little different and allows this via versa setup but in that case it never proxies either it just makes a different connection to that store and its all the Outlook client doing this).
Because your trying to use the client credentials oauth flow for that to work onPrem you must have setup hybrid modern authentication https://learn.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide. Then you need to acquire a token with an audience set to the local OnPrem endpoint. (this is usually just your onPrem ews endpoint's host name but it should be one of the service principal names configured in your hybrid auth setup Get-MsolServicePrincipal). So in your code you would change
var ewsScopes = new string[] { "https://outlook.office365.com/.default" };
to
var ewsScopes = new string[] { "https://OnPrem.whatever.com/.default" };
which will then give you a token with an audience set for the onprem server then you need to send the EWS request to that endpoint so change that eg
ewsClient.Url = new Uri("https://OnPrem.whatever.com/EWS/Exchange.asmx");
if Hybird Modern Auth is setup then you need to default back to use Integrated or Basic Authenticaiton.
I need to add a Request Header to a WCF Request when using ConfigurationChannelFactory.CreateChannel.
I have already tried using OperationContextScope.
I have a function which is as shown below:
public O Execute<O>(Func<T, O> action, string configFilePath, string endpoint, StringDictionary headers)
{
bool closed = false;
T channel = default(T);
O output = default(O);
try
{
channel = this.GetChannel(configFilePath, endpoint);
if (headers != null && headers.Count > 0)
{
(channel as IClientChannel).Open();
using (new OperationContextScope(channel as IClientChannel))
{
HttpRequestMessageProperty requestMessage = new HttpRequestMessageProperty();
foreach (DictionaryEntry header in headers)
{
requestMessage.Headers[header.Key.ToString()] = header.Value.ToString();
}
OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = requestMessage;
output = action(channel);
}
(channel as IClientChannel).Close();
}
else
{
(channel as IClientChannel).Open();
output = action(channel);
(channel as IClientChannel).Close();
}
closed = true;
}
finally
{
if (!closed && channel != null)
{
(channel as IClientChannel).Abort();
}
}
return output;
}
private T GetChannel(string configFilePath, string endpoint)
{
//Get the ChannelFactoryObject
ConfigurationChannelFactory<T> wcfClientFactory = null;
ExeConfigurationFileMap fileMap = new ExeConfigurationFileMap { ExeConfigFilename = configFilePath };
wcfClientFactory = new ConfigurationChannelFactory<T>(endpoint, ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None), null);
return wcfClientFactory.CreateChannel();
}
Configuration file entry:
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />;clientCredentialType="Windows" negotiateServiceCredential="true" />
</security>
The above function is called from another .cs file, as shown below, passing Func<T,O> as an argument:
Execute<MyService.InformationResponse[]>=>IMyService.GetInformation(Request), ConfigPath, myServiceEndPoint, headers);
I am getting 400, BadRequest as the Service is expecting "Authorization" in the Request header, which it is not able to find.
We could use the WebOperationContext class to alter and add HTTP header, please refer to the below code segments.
IService service = factory.CreateChannel();
using (OperationContextScope scope = new OperationContextScope((IContextChannel)service))
{
WebOperationContext.Current.OutgoingRequest.ContentType = "application/json; charset=utf-8";
WebOperationContext.Current.OutgoingRequest.Headers.Add("Authorization", "bearer xxxxxxxx");
service.GetData();
}
Result.
For details,
https://learn.microsoft.com/en-us/dotnet/api/system.servicemodel.web.weboperationcontext?redirectedfrom=MSDN&view=netframework-4.8
Feel free to let me know if there is anything I can help with.
I am working on Encryption,Decryption in swift OpenSSl AES-256-CBC. I have checked with many third- party libraries or pods i.e. CryptoSwift and many others. But I am always getting HMAc is Not valid from Php back end team.
Where as in android they have done this:
Following is my android method:
public EncryptedData encrypt(Object data) throws Exception {
String text;
if (data instanceof String) {
text = String.valueOf(data);
} else {
text = (new Gson()).toJson(data);
}
if (!this.doAction) {
return new EncryptedData(text, "");
} else {
this.ivspec = new IvParameterSpec(this.getIV1().getBytes());
this.keyspec = new SecretKeySpec(this.getKey1().getBytes(), "AES");
if (text != null && text.length() != 0) {
byte[] encrypted;
try {
this.cipher.init(Cipher.ENCRYPT_MODE, this.keyspec, this.ivspec);
encrypted = this.cipher.doFinal(this.padString(text).getBytes());
} catch (Exception var5) {
throw new Exception("[encrypt] " + var5.getMessage());
}
String encryptedData = new String(Base64.encode(encrypted, Base64.DEFAULT))
.replace("\n", "");
SecretKeySpec macKey = new SecretKeySpec(getKey1().getBytes(), "HmacSHA256");
Mac hmacSha256 = Mac.getInstance("HmacSHA256");
hmacSha256.init(macKey);
hmacSha256.update((Base64.encodeToString(getIV1().getBytes(), Base64.DEFAULT).trim() + encryptedData.trim()).getBytes());
byte[] calcMac = hmacSha256.doFinal();
return new EncryptedData(encryptedData, bytesToHex(calcMac));
} else {
throw new Exception("Empty string");
}
}
}
Any one know how this will works in iOS.
Any help will be appreciated.
Thanks
Here is a simple HMAC implement in Swift 4:
0xa6a/HMAC
No third-party library is needed. Just create a bridging header and import <CommonCrypto/CommonCrypto.h> in it.
Have a try and happy coding.
I made a feedback project. I made it on ASP.NET MVC 5 it also has crystal reports. reports were working fine, but suddenly they stopped to work. I don't what happened with them. but since last week I tried hard to find solution but unfortunately could not get the right one who solved the solution. I downloaded different run times but all went vain. this is the bottom line of error.
"Method not found: 'CrystalDecisions.ReportAppServer.DataDefModel.PropertyBag CrystalDecisions.ReportAppServer.ReportDefModel.ISCRExportOptions.get_ExportOptionsEx()'"
this is the code:
public CrystalReportFeedback UserFeedbackDateWise(FeedbackReport be){
if (Session["CurrentUser"] != null && Convert.ToInt32(Session["User_Id"]) != 0)
{
string reportPath = Path.Combine(Server.MapPath("~/Reports"), "UserFeedbackReport.rpt");
if (ModelState.IsValid)
{
be.FromDate = Convert.ToDateTime(TempData["UserFromDate"]);
be.ToDate = Convert.ToDateTime(TempData["UserToDate"]);
be.User_Id = Convert.ToInt32(Session["User_Id"]);
}
return new CrystalReportFeedback(reportPath, be);
}
else
{
return null;
//new CrystalReportFeedback(reportPath, be);
}
}
Init of the report :
public CrystalReportFeedback(string reportPath, FeedbackReport be)//, object dataSet)
{
//int[] array;
string strConnect = Convert.ToString(System.Configuration.ConfigurationManager.ConnectionStrings["TSC"]);
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(strConnect);
string _username = builder.UserID;
string _pass = builder.Password;
string _server = builder.DataSource;
string _database = builder.InitialCatalog;
ReportDocument reportDocument = new ReportDocument();
//
reportDocument.Load(reportPath);
reportDocument.SetDatabaseLogon(_username, _pass, _server, _database);
if (be.Region_Id != 0)
{
reportDocument.SetParameterValue("#Region_Id", be.Region_Id);
}
if (be.User_Id != 0)
{
reportDocument.SetParameterValue("#User_Id", be.User_Id);
}
reportDocument.SetParameterValue("#FromDate", be.FromDate);
reportDocument.SetParameterValue("#ToDate", be.ToDate);
//reportDocument.ExportToDisk(ExportFormatType.PortableDocFormat, "C:\report.pdf");
_contentBytes = StreamToBytes(reportDocument.ExportToStream(ExportFormatType.PortableDocFormat));
}
Export method :
public override void ExecuteResult(ControllerContext context)
{
var response = context.HttpContext.ApplicationInstance.Response;
response.Clear();
response.Buffer = false;
response.ClearContent();
response.ClearHeaders();
response.Cache.SetCacheability(HttpCacheability.Public);
response.ContentType = "application/pdf";
using (var stream = new MemoryStream(_contentBytes))
{
stream.WriteTo(response.OutputStream);
stream.Flush();
}
}
private static byte[] StreamToBytes(Stream input)
{
byte[] buffer = new byte[16 * 1024];
using (MemoryStream ms = new MemoryStream())
{
int read;
while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
{
ms.Write(buffer, 0, read);
}
return ms.ToArray();
}
}
Hope that I will get my solution at earliest.
this is modified code:
[HttpGet]
public FileResult UserFeedbackDateWise(FeedbackReport be)
{
if (Session["CurrentUser"] != null && Convert.ToInt32(Session["User_Id"]) != 0)
{
string reportPath = Path.Combine(Server.MapPath("~/Reports"), "UserFeedbackReport.rpt");
if (ModelState.IsValid)
{
be.FromDate = Convert.ToDateTime(TempData["UserFromDate"]);
be.ToDate = Convert.ToDateTime(TempData["UserToDate"]);
be.User_Id = Convert.ToInt32(Session["User_Id"]);
}
string strConnect = Convert.ToString(System.Configuration.ConfigurationManager.ConnectionStrings["TSC"]);
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(strConnect);
string _username = builder.UserID;
string _pass = builder.Password;
string _server = builder.DataSource;
string _database = builder.InitialCatalog;
ReportDocument reportDocument = new ReportDocument();
//
reportDocument.Load(reportPath);
reportDocument.SetDatabaseLogon(_username, _pass, _server, _database);
if (be.Region_Id != 0)
{
reportDocument.SetParameterValue("#Region_Id", be.Region_Id);
}
if (be.User_Id != 0)
{
reportDocument.SetParameterValue("#User_Id", be.User_Id);
}
reportDocument.SetParameterValue("#FromDate", be.FromDate);
reportDocument.SetParameterValue("#ToDate", be.ToDate);
Stream stream = reportDocument.ExportToStream(CrystalDecisions.Shared.ExportFormatType.PortableDocFormat);
//Here i have my stream with my pdf report, i just create a new FileStreamResult and return it to my client like that :
FileStreamResult myfile = new FileStreamResult(stream, "application/pdf");
return myfile;
//new CrystalReportFeedback(reportPath, be);
}
else
{
return null;
//new CrystalReportFeedback(reportPath, be);
}
}
This isn't a coding issue, it's a runtime issue. The version of the crystal runtime or the bitness of your application.
One thing to try first is to upgrade both your development version and ensure you're running the same version in production. See https://apps.support.sap.com/sap/support/knowledge/public/en/2148492 for more details
It says:
Compile your application either to 'X86 mode' or 'X64 mode'
Install the particular versions of runtimes on deployment machine.
i.e. If the application is compiled as 32 bit, then install the 32bit runtimes.
I'll try my best to help you exporting your report, but your post is not very clear. For your next post try to be very specific and provide as much information as you can.
I currently made a MVC project and export a crystalreport report from my controller to my client.
I think that your ExecuteResult method can work, but working with the httpcontext is useless, Crystalreport and .NET provide some useful methods to do the same.
So i'll show you how i create and export my report so you can copy / paste and modify your code.
Here is my controller method, called from a button :
[HttpGet]
public FileResult InitReport()
{
//I create my report here
FileImportReport rptH = new FileImportReport();
// Some configuration on the report, datasource, databaselogon .. etc
...
//
//Then I export my report to a pdf stream like that :
Stream stream = rptH.ExportToStream(CrystalDecisions.Shared.ExportFormatType.PortableDocFormat);
//Here i have my stream with my pdf report, i just create a new FileStreamResult and return it to my client like that :
FileStreamResult myfile = new FileStreamResult(stream, "application/pdf");
return myfile;
}
My method is called from a button but it can work like you want, or the file can be saved in any known path.
You can test to reproduce my code, in your CrystalReportFeedback method use my code with your reportDocument object, you don't need to use your StreamToBytes method.
Regards,
EDIT : Useful links with your error :
Crystal Reports exception in Visual Studio 2013
https://www.arcanadev.com/support/kb/K00000499.aspx
I am trying to validate an assertion signature received from an IDP. It results in a failure with following error :
Verification failed for URI "#_7e59add4-11a0-415f-85a3-6f493110d198"
Expected Digest: PgSvwq0Jn6GLMHID20j1fT40VlhvdavKxEM3PtNUfLM=
Actual Digest: mDcfPO26UwGV/tt/JM20ADDDkGGODjd2CZn7dqqR5LM=
org.opensaml.xml.signature.SignatureValidator(SignatureValidator.java:77) -
Signature did not validate against the credential's key
following is the code I am using to validate :
public class SamlTest {
public static void main(String[] args) throws Exception {
// read the file
File file = new File("d://a.xml");
BufferedReader bf = new BufferedReader(new FileReader(file));
String str = null;
String samlStr = "";
while ((str = bf.readLine()) != null) {
samlStr += str;
}
Assertion assertion = SamlTest.unmarshall(samlStr);
//Always do Profile Validation before cryptographically verify the Signature
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(assertion.getSignature());
} catch (ValidationException e) {
System.out.println("ErrorString [Error in SAMLSignatureProfilValidation]");
}
Certificate certificate = SamlTest.getCertificate(assertion.getSignature());
BasicCredential verificationCredential = new BasicCredential();
verificationCredential.setPublicKey(certificate.getPublicKey());
SignatureValidator sigValidator = new SignatureValidator(verificationCredential);
try {
sigValidator.validate(assertion.getSignature());
} catch (ValidationException e) {
System.out.println("unable to validate");
}
}
private static Assertion unmarshall(String samlStr) throws Exception {
DefaultBootstrap.bootstrap();
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder docBuilder = null;
docBuilder = documentBuilderFactory.newDocumentBuilder();
ByteArrayInputStream is = new ByteArrayInputStream(samlStr.getBytes());
Document document = null;
document = docBuilder.parse(is);
Element element = document.getDocumentElement();
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
return (Assertion) unmarshaller.unmarshall(element);
}
private static Certificate getCertificate(Signature signature) {
try {
X509Certificate certificate = signature.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0);
if (certificate != null) {
//Converts org.opensaml.xml.signature.X509Certificate to java.security.cert.Certificate
String lexicalXSDBase64Binary = certificate.getValue();
byte[] decoded = DatatypeConverter.parseBase64Binary(lexicalXSDBase64Binary);
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(decoded));
return cert;
} catch (CertificateException e) {
//this should never happen
System.out.println("SAML Signature issue");
return null;
}
}
return null; // TODO Auto-generated method stub
} catch (NullPointerException e) {
//Null certificates
return null;
}
}}
below is the assertion xml received : `
<?xml version="1.0" encoding="UTF-8" standalone="no"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns10="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns3="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns5="http://www.w3.org/2000/09/xmldsig#" xmlns:ns6="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" xmlns:ns7="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns8="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:ns9="http://www.w3.org/2005/08/addressing" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_7e59add4-11a0-415f-85a3-6f493110d198" IssueInstant="2015-06-16T19:38:03.664Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://localhost/websso/SAML2/Metadata/vsphere.local</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_7e59add4-11a0-415f-85a3-6f493110d198"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>PgSvwq0Jn6GLMHID20j1fT40VlhvdavKxEM3PtNUfLM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ovoMj6mUzEnhayptgu3MwQOiBEs47GO8Xs/H02SgO8/881X5m7anAmS8yIjHiOTu3Q0kNJH1K2cQ
uBNxKQG75jPHbM3wF6XVKLbcyjAWHjtg3Ndz6F2spIP13LZ7LM2KUBcwGh9YWBnybJWxwr70+qj0
7xHO5wEnV3RpkQPCjMgAfnesEAEHoCGpnQNQu0twSffWzKLKZcg6PHS2g49WY1r65Sw5Jcy9/VdN
4/mtEuNa4fb0wNbaKcpPxsjUo7dbeMdbZxl5T0E2pOTzGJkRKVfw1P6Vd2qIFrORVpfni5LAYkET
GJA40iY7wfVLJflIX7+9QcIEtMKsL5rbtxvQpQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDcDCCAligAwIBAgIJAMGuXxNnFfBZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAMMAkNBMRcw
FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
UzEQMA4GA1UECgwHcnVjaGF2YzAeFw0xNTAyMTcxNjMzNTFaFw0yNTAyMTExNjQzNDJaMBgxFjAU
BgNVBAMMDXNzb3NlcnZlclNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqV+/l
kSS9U2y6RBsLiqxwdiLjJJFCw/3iFu/Fmpu8vltMNPE5ryZsT87HJGzK8jDgGoTcD0DbbUk7+Sbe
XGVj7n5ZsBXiTt8nbpWQkUfBcNxKimqkGm3WgRgF3UjtNt4enC+mOLw4/aicBvvuscd8ur1QyJxK
zTUVOtkKFYg1FuKaelkSA2GrScLBzjaU99L0K2YrWncKG2T+1yIK5Md4TPr4X3GwhEqlBn7YK2sJ
43ILrEu43BCGyhkawp3bOHhnMVzMUHi2eY4NLXj0ZNTUFRrl8LKpDlSqFwL7ChNuhfLJOlncDwvD
20gOa6TWEC8qr3hXo4u5vUx9j2e5PS/pAgMBAAGjeTB3MAsGA1UdDwQEAwIF4DAoBgNVHREEITAf
gh1ydWNoYXZjLnRlc3RsYWIuY29tbXZhdWx0LmNvbTAdBgNVHQ4EFgQUjBP2wdHo83NDTsksTBtf
/1+EwA4wHwYDVR0jBBgwFoAU++fsPhJCQ4XETaWO1bQCjDDAgM8wDQYJKoZIhvcNAQELBQADggEB
AD4WqxL4+y4Uz/IzrKljq8mpU+dZNqpni8u5RaPUa4z/abfpB/vgSD08WGo7FHOYKDVJK6ScE8wB
+cuUV0/rL+4/L1sUVj4hixH/fUVS6jO6/SZerHEZ0ubO/X5zZAyfWXOKvxa6llgNFYjKGqd74+Lh
LCB2w84/VOOOJlaBJFFbh/9AY8cwtd8jFnMAYmQE7YQSLEagIKoeQSiVO1H8Kbhs4EQtLVmEQjR9
Pt1/H8VsRtPs+/0vAbzq8DJ6FTMz+OuhpyJHmIdP2Xw8T/2LGpGFSTVzbeGKGW3h7cCHA0MEHQ2J
ags26hB/IvRy2PxLgA9yRUroro9dbW8jIGch4UM=</ds:X509Certificate><ds:X509Certificate>MIIDgDCCAmigAwIBAgIJAP828FCXHTizMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAMMAkNBMRcw
FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
UzEQMA4GA1UECgwHcnVjaGF2YzAeFw0xNTAyMTQxNjQzNDJaFw0yNTAyMTExNjQzNDJaMFwxCzAJ
BgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2Fs
MQswCQYDVQQGEwJVUzEQMA4GA1UECgwHcnVjaGF2YzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALgcEKO2qkQobx4vGXNG2D6HqnHNwiqEBs+cbrAGRwVtT2AxavMu4aUL9kDO8yyrqXT2
UF5W5B2jFEWr413h8MmV4v+F/+MqVW7UXQ6C0f6bsaBLdmQNa69b4EAj0UGvvohogObglvP9Du0n
qXwDTt3NMg2aJefHtLsyAXA6A1IR85g/AdImBezM0ZgUALpf1Jaq3XjZvR9XqRiu/VZHDEJacxep
/Csw9AuLA5D2U8bWBV8URoBIfFzyho+3dYG8zS1l9Ym5CvSP98nryWSH1LwsEBVunoZpVE+TLGsz
A4uui1/y31gO04y44DxZp1Bh/HfIT4woOIOIlBqOGd5Rz+kCAwEAAaNFMEMwHQYDVR0OBBYEFPvn
7D4SQkOFxE2ljtW0AowwwIDPMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMA0G
CSqGSIb3DQEBCwUAA4IBAQBcRs/wwAfkWVbwgVKkucSMnRNb7kPS7qERcUykMGA/46QXhDcDShd1
j2aXbZKx0DNLKpGYuIN4N6uGdHZu0jABaSMOtVYdXCAHdXGPYJB6vV/l3jOOVvOPULwaf8lbBrmM
AuR6F6J1DBiXH+XMuOPB6/Tp9YYSoFJkPqhxqxyns3tjjTXmCIcoEUuPqACniLk6aUzlKFzDUt2N
hp34Qzj4BdH7QepHjR/mcDkVVaMjY597d2f/kAJm0D/l01W3nyKCbDb3yq3w8f6gj1WIIB6o8w9R
HsZwm4eVFYhJWWvi9N2wci8X5PMdDi/abUxhOT7EYEQGk39dfc/VTEQoMKrE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">Administrator</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">vsphere-webclient-21665f80-b6c4-11e4-b9fe-005056a638d3#vsphere.local</saml2:NameID><saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIID5TCCAs2gAwIBAgIJAMk0TrGWNX/vMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAMMAkNBMRcw
FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
UzEQMA4GA1UECgwHcnVjaGF2YzAeFw0xNTAyMTcxNjM1MDhaFw0yNTAyMTExNjQzNDJaMIGMMRow
GAYDVQQDDBF2c3BoZXJlLXdlYmNsaWVudDEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJ
kiaJk/IsZAEZFgVsb2NhbDELMAkGA1UEBhMCVVMxMTAvBgNVBAsMKG1JRC0yMTY2NWY4MC1iNmM0
LTExZTQtYjlmZS0wMDUwNTZhNjM4ZDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA
zkp7RK+aOZqq4+yyp/gfsLr4jQnOiLCNGdvEeLXVhUPWogYl0MkHEt3DY6i2HqL0xmmPeRjmOJ1T
62eR3Nc8ugrapKUy7bYgCTT6rzvjU7KtzHg/SncuwncrB53//lSndJ41UtTWNxZSqqja3tmfg3pT
4EQkv0YiyEeayKJhfNz6XiuL12wdBvai0SIEFIsZTq92hNlTs4W58tT8ov6408BEMtRcTVHrOSAS
BS2waelqHAt141PWos3ynz4MUsxRs2p0T77K+wh2Mj/eWQgJJnVVuc4oVA1uLOQHjP777QV/gEkd
p6v42q8b+24LtTWJssMIVvmsmvoEtItDbpApAgMBAAGjeTB3MAsGA1UdDwQEAwIF4DAoBgNVHREE
ITAfgh1ydWNoYXZjLnRlc3RsYWIuY29tbXZhdWx0LmNvbTAdBgNVHQ4EFgQUHR0Ta1eFnWxSD37T
ZFPQncCZYlswHwYDVR0jBBgwFoAU++fsPhJCQ4XETaWO1bQCjDDAgM8wDQYJKoZIhvcNAQELBQAD
ggEBAETECKs16qfadNvLwNysQq5F9Y9pAhnss6PniRLdQ2D7dbKgLNjgi4CIEV3SuaDXaqONV9IV
+IjAg6N+yMqGghc64MyAzDS0Rkp2R7hfNjyYUcG9lNTSpsKSZE0iNb9RWaqrPKu4RsnPvjIStx43
EytkF63Q7ktYxFCXlnB9AVeMa6nfOzFZS+SXHrd+zWs62Hp/9mBHLoHKEYYQawpJlbBnAkg8WZxq
uVE/Ky5Gv8ni3eAovM2g0Ot7gqqbfPH09Yk4L9pBUPw/lT2icBvZ6yHgWxmEnZuHBKUF5B8F0smI
TSCwNY2lUghkxxCdTEaqsthPGb9uYEB6JFJDgblgEBg=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-06-16T19:38:51.295Z" NotOnOrAfter="2015-07-16T19:38:51.295Z"><saml2:ProxyRestriction Count="9"/><saml2:Condition xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xsi:type="del:DelegationRestrictionType"><del:Delegate DelegationInstant="2015-06-16T19:36:37.101Z"><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">vsphere-webclient-21665f80-b6c4-11e4-b9fe-005056a638d3#vsphere.local</saml2:NameID></del:Delegate></saml2:Condition><saml2:Condition xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="9" xsi:type="rsa:RenewRestrictionType"/></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2015-06-16T19:38:03.662Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">Administrator</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">SophosAdministrator</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.localAdministrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.localEveryone</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string"/></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
`could someone please help me find the issue here.