msdeploy getting ERROR_CERTIFICATE_VALIDATION_FAILED, allowUntrusted being ignored - msdeploy

I am using msdeploy to push out website code to 4 different servers (test and production servers). Works fine on the first 3, but the 4th is giving me an ERROR_CERTIFICATE_VALIDATION_FAILED error. I am using the -allowUntrusted option.
"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:sync -source:iisApp="E:\workspace\testDeploy\outproject\_PublishedWebsites\<webfolder>" -dest:iisApp="mycompany.com",ComputerName="https://<hostip>:8172/MsDeploy.axd",UserName="<userid>",Password="****",AuthType="Basic" -allowUntrusted -enableRule:AppOffline -skip:objectName=filePath,absolutePath="^.*<webfolder>\\web.*\.config$|^.*mycompany\.com\\web.*\.config"
Error Code: ERROR_CERTIFICATE_VALIDATION_FAILED
More Infenter code hereormation: Connected to the remote computer ("<hostip>") using the specified process ("Web Management Service"), but could not verify the server's certificate. If you trust the server, connect again and allow untrusted certificates. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_CERTIFICATE_VALIDATION_FAILED.
Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Error: The remote certificate is invalid according to the validation procedure.
Any idea what I am missing?

Adding <AllowUntrustedCertificate>True</AllowUntrustedCertificate> to my pubxml file seemed to fix the problem initially.
Upon re-publishing days later though, I got the same error. I went into the Publish Settings, re-entered my password and the publish succeeded.
I'm now thinking my initial problem was solved by re-entering my password, not by adding <AllowUntrustedCertificate>True</AllowUntrustedCertificate>.

-allowUntrusted did not worked for me.
I used this:
/p:AllowUntrustedCertificate=True

Adding this solution as none of the others worked for me...
I had to add these lines to publish profile:
<UseMSDeployExe>True</UseMSDeployExe>
<AllowUntrustedCertificate>True</AllowUntrustedCertificate>
After adding those, publish still failed. Then I opened the publish profile settings, clicked validate connection, and saved. Only then did publish succeed.

I fixed this by going into the publish settings, then clicking "Validate Connection" at the bottom. Then this error goes away.

The problem was with the password for the user on the destination system.
I saw on another post that someone moved the -allowUntrusted flag before the -dest entry. I tried that and I started getting a ERROR_USER_UNAUTHORIZED message. Everything was correct with the password as it was entered, but it started with an * character and also had a single quote in it. I generated a new password for the user that didn't use those special characters and changed it on the remote system. After that, everything worked fine.
I was able to run the command as shown in the initial post without any error.
If you are getting a ERROR_CERTIFICATE_VALIDATION_FAILED or ERROR_USER_UNAUTHORIZED and everything is set up properly, try changing the password assigned to the user on the destination system. It would seem that some passwords just won't work.

Another Potential Solution - Deploying Web Jobs specifically
I know this is an old post, but I ran into this issue with VS 2019 when deploying my Azure Web Jobs. None of the above worked for me. What did end up working was re-authenticating using the tooling after updating the publishing profile. The way I resolved it was by right clicking the solution and selecting "Publish as Azure Webjob.." Even after creating a new publishing profile it still failed. I then added the following my publishing profile.
<_DestinationType>AzureWebSite</_DestinationType>
<UseMSDeployExe>True</UseMSDeployExe>
<AllowUntrustedCertificate>True</AllowUntrustedCertificate>
I tried publishing it again and it failed. Then I re-authenticated by clicking the edit password link shown below.
When you do, you'll see the following screen. Click on the "Attempt to retrieve credentials from Azure" link.
Don't forget to hit the save button at the bottom after retrieving the creds from Azure. Once you do, go back and try publishing again. It should work just fine.
NOTE: If you just pulled down/created your publishing profile for the first time, do not click the edit button under the name of the Publishing profile and validate the connection that way as shown below.
If you do, it may remove the username/password from the UI for the publishing tooling shown in my first image above. If it disappears, you need to start this process all over again by deleting your profile, creating a new one and finally following the steps above in order. I don't know why it does this, but just something I noticed.

I notice you used the IP address for the deployment server:
-dest:iisApp="mycompany.com",ComputerName="https://<hostip>:8172/MsDeploy.axd"
This caused the certificate validation error for me because the SSL certificate was issued for the domain name, not the IP address. Changing to domain name instead of IP address fixed it.

Just want to add my 50 cents and my solution so it may help someone else.
what i did yo solve this is to use remote desktop to connect to the host machine
and when asked to accept the machine certificate ( after input login and password ) i marked remember this at the bottom.
hope this help someone

Related

The trust relationship between the primary domain and the trusted domain failed

We have an ASP.NET v4.0 IIS Webapp and we are getting this error a few times a day and it requires a reboot of the domain controllers to fix. There are no real issues with the trust that I can see. With two servers running the web app one can work while another shows this error. The issue happens when we contact Active Directory to get a users roles so that we can build a menu. When the issue comes up, I cannot remote debug the app.
This is the line that starts off the error:
System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection
sourceAccounts, Boolean& someFailed) +1085
I have tried unjoining and rejoining the web server to the domain. And have followed this kb article https://support.microsoft.com/en-us/help/324383/troubleshooting-scecli-1202-events that talks about users with spaces in their name. So far no luck.
Is there anything else I can check? Are there some safeguards I can put into the app to help mitigate this issue?
The issue that we had was caused by our application checking to see if a user was in a security group that did not exist. Once we updated it so that it only validated against existing security groups, the problem went away.
Sometimes if you are not connected to domain also cause this issue, I solved.

ASP.Net redirecting to local host after authentication

I just created a webform that is hosted in my Azure subscription. I set it up with authenication via my works Azure directory for authenticating users. In debug this works fine and I am able to login with my work credentials and then view the website via local host.
I have published this to my Azure and it says it is running and working fine. So when I try to connect to the website it continuously redirects me to the localhost resulting in an error.
I have checked the web config.
Here is the google network chain of events when it occurs.
I am really lost as to what is wrong and what I need to do to fix this so any help would be greatly appreciated. I'm sorry I can't offer more but I don't even know what is wrong to begin with or where to look. Is there some setting in Azure that I need to add the website too?
I have solved this issue. Since it was such a pain I will keep this up as I couldn't find any answers on this. It was actually quite simple.
You have two options. The one I did and which worked was changing the publish profile as below:
Add the domain where the authentication is occurring. So if you have your web app hosted by a different azure account that which is authenticating the users, use the one that is authenticating.
This will create two versions of your app on the site one for local host and one for the actual site.
The second option(I have not tried this but it should work) is to go to the Azure account where you are authenticating the users and go to applications and then configure. Change the APP URL from local host to the url you are trying to get to.
Here is an excellent link that explains how to do this clearly.
Click this link for detailed explanation
I also had this issue and took these steps to resolve
navigate to the app registration in AAD
Open the manifest
Change the ReplyUrl to the url of the app (e.g. http://appname.azurewebsites.net)
Then I got the error
Bad Request - Request Too Long HTTP Error 400. The size of the request headers is too long.
Next I cleared all cookies from the browser, and this changed the error to just
Bad Request
So I went back to that ReplyUrl and changed it to https://appname.azurewebsites.net/.auth/login/aad/callback and now it appears to work.
Note I also had to make sure I didn't have the site open in any other tabs before it started working
I had this issue when I switched an app from our company Azure over to a customer's Azure. In my case I'd forgotten to update the ida:ClientId, ida:AADInstance and ida:TenantId, which then meant that the value I'd set for ida:PostLogoutRedirectUri was ignored (I think) and instead my app redirected to localhost.
Once I changed those ida values to the values from the app settings and subscriptions settings on our customer's Azure it all worked as expected.
It took a while to track down all the values in Azure portal as they are all called something different, or aren't named at all:
ClientId can be found at Azure Active Directory > App Registrations > YourAppName. It's called 'Application ID' in Azure
Domain can be found on Azure Active Directory > Overview. It's currently in the top left in the format somename.onmicrosoft.com
TenantId this is the Azure AD instance ID, get that from Azure Active Directory > Properties and then it's called 'Directory ID'
I spent a lot of time trying to work out where the localhost port that was being redirected to was in the code, but it simply isn't there as far as I can see, so I have no idea how Azure was choosing what localhost address to redirect to!
You need to set another parameter in configuration that is replyUrl and assign to your web app, other wise it takes the url from which it was originated.
I was able to fix this by changing my Startup.Auth.cs file redirectUri from "https://localhost:44316/" to https://myapp.com/

Vtiger error message "Sorry! Attempt to access restricted file." and illegal request

I am trying to migrate from one server with vTiger 6.0 to a new server with vtiger 6.2.
I complete the installation and also i move the database from the old server and no problems in those parts.
The errors come when i try to login, if i try to login with my user i get the error
"Sorry! Attempt to access restricted file"
and when i try to login with the admin account i get a lot of illegal request messages, i do get the vTiger GUI but if i click in one option menu i get a illegal request and if i logout it displays the next message
"{"success":false,"error":{"code":"Illegal request","message":"Illegal request"}}"
i'm new to Vtiger and i don't know why is this happening.
Some extra info i have try to check the path directory and seems to be right, the database data is right too it recognize the users when you log in just doesnt show anything but an error.
When i finish the installation i could enter with no problem the problem start when i uploaded the Database.
Also i want to access to enter from another computer, do i need to enable port 8888 on the server?
I am using a localhost and from that pc i want to acces from another pc.
Illegal request error is due to the improper CSRF validation. Please make sure that your browser url is same as your $site_URL in config.inc.php file .
config.inc.php file you will get from your Directory following below path --
C:\Program Files (x86)\vtigerCRM620\apache\htdocs\vtigerCRM\config.inc.php
In that file change $site_URL from 'http://localhost:8888/'; to 'http://1.6.2.12:8888/'; (1.6.2.12 is your machine IP)
This process will make your machine "1.6.2.12" into server for Vtiger application, so your application will be hosted on server 1.6.2.12 and then you can access this application on other computer also.
Port-8888 is used by Apache which is inbuilt in Vtiger by default so don't make any changes in that.
If you've migrated your data then try checking /vtiger/user_privileges/
There should be 2 files for each user: user-privileges-.php and sharing-privileges-.php (admin will be 1)
These can become lost and/or have dodgy permissions after migration, has happened twice to me. For some reason, Admin always copies over and works.
From your backup, take the related user files in /vtiger/user_priveleges/ and put them in new working folder and set permissions to read/write.
Make sure you transfer all files in /user_privileges because they are generated by sharing rules system in vTiger should be transferred like database.

System.ArgumentException: Format of the initialization string does not conform to specification starting at index 0

Firstly, I am aware this problem has been dealt with before here, and the solutions are always corrections to the connection string.
However, in our case, the connection string is correct, because most of the time it works fine. What happens is at some point the site 'stops' and starts logging this error. Simply recycling the app pool clears it, and everything is good again until the next time. A site might run fine for hours or days, but then it falls over and every request logs this error.
Since it is a transient error, I suspect it is somehow memory or service related? Either some kind of service that handles the connection from the ASP.NET site fails within the app pool, or there is some shortage of memory so whatever process is required to handle the connection fails.
It is not just a single server, I have seen this issue occur on various customers' servers, so I don't think it is some obscure glitch with a particular server. I have also seen sites that were running fine for a long time start to experience this issue (which suggests to me it is related to resource availability).
For the sake of completeness, this is the connection string from a site that exhibits this problem:
<add name="SQLConnection" connectionString="Data Source=localhost\sqlexpress;
Integrated Security=True;Initial Catalog=databasename"
providerName="System.Data.SqlClient" />
But like I said, this works absolutely fine for hours/days, until the problem occurs.
Just surfing with error message and got one link from Microsoft.
Seems to me like your problem.
Can have a look on this.
http://social.msdn.microsoft.com/Forums/en-US/9f191038-dbf6-4306-8f66-ec211a1e933a/format-of-the-initialization-string-does-not-conform-to-specification-starting-at-index-0?forum=adodotnetdataproviders
Thanks
Can you please check following points:
Make sure the account has full permission (both read and write) on folder:
"C:\INETPUB\WWWROOT\BE SITE WORK(FINAL)\4SIGHT\WEBSITE\BARAMATIESTATES\BARAMATIESTATES\”
I recommend that set “C:\INETPUB” folder allow all user access and edit, at least give full administrator right to IIS account.
2 Make sure IIS account is sysadmin of SQL Server.
Setting IIS Permissions for an Object
You can set permissions for any object in IIS, including Web sites, folders, files, and scripts. To set the permissions for an object in IIS:
Log on to the Web server computer as an administrator.
Click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Services Manager.
Right-click the Web site that you want to configure in the left pane, and then click Properties.
If you want to set the permissions for a Web site's home folder, click the Home Directory tab.
If you want to set the permissions for a folder in a Web site, click the Directory tab.
If you want to set the permissions for a file or a script in a folder, click the File tab.
Click the corresponding permissions that you want to set for the object.
To turn on script processing for a Web site or folder, click Scripts Only from the Execute permissions list.To turn off script processing, click None.
Click OK.
if the issue still persist let me know :)

FTP Error 530 User cannot login

I am trying to FTP to a new FTP site I setup with IIS 7.0 for the Windows Server Web (64-bit) edition. But I get the above error when I try to login to this site. But I can login to my other FTP sites.
Also, when I select this website from IIS Manager, the FTP section does not display in the middle section although it does display in Action panel. And I cannot successfully login to this FTP site either.
I have checked and I have Log on locally selected. I do not have allow only anonymous connections. I have Access this computer from the network selected.
I restarted my IIS and FTP services also.
The one different thing I noticed about this website in IIS different from the other site that has FTP working is that this one there are 3 virtual directories beneath the site. And that when I click on any one of these 3, then the FTP strip does appear in the center pane. Make sense?
How can I debug cause of this error? Any SW tools I can use?
Have you tried logging in from the FTP server? If you do this, and have "Show detailed messages from local requests" enabled under FTP Messages, then you'll get a clearer idea as to why the login if failing. In my case I got the following message (I am using IIS Manager Users, and Passthrough authentication)
530-User cannot log in.
Win32 error: Access is denied.
Error details: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
Error: Cannot read configuration file due to insufficient permissions
To solve this I gave the NETWORK SERVICES user read only access to the config directory specified in the error message. I'm not 100% sure this is the right thing to do, but it certainly fixed this issue for me.
in my situation, I was missing Role Service FTP extensibility, which is actually allows IIS Manager Auth.
This is pretty tricky, as you could allow IIS Manager auth, but still it would not work until you have not installed FTP Extensibility
In my case I forgot to enable the Basic authentication
There seem to be many different possible causes. In my case, I was unable to login with the plain "username" with the same error as mentioned.
It was solved when I logged in with ".\username" instead.
For some reason the FTP client was trying to login with a domain account, while I just wanted to login with a local computer account.
Hope this helps someone.
Try submitting your credentials in this format:
UserName: Domain|Username
Password: secretSquirrel
I had the same problem, I removed the FTP site and followed this:
http://www.iis.net/learn/publish/using-the-ftp-service/configure-ftp-with-iis-manager-authentication-in-iis-7
Prerequisites - I set the permissions on the folders using the 4 command samples but this did not alone fix the issue, so I cannot in good faith say this step is needed, but it is what I did and it now works.
CONFIGURE THE IIS MANAGEMENT SERVICE AND ADD AN IIS 7 MANAGER -
Just do step 4, removing the existing user first and then re-adding them.
Creating a New FTP Site and Configuring an IIS 7 Manager Account -
All the steps here
CONFIGURE THE FTP SITE TO USE IIS 7 MANAGER AUTHENTICATION
All 12 steps here, including the "administrator" setting in step 5.
Then it started working for me, I am guessing when I did this without a guide I skipped something simple.
In My case I have made that user a member of IIS_IUSERS.
Using IIS Users.
Do not isolate users -> User name directory was working fine. Users started in the right folder.
When I was switching to Isolate Users -> User name Directory I had the following error:
Response: 530 User cannot log in, home directory inaccessible.
Win32 error: The system cannot find the path specified.
For some reason, you need to add the LocalUser virtual directory that points to your root.
It has to be that exact name and it's case sensitive.
That worked for me.
Per this knowledgebase article, you would need the log on locally privilege enabled.
http://support.microsoft.com/kb/200475
I had the exact same error. In my case, I was using a local user defined on the server running FTP. The username was very short (3 characters). I could "run as" this user on the server, confirming that Windows was Ok with it, and allowed it to authenticate. But when testing FTP, it would return User cannot log in.
Solution? I renamed the user to be longer (4 characters). Of course, updated its name under Authorization as well. Then FTP worked. Hope it helps someone!
For me, I've configured the IIS as per usual procedure properly. The anonymous authentication was working but specific user are not.
because, the user accounts were created in IIS. Actually it was also supposed to be created Windows local accounts.
Then it worked.
Please Check the security of folder which is use that ftp .
see if the user or group you select for that ftp is associate with security of that folder .
In my case I had to remove domain from user.
So, your user should be like username, not like domain\username.
Hope it helps to somebody.
For some reason my user was "locked". So I could "unlock" it at local user manager (computer management). Now it works fine. I hope it helps.
I would recommend checking FTP logs first. The status code will give you more information about the issue. Here is the explanation of the status codes: The FTP status codes in IIS 7.0 and later versions
I had this issue because my IIS didn't support passive mode. After entering data in FTP Firewall Support module, the issue was solved.
More scenarios from this post 530 User cannot log in, home directory inaccessible
Authorization rules. Make sure to have an Authorization rule that allows the user or anonymous access. Check “IIS > FTP site > FTP Authorization Rules” page to allow or deny access for certain or all users.
NTFS permissions. The FTP users (local or domain users) should have permissions on the physical folder. Right click the folder and go to Properties. In the Security tab, make sure the user has required permissions. You can ignore Shared tab. It is not used for FTP access.
Locked account. If you local or domain account is locked or expired, you may end up seeing “User cannot log in” error. Check local user properties or Active Directory user settings to make sure the user account is active.
Other permission issues. The user account may not have “Log on locally” or “Allow only anonymous connections security” rights.
I spent long time looking for a solution, I've tried every shared answer on the internet and nothing could solve the issue. It is an issue I was ignoring for years and I never could fix.
Ok, I've Plesk installed and I'm not sure if it has some effect on IIS FTP to do the following behavior ...
Using Process Monitor tool, and making ftp login request and watching the tool and doing your investigation using this tool, you can get a hint about the REAL reason of the problem.
For me, I found out that IIS FTP was trying to access the ftp folder from a path DIFFERENT than the actual ftp path I've set, I do not know why, but maybe Plesk has some effect on this.
The actual ftp path is
C:\inetpub\vhosts\zidapp
The path that IIS FTP was trying to access DURING the login process is
C:\inetpub\vhosts\Servers\7\localuser\zid_app_ftp_user
I fixed the issue by creating a folder link from 'actual' folder path to the path IIS was trying to access - using the tool mklink tool
CMD command
mklink /d C:\inetpub\vhosts\Servers\7\localuser\zid_app_ftp_user "C:\inetpub\vhosts\zidapp"
I've fixed the issue that way, so wen FTP is trying to access the folder from the wrong path, it is now goes to the correct one.
Please note doing folder shortcut wont work for this, you need a link like linux, not a shortcut ...
I hope it will help you :)
You can check the reference account you are using to log in.
Mine happened to be locked out causing the 530 error.

Resources