Develop Reference

WNS Notification : Channel URL incompatible with caller app

I'm currently developping an mobile application based on Cordova (version 4.0.0) for Windows Phone 8.1.
I implemented the Java code from API Java-WNS (from github of fernandospr) to send notification to my device.
When I push the notification message to WNS, I get this error :
Client in-bound response
403
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-WNS-DEBUG-TRACE: DB5SCH101111133
Date: Fri, 22 Jan 2016 10:44:55 GMT
Content-Length: 0
X-WNS-STATUS: dropped
X-WNS-ERROR-DESCRIPTION: Channel URL incompatible with caller app
X-WNS-MSG-ID: 6D850FC61AE7FDB5
X-WNS-NOTIFICATIONSTATUS: dropped
Here's the different steps to configure my app to receive notifications :
I registered my app from windows developper dashboard
I have a SID package : ms-app://s-1-15-2-[...]-[...]-[...]-[...]-[...]-[...]-[...]-2403721117
I have also my client secret like this (just an example) : Nk2C+pmadqcHNQR51lN6F7LGaJYUTRPb
This is my channel URI obtained from WNS :
https://db5.notify.windows.com/?token=AwYAAAD8sfbDrL9h7mN%2bmwlkSkQZCIfv4QKeu1hYRipj2zNvXaMi9ZAax%2f6CDfysyHp61STCO1pCFPt%2b9L4Jod72JhIcjDr8b2GxuUOBMTP%2b6%2bqxEfSB9iZfSATdZbdF7cJHSRA%3d
Most important, I associated my app to windows store from Visual Studio. Then, package name, publisher display and publisher ID have been added to my appxmanifest.file
Here's the appxmanifest.file (truely name "package.phone.appxmanifest from platforms/windows folder and cordova windows phone project) :
<?xml version='1.0' encoding='utf-8'?>
<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest" xmlns:m2="http://schemas.microsoft.com/appx/2013/manifest" xmlns:m3="http://schemas.microsoft.com/appx/2014/manifest" xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest">
<Identity Name="company-name.70**********2" Publisher="CN=02******-****-****-****-***********9" Version="1.1.0.0" />
<mp:PhoneIdentity PhoneProductId="06******-****-****-****-**********k" PhonePublisherId="s*******-****-****-****-***********5" />
<Properties>
<DisplayName>Demo Windows App Phone</DisplayName>
<PublisherDisplayName>My Company Name</PublisherDisplayName>
<Logo>images\StoreLogo.png</Logo>
</Properties>
<Prerequisites>
<OSMinVersion>6.3.1</OSMinVersion>
<OSMaxVersionTested>6.3.1</OSMaxVersionTested>
</Prerequisites>
<Resources>
<Resource Language="x-generate" />
</Resources>
<Applications>
<Application Id="com.company-name.demo" StartPage="www/index.html">
<m3:VisualElements BackgroundColor="transparent" Description="CordovaApp" DisplayName="Demo Windows App Phone" ForegroundText="light" Square150x150Logo="images\Square150x150Logo.png" Square44x44Logo="images\Square44x44Logo.png">
<m3:DefaultTile Square71x71Logo="images\Square71x71Logo.png" Wide310x150Logo="images\Wide310x150Logo.png">
<m3:ShowNameOnTiles>
<m3:ShowOn Tile="square150x150Logo" />
<m3:ShowOn Tile="wide310x150Logo" />
</m3:ShowNameOnTiles>
</m3:DefaultTile>
<m3:SplashScreen Image="images\SplashScreenPhone.png" />
</m3:VisualElements>
<ApplicationContentUriRules>
<Rule Match="https://dev.company-name.fr/demo-windows-app/*" Type="include" />
</ApplicationContentUriRules>
</Application>
</Applications>
<Capabilities>
<Capability Name="internetClientServer" />
<DeviceCapability Name="webcam" />
<DeviceCapability Name="microphone" />
</Capabilities>
</Package>
From server side, I use the authentification to WNS with two parameters :
SID package
Client secret password
I checked differents topics about this error and the most of the useful answer is to associate the app to windows store. But I always did it and I don't work for me.
If I understand well, WNS platform just need to know the ID App (SID package) to find my app and to send notification to my app. I don't need to deploy my app through the windows store.
Do you have an idea about how to fix it ? Do you think I forget something or do a mistake ?
EDIT :
I'm thinking I find the problem ! I'm working on it and when I'll resolve my problem, I'll come back here to post my solution.

I found the solution about my problem. I'm stupid because I didn't see the relationship between the association of my app to windows store and the appx archive which must have generated. I deployed the wrong appx and that's why I never received the notifications windows. In fact, the wrong appx was never associated to the windows store...
So, here's the steps (from Visual Studio 2015 RC) to deploy the appx archive linked to windows store :
Go to project tab and select windows store
Click on create app packages
Following the differents steps to generate an appx archive with the windows store informations associated (one of steps will be associate your app with the windows store)
the appx archive generated is stored to the following folder (in my case) : C:\Users\pcharpin\Documents\Visual Studio 2015\Projects\demo-app-windows\demo-app-windows\AppPackages\CordovaApp.Phone_1.1.0.0_arm_Test
To deploy this archive on your remote device, use the Windows Phone Application Deployment 8.1 tool. Select target as remote device and select also the app package which is CordovaApp.Phone_1.1.0.0_arm_Test. To finish, click on deploy and your app will be deploy on your remote device.
You're ready to send notifications windows and receive them to your windows phone device
So, don't forget to create an app package to associate it to the windows store and can receive the notifications windows.
You can retrieve the guidelines about this from documentation of Create a Windows 8.1 app package (excepted about the deployment's step).

If the notification is still not working after associating the application, double check the below configuration as well.
Goto Windows Dev Center of your account -> Dashboard
Select you app -> Services -> Push notifications
Click on "Live Services site" link
Below "Package SID" there is config for "Application Identity" like,
< Identity Name="09FSERVSD.YourAppName" Publisher="CN=xxxxxx"/>
Open your application appxmanifest in the text editor and make sure the same name is added in the Identify tag.
Associating the app through the VS tool ideally should update this entry with "Name" and "Publisher". But in my case it updated only "Publisher" and I had to manually set this value to make it work. This way WNS will know that the target application is same as the one which is associated and the notification should go through.
Hope this helps for those who is struggling with error "Channel URL incompatible with caller app" while testing WNS.

Thanks to all of you guys,
In my case it was the Publisher field (in package.windows10.appxmanifest, package.windows.appxmanifest and package.phone.appxmanifest) that defaulted to CN=$username$.
<Identity Name="com.CordovaApp" Publisher="CN=$username$" Version="2.2.11.0" />
Once set as such, everything went smooth:
<Identity Name="COM.CordovaApp" Publisher="CN=11111111-2222-3333-444444444444" Version="2.2.11.0" />

If you continue receiving the error message "X-WNS-ERROR-DESCRIPTION: Channel URL incompatible with caller app" after you've setup the correctly, try to delete the *_TemporaryKey.pfx file from the project directory.

Get All Sales Order from Quick Book via QuickBook WebConnector using asp.net

I am using QuicBook Premier Edition UK , I have a company file open inside QuickBook. Build a sample WebService provided in samples and host in IIS. Added that application in WebConnector by using qwc file in samples.
I understood the callback methods required by WebConnector in soap service.
• authenticate
• clientVersion
• closeConnection
• connectionError
• getLastError
• receiveResponseXML
• sendRequestXML
I have tested web service by using WebConnector by using Update Selected button and it gives response 'OK' . But I am still confused how to get started with soap service , samples include 3 Xml request
CustomerQuery,
InvoiceQuery and
BillQuery .
How I test these request and see the response by using service . Can anyone explain the steps required to get me started with my own request of Get all Sales Order.
Thanks
Here is the screenshot
Here is the Last Output.
Version:
2.0.0.1
Message:
OK
Description:
Via closeConnection(): CloseConnection called to application.
Response received from application = OK

Explanation:
After calling authenticate(...), the Web Connector will call the sendRequestXML(...) method.
The sendRequestXML(...) method is essentially the Web Connector's way of saying "Hey, what do you want me to do?"
You should respond with a qbXML request telling QuickBooks/the Web Connector to do something. For example, if you are trying to get sales orders from QuickBooks, you could respond with a SalesOrderQuery qbXML request, something like this:
<?xml version="1.0" encoding="utf-8"?>
<?qbxml version="8.0"?>
<QBXML>
<QBXMLMsgsRq onError="stopOnError">
<SalesOrderQueryRq requestID="2">
</SalesOrderQueryRq>
</QBXMLMsgsRq>
</QBXML>
The Web Connector will then send that request to QuickBooks, it will be processed, and the Web Connector will then call your receiveResponseXML(...) method.
The receiveResponseXML(...) method is essentially the Web Connector's way of saying "Hey, you told me to do something, I did it, and here's all of the data I got back: ... (big blob of XML from QuickBooks here)".
TLDR:
Return a qbXML request from the sendRequestXML method. A qbXML response will be sent to you in the receiveResponseXML method.
More notes:
Bigger explanation of the Web Connector here: http://www.consolibyte.com/docs/index.php/QuickBooks_Web_Connector_Overview
Lots of qbXML examples here: http://www.consolibyte.com/docs/index.php/Example_qbXML_Requests
Hundreds of pages of documentation in the QuickBooks SDK: https://developer.intuit.com/docs/0250_qb/0020_get_set_up/sdk_downloads

Intercepting encrypted SOAP message with SoapUI

I try to intercept encrypted soap message with SoapUI. The reference site of WS Security with Wildfly 8 and Eclipse IDE is
https://docs.jboss.org/author/display/JBWS/WS-Security#WS-Security-Authenticationandauthorization
WS Security implementation is successful and the response message is encrypted successfully. The main key in WS security is manifest.mf. I add the following lines in manifest.mf file and it works well in Eclipse IDE.
Manifest-Version: 1.0
Dependencies: org.apache.cxf.impl, org.apache.ws.security services
Class-Path:
But in SoapUI application soap message encryption is failed. Me reference site is
http://www.soapui.org/soapui-projects/ws-security.html
http://blog.thilinamb.com/2011/02/invoking-secured-web-service-with.html
The SEI throws the following exception.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EndorsingSupportingTokens: The received token does not match the endorsing supporting token requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
The same exception was thrown in Eclipse IDE when I did not add the Dependancies line in manifest.mf file. Do you think those are related and have the same configuration problem?

Azure Access Control Service (ACS) - ACS50001: Relying party with identifier 'https://[namespace].accesscontrol.windows.net/' was not found

I have an ACS namespace with a WS-Federation identity provider set up. Since I'm using Visual Studio 2012, I used the Identity and Access Tool to create the relying party. The tool uses the realm and return url values that I give it when it creates the relying party (I use the Azure cloud service url where I'm deploying my project - i.e. http://myapp.cloudapp.net). There is only one rule in the rule group for my relying party after I run the tool - Pass through all claims for [Relying Party]. I tested the ACS for my app with just that one rule, and also after generating all the rules for the WS-Federation identity provider.
Regardless of the rules in the rule group, I get the error in the title of my question. My browser is redirected to ACS, however for some reason it can't find the correct relying party. I have created an ACS namespace, identity provider, and relying party in two different Azure accounts, with exactly the same result.
I've also tried publishing my project to the Azure cloud service with both http and https endpoints, and both endpoints yield the same result.
The WS-Federation identity provider's federation metadata is coming from Windows Azure Active Directory.
UPDATE
FederationConfiguration section from web.config:
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://[MyNamespace].accesscontrol.windows.net/v2/wsfederation" realm="http://[MyApp].cloudapp.net/" requireHttps="false" />
</federationConfiguration>
UPDATE 2:
Still no solution. It looks like the issue stems from the fact that I set up my own ACS identity provider, and downloaded the federation metadata from Windows Azure Active Directory (WAAD) for that identity provider. That essentially chains 2 ACS instances together. When my app redirects to my ACS, it passes my app's url as the realm. Then, my ACS redirects to the identity provider, WAAD, and passes its own url as the realm. That's why the error I get back has the strange characteristic of a relying party identifier = the url of my own ACS admin portal. I'm not sure why it's not passing the realm all the way through from my app to WAAD.

Well, the answer to this was much more obscure than I had expected - I had to run the following powershell script against my CRM Online WAAD:
Connect-MsolService
Import-Module MSOnlineExtended -Force
$replyUrl = New-MsolServicePrincipalAddresses –Address "https://lefederateur.accesscontrol.windows.net/"
New-MsolServicePrincipal –ServicePrincipalNames #(“https://lefederateur.accesscontrol.windows.net/”) -DisplayName “LeFederateur ACS Namespace” -Addresses $replyUrl
This told WAAD to recognize my ACS namespace, so it wouldn't throw the error saying the ACS namespace was not a valid relying party identifier. Read the whole process here:
http://www.cloudidentity.com/blog/2012/11/07/provisioning-a-directory-tenant-as-an-identity-provider-in-an-acs-namespace/
Thanks to Azure support, I'm now past the error.

Go into the Azure ACS Management Portal. Open Relying Party Applications, and select the relying party you have configured for this app. Make sure that the field "Realm" matches exactly what you have for Realm in the web.config under <federationConfiguration><wsFederation realm=""/>.

All you require is to setup access to ACS in Active directory
After installing powershell Azure Commandlets, run the below commands as mentioned by Andrew
Connect-MsolService
Import-Module MSOnlineExtended -Force
$replyUrl = New-MsolServicePrincipalAddresses –Address "https://xxx.accesscontrol.windows.net/"
New-MsolServicePrincipal –ServicePrincipalNames #("https://xxx.accesscontrol.windows.net/") -DisplayName "xxx ACS Namespace" -Addresses $replyUrl

In case anyone else stumbles on this, double check your realm code here:
wsFederation passiveRedirectEnabled="true" issuer="must match endpoint" realm="must match audience URI " requireHttps="true"
AND
<add key="ida:Realm" value="must match audience uri" />
<add key="ida:AudienceUri" value="must match audience uri" />
my issue was a / at the end of my URI that I added instinctively - i.e. https://somuri.com/ - whereas the portal setting was https://someuri.com
Removal of the / worked.

SAP, IIS and SSO - Kerberos SSPI not usable with this User account

My goal is to let intranet user's credentials pass through a asp.net webpage to an SAP RFC.
Background
We have SAP SSO setup with our AD system. Users can open the SAP gui and login without entering a username/password.
We are using ERPConnect to call RFCs in SAP. If we supply credentials to the connection string it works great. We can also use the following code below to use SSO if the webpage is running on our local machine.
Dim db As New SAPContext("ashost=sapsandbox.xxxsap.ad.xxx.com snc_mode=1 sysnr=00 SNC_QOP=9 snc_partnername=p:SAPUserAccount#xxxSAP.AD.XXX.COM SNC_LIB=C:\windows\system32\gsskrb5.dll")
When we move to a windows 2003 server machine running IIS6 we get the following error.
SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00
LOCATION CPIC (TCP/IP) on local host
ERROR GSS-API(maj): Miscellaneous Failure
GSS-API(min): Kerberos SSPI not usable with this User account
STOP! -- initial call to gss_indicate_mechs() failed
TIME Fri Sep 02 14:13:47 201
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -1
MODULE sncxxdl.c
LINE
I have disabled anonymous access on my IIS6 site. I have also followed this article on how to enable kerberos authentication on IIS6.
Does anyone know how to get this working? We could move to IIS7 if there is an easier way to get it to work with that.
EDIT
I set <identity impersonate="true" /> and I get a new error now.
SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00
LOCATION CPIC (TCP/IP) on local host
ERROR GSS-API(maj): Miscellaneous Failure
GSS-API(min): SSPI::AcqCredHdl(INI)==No credentials available
in secur
Could't acquire DEFAULT INITIATING credentials
TIME Tue Sep 06 11:45:11 201
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -4
MODULE snc
EDIT
I think I have to have AD setup to use SPN. Here's what I saw on this question.
Set up a SPN on your application pool account for your front end application

Not familiar with SAP, but delegation is key here in addition to SPN, AD has to trust the machine sending the kerberos ticket, I'd highly recommend reading this article:
Understanding Kerberos Double Hop