Edit: I found the solution, look at the end.
I have an ASP.NET Web Role for Azure that I'm currently running with the emulator. I modified the default implementation so that I can use Google and Live ID as Identity Providers. I used the Identity & Access Extension to adapt my Web.Config file.
The problem is that when I access the claims via User as ClaimsPrincipal, I see only the claims from the Identity Provider (e.g. Google). The rule group for my relying party application (defined in the ACS Portal) doesn't even have a pass-through rule associated, but still I get those claims. On the other hand, I added a claim rule to change the name claim type provided by Google to a custom output value, but from code-behind I only see the value that comes from Google.
My Question:
What do I need to do to be able to issue a token from the issuer (STS) based on the claims of the Identity Provider and how do I access this token from Code?
I'm using:
Visual Studio 2012
.NET Framework 4.5
Parts of my Web.config:
<system.web>
<authentication mode="None" />
<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
...
</system.web>
...
<appSettings>
<add key="ida:FederationMetadataLocation" value="https://mynamespace.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml" />
<add key="ida:Issuer" value="https://mynamespace.accesscontrol.windows.net/v2/wsfederation" />
<add key="ida:ProviderSelection" value="ACS" />
</appSettings>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=bla" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=bla" preCondition="managedHandler" />
</modules>
</system.webServer>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="http://127.0.0.1:7777/" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=bla">
<trustedIssuers>
<add thumbprint="myRelyingPartyThumbprint(from ACS Portal)" name="https://mynamespace.accesscontrol.windows.net/" />
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://mynamespace.accesscontrol.windows.net/v2/wsfederation" realm="http://127.0.0.1:7777/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
The url that is used to redirect users to login page is: "https://mynamespace.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2f127.0.0.1%3a7777%2f"
My test rule looks like this:
Solution: The problem was that I had "http://localhost:7777/" as realm in the ACS but I specified 127.0.0.1 at the Identity & Access tool. When my program requested the ACS in order to choose an Identity Provider a relying party named WebRole11 was automatically created for 127.0.0.1 including pass-through rules. So my custom rules weren't applied because the automatically created Relying Party Application Settings were used instead of mine.
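An added example, not code from the question or its solution, showing how to inspect from code what the relying party actually received. It lists the claims grouped by Issuer (the name WIF resolves from <trustedIssuers>), and it reads the raw bootstrap token, which WIF keeps only when saveBootstrapContext="true" is set on <identityConfiguration>. Class and method names are illustrative; it assumes the WIF 4.5 assemblies (System.IdentityModel, System.Security.Claims) that the Web.config above uses. One caveat worth stating: in the situation described, ACS signed the token either way, through the auto-created relying party with pass-through rules, so an issuer check alone passes; what exposes the mismatch is the audience in the bootstrap token (127.0.0.1 rather than localhost) and the absence of the claim types your own rules should have produced.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Text;

// Added example, not code from the question: inspect the claims and token the relying
// party received from ACS. Class and method names are illustrative.
public static class TokenInspector
{
    // Claims grouped by the issuer WIF resolved for the signing certificate. With the
    // configuration above, a token signed by ACS yields Issuer equal to the name given in
    // <trustedIssuers> ("https://mynamespace.accesscontrol.windows.net/"). The
    // "identityprovider" claim ACS adds names the upstream IdP (Google, Live ID).
    public static string DescribeClaims(ClaimsPrincipal principal)
    {
        var sb = new StringBuilder();
        foreach (var group in principal.Claims.GroupBy(c => c.Issuer))
        {
            sb.AppendLine("Issuer: " + group.Key);
            foreach (var claim in group)
            {
                sb.AppendFormat("  {0} = {1}", claim.Type, claim.Value);
                if (claim.OriginalIssuer != claim.Issuer)
                    sb.AppendFormat(" (original issuer: {0})", claim.OriginalIssuer);
                sb.AppendLine();
            }
        }
        return sb.ToString();
    }

    // The raw token ACS sent, for logging or forwarding to a backend. WIF only keeps it when
    // web.config has <identityConfiguration saveBootstrapContext="true">; otherwise
    // BootstrapContext is null and this returns null.
    public static string GetBootstrapToken(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null) return null;
        var bootstrap = identity.BootstrapContext as BootstrapContext;
        if (bootstrap == null) return null;
        // Token holds the serialized XML when the token was saved as a string; otherwise
        // SecurityToken holds the deserialized object (e.g. a SamlSecurityToken).
        return bootstrap.Token;
    }

    // True when every claim was asserted by the expected issuer, i.e. the token was signed
    // by your ACS namespace and not presented directly by some other party.
    public static bool AllClaimsIssuedBy(ClaimsPrincipal principal, string expectedIssuer)
    {
        return principal.Claims.Any() &&
               principal.Claims.All(c => string.Equals(c.Issuer, expectedIssuer, StringComparison.OrdinalIgnoreCase));
    }
}

// Usage from a page or controller once the WS-Federation sign-in has completed:
//   var principal = (ClaimsPrincipal)HttpContext.Current.User;
//   var report = TokenInspector.DescribeClaims(principal);
//   var ok = TokenInspector.AllClaimsIssuedBy(principal, "https://mynamespace.accesscontrol.windows.net/");
//   var rawToken = TokenInspector.GetBootstrapToken(principal); // null unless saveBootstrapContext="true"
```

Searching the returned token XML for the AudienceRestriction element shows which realm ACS issued the token for, which is exactly the value that was wrong in the question.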
I am trying to implement Azure Cache for Redis to manage sessions in my application. This works on localhost, but after hosting on IIS I got a compile error in the web.config file.
I have created an Azure Cache for Redis in the Azure portal and made the respective changes in the code. It works when I run from source on localhost. After hosting on IIS I get the following error:
"Provider must implement the class System.Web.SessionState.SessionStateStoreProviderBase"
<sessionState mode="Custom" customProvider="MySessionStateStore">
<providers>
<add name="MySessionStateStore" type="Microsoft.Web.Redis.RedisSessionStateProvider" host="myhostname" accessKey="Key1" ssl="true" />
</providers>
</sessionState>
The module is added as follows:
<system.webServer>
<modules>
<remove name="Session" />
<add name="Session" type="Microsoft.AspNet.SessionState.SessionStateModuleAsync, Microsoft.AspNet.SessionState.SessionStateModule, Version=1.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode" />
</modules>
</system.webServer>
I expected session values to be stored in Azure Cache for Redis, but it's not working after hosting on IIS.
You can try this under app.config/web.config:
<modules>
<remove name="Session" />
<add name="Session" type="Microsoft.AspNet.SessionState.SessionStateModuleAsync,Microsoft.AspNet.SessionState.SessionStateModule, Version=1.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode" />
</modules>
If this doesn't work either and you have the option, use the non-SSL port and see if that works.
For anyone passing by who has the same issue and for whom adding the Session tag didn't work: your application pool might be configured as 'Classic'.
From this post, it seems Microsoft.AspNet.SessionState.SessionStateModuleAsync doesn't support classic application pools.
You need to switch it to 'Integrated' like so:
Microsoft official application pools documentation
In the VS2013 project settings I changed my ASP.NET Web API application to run in IIS instead of IIS Express on the same computer. It worked in IIS Express, but I can't get it to run in IIS without this error about ExtensionlessUrlHandler-Integrated-4.0 and
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.
I have tried everything in the posts below, but nothing stops this error except changing the app pool from Integrated to Classic. That option doesn't work either because it brings more errors.
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode
WebDAV and WebAPI together cause Error: Handler “ExtensionlessUrlHandler-Integrated-4.0” has a bad module “ManagedPipelineHandler” in its module list
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode
Handler “ExtensionlessUrlHandler-Integrated-4.0” has a bad module “ManagedPipelineHandler” in its module list
I'm using VS 2013, ASP.NET 4.5.1, IIS 7.5, and it's running on Windows Server 2008 R2 Standard
This is my web.config system.web and webserver sections
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<customErrors mode="Off" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="false">
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
This is the error returned
Server Error in Application "DEFAULT WEB SITE"
Internet Information Services 7.5
Error Summary
HTTP Error 500.24 - Internal Server Error
An ASP.NET setting has been detected that does not apply in
Integrated managed pipeline mode.
Detailed Error Information
Module ConfigurationValidationModule
Notification BeginRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x80070032
Requested URL http://localhost:80/Token
Physical Path C:\inetpub\wwwroot\Token
Logon Method Not yet determined
Logon User Not yet determined
Failed Request Tracing Log Directory C:\inetpub\logs\FailedReqLogFiles
Most likely causes: system.web/identity#impersonate is set to true.
Things you can try: If the application supports it, disable client impersonation.
If you are certain that it is OK to ignore this error, it can
be disabled by setting system.webServer/validation#validateIntegratedModeConfiguration to false.
Move this application to an application pool using Classic .NET mode
- for example, %SystemRoot%\system32\inetsrv\appcmd set app "Default Web Site/" /applicationPool:"Classic .NET AppPool"
(You can set "Classic .NET AppPool" to the name of another application pool running in Classic managed pipeline mode)
The information in the links in my question worked. Specifically
<validation validateIntegratedModeConfiguration="false" />
this
<remove name="UrlRoutingModule-4.0" />
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="managedHandler" />
and this
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
I also opened the Configuration Editor in IIS for the site and changed the validateIntegratedModeConfiguration and runManagedModulesForWebDAVRequests to false
There was something else going on that was keeping me from knowing this was working. I am using ASP.NET Web API membership to authenticate with individual accounts, and when I called /Token to log in it was going to the root website while my application was in a virtual directory. When that call was made it raised the Integrated managed pipeline mode error. I created a new site in IIS for the application instead of using a virtual directory. There might be a way to get it to work while using the virtual directory, but this was one way to do it.
I'm trying to launch my web application (ASP.NET MVC) in debugging mode using Browser Link to enable edit operations in the browser,
but when I try to do this, Browser Link is not working and it asks me to register the Page Inspector in the Web.Config.
Edit
When I add the following to web.config, nothing happens:
<add key="VisualStudioDesignTime:Enabled" value="true" />
<add key="PageInspector:ServerCodeMappingSupport" value="Enabled"/>
I still can't see any browser connected through Browser Link,
even though I have enabled debug="true" in web.config:
<compilation debug="true" targetFramework="4.6" />
and I have uninstalled the Web Essentials package.
I found this post very useful.
<system.webServer>
<handlers>
<add name="Browser Link for HTML" path="*.html" verb="*"
type="System.Web.StaticFileHandler, System.Web, Version=4.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
resourceType="File" preCondition="integratedMode" />
</handlers>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
Take care in that the <modules> element might already exist.
Add the following in your web.config:
<appSettings>
<add key="VisualStudioDesignTime:Enabled" value="true" />
<add key="PageInspector:ServerCodeMappingSupport" value="Enabled"/>
</appSettings>
I am using AngularJS and Web API. To authenticate the user, I use a FormsAuthenticationTicket (I just create the ticket with the user data, encrypt it and then return it to the client).
When the client sends a request, it adds this encrypted cookie to the request header.
On the remote server I decrypt the ticket and verify that the user is legitimate.
On localhost it works perfectly.
On the server I get an error, and after a very short time the user is no longer identified.
After much debugging, I noticed that sometimes when the server tries to decrypt the ticket it gets the exception: "Error occurred during a cryptographic operation".
I googled this error, and from what I understood, it occurs because the server tries to decrypt the ticket with a different machine key.
I thought setting the machine key in web.config might resolve the issue, but all the articles I found were about early .NET Framework versions (I am using 4.5.1).
This is when I get the error:
FormsAuthenticationTicket fat = FormsAuthentication.Decrypt(enc_ticket);
This is my web.config:
<configuration>
<appSettings></appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5.1">
<assemblies>
<add assembly="System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5.1" />
<customErrors mode="Off"/>
<trust level="Full" />
</system.web>
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
</configuration>
After much research, this is how I solved the problem:
Generate the machine key here and just add the machineKey values to web.config. This machine key will then always be used on every server of the web farm where you host your website.
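The answer links to an online generator. The added example below, which is not code from the answer, does the same thing locally, which is preferable for a secret that every node of the farm will share: it draws the keys from the platform CSPRNG and prints a <machineKey> element ready to paste under <system.web>. Key lengths follow the algorithms named in the element (a 64-byte validation key for HMACSHA256, a 32-byte decryption key for AES-256); the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the answer): generate a <machineKey> element with fresh random
// keys so every server in the farm can encrypt and decrypt the same forms ticket.
public static class MachineKeyGenerator
{
    // Hex-encoded random bytes from the CSPRNG (never System.Random for key material).
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", string.Empty);
    }

    // HMACSHA256 validation key: 64 bytes. AES decryption key: 32 bytes (AES-256).
    public static string MachineKeyElement()
    {
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"HMACSHA256\" decryption=\"AES\" />",
            RandomHex(64), RandomHex(32));
    }

    public static void Main()
    {
        // Paste the output under <system.web> in web.config on every server of the farm,
        // and treat the file as a secret: whoever holds these keys can forge tickets.
        Console.WriteLine(MachineKeyElement());
    }
}
```

Because the ticket is only as trustworthy as these keys, rotate them if the web.config ever leaks, and keep them out of source control (the element can live in an external file referenced with configSource).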
Now I'm trying to find out in detail how ASP.NET MVC authentication works. As I understand it, FormsAuthenticationModule checks the cookie and fills HttpContext.User. But I can't find where FormsAuthenticationModule is registered for my application.
It's inherited from root web.config. For example, if you have .NET 4 installed on x64 machine open C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config. In system.web section you'll find the following modules registered:
<httpModules>
<add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
<add name="Session" type="System.Web.SessionState.SessionStateModule" />
<add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" /> <!-- this is the one -->
<add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
<add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
<add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
<add name="Profile" type="System.Web.Profile.ProfileModule" />
<add name="ErrorHandlerModule" type="System.Web.Mobile.ErrorHandlerModule, System.Web.Mobile, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<add name="ServiceModel" type="System.ServiceModel.Activation.HttpModule, System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" />
<add name="ScriptModule-4.0" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</httpModules>
ASP.NET merges it with all web.config files it finds down the hierarchy on file system so applications have all the modules enabled by default.
But I can't find where FormsAuthenticationModule is registered for my application?
It's automatically registered by the ASP.NET runtime when you set <authentication mode="Forms"> in your web.config.
If you are interested in the details, you may take a look at the source code of ASP.NET, and more specifically the HttpApplication class and its private InitModulesCommon method, which calls the Init method of the FormsAuthentication module if you registered it in your web.config.
The FormsAuthentication module itself, once registered, will subscribe to the AuthenticateRequest event of the HTTP processing pipeline and it will attempt to build an IPrincipal into the current HttpContext based on the values present in the forms authentication cookie sent in the request.
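To make the mechanism the answer describes concrete, here is an added example (not code from the answer, and not the real FormsAuthenticationModule) of a minimal IHttpModule that does the same job: it subscribes to AuthenticateRequest in Init, reads the forms cookie, decrypts the ticket and puts an IPrincipal on HttpContext.User. Module and handler names are my own; it assumes the System.Web and System.Web.Security APIs of .NET Framework 4.x.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not from the answer): a minimal IHttpModule mirroring what
// FormsAuthenticationModule does. Registered like any other module:
//   <system.webServer><modules>
//     <add name="CookiePrincipalModule" type="CookiePrincipalModule" />
//   </modules></system.webServer>
public class CookiePrincipalModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Same pipeline stage FormsAuthenticationModule hooks.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        var cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return; // anonymous request: leave User unset

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt validates the ticket's MAC; a cookie produced with a different
            // <machineKey> (another farm node) is rejected here, not silently accepted.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (CryptographicException)
        {
            return; // cannot validate the cookie: treat the request as anonymous
        }
        catch (ArgumentException)
        {
            return; // malformed cookie value
        }

        if (ticket == null || ticket.Expired)
            return; // expired tickets are rejected; the client must sign in again

        // The principal that UrlAuthorizationModule and [Authorize] will consult.
        var identity = new FormsIdentity(ticket);
        context.User = new GenericPrincipal(identity, new string[0]);
    }

    public void Dispose() { }
}
```

The point to take from it is the ordering: nothing downstream in the pipeline is trusted with a user name unless the cookie validated against the machine key and the ticket has not expired; on any failure the request simply stays anonymous.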