Develop Reference

Can't get simple Azure AD ASP.NET authenticated web app to work

I have used the Visual Studio template for an ASP.NET Webforms app with Azure AD authentication to create a simple web app. It works 100% fine locally. I can sign in, sign out, all good. Whenever I deploy to either AWS or Azure however, the behavior changes. The sign in still comes up fine, no issues at all, but after signing in, instead of taking me to the site, the browser just thinks for ages before dumping me to this error in the browser:
Server Error in '/' Application.
Runtime Error Description: An application error occurred on the
server. The current custom error settings for this application prevent
the details of the application error from being viewed remotely (for
security reasons). It could, however, be viewed by browsers running on
the local server machine.
Details: To enable the details of this specific error message to be
viewable on remote machines, please create a tag within
a "web.config" configuration file located in the root directory of the
current web application. This tag should then have its
"mode" attribute set to "Off".
I have tried adding the web.config setting and redeploying and it makes zero difference. Because I'm using App service on Azure for instance, I can't run the site on the actual web server as I don't have access to it. I tried looking at diagnostic log streaming, and got the below? Please help? Anyone? I have no idea why this isn't working. Interestingly, although I have asked that the site be http and it runs locally as http, once uploaded the url becomes https. Not sure if that' related.
From streaming logs (Azure)
HTTP Error 500.0 - Internal Server Error The page cannot
be displayed because an internal server error has occurred.
Most likely
causes: IIS received the request; however, an internal
error occurred during the processing of the request. The root cause of
this error depends on which module handles the request and what was
happening in the worker process when this error occurred.
IIS was not able to access the web.config file for the Web site
or application. This can occur if the NTFS permissions are set
incorrectly. IIS was not able to process configuration for
the Web site or application. The authenticated user does not
have permission to use this DLL. The request is mapped to a
managed handler but the .NET Extensibility Feature is not
installed. Things you can try:
Ensure that the NTFS permissions for the web.config file are
correct and allow access to the Web server's machine account.
Check the event logs to see if any additional information was
logged. Verify the permissions for the DLL.
Install the .NET Extensibility feature if the request is mapped
to a managed handler. Create a tracing rule to track failed
requests for this HTTP status code. For more information about
creating a tracing rule for failed requests, click here.
Detailed Error Information:
Module __DynamicModule_Microsoft.Owin.Host.SystemWeb.OwinHttpModule,
Microsoft.Owin.Host.SystemWeb, Version=3.0.1.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35_79846f5c-7e22-4a97-8a1c-24bc400cf7db
Notification EndRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x00000000
Requested
URL https://SimpleADApp:80/
Physical
Path D:\home\site\wwwroot Logon Method Not yet
determined Logon User Not
yet determined
More Information: This error means that there was
a problem while processing the request. The request was received by
the Web server, but during processing a fatal error occurred, causing
the 500 error. View
more information » Microsoft Knowledge Base
Articles:

Access network file from ASP.NET web handler's process?

I have the following setup:
IIS 8.0
a web handler call it test.ashx
Impersonation & Windows Authentication are both configured. Kerberos is showing as the authentication type.
test.ashx uses the unmanaged API: CreateProcessAsUser() method to run "cmd.exe /c myScript.cmd"
I put statements in myScript.cmd and see that it is running as the requesting user as I need it to. The problem I am experiencing is that the script cannot reference network files (either mapped drives or UNC path)
I need myScript.cmd to run as the requesting user and to be able to access network file resources. How do I get this to work?

I found one item that made a big difference on getting kerberos authentication to work, which is required to do impersonation and delegation. In IIS Manager I had to choose the web site, then run the Configuration Editor. Once it opened I had to choose the as from: DefaultWebSiteWeb.Config, and as the section: system.webServer/security/authentication/windowsAuthentication. Then set: useAppPoolCredentials = True. Note: useKernelMode was already set to true.
Additionally, for the web site I have the following set for Authentication:
ASP.NET: Enabled
Windows Authentication: Enabled, Provider: Negotiate, Kernel mode enabled.
Now my ASHX web handler (in C#) can start a process as the user, run a .cmd file that accesses network resources.

Cant add bindings to IIS programmatically - redirection.config permissions (with a video!)

Here is a video summary of my problem http://screencast.com/t/v6th4BuRLhV
I am trying to add bindings programmatically to IIS with this code:
public void AddBindings(string sitename, string hostname)
{
ServerManager serverMgr = new ServerManager();
Site mySite = serverMgr.Sites[sitename];
mySite.Bindings.Add("*:80:" + hostname, "http");
mySite.ServerAutoStart = true;
serverMgr.CommitChanges();
}
And I get this error:
Filename: redirection.config
Error: Cannot read configuration file due to insufficient permissions
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Filename: redirection.config
Error: Cannot read configuration file due to insufficient permissions
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
I have addressed the permissions on redirection.config (both IUSR and IIS_IUSRS have permissions)
As well as the errors on web.config as suggested here http://www.codeproject.com/Questions/348972/Error-Cannot-read-configuration-file-due-to-insuff
But it still doesn't work.
ANSWER
Websites don't run under the IIS group. Whoever owns the app pool is the user and this is the user that needs permission. Or put that user in the IIS_IUSRS group.

Figure out what account your application pool is running as. Then you need to give that account access to the entire %SystemRoot%\System32\inetsrv\config folder. It wasn't enough for me to give access to just %SystemRoot%\System32\inetsrv\config\redirection.config

in my case "run as administrator" solved the problem

Error hosting WCF on WAS

I am getting this error while hosting my WCF application on windows service. The service is hosted on a server and i want to access it over internet. So i gave it networkservice permission.
Service cannot be started. System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:8085/lupload/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
at System.Net.HttpListener.AddAllPrefixes()
at System.Net.HttpListener.Start()
at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelListener.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(Tim...
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

NetworkService is actually a limited account, you need to go for LocalSystem which is the equivalent of an Administrator account. That'll solve your problem.

Cause for ASP.NET Security Exception

My application is throwing a Security Exception with the following details:
Description: The application attempted to perform an operation not allowed by the security policy
Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
System.Security.CodeAccessPermission.Demand() +58
System.Net.ServicePointManager.set_CertificatePolicy(ICertificatePolicy value) +54
com.paypal.sdk.core.APICallerBase.SetTrustManager() +114
The application's trust level is set to medium and I've added to the [assembly: AllowPartiallyTrustedCallers] attribute to my project's assembly.
What can I do to address this issue? Does the System.dll allow partial trusted callers?

In digging a bit, the paypal method SetTrustManager() may attempt to reassign the ServicePointManager's Certificate Policy. This is OK, but it requires UnmanagedCode permission for the underlying code group.
I suggest you provide this permission in the .Net Framework Config console, and see if that helps.
Alternatively you can set the application's config "TrustAll" parameter to False so that SetTrustManager doesn't mess with the Certificate policy (assuming of course that the said Certificate policy is readily ok for whatever certs you'll need to use, in other words, this TrustAll thing may move past this permission error, but fail later if the Certificates)
In similar situations, I've found that the tools on this MDSN page can be very useful.
(in resp. to javacavaj note) To allow calls to unmanaged code for some assemblies:
Disclosure: I'm not an expert on .NET security model; the following should allow you alter permissions granted to some of your assemblies for diagnostic purposes for the issue at hand. For production purposes, please have your .NET configuration reviewed by a qualified admin as he/she may both ensure that the configuration is safe and suggest some way to structure the code groups, permission sets and other elements in ways that facilitate administration and deployment.
You can alter the .NET security policy with Mscorcfg.msc, i.e. the .Net Framework Configuration console. The details may vary with the .NET version and Windows host, but in general:
start mscorcfg (Ctrl panel | Admin Tools | Msft .Net Framework Configuration)
Run Time Policy node, then Manchine (or Enterprise, but better mess w/ local cfg first...)
Permission Sets node, Click "Create New Permission Set) on right panel
Provide name/description, next
Security | Add
Select Enable Assy execution, Allow calls to unmanaged assemblies and other permissions you may need | OK
Pick Code Groups Nodes, and navigate down to the group the assembly in question may belong (easier, yet create a group for it; in general you know who qualifies for a given group by seeing the "membership condition" tab in the group properties. Try and use Strong Name or GAC when possible.
In the Code Group properties's select the desired Permission set; optinally verify that this set is as desired for a given permission with the "View Permission" button.
Et voila...
Rather than the above, I wish I knew of a web site where such procedure can be [better] described. Maybe this Overview of the .NET Security Model can be of help. Googling several of the keywords provided can probably yield relevant pointers as well.