Has anyone suddenly encountered login errors from their users trying to connect to salesforce.com from a Flex app using as3salesforce.swc?
I get the following error... password removed to protect the innocent...
App Domain = null
Api Server name = na3.salesforce.com
_internalServerUrl = https://na3.salesforce.com/services/Soap/u/14.0
loading the policy file: https://na3.salesforce.com/services/Soap/cross-domain.xml
Your application must be running on a https server in order to use https to communicate with salesforce.com!
login with creds
loading the policy file: https://na3.salesforce.com/services/crossdomain.xml
Your application must be running on a https server in order to use https to communicate with salesforce.com!
invoke login
intServerUrl is null
intServerUrl = https://na3.salesforce.com/services/Soap/u/14.0
_invoke login
'5A5D3012-7717-E3C2-9B39-FFBBFF1F1B47' producer set destination to 'DefaultHTTPS'.
Method name is: login
'direct_http_channel' channel endpoint set to http://localhost/pm_server/pm/
'5A5D3012-7717-E3C2-9B39-FFBBFF1F1B47' producer sending message 'E32C7199-72C1-B258-B483-FFBC1641173D'
'direct_http_channel' channel sending message:
(mx.messaging.messages::HTTPRequestMessage)#0
body = "<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/"><se:Header xmlns:sfns="urn:partner.soap.sforce.com"/><se:Body><login xmlns="urn:partner.soap.sforce.com" xmlns:ns1="sobject.partner.soap.sforce.com"><username>simon.palmer#dialectyx.com</username><password>******</password></login></se:Body></se:Envelope>"
clientId = (null)
contentType = "text/xml; charset=UTF-8"
destination = "DefaultHTTPS"
headers = (Object)#1
httpHeaders = (Object)#2
Accept = "text/xml"
SOAPAction = """"
X-Salesforce-No-500-SC = "true"
messageId = "E32C7199-72C1-B258-B483-FFBC1641173D"
method = "POST"
recordHeaders = false
timestamp = 0
timeToLive = 0
url = "https://na3.salesforce.com/services/Soap/u/14.0"
'5A5D3012-7717-E3C2-9B39-FFBBFF1F1B47' producer connected.
Method name is: login
Error: Ignoring policy file at https://na3.salesforce.com/crossdomain.xml due to meta-policy 'by-content-type'.
'5A5D3012-7717-E3C2-9B39-FFBBFF1F1B47' producer acknowledge of 'E32C7199-72C1-B258-B483-FFBC1641173D'.
responseType: Fault
Saleforce Soap Fault: sf:INVALID_LOGIN
INVALID_LOGIN: Invalid username, password, security token; or user locked out.
Comunication Error : sf:INVALID_LOGIN : INVALID_LOGIN: Invalid username, password, security token; or user locked out. : [object Object]
Obviously nobody else out there is building Flex apps on top of salesforce.com..
yippee, I'm first.
Anyhow, I just found out that this is a bug at salesforce.com as at 6th December 2008. The issue is that the scripts which handle login do not cope adequately with the redirect necessary because of load balancing on the salesforce.com servers.
It should be possible to go through the www front door of salesforce.com's api with a URL such as...
"https://www.salesforce.com/services/Soap/u/13.0";
where the 13 represents the version of their API you are targetting. However, all users are actually assigned to a specific server, so the front door should redirect the login request to the approriate place, and it doesn't if you are coming from Flex.
A workround is to specify your server in the URL, such as...
"https://na5.salesforce.com/services/Soap/u/13.0";
...which is what I was doing. That's fine if you are a single user accessing the same resources continually and your account remains attached to that server. However if...
You are distributing your app so anyone who has a salesforce.com enterprise account can log in OR
Your account gets moved because of some internal load balancing (which is what happened to me)
then the approach of providing a fixed server won't work.
The bug (as far as I understand it) is that the www route doesn't adequately redirect to your host server. Last intelligence was that it will be fixed "soon".
I wish I could mark this as the answer...
Related
I'm trying to adapt the Qt Network Authorization OAuth2 example for Reddit to work with Azure AD.
I went to https://portal.azure.com/ -> Azure Active Directory -> App registrations then clicked "New application registration" and entered:
Name: QtNetworkAuthProject
Application type: Name
Redirect URI: http://localhost:1337/
I copied the resulting Application ID into the app then got the URIs from Authorization Code Grant Flow:
Authorization Code Request: https://login.microsoftonline.com/common/oauth2/authorize
Access Token Request: https://login.microsoftonline.com/common/oauth2/token
The first part appears to work; the webpage opens and asks me to authenticate the login. But then the token request seems to fail. My logging shows:
AzureWrapper::grant()+
setModifyParametersFunction(): stage = RequestingAuthorization
AzureWrapper::grant()-
statusChanged(): status = TemporaryCredentialsReceived
setModifyParametersFunction(): stage = RequestingAccessToken
qt.networkauth.oauth2: Unexpected call
qt.networkauth.replyhandler: Error transferring https://login.microsoftonline.com/common/oauth2/token - server replied: Bad Request
What have I done wrong?
Azure AD needs in either the authorization code request or in the access token request the App ID URI of the target web API (secured resource) that you want to use. (See https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code)
You can add this extra resource parameter in the authorization code request like this:
oauth2.setModifyParametersFunction([](QAbstractOAuth::Stage stage, QVariantMap* parameters) {
if (stage == QAbstractOAuth::Stage::RequestingAuthorization) {
parameters->insert("resource", "<App ID URI>");
}
});
I need to make calls to a rest API service via BizTalk Send adapter. The API simply uses a token in the header for authentication/authorization. I have tested this in a C# console app using httpclient and it works fine:
string apiUrl = "https://api.site.com/endpoint/<method>?";
string dateFormat = "dateFormat = 2017-05-01T00:00:00";
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Add("token", "<token>");
client.DefaultRequestHeaders.Add("Accept", "application/json");
string finalurl = apiUrl + dateFormat;
HttpResponseMessage resp = await client.GetAsync(finalurl);
if (resp.IsSuccessStatusCode)
{
string result = await resp.Content.ReadAsStringAsync();
var rootresult = JsonConvert.DeserializeObject<jobList>(result);
return rootresult;
}
else
{
return null;
}
}
however I want to use BizTalk to make the call and handle the response.
I have tried using the wcf-http adapter, selecting 'Transport' for security (it is an https site so security is required(?)) with no credential type specified and placed the header with the token in the 'messages' tab of the adapter configuration. This fails though with the exception: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
I have tried googling for this specific scenario and cannot find a solution. I did find this article with suggestions for OAUth handling but I'm surprised that even with BizTalk 2016 I still have to create a custom assembly for something so simple.
Does anyone know how this might be done in the wcf-http send adapter?
Yes, you have to write a custom Endpoint Behaviour and add it to the send port. In fact with the WCF-WebHttp adapter even Basic Auth doesn't work so I'm currently writing an Endpoint Behaviour to address this.
One of the issues with OAuth, is that there isn't one standard that everyone follows, so far I've had to write 2 different OAuth behaviours as they have implemented things differently. One using a secret and time stamp hashed to has to get a token, and the other using Basic Auth to get a token. Also one of them you could get multiple tokens using the same creds, whereas the other would expire the old token straight away.
Another thing I've had to write a custom behaviour for is which version of TLS the end points expects as by default BizTalk 2013 R2 tries TLS 1.0, and then will fail if the web site does not allow it.
You can feedback to Microsoft that you wish to have this feature by voting on Add support for OAuth 2.0 / OpenID Connect authentication
Maybe someone will open source their solution. See Announcement: BizTalk Server embrace open source!
Figured it out. I should have used the 'Certificate' for client credential type.
I just had to:
Add token in the Outbound HTTP Headers box in the Messages tab and select 'Transport' security and 'Certificate' for Transport client credential type.
Downloaded the certificate from the API's website via the browser (manually) and installed it on the local servers certificate store.
I then selected that certificate and thumbprint in the corresponding fields in the adapter via the 'browse' buttons (had to scroll through the available certificates and select the API/website certificate I was trying to connect to).
I discovered this on accident when I had Fiddler running and set the adapter proxy setting to the local Fiddler address (http://localhost:8888). I realized that since Fiddler negotiates the TLS connection/certificate (I enabled tls1.2 in fiddler) to the remote server, messages were able to get through but not directly between the adapter and the remote API server (when Fiddler WASN'T running).
I am testing my application with PayPal sandbox.
The URI I use for the transaction is https://sandbox.paypal.com/cgi-bin/webscr?cmd=_xclick.
In my return page I read the data from PayPal then I form a new string to send back with cmd = _notify-validate.
When I make a call to https://sandbox.paypal.com/cgi-bin/webscr I am getting error saying "The remote certificate is invalid according to the validation procedure."
I tried making a call to https://www.paypal.com/cgi-bin/webscr instead and it always return t "INVALID".
This appears to be an SSL issue: This error message is caused because the process is not being able to validate the Server Certificate supplied by the Server during an HTTPS (SSL) request. The very first troubleshooting step should be to see if the server supplied certificate and every certificate in the chain is trouble free.
I am trying to use Forms Authenication with the httpwebrequest but I seem not to have any success. Here is what I am doing:
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
request.Method = WebRequestMethods.Http.Get;
// Authentication items -------------------------------------------
request.UseDefaultCredentials = false;
request.PreAuthenticate = true;
// Attempt to set username and password:
CredentialCache cc = new CredentialCache();
cc.Add(
new Uri(url),
"Basic",
new NetworkCredential("username", "validpassword", "domain")
);
request.Credentials = cc;
request.AllowAutoRedirect = true;
request.KeepAlive = true;
request.Timeout = 10000;
CookieContainer cookieContainer = new CookieContainer();
request.CookieContainer = cookieContainer;
// request html
response = (HttpWebResponse)request.GetResponse();
The problem is that even with a valid password and username for the domain this is always throwing an exception.
Can anyone help?
NOTES:
Exception Type: WebException
Exception Message: "The remote server returned an error: (401) Unauthorized."
Exception Status: Protocol
Error Exception Occurring at: response =(HttpWebResponse)request.GetResponse();
Exception Stack Trace: None
... sorry
I add Credentials for HttpWebRequest .
myReq.UseDefaultCredentials = true;
myReq.PreAuthenticate = true;
myReq.Credentials = CredentialCache.DefaultCredentials;
I’d like to know the sub status code of the 401 error you encountered. The 401 error contains the following sub status code:
401.1: Access is denied due to invalid credentials.
401.2: Access is denied due to server configuration favoring an alternate authentication method.
401.3: Access is denied due to an ACL set on the requested resource.
401.4: Authorization failed by a filter installed on the Web server.
401.5: Authorization failed by an ISAPI/CGI application.
401.7: Access denied by URL authorization policy on the Web server.
Because the project works well on your machine, I doubt it is a process identity issue. By default the application pool in IIS 6.0 uses “Network Service” as its identity. This account is restricted, so that you may encounter access deny issue.
For troubleshooting purpose, please try to change the application pool’s identity to “Local System”. If this method can resolve the issue, change back the identity to “Network Service”, and grant read/write permission to the xml file you want to read/write.
About how to change application pool’s identity, please refer to the following steps:
1. Open IIS manager (Start | Control Panel | Administrative Tools | Internet Information Services Manager).
2. Expand the “Application Pools” node.
3. Right click the application pool which your project is using, and then select “Properties”.
4. Click “Identity” tab.
5. Choose “Local System” in the Predefined dropdown list.
About how to grant permission to a file, please check these steps:
1. Open Windows Explorer.
2. Right click the file, and then select "Properties".
3. Click the "Security" tab.
4. Add "Network Service" in access list and check "Modify", "Read", and "Write" for it.
In addition, other files may cause this issue too, you can use Filemon to monitor any access file deny issues.
FileMon for Windows v7.04
http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx
I'm trying to obtain a token from ADFS to that I can use it with an on-premise Windows Service Bus installation. I may not have ADFS properly configured because I get the following message:
MSIS3127: The specified request failed.
The code to access the token is as follows:
string adrecaSTS = "trust/13/usernamemixed";
WS2007HttpBinding binding = new WS2007HttpBinding();
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Mode = SecurityMode.TransportWithMessageCredential; //https
string baseSSLUri = #"https://<myadfs>/adfs/services/";
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(baseSSLUri + adrecaSTS));
trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
trustChannelFactory.Credentials.UserName.UserName = "username";
trustChannelFactory.Credentials.UserName.Password = "password";
WSTrustChannel tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();
//create a token issuance issuance
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue);
//call ADFS STS
SecurityToken token = tokenClient.Issue(rst);
The endpoint is enabled on ADFS and my client (laptop on separate domain) trusts the certificate from ADFS.
Do I need to set up some kind of trust or something further? This error message is not particularly helpful.
See here:
https://github.com/thinktecture/Thinktecture.IdentityServer.v2/blob/master/src/Libraries/Thinktecture.IdentityServer.Protocols/WSFederation/HrdController.cs
The ValidateToken method has most of the code - but you first need to extract the InnerXml from the generic token and turn that into a SAML security token (again using a token handler).
Found the issue. I was trying to log on as an administrator account. When I used a regular user it worked.
I also had to modify the RequestSecurityToken to have a KeyType of KeyType.Symmetric
I see that you solved your issue, but here is some additional inforamation to potentially help others that might have the same error message but a different cause.
The AD FS error, "MSIS3127...", can have multiple causes. For us, it was caused by one of our relying party claim rules specifying an AD FS attribute store that didn't exist.
In order to debug the error, we checked the Event Viewer on all of the servers running AD FS, and that's where we found the detailed message that called out the attribute store problem. So, if anyone else gets the same error message, then I suggest checking the Event Viewer on AD FS to see if there are additional logs.
Note that AD FS logs to the Event Viewer under the folder/node of Applications and Services Logs => AD FS => Admin