ASP.NET Core OAuth correlation cookie not found - oauth-2.0

I have an ASP.NET Core 2.2 MVC application set up to use OAuth for authentication. As it is deployed as an Azure Web App, it has data protection services configured with Key Vault and blob storage; however, I'm still seeing correlation failures like the one below in our logs in production.
Message: '.AspNetCore.Correlation.OAuth.VkmnPxJJLn91wYEb5HSO7A6zGjULwiVTKeEPHoO2GcA' cookie not found..
I do not see these errors locally or in our test environments, and we haven't experienced these errors when testing the website in production, so I don't know why we're seeing these in our logs. Any help identifying what could be causing these would be greatly appreciated.

Related

WebAuthn Issue Due to Split Architecture

I am currently developing a standalone (not .NET Core hosted) Blazor WebAssembly app in .NET 5.0. I have been trying to convert a couple of ASP.NET MVC WebAuthn examples over into my Blazor app for passwordless authentication.
The issue I am experiencing now is due to this app's architecture since it is not a Blazor Server app. The Asp.Net MVC example I am following has everything including the client hosted on the server whereas my app is split Web Client/ Web API architecture.
So far, however, I have managed to get most of the way through these differences, but now the issue I am having is in the last step, registering the credential with the server within the Make Credential request of the Fido2NetLib library, on this line:
// 2. Verify and make the credentials
var success = await _lib.MakeNewCredentialAsync(attestationResponse, options, callback);
I am receiving an error saying: "Origin https://localhost:44325 not equal to original origin https://localhost:44309". Now, of course, this is a dev environment, but it will be exactly the same in production, as the API and the client are hosted on two different domains.
Any ideas would be greatly appreciated. I am hoping I can "white list" certain domains?
WebAuthn defines the origin to be the fully qualified origin. Per the referenced RFC 6454, this is the tuple of scheme, host, and port. You can't go breaking the rules without deviating from the standard.
WebAuthn gels very well with using a separate identity provider (e.g. something OpenID Connect/IdentityServer4-based), as the origin that deals with credentials will always be the same regardless of the relying parties involved.

ASP.NET Identity Core cookie causes http 403 error when login and logout multiple time

I have developed an ASP.NET MVC 5 application, and it is hosted on shared hosting (IIS 10).
For authentication, I am using identity to check authentication.
I'm logging in and out multiple times in my application. After 6 or 7 attempts, it directs me to the 403 error page.
After clearing the cache from the browser, it works fine again.
Please assist me to find a solution.
I updated the machine key as well, but I am still getting the same issue.
When we check the tracing, the error originates from the dynamic compression module.
I got an answer from the hosting team. They had installed a WAF (ModSecurity) to block requests based on the behaviour of requests. After disabling it, this works fine now.
It will definitely help someone.
Thanks.

MVC 3 Authentication Issue

I have a few web applications running on production server.
Scenario:
Web App 1 (e.g. www.test.com): In this web application, the user logs in and cookies are created in this application. The user can do some other functionality here, but on clicking one button, it is required to redirect to another web application (Web App 2).
Web App 2 (on a different subdomain, e.g. abc.test.com): The session created earlier is to be passed here. Hence, I have used the same machine key in Web.config in the two web apps (Web App 1 and Web App 2), as suggested in the link "Sharing sessions across applications using the ASP.NET Session State Service".
Issue:
The session is shared fine and everything works great on staging.
But on production, I am getting this error:
Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'System.Web.Security.FormsIdentity'
It seems to me that the session sharing is not happening for some reason on production. Can you please guide me on the possible cause of this issue?
Either enable Forms authentication on production IIS,
or ensure your web.config on production (sessionState).
It looks like the root cause is a configuration issue on production.

Debugging ADFS 2.0 errors

I am trying to get a SAML 2.0 token from an ADFS 2.0 ws-trust service using C#. The popular sample is this one http://leastprivilege.com/2012/11/16/wcf-and-identity-in-net-4-5-external-authentication-with-ws-trust/. However, this sample uses a UserNameWSTrustBinding which, according to this article http://msdn.microsoft.com/en-us/library/jj157091.aspx, did not make the jump to the System.IdentityModel namespace for 4.5.
I have been experimenting with this sample and some variants that I have found, but so far the only results that I can get are a variety of error messages. I am wondering if there is any good way to debug the latest one, "The request for security token has invalid or malformed elements.". I turned WCF logging on and determined that this message is being returned as a fault by the ADFS service.
Reviewing the AD FS 2.0/Admin events on the ADFS server, there is no indication of an error. Several posts indicate that this is common in an ADFS farm environment, but mine is a simple single server configuration.
Does anyone have a good way to diagnose this? Or, is there a good sample that comes with any configuration requirements on the ADFS server side?
This link http://social.msdn.microsoft.com/Forums/en/Geneva/thread/33fc091b-505c-481c-a61c-a8541a5ccf23 shows how to enable WCF and WIF tracing for the server side of ADFS 2.0. Modify the config file at C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config. (Change the three switchValue settings to Verbose and modify the trace listeners.) While following the instructions, make sure to change the types on the listeners. Something like
<add name="ADFSWifListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="c:\logs\adfs1.svclog" />
I also had to grant "Everyone" full access to the C:\Logs folder; you can refine those permissions with auditing if you like. Once the .svclog files have been created, they can be viewed with SvcTraceViewer.exe in %ProgramFiles%\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools (or probably any other SDK version).
NOTE: Microsoft will not support the notion of logging trace data directly to a file, so you will want to turn this off or configure according to this article http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers(WS.10).aspx for a production deployment.

Configure application pools in IIS Express

Recently I have been using IIS Express and it works really great. However, I have one scenario I am unable to solve.
I am developing a webapp where users should be able to login with their AD account. Since the server which will run the webapp is outside the domain I use ADFS 2.0 as a SSO solution to solve this problem.
To make development for this project easier, I have chosen to use IIS Express when developing.
To be able to exchange claims information with the ADFS 2.0 server from my development environment, I have to configure the application pool for the site to have Load User Profile set to true (as in IIS 7.5, for instance). I have searched around the web and have so far found very little documentation on how to configure application pools in IIS Express.
This has nothing to do with ADFS, but it's the way WIF signs and encrypts the cookie that will be used to identify the user after the initial sign-in. The default implementation in WIF uses DPAPI, which relies on the user profile to get key material.
You can override that default and use the machineKey as key material instead. Indeed, that's the way it works in .NET 4.5 by default, precisely because of all the issues with DPAPI. Here is the way to do it in .NET 4:
http://leastprivilege.com/2012/07/12/machinekey-based-session-protection-for-wif/