I am trying build up a Staging Environment for an ASP.NET MVC Web App, but am stumbling from problem to problem, the last one having been this one: HTTP 500.79 Error / System.UriFormatException when deploying ASP.NET App to Azure Web App
Currently I am getting a HTTP 403 - Forbidden, "You do not have permission to view this directory or page." error when trying to access the page.
Authentication-wise the App uses Azure Active Directory as Authentication Provider, which is working fine in local testing (using a Test-AAD) and in production. The local and productive apps are not using Azure Web Apps. I noticed on the Azure App Service page that there is a possibility to specify authentication right within Azure, but I don't really want / need to use that, as everything is specified within the app resp. configured in the web.config (ClientID, ClientSecret and Tenant). Anyway, when I tried filling in the Authentication on Azure directly it did not work either, so I removed it again.
What happens now is that the redirect to the Login page on login.microsoftonline.com works, and according to the AAD Admin the login attempt is being successful, or at least shows no pecularities. However, when being redirected back to my page, I get a generic 403, without any additional information that could help pin the problem down.
I did check all sorts of logs for further details, and the only pecularity I found is that for some very odd reason, all requests are made to a completely gibberish URL:
Requested URL / specified Reply URL: https:\\skillmanagementtest.azurewebsites.net
Actually requested URL according to logs: https:\\Skillmanagementtest:80
I have absolutely no clue where this URL originates from, however, "Skillmanagementtest" with that capitalization seems to be the name I specified for the Azure Web App:
Screenshot resource group items
The web.config is being transformed properly during the CI/CD pipeline and I double-checked the auth settings there (tenant, clientID, clientSecret), and I am really out of ideas what may be causing this problem.
One hint I found on other problems was to check the IIS logs, but when I attempted accessing the directory these logs were said to be placed in I was rejected access, even though I have owner permissions on the App Service...
UPDATE
After a long and weary process of trying stuff out and discussing we finally got the App up and running. Some observations we made which may be interesting for others with this or similar problems:
The role-based authorization did not work because we forgot to specify the App Roles in the App registration's manifest file, and then link the security groups to the application roles. Check here for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
We had one API which is only visible within our company's domain. As an Azure Web App runs outside that domain, trying to access that API resulted in an internal server error. We still have to find a solution for this.
We had a situation where requests to the reply URL after authorization would be redirected from HTTPS to HTTP. We have solved this, but as five people were trying out stuff consecutively we don't know currently what the fix actually was. We may create another Azure Web App which may then reveal this part of the solution.
Check to ensure that what you have in your web.config and app settings matches what you have in the reply URLs for your app registration in the portal. There may be some reference somewhere where the reply URL does not match.
Are you using the openid sample? https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect
Also ensure that you are logging in with a user who has the right permissions under the tenant and to the app itself. My colleague and I made a short video that includes the right configurations that may be helpful for this use case. https://www.youtube.com/watch?v=MohaxN6fsDs
After a long and weary process of trying stuff out and discussing we finally got the App up and running. Some observations we made which may be interesting for others with this or similar problems:
The role-based authorization did not work because we forgot to specify the App Roles in the App registration's manifest file, and then link the security groups to the application roles. Check here for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
We had one API which is only visible within our company's domain. As an Azure Web App runs outside that domain, trying to access that API resulted in an internal server error. We still have to find a solution for this.
We had a situation where requests to the reply URL after authorization would be redirected from HTTPS to HTTP. We have solved this, but as five people were trying out stuff consecutively we don't know currently what the fix actually was. We may create another Azure Web App which may then reveal this part of the solution.
Related
I'm trying to migrate from local NLTM authentication to Azure AD login for an on premise app. I have set up the connected service, but everytime the SignIn method is called:
The request is already authenticated and it's using my local PC name, so the O365 log in is never triggered. Debugging doesn't help as the User info and Request don't seem to exist outside of the AccountController. Does anyone know what is going on and how I can get it to load up the login instead?
If anyone else finds this, check and triple check your web config and project files for any lingering windows authentication variables. Failing that try creating a new project with authentication and then copy the content of the old project across bit by bit. It turned out for me to be something dodgy in the project, but even using a comparison tool afterwards showed no discernible differences.
Only thing I can think of is that the Authentication with Azure Active Directory Connected Services made changes that broke something, but using the auth option during project creation did it properly.
I have searched for solutions to this issue but everything I've found seems to be applicable to a firebase web app, not to iOS implementations.
When verifying a user using firebase phone auth for iOS, I understand the recaptacha is very unlikely to appear. However in the event it does, it creates a webview for the recaptcha like so:
Is there any way for me to hide the myProjectId-12345.firebaseapp.com from the user? It's not very clean or secure I'm afraid. I haven't been able to find anything in the way of documentation on this topic, and most stack overflow answers that solved the issue seem to be applicable to the firebase web sdk only.
Am I missing it somewhere? I have followed the documentation for silent notifications as well, so normally the recaptcha does not appear. From the documentation, "only a very small percentage of users will experience the recaptcha", but I would still like to account for those users.
Set up your domain for Hosting
Step 1: Add domain
From your project's Hosting page, enter the wizard for connecting a
custom domain:
If you have only one Hosting site, click Connect domain. If you have
more than one Hosting site, click View for the desired site, then
click Connect domain. Enter the custom domain name that you'd like to
connect to your Hosting site.
(Optional) Check the box to redirect all requests on the custom
domain to a second specified domain (such that example.com and
www.example.com redirect to the same content).
Click Continue to initiate the validation process.
Step 2: Verify domain ownership
If requested in the Connect Domain setup wizard, verify your apex domain.
Step 3: Go live
In the Connect Domain window of the Firebase console, select Quick
Setup for a new site or Advanced Setup if you already have a site
running on another hosting provider and need a zero-downtime
migration.
Have a look at this for detailed information.
I have a web site that has been using Microsoft accounts for authentication for more than three years. It is a Node web app and is using the passport-windowslive package.
Lately, when users return from login.live.com after logging successfully using their Microsoft accounts, one of two types of errors is received, sometimes:
The provided value for the input parameter 'scope' is not valid. The target '«my web site domain»' does not exist.
or:
The provided value for the 'code' value is not valid. The code has expired.
The error is sporadic. I am unable to reproduce it on my development machine.
As the passport-windowslive package was last changed four years ago and my code has not changed for more than two years, the cause looks like it's at the Microsoft end. What has changed?
Update: The problem is getting worse. Previously, the problem could sometimes be overcome by using an incognito browser session or changing the browser. Now it's happening on all browsers. But I am still unable to reproduce the error when running on localhost (with no http).
Microsoft has changed how its applications can be used for oAuth. They must now be managed from Azure instead of apps.dev.microsoft.com or Microsoft Live.
Existing applications configured in apps.dev.microsoft.com will result in:
AADSTS700016: Application with identifier '000000xxxxxxx' was not found in the directory 'aaaaaaaa-bbbb-cccc-ddd-eeeeeeeeeeee'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
The passport-windowslive module somehow did not bubble up the error response.
I've had a website running on Azure now for a while, and I've not had any problems until today when I discovered that browsing to it via a mobile device (tested on Android (Chrome/Firefox) and Apple (iPhone 6 - Safari) ) I get a:
You do not have permission to view this directory or page
error. I've not changed anything on the site, the last publish was 5 days ago, and it was working then. Both my staging and prod environments have gone down like this.
It looks like it's returning a 403, but I can't see why.
The site is an ASP.NET MVC5 site, running as an Azure Web App.
Update
OK, I've now run up a test version of the site with the [RequireHttps] attribute removed from the controllers - now I can navigate to the pages by just http, but https gives me the permission error.
I've managed to solve the problem, in my web.config I had a URL rewrite to prevent SSL3.0 access (based on this post: Disabling SSL3 in in Azure websites).
After switching on the logs in Azure and loading the pages up I saw the 403 error with the message
SSLv3 connections are forbidden by this site
in it. This came from the url rewrite.
My PC was happy loading as I have BitDefender and that was injecting it's own SSL cert into place over the one supplied by my site. Turning off SSL Scanning in BitDefender gave me the error on all browsers.
So the solution so far is to remove the SSL3 rewrite and look into another way to achieve the same thing.
I am using azure AD authentication to authenticate a user in my MVC
application.And I published my application on azure and it is
working fine.
But, when I run my application locally then it Microsoft's login
page comes up and when I enter credentials and click on SignIn
button then it is giving "Sorry, but we’re having trouble signing
you in.We received a bad request."
But the same application is on azure and if I access it from there then it allow me to login.
To create this apllication I follwed link to add azure AD authentication
If you notice the error message, it clearly indicates that you have not configured https://localhost:44320 as one of the reply addresses.
Please go back to application configuration screen in your Azure AD and add https://localhost:44320 as additional reply address. That should take care of this problem.
Add the below to your Web.config. It must be the same port which you have added at the time of Application registration.
<add key="RedirectUri" value="https://localhost:44320/" />
I hit this, it has cost me a lot of time.
I would check firstly that you have the ability in Azure to access third party applications.
In Azure > Users & Groups > User Settings:
You see the first item (Users can allow apps to access their data) - without this checked I believe it wont work.
As you are running your application locally it is not published to Azure, this means that although it may be within the realms of your organisations network, Azure still views it as a third party application.
Be wary setting this to 'Yes'. I understand that there are ways to then create applications that allow you to behave as an Azure super user....
In case anyone else comes across this, here is what happened to me. I had been switching back and forth between environments within Visual Studio (Project >> Properties >> Debug >> Environment Variables). Well, the last time I switched it, I wrote "Develop" instead of "Development" to switch back. This caused .NET Core to grab the wrong appsettings which connected to the wrong AD which did not have my localhost setup on it. It took me an hour to catch what I had done wrong.
This may not be exactly what has happened to you, but do check to make sure you are picking up the Azure AD settings you are expecting if they are in your appsettings. It could be a good point to start at.