I am trying to wire up Azure Key Vault in my ASP.NET (.Net Framework) MVC Web App using Visual Studio 2017 Community 15.7.5 Connected Service targeting .Net 4.7.2.
It adds a configBuilder with the name AzureKeyVault with an attribute called vaultName that throws a "The 'vaultName' attribute is not allowed." warning.
When I run the application I get an error that the configBuilders attribute on the appsetting tag is not good like so:
I am using the following package versions which are all current:
<package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
There is an update to Microsoft.Azure.Services.AppAuthentication but it is a preview and it caused dependency issues with other packages.
tldr; - you probably don't have the appropriate permissions to access the key vault.
In currently released versions of the .Net framework, detailed errors about config builders are not always easily discoverable in the ASP.NET yellow screen. We have changes in vNext to address this issue, but it is currently a problem for 4.7.1/2. For the time being, if you create a simple console app to read appSettings with the same config builder configuration, you should see more exception information in the stack that gets spit out.
Based on the yellow screen you posted though I would guess (and its really just an educated guess based on past reports and nothing specific in your case) you are running into an authentication issue in the Microsoft.Azure.Services.AppAuthentication library. When running in Visual Studio, that library can use your personal credentials to access the key vault. If deployed in Azure, they use a different magic technology to authenticate the application to the key vault. If you want to eliminate the "magic" and take more control over this, you can specify more detailed connection information with the 'connectionString' attribute. There is more information as well as a link to connection string details on our GitHub page (MicrosoftConfigurationBuilders).
As for the "The 'vaultName' attribute is not allowed." warning... it's just a warning. The .xsd that VS uses to validate configuration was not correctly updated to allow random attributes on configBuilder definitions. We hope to address this in a future VS release around the time that the next framework ships.
Steve Molloy was correct in that the Configuration Error was a red herring. I created a console app and the error messages were much better but they still required some investigation. Here's my Console App Code and packages:
static void Main(string[] args)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider
(azureAdInstance:"https://InsertAADSubscriptionName.onmicrosoft.com/");
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = keyVaultClient.GetSecretAsync(
"https://InsertKeyVaultName.vault.azure.net", "InsertSecretYouWantBack").GetAwaiter().GetResult();
}
<packages>
<package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net472" />
<package id="Microsoft.Rest.ClientRuntime" version="2.3.13" targetFramework="net472" />
<package id="Microsoft.Rest.ClientRuntime.Azure" version="3.3.15" targetFramework="net472" />
<package id="Newtonsoft.Json" version="11.0.2" targetFramework="net472" />
</packages>
I put a breakpoint on the last bracket and kept looking for my secret value in the variable secret. I kept getting the following error indicating that Azure AD wasn't able to authenticate my local environment and return an access token.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried the following 4 methods to get an access token,
but none of them worked.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Managed Service Identity.
Unable to connect to the Managed Service Identity (MSI) endpoint.
Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Visual Studio.
Access token could not be acquired.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Azure CLI. Access token could
not be acquired. ERROR: Please run 'az login' to setup account.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Active Directory Integrated
Authentication. Access token could not be acquired. get_user_name_failed:
Failed to get user nameInner Exception : No mapping between account names
and security IDs was done
The problem was that since I was running the app locally I needed to be logged in to Azure CLI locally. To do this: first install Azure CLI on your machine, then go to a CMD or a PowerShell prompt and type az login and follow the instructions returned.
This did the trick; the console app was able to get an access token.
I tried it on my web app in the original question above and it worked as expected.
Related
I am developing a Self-hosted .Net Core Rest API to be hosted in Docker Container in Service Fabric. I am unable to configure to SSL/Https in Service Fabric. Http seems to work. I am using HttpSys as web server, not Kestrel since I read it is not recommended option for services without reverse proxy(like IIS).
Here is the web server code snippet.
return WebHost.CreateDefaultBuilder(args)
.UseApplicationInsights()
.UseStartup<Startup>()
.UseHttpSys(
options =>
{
options.Authentication.Schemes = AspNetCore.Server.HttpSys.AuthenticationSchemes.None;
options.Authentication.AllowAnonymous = true;
}
)
.Build();
Here is ServiceManifest.xml Endpoints snippet.
<Endpoints>
<Endpoint Name="ServiceEndpoint" Protocol="http" Port="80" />
<Endpoint Name="ServiceEndpointHttps" Protocol="https" Port="443" Type="Input" CertificateRef="SSLCertificate" />
</Endpoints>
Here is ApplicationManifest EnvironmentVariable snippet.
<EnvironmentVariable Name="ASPNETCORE_URLS" Value="https://*:443/;http://*:80/"/>
Here is ApplicationManifest.xml Policies snippet.
<Policies>
<ContainerHostPolicies CodePackageRef="Code">
<RepositoryCredentials AccountName="accountname" Password="password" PasswordEncrypted="false" />
<PortBinding ContainerPort="80" EndpointRef="ServiceEndpoint"/>
<PortBinding ContainerPort="443" EndpointRef="ServiceEndpointHttps"/>
</ContainerHostPolicies>
<EndpointBindingPolicy CertificateRef="SSLCertificate" EndpointRef="ServiceEndpointHttps" />
</Policies>
Here is ApplicationManifest.xml Certificates snippet.
<Certificates>
<EndpointCertificate Name="SSLCertificate" X509FindValue="cert thumbprint"/>
</Certificates>
Initially, I had issues with Certificate deployment when I had SSL certificate only in CurrentUser\My Certificate Store. I resolved it after deploying the certificate in LocalMachine\My Certificate Store. With this fix, Service seems to be working only with HTTP protocol in Port 80, not with HTTPS protocol in Port 443.
Service Fabric Explorer doesn't show any error and no errors in Events Log also. I am facing this issue in both Local Service Fabric and in Azure Service Fabric instances.
Any thoughts/pointers on this would be appreciated.
Using Service Fabric for container and https could follow this doc.
It will inject the certificate into the container as environment variables.
But for linux clusters, there is a problem. The Certificates_ServicePackageName_CodePackageName_CertName_PEM and Certificates_ServicePackageName_CodePackageName_CertName_PrivateKey represented files are having the exact same content.
I'm waiting for the Azure China supporter for further clarification on this, not sure if it's a China specific problem.
We are trying to consume web service from orbeon client code. Everything works fine with one way SSL however we now wish to call the web service using 2 way SSL. We are able to call the web service using 2 way SSL successfully using the Apache CXF framework using Java code.
I followed the steps outlined in the Orbeon Wiki.
Changes made in properties-local.xml
<property as="xs:anyURI"
name="oxf.http.ssl.keystore.uri"
value="/apps/property/ClientStore.jks"/>
<property as="xs:string"
name="oxf.http.ssl.keystore.password"
value="password"/>
<property as="xs:anyURI"
name="oxf.url-rewriting.service.base-uri"
value="http://localhost:8085/Orbeon"/>
<property as="xs:anyURI"
name="oxf.fr.persistence.exist.uri"
value="http://localhost:8085/fr/service/exist"/>
<property as="xs:anyURI"
name="oxf.fr.persistence.exist.exist-uri"
value="http://localhost:8085/exist/rest/db/orbeon/fr"/>
After implementing the changes outlined above we are getting the exception below:
ERROR XFormsServer - xforms-submit-error - setting throwable {throwable:
"javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:488)
at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148
Java start up options are:
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.keyStore=/apps/property/DMClientStore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/apps/property/trustkeystore.jks
Questions:
Are these properties sufficient for enabling 2 way SSL?
For Apache CXF we need to provide two keystores, one with the client certificate and a truststore. Where do we configure both of these keystores for Orbeon?
I am running a TFS 2012 installation on a virtual machine (inside Windows Azure). Everything works fine, except that files bigger than 5MB cannot be checked in. On the client side it says: "The request was aborted: The request was canceled.".
On the server side the event log contains an error saying:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="TFS Services" />
<EventID Qualifiers="0">4000</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-07-02T15:57:04.000000000Z" />
<EventRecordID>1832</EventRecordID>
<Channel>Application</Channel>
<Computer>gm-tfsserver</Computer>
<Security />
</System>
- <EventData>
<Data>TF53010: The following error has occurred in a Team Foundation component or extension: Date (UTC): 02/07/2013 15:57:04 Machine: GM-TFSSERVER Application Domain: /LM/W3SVC/2/ROOT/tfs-2-130172535704544600 Assembly: Microsoft.TeamFoundation.Framework.Server, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v4.0.30319 Service Host: 7e62b8c5-5065-4b32-9734-fc37fac35a8c (GM) Process Details: Process Name: w3wp Process Id: 3636 Thread Id: 3232 Account name: GM-TFSSERVER\Christian Detailed Message: TF30065: An unhandled exception occurred. Web Request Details Url: http://gm-tfsserver:8080/tfs/GM/VersionControl/v1.0/upload.ashx [method: POST] User Agent: Team Foundation (devenv.exe, 11.0.60610.1, Ultimate, SKU:8) Headers: Content-Length=16778221&Content-Type=multipart%2fform-data%3b+boundary%3d--------------------------8e5m2D6l5Q4h6&Accept-Language=en-GB&Expect=100-continue&Host=gm-tfsserver%3a8080&User-Agent=Team+Foundation+(devenv.exe%2c+11.0.60610.1%2c+Ultimate%2c+SKU%3a8)&X-TFS-Version=1.0.0.0&X-TFS-Session=2801ee9b-62f2-43e9-9a65-c296978716df Path: /tfs/GM/VersionControl/v1.0/upload.ashx Local Request: False Host Address: 77.177.87.232 User: GM-TFSSERVER\Christian [authentication type: NTLM] Exception Message: TF14109: Parts of the file $/GM Software/Legacy Code/Gw Code/GrData.txt were not uploaded. (type IncompleteUploadException) Exception Stack Trace: at Microsoft.TeamFoundation.VersionControl.Server.UploadHandler.ParseRequestParameters(VersionControlRequestContext versionControlRequestContext, String& workspaceName, String& workspaceOwner, String& serverItem, Byte[]& hash, HttpPostedFile& file, Int64& fileLength, Int64& compressedLength, Int64& offsetFrom, CompressionType& compressionType) at Microsoft.TeamFoundation.VersionControl.Server.UploadHandler.Execute()</Data>
</EventData>
</Event>
I tested it with two different internet connections from two different locations. The Virtual machine has port 8080 opened in the azure endpoint configuration.
Does anyone have an idea?
Through the client side I tried the following solution which solve my problem with
The request was aborted: The request was canceled.
by adding the app setting key VersionControl.UploadChunkSize to devenv.exe.config (%Program Files%\Microsoft Visual Studio 11.0\Common7\IDE)
<appSettings>
<add key="VersionControl.UploadChunkSize" value="1048576" />
</appSettings>
I figured this from this answer: TFS check in timeout of changeset containing "larger" binary files
Please have a look to the link to get more information.
I think you need to look for deltaMaxFileSize in the web.config file.
Link
So I have created an ABCS BPEL process in JDeveloper, it compiles without any errors. I'm trying to test it via soapUI but I am getting the following error:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): http://REPLACE_WITH_ACTUAL_HOST_AND_PORT/ENVIRONMENT_NAME/com-telekom-xmlns-ng-EnterpriseServices-Core-TroubleTicket-V1-services-CommunicationsTroubleTicketEBS.soap2jms/1.0</faultstring>
<faultactor/>
<detail>
<exception>Unable to access the following endpoint(s): http://REPLACE_WITH_ACTUAL_HOST_AND_PORT/ENVIRONMENT_NAME/com-telekom-xmlns-ng-EnterpriseServices-Core-TroubleTicket-V1-services-CommunicationsTroubleTicketEBS.soap2jms/1.0</exception>
</detail>
</env:Fault>
</env:Body>
</env:Envelope>
Which is strange because in my config plan I have added the following, replacing the REPLACE_WITH_ACTUAL_HOST_AND_PORT/ENVIRONMENT_NAME part with an actual address:
<wsdlAndSchema name="CommunicationsTroubleTicketEBSResponse.wsdl|CommunicationsTroubleTicketEBS.wsdl">
<searchReplace>
<search>http://REPLACE_WITH_ACTUAL_HOST_AND_PORT/ENVIRONMENT_NAME/com-telekom-xmlns-ng-EnterpriseServices-Core-TroubleTicket-V1-services-CommunicationsTroubleTicketEBSResponse.soap2jms/1.0</search>
<replace>http://soainta52:8001/soa-infra/services/ServiceRequestsStubs/TTMCreateTroubleTicketStub/TTMCreateTroubleTicketStub_ep</replace>
</searchReplace>
<searchReplace>
<search>http://REPLACE_WITH_ACTUAL_HOST_AND_PORT/ENVIRONMENT_NAME/com-telekom-xmlns-ng-EnterpriseServices-Core-TroubleTicket-V1-services-CommunicationsTroubleTicketEBS.soap2jms/1.0</search>
<replace>http://soainta52:8001/soa-infra/services/ServiceRequestsStubs/TTMCreateTroubleTicketStub/TTMCreateTroubleTicketStub_ep</replace>
</searchReplace>
</wsdlAndSchema>
When deploying your BPEL you have to select the deployment plan.
Are you make this deployment from JDeveloper or from a the enterprise manager console?
something weird is happening! is a couple of days that my users are experincing a "logging out" isses, the error message is:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Here the data:
the website is running on 3 server behind a load balancer
yes, machine key is the same all across thw websites, because the configuration is shared and all servers are pointing to the same folder on a NAS, this is the key:
<machineKey decryption="AES" decryptionKey=" ... snipped for security reasons ... "
validation="SHA1" validationKey=" ... snipped for security reasons ..." />
I created the keys using an console app as suggested here: http://msdn.microsoft.com/en-us/library/ff649308.aspx#paght000007_webfarmdeploymentconsiderations
the form auth config is
<authentication mode="Forms">
<forms loginUrl="SignIn.aspx" timeout="525960" />
</authentication>
the time on the servers is in sync
... Any other suggestions?
Cheers
Make sure that this patch is installed on every server in the farm.
(It changes ticket handling; installing it on some of the servers will cause issues)