We have a web app in Azure that needs to call a site in our on-prem location, we have configured Azure Relay and it works fine for HTTP if we use HTTPS we get
Could not establish trust relationship for the SSL/TLS secure channel with authority
Error Status 500 - Internal Server Error. URL
Does the web site on the internal site need to use a public cert rather than an internal one from our CA?
Related
Requesting for some help here. Kind of stuck with a use case. We are trying to integrate OneLogin with our app via Spring security.
The entry point to our application is Azure App Gateway that routes the requests to load balancer further routing to the VMs where the service is deployed. Everything works fine if we DONOT override the hostname in Backend settings for any incoming request, leading to the App Gateway host only getting passed for every request. Here the App Gateway URL being set as the redirect URI in Spring security auth endpoint call.
The problem appears when the Apigee is used as the entry point to our application. Apigee routes the request to App Gateway routing it further to load balancer and VMs. Here, we DO have to override the host as Apigee host name in order to authenticate the client to the OneLogin server. The Apigee endpoint is set as the redirect URI in the Spring security auth endpoint call.
However, the server responds back with "possible CSRF detected - state parameter was required but no state could be found" error. Tried different possible solutions from other SO links to resolve this error like providing a session cookie name, but did not help. Our OneLogin server and client application are also in different domains.
The only thing that works here is when we DONOT override the hostname in Azure App Gateway Backend settings and pass the App Gateway URL as the redirect URI in auth endpoint call. But the problem is it shows the App Gateway URL in the user browser, which we do not want because in an ideal scenario, the user should see only the Apigee host in the browser url and not the App Gateway host. So, is there any way to re-route/redirect/override the URL to Apigee URL in Azure App Gateway settings without the call being made to Apigee endpoint. Just the user sees the Apigee url in the browser, but internally all calls are made to App Gateway endpoint only.
Or the other solution could be to prevent the CSRF issue when Apigee hostname is used as the redirect URL in the auth endpoint instead of App Gateway host. But not sure how to resolve that.
• In your scenario, when you are not overriding the hostname in the Azure application gateway backend settings and pass the ‘Application Gateway’ URL as redirect URL in the ‘Authorization endpoint call’, the application gateway URL is shown in the user’s browser which is not desired since the Apigee host redirects the authentication requests to the ‘App gateway’ endpoint.
Therefore, without the call to be made to the ‘Apigee’ endpoint, you can surely redirect it to the Apigee redirect URL in the Azure application gateway settings by configuring the ‘Rewrite URI rules’ in the gateway. These rewrite rules will check for any presence of configured URLs or specific paths and will therefore, change the original URI path to the new path configured. As a result, please follow the below given snapshots as steps for configuring the same as stated above: -
Thus, as shown above, you can configure the ‘Rewrite rules’ in a ‘Standard V2’ SKU application gateway for redirecting response requests of ‘authorization endpoint call’ from application gateway URL to the Apigee endpoint hostname configured. In this way, when the application gateway URL is shown in the browser, it will be rewrited to the apigee endpoint hostname’s URL in the browser and accordingly the user at the receiving end will be able to see the Apigee endpoint hostname as a result fulfilling your requirement.
For more details regarding the above, kindly refer the below link: -
https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#modify-a-redirection-url
I have created an MVC Web application application and a storage account(Table). I'm getting the error
StatusMessage:The account being accessed does not support http.
ErrorCode:AccountRequiresHttps
When I created an MVC application, I have ticked Configure for Https. Would anyone know where I can configure it to use https and why I'm not able to access it? (I tried running on both IIS express and IIS)
Thanks in advance
Explanation
By default, an Azure Storage account requires secure access (that means access over HTTPS) by default.
The box you checked (Configure for HTTPS) means that the MVC Web Application is accessible via HTTPS (only). The error you're getting is that you are accessing the Storage Account over HTTP. So that's an outgoing connection to your storage account from your web application. This is not covered by the box you checked.
Solution
If you want to connect to the Storage Account using HTTPS, make sure the connection string you are using for the storage account contains/starts with DefaultEndpointsProtocol=https;. This configures the storage account client to access the storage account over HTTPS.
Additional info
The secure transfer option enhances the security of your storage account by only allowing requests to the storage account by secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPs. Any requests using HTTP will be rejected when 'secure transfer required' is enabled.
EDIT:
If you're using the constructor for the CloudStorageAccount class to 'build' the connectionstring, make sure to pass in true for the useHttps parameter.
If you are using Azure Web Apps to host your web application (let it be an ASP.NET MVC web app) you do not have the possibility to set up the IIS behind the Azure Web App to accept client certificates through an HTTPS connection. My application has some Web API endpoints that would be only accessible if the user has the correct certificate with the allowed thumbprint. However, I have other endpoints as well (and of course the website) that would be accessible without a client certificate. So in my case the only way is to accept client certificates.
I am not sure about that, but if I know well I can still get the client certificate by using OWIN while the SSL Settings in IIS is set to Ignore. If I use OWIN and go through the OWIN environment I can see a key called ssl.LoadClientCertAsync.
I am implementing endpoints that a third-party service will call, so I have no control over the content of the request. I know that there is a ssl.ClientCertificate key, with type X509Certificate, but in my case this key doesn't exist.
I have found some C# solution about using this ssl.LoadClientCertAsync key to get the certificate like in the CheckClientCertificate method of Katana or the solution in this C# Corner article. In every solution that I can find in the net, the author gets this type as a Func<Task> and then calls this task, by for example using the await operator.
var certLoader = context.Get<Func<Task>>("ssl.LoadClientCertAsync");
if (certLoader != null)
{
await certLoader();
...
After that they retrieves the certificate by using the ssl.ClientCertificate key.
var asyncCert = context.Get<X509Certificate>("ssl.ClientCertificate");
In this example, my asyncCert variable is always null. There weren't any ssl.ClientCertificate key in the OWIN context. I have tried to use the X509Certificate2 instead of X509Certificate, but I still got null.
My question is is it possible to get the client certificate in an Azure Web Site while the default SSL setting is Ignore by using OWIN? If yes, why can't I get the certificate using the ssl.LoadClientCertAsync key?
According to your description, I have created my ASP.NET MVC web application for working with client certificate in OWIN to check this issue. The following code could work on my local side:
if (Request.GetOwinContext().Environment.Keys.Contains(_owinClientCertKey))
{
X509Certificate2 clientCert = Request.GetOwinContext().Get<X509Certificate2>(_owinClientCertKey);
return Json(new { Thumbprint = clientCert.Thumbprint, Issuer = clientCert.Issuer }, JsonRequestBehavior.AllowGet);
}
else
return Content("There's no client certificate attached to the request.");
For SSL Settings set to Accept, I could select a certificate or cancel the popup window for selecting a certificate.
AFAIK, we could enable the client certificate authentication by setting clientCertEnabled to true and this setting is equivalent to SSL Settings Require option in IIS.
As How To Configure TLS Mutual Authentication for Web App states about accessing the Client Certificate From Your Web App:
If you are using ASP.NET and configure your app to use client certificate authentication, the certificate will be available through the HttpRequest.ClientCertificate property. For other application stacks, the client cert will be available in your app through a base64 encoded value in the X-ARR-ClientCert request header.
My question is is it possible to get the client certificate in an Azure Web Site while the default SSL setting is Ignore by using OWIN?
AFAIK, the current SSL Settings for client certificates only supports Ignore and Require for now. When hosting your web application on azure web app, for the client users who access your azure web app with client certificate authentication, they could specify the certificate to a base64 encoded value as your custom request header when sending request to your azure web app, then your could try to retrieve the header and verify the cert if the cert custom request header exists. Details, you could follow this sample.
Additionally, you could use Azure VM or Azure Cloud Service instead of azure web app, at this point you could fully control the SSL Settings in IIS.
I am trying to build authentication system through ASP.NET MVC. I am using Identity Server 4 for authentication. I have already implemented user id and password validation through ResourceOwner.
Now I am trying to implement smart card authentication. When I try to read X509Certificate2 in debug mode, I am able to read the client certificates but when I deploy the application to IIS, I am unable to read the certificate.
I want to accept client certificate on my Identity Server hosted on IIS when request is sent to Identity Server 4 from client ASP.NET MVC. My Identity Server 4 project type is .NET Core on .NET Framework.
I have already tried this:
Installed authorized SSL certificate on IIS
Added HTTPS binding to my identity server 4 app pool with valid port number.
Enable SSL for the identity server site and set to accept client certificate.
I got the client certificate in Identity Server 4 as below but it was without private key :
var clientX509Certificate = new X509Certificate2(this.HttpContext.Connection.ClientCertificate);
I have a WebAPI solution hosted in an Azure Web Site (appnameapi.azurewebsites.net) that has some endpoints exposed to regular http right now.
I also have a client application hosted in a separate Web Site under appname.azurewebsites.net.
I purchased appname.com from hover and am forwarding appname.com to appname.azurewebsites.net with masking. The client application makes requests to appnameapi.azurewebsites.net right now, but not encrypted.
My goal is to get SSL working on the web client so that users see SSL in the browser bar, and so that anything that goes from the client to the api endpoints is encrypted.
I went to rapidSSL and purchased a certificate for appname.com. Now I'm not sure if I need to put this in my WebAPI web site, or my client web site. I've found some documentation on setting up SSL in Azure but nothing that's given me a good grasp of what needs to be done in this scenario.
What's the next step? Do I need one cert per site, and if not, where does the single cert go?
You client web site is appname.azurewebsites.net. You have appname.com mapped to this. Your SSL certificate is for this domain. So, you will need to put the certificate with the client app. As an end user, if I go to appname.com, the certificate your application will present to my browser will be the one you purchased for appname.com. This is for the pages rendered by the client web application.
Now, as the browser renders the page from the client web application, say it needs to make jQuery AJAX calls to your web API site appnameapi.azurewebsites.net. You can use a domain name for this one as well, some thing like api.appname.com but regardless, this will be a cross-origin call, BTW. If this call is also through HTTPS, then for this case also, a valid cert must be presented to the browser. Assuming you have api.appname.com which is a sub-domain of appname.com, you can use the same certificate you bought from rapidSSL with web API site as well provided it is a wild-card cert, which is obviously more expensive. Otherwise, you will need one more certificate for the web api site (or the domain name if you plan to use one for API) and install that new cert in the api app.