Azure Active Directory and localhost - asp.net-mvc

I have an issue with AAD on localhost.
I have followed this how-to carefully.
The first step was to declare my app in the registration, and it is working on my azurewebsite.net.
The second step was to declare my https://localhost:443/ and add the Authorize attribute with connected services. But in this case I always get a 401.
My web.config is populated with these settings:
<add key="ida:ClientId" value="[GUID from App Id]" />
<add key="ida:Tenant" value="[tenant url]" />
<add key="ida:Audience" value="[App Id URI]" />
<add key="ida:Password" value="[hash]" />
<add key="ida:MetadataAddress" value="https://login.microsoftonline.com/[tenant url]/federationmetadata/2007-06/federationmetadata.xml" />
On App Services > Settings, I've updated these values:
HomePage : https://localhost:443/
Reply Url : https://localhost:443/ (tried with https://localhost:443/.auth/login/aad/callback but same 401)
What am I missing?
Thanks for your help.

You need to update the application registration in the Azure portal. Find your application, and then go to Settings | Reply URLs, and add the .azurewebsite.net URL

Graph Explorer Get Planner Tasks

OK, I am trying to make a prototype that creates Tasks in Planner from ASP.NET WebForms.
This is really hard.
At the moment I am stuck on a Graph Explorer error message:
https://graph.microsoft.com/v1.0/planner/plans/Frczk8wfmEGL---------------
Permissions for Graph Explorer are set (User.ReadWrite.All, Group.ReadWrite.All).
Go to tasks.office.com,
select a plan and read the plan ID from the URI
(is this really the way it works?).
Trying the samples in Graph Explorer, I get a tip to go to Stack Overflow.
Right now https://graph.microsoft.com/v1.0/me/ doesn't work either
(it worked sometimes before).
A few hours later Graph Explorer works - must be a Microsoft problem.
Part II of my question:
I created the identity part with the Create Project wizard, so I ended up with 2 sections in web.config.
Should both point to the same client ID? Or should I keep the one generated by Visual Studio and the other one created by the https://apps.dev.microsoft.com/ app?
<add key="ida:ClientId" value="496578b3-19d4-4956------" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
<add key="ida:Domain" value="ppedv.de" />
<add key="ida:TenantId" value="d044494e-fc77-4ae0-------" />
<add key="ida:PostLogoutRedirectUri" value="https://localhost:44378/" />
<add key="ClientId" value="496578b3-19d4-4956-------" />
<add key="RedirectUri" value="https://localhost:44378/" />
<add key="Tenant" value="common" />
<add key="Authority" value="https://login.microsoftonline.com/{0}/v2.0" />

Get access to Google AdWords API v201506 with ASP.NET MVC

I need to use the AdWords API v201506 for some simple operations, but I still get an authorization error (I will paste it at the bottom of this post). I think the problem is not in the code (I just copy-pasted it from Google's documentation) but in the account settings, so the best way to find the error is to show you what I did in every step.
1. Create a production MCC account here (production-mcc#gmail.com). Notice that I chose "To manage other people's accounts." as the answer to "How will you primarily use this AdWords manager account?".
2. Get a developer token for production-mcc#gmail.com. It's still "waiting for approval", but that's not a problem because I will use a test account.
3. Create a test MCC account here (for "To manage other people's accounts.", test-mcc#gmail.com).
4. Create a new project in the Google Developers Console as test-mcc#gmail.com (MyProject).
5. Create an app in the consent screen (MyProject_App).
6. Create a new Client ID for a web application:
JavaScript origins: http://localhost:50194/
Redirect URIs: http://localhost:50194/oauth2callback (autogenerated) and http://localhost:8080/ - without this URL I would not be able to generate a refresh token with OAuthTokenGenerator.exe (from here). Installed application as an "Other" type, and generate a refresh token with OAuthTokenGenerator.exe (from here).
7. Go to Google AdWords and add a client account (button +Account -> Create New AdWords Account). Save the changes and copy its ID.
8. Now get the Client ID and Client Secret and successfully generate a refresh token.
9. Install the Google.AdWords and Google.Ads.Common packages in the MVC project with NuGet.
10. Edit the <AdWordsApi> section in the web.config file as below:
<!-- Settings related to SOAP logging. -->
<add key="MaskCredentials" value="true" />
<!-- Settings related to general library behaviour. -->
<!-- Use this key to automatically retry a call that failed due to a
recoverable error like expired credentials. -->
<!-- <add key="RetryCount" value="1"/> -->
<!-- Set the service timeout in milliseconds. -->
<!-- <add key="Timeout" value="100000"/> -->
<!-- Use this key to enable or disable gzip compression in SOAP requests.-->
<add key="EnableGzipCompression" value="true" />
<!-- Proxy settings for library. -->
<add key="ProxyServer" value="" />
<add key="ProxyUser" value="" />
<add key="ProxyPassword" value="" />
<add key="ProxyDomain" value="" />
<!-- Settings specific to AdWords API.-->
<add key="UserAgent" value="RANDOM_STRING" />
<add key="DeveloperToken" value="DEV_TOKEN_FROM_2_PARAGRAPH" />
<!-- If your application is a simple script that makes calls to only a
single Adwords account, then you can set your customer ID here. If you
have multiple customer IDs to deal with in your account, then you can
comment out this key and set the value at runtime by setting
((AdWordsAppConfig) user.Config).ClientCustomerId = "xxx";
-->
<add key="ClientCustomerId" value="CLIENT_ID_FROM_7_PARAGRAPH" />
<!-- Use the following settings to skip the report header and summary rows
when downloading a report in CSV, TSV or their gzipped formats. -->
<add key="SkipReportHeader" value="false" />
<add key="SkipReportSummary" value="false" />
<add key="SkipColumnHeader" value="false" />
<!-- Use the following setting to include zero impression rows when
downloading a report. If this setting is commented out, then the server
behaves as explained in
https://developers.google.com/adwords/api/docs/guides/zero-impression-reports#default_behavior.
-->
<!-- <add key="IncludeZeroImpressions" value="true"/> -->
<!-- Settings specific to use OAuth2 as authentication mechanism. You could
run Common\Util\OAuth2TokenGenerator.cs to generate this section of the
config file.
-->
<!-- Provide the OAuth2 client ID and secret. You can create one from
https://console.developers.google.com. See
https://github.com/googleads/googleads-dotnet-lib/wiki/Using-OAuth2
for more details.
-->
<add key="OAuth2ClientId" value="CLIENT_ID_FROM_8_PARAGRAPH" />
<add key="OAuth2ClientSecret" value="CLIENT_SECRET_FROM_8_PARAGRAPH" />
<!-- The following OAuth2 settings are optional. -->
<!-- Provide a different OAuth2 scope if required. Multiple scopes should be
separated by spaces. -->
<!-- <add key="OAuth2Scope" value="INSERT_OAUTH2_SCOPE_HERE" /> -->
<!-- Use the following keys if you want to use Web / Installed application
OAuth flow.-->
<add key="OAuth2Mode" value="APPLICATION" />
<!-- If you are using a single MCC account's credentials to make calls to
all your accounts, then you can run OAuth2TokenGenerator.cs to generate
a RefreshToken for that account and set this key in your application's
App.config / Web.config. If you are making calls to multiple unrelated
accounts, then you need to implement OAuth2 flow in your account and
set this key at runtime. See OAuth folder under Examples folder for a
web and a console application example.
-->
<add key="OAuth2RefreshToken" value="REFRESH_TOKEN_FROM_8_PARAGRAPH" />
<!-- Optional: Specify an OAuth2 redirect url if you are building a
web application and implementing OAuth2 web flow in your application.
-->
<!-- <add key="OAuth2RedirectUri" value="" /> -->
<!-- Use the following keys if you want to use OAuth2 service account flow.
You should comment out all the keys for Web / Installed application
OAuth flow above. See
https://developers.google.com/adwords/api/docs/guides/service-accounts
https://github.com/googleads/googleads-dotnet-lib/wiki/Using-OAuth2
for more details.
-->
<!--
<add key="OAuth2Mode" value="SERVICE_ACCOUNT" />
<add key="OAuth2ServiceAccountEmail"
value="INSERT_OAUTH2_SERVICE_ACCOUNT_EMAIL_HERE" />
<add key="OAuth2PrnEmail" value="INSERT_OAUTH2_USER_EMAIL_HERE" />
<add key="OAuth2JwtCertificatePath"
value="INSERT_OAUTH2_JWT_CERTIFICATE_PATH_HERE" />
<add key="OAuth2JwtCertificatePassword"
value="INSERT_OAUTH2_JWT_CERTIFICATE_PASSWORD_HERE" />
-->
Now, I just copy-pasted the code from the example in the Google Developers documentation.
After running it I got an exception in:
BudgetReturnValue budgetRetval = budgetService.mutate(
new BudgetOperation[] {budgetOperation});
and it says: [AuthorizationError.USER_PERMISSION_DENIED # ; trigger:'<null>']
According to the documentation it means: "User doesn't have permission to access customer.".
My question is: what am I doing wrong with authorization? Which token or ID is invalid?
PS. I described all the steps I did, no less and no more.
I found the solution for the exception ([AuthorizationError.USER_PERMISSION_DENIED # ; trigger:'<null>']): the problem was in the refresh token. When I generated it I was logged in to my private account, not as test-mcc#gmail.com. So when you use OAuthTokenGenerator.exe, make sure that you sign in with the proper account when the generator shows a new window and asks for permission.

Umbraco 7 Custom Membership Provider use both Umbraco Users and external Members

How can I use in Umbraco 7 both the internal users and roles that use the BackOffice and my custom users and roles (which come from an external SQL database)?
I want to log in to the Umbraco backoffice with the Umbraco users as it is, and with a separate login use the external users. I have already changed the web.config:
<add name="mynewMembershipProvider" type="mynewMembershipProvider, mynew" />
<add name="mynewrovider" type="mynewrsRoleProvider"/>
When I now go to my custom login I can log in my custom user. But when I try
User.Identity.IsAuthenticated
or
User.IsInRole("xyz")
Umbraco is always looking at the Umbraco roles.
What have I done wrong?
Best regards, Michael
If I understand you correctly, you are leaving CMS and back office Users as-is, and you want to allow Member login on the public facing side of your site with a custom provider?
Did you set the default provider to your new membership provider?
<membership defaultProvider="mynewMembershipProvider">
...
</membership>
The default provider in the membership section should always point to the provider being used for public-facing Members - the backoffice internally asks for the UsersMembershipProvider every time it needs to authenticate, so changing the default will not affect it at all.
It is also possible depending on your set up (I haven't tried this) that if you did not include a <clear/> directive then the original Umbraco member provider is causing problems.
Here is a full working <membership> section using a custom BCrypt hashing provider from an Umbraco 7 install of mine:
<membership defaultProvider="BCryptMembershipProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="BCryptMembershipProvider"
type="cFront.Web.Security.BCryptMembershipProvider"
connectionStringName="umbracoDbDSN"
requiresUniqueEmail="0"
/>
<add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" passwordFormat="Hashed" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="BCryptRoleProvider">
<providers>
<clear />
<add name="BCryptRoleProvider" type="cFront.Web.Security.BCryptRoleProvider"
connectionStringName="umbracoDbDSN"
availableRoles="SuperUser,Administrator,Manager,User"
/>
</providers>
</roleManager>
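The provider split described in the answer above, as an added example that is not code from the question or the answer: a member login that resolves the public-facing membership and role providers by name instead of relying on whichever provider happens to be defaultProvider, so a later configuration change cannot silently send member logins to UsersMembershipProvider. The provider names "BCryptMembershipProvider" and "BCryptRoleProvider" are taken from the answer's config and are assumptions, as is the use of Umbraco 7's SurfaceController (auto-routed under /umbraco/Surface/).

```csharp
// Added example, not code from the original question or answer. Assumed names:
// "BCryptMembershipProvider" / "BCryptRoleProvider" from the answer's web.config;
// Umbraco.Web.Mvc.SurfaceController from Umbraco 7 is assumed to be available.
using System;
using System.Configuration;
using System.Web.Mvc;
using System.Web.Security;
using Umbraco.Web.Mvc;

public class MemberLoginController : SurfaceController
{
    // Must match the name="" attributes under <membership> and <roleManager>.
    private const string MemberProviderName = "BCryptMembershipProvider";
    private const string RoleProviderName = "BCryptRoleProvider";

    // Look the provider up by name and fail loudly if web.config does not define it,
    // rather than falling through to the default (possibly backoffice) provider.
    private static MembershipProvider MemberProvider()
    {
        MembershipProvider p = Membership.Providers[MemberProviderName];
        if (p == null)
            throw new ConfigurationErrorsException(
                "Membership provider '" + MemberProviderName + "' is not registered in <membership><providers>.");
        return p;
    }

    private static RoleProvider MemberRoleProvider()
    {
        RoleProvider p = Roles.Providers[RoleProviderName];
        if (p == null)
            throw new ConfigurationErrorsException(
                "Role provider '" + RoleProviderName + "' is not registered in <roleManager><providers>.");
        return p;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        if (!MemberProvider().ValidateUser(username, password))
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return CurrentUmbracoPage();
        }

        // This is what makes User.Identity.IsAuthenticated true on later requests:
        // the forms-authentication cookie, the same mechanism Umbraco's member login uses.
        FormsAuthentication.SetAuthCookie(username, false);

        // Only redirect within the site: an attacker-supplied absolute returnUrl
        // would otherwise turn the login page into an open redirect.
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }

    // User.IsInRole() consults the roleManager defaultProvider. This helper asks the
    // member role provider explicitly, so it stays correct even if the default is
    // later pointed somewhere else.
    public static bool MemberIsInRole(string username, string role)
    {
        return MemberRoleProvider().IsUserInRole(username, role);
    }
}
```

Post the login form to /umbraco/Surface/MemberLogin/Login with an anti-forgery token. The backoffice keeps using UsersMembershipProvider regardless of what this controller does, which is exactly the separation the answer describes.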

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry

I am trying to implement a simple STS web site alongside my MVC application in a development environment. I was able to get this working properly on my local machine: I navigate to my MVC app, get kicked out to the STS web application, log in, then am redirected back to my MVC app. This is not using ADFS, by the way.
When I migrated this to my development environment, I see similar activity but I get the error below when I log in. I have checked about 20 times that the thumbprint in the MVC app is exactly the same as the cert's.
(The login is working fine, as I don't get redirected until the authentication succeeds.)
Any guesses?
Error message I receive:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer
web.config from STS website:
<appSettings>
<add key="IssuerName" value="STSTestCert"/>
<add key="SigningCertificateName" value="CN=STSTestCert"/>
<add key="EncryptingCertificateName" value=""/>
</appSettings>
web.config from MVC application:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://localhost/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost:57543/mySTS/" realm="http://localhost/" requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<applicationService>
<claimTypeRequired>
<!--Following are the claims offered by STS 'http://localhost:57543/mySTS/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="‎11111" name="http://localhost:57543/mySTS/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
Copying your thumbprint adds hidden unicode characters. Try typing it in.
As MJCoffman mentioned it is most probably because you copied the thumbprint with hidden character. You can find more details here.
In my case the problem was also that copying the thumbprint and pasting it was adding some characters that a regular text editor does not show. I found the following instructions very useful to remove the special characters (look at #4), posted by Edwin Guru Singh:
Do this to get rid of the special characters using Visual Studio:
Close the web.config
Right-click on it and open it with binary editor
Find where the thumbprint is and delete additional characters (everything that is not a number, usually dots).
Save and try again, it should work.
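The hidden-character check from the answers above, as an added example that is not code from the question or the answers: a small console program that reads a WIF web.config, reports every character in a trustedIssuers thumbprint that is not a hex digit (the invisible U+200E left-to-right mark that gets copied along with the thumbprint from the Certificates MMC is the usual one, and spaces between byte pairs are another), prints the cleaned value, and notes whether a certificate with that thumbprint is installed locally. The config path as first command-line argument (defaulting to "web.config") and the Personal store lookup are assumptions.

```csharp
// Added example, not code from the original question or answers.
// Assumed: config path is args[0] (default "web.config"); the store lookup is
// informational only, since the RP does not need the STS certificate installed
// for ConfigurationBasedIssuerNameRegistry to match the thumbprint.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml.Linq;

public static class ThumbprintCheck
{
    public sealed class Result
    {
        public string Raw;                                 // value exactly as written in web.config
        public string Clean;                               // hex digits only, upper-cased, as WIF compares it
        public List<string> BadChars = new List<string>(); // offending code points, e.g. U+200E
    }

    // Splits a thumbprint attribute value into its hex digits and everything else.
    // Spaces count as bad too: the MMC shows "be 9d 0a ..." but WIF expects "BE9D0A...".
    public static Result Inspect(string raw)
    {
        var r = new Result { Raw = raw };
        var clean = new StringBuilder();
        foreach (char c in raw)
        {
            if (Uri.IsHexDigit(c))
                clean.Append(char.ToUpperInvariant(c));
            else
                r.BadChars.Add(string.Format("U+{0:X4}", (int)c));
        }
        r.Clean = clean.ToString();
        return r;
    }

    // True when a certificate with this SHA-1 thumbprint is in the Personal store of the
    // given location. validOnly:false so self-signed dev certs (STSTestCert) are found too.
    public static bool IsInstalled(string thumbprint, StoreLocation location)
    {
        var store = new X509Store(StoreName.My, location); // not IDisposable on .NET 3.5/4.0
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
        }
        finally
        {
            store.Close();
        }
    }

    public static int Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "web.config";
        XDocument doc = XDocument.Load(path);
        int problems = 0;

        // Works for both <microsoft.identityModel> (WIF 3.5) and <system.identityModel> (4.5):
        // neither section uses an XML namespace.
        foreach (XElement add in doc.Descendants("trustedIssuers").Elements("add"))
        {
            string name = (string)add.Attribute("name") ?? "(no name)";
            Result r = Inspect((string)add.Attribute("thumbprint") ?? "");

            if (r.BadChars.Count > 0)
            {
                problems++;
                Console.WriteLine("{0}: thumbprint contains non-hex characters {1}; use \"{2}\"",
                    name, string.Join(" ", r.BadChars.ToArray()), r.Clean);
            }
            if (r.Clean.Length != 40)
            {
                problems++;
                Console.WriteLine("{0}: {1} hex digits, a SHA-1 thumbprint has 40", name, r.Clean.Length);
            }
            bool installed = IsInstalled(r.Clean, StoreLocation.LocalMachine)
                          || IsInstalled(r.Clean, StoreLocation.CurrentUser);
            Console.WriteLine("{0}: {1} is {2}installed in a Personal store on this machine",
                name, r.Clean, installed ? "" : "not ");
        }
        return problems == 0 ? 0 : 1;
    }
}
```

Run it against the MVC application's web.config; a non-zero exit code means the thumbprint as written can never match, so retyping it (as the first answer says) is the fix. Re-run after editing, since the binary-editor cleanup in the second answer can just as easily leave a stray byte behind.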

Run WIF without LoadUserProfile = True is throwing null error

I am using WIF SSO for authentication on my website. Everything works perfectly in the development environment. But on deployment I got this issue:
Message: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
ExceptionStackTrace: at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value)
Searching about this issue led me to this Stack Overflow question:
Is it possible to run WIF without LoadUserProfile = True
I added the code mentioned, but now I am getting
Value cannot be null
I am getting e.ServiceConfiguration.ServiceCertificate as null. My question is what kind of certificate this is and where I can define it in my config. Do I need to place the same certificate on ACS?
Here is my config section:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://localhost:9494/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://devworks-sb.accesscontrol.appfabriclabs.com/v2/wsfederation" realm="http://localhost:9494" requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<applicationService>
<claimTypeRequired>
<!--Following are the claims offered by STS 'https://devworks-sb.accesscontrol.appfabriclabs.com/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" optional="true" />-->
<!--<claimType type="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" optional="true" />-->
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="BE9D0A516BEC2BC820C23D5C2EA79F068C094382" name="https://devworks-sb.accesscontrol.appfabriclabs.com/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
Thanks
First thing: you mentioned that the problem occurred after deployment, is that right? In your web.config, have you changed the audienceUris to http://whatever_service_name.cloudapp.net?
<audienceUris>
<add value="http://localhost:9494/" /> <== This is wrong
</audienceUris>
Next, on your question about the certificate being NULL at e.ServiceConfiguration.ServiceCertificate, please verify the following:
A. Endpoint is added in your application Service Definition:
B. Certificate thumbprint is set in Service Configuration
C. Certificate is set in web.config which is correct above
D. Finally, add the following to your web.config so the certificate can be searched by thumbprint:
<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="CERT_THUMB" />
</serviceCertificate>
Study these two resources which will be very helpful:
http://www.jimandkatrin.com/CodeBlog/post/Troubleshooting-Azure-issues.aspx
http://blogs.msmvps.com/marcelmeijer/blog/2012/05/04/windows-azure-wif-access-control-acs/
The root cause is likely that you're using DPAPI (the default configuration of WIF). Please try a few modifications for the application to work in Windows Azure. I would suggest you check http://msdn.microsoft.com/en-us/IdentityTrainingCourse_WIFonWAZLab2010 for a tutorial.
Best regards,
Ming Xu.
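The DPAPI point in the last answer, as an added example that is not code from the question, the answers or Microsoft's lab: a Global.asax handler that replaces WIF's default ProtectedDataCookieTransform (DPAPI, which needs the impersonated user's profile loaded and produces cookies no other role instance can read) with RSA transforms keyed by the service certificate. It assumes the Microsoft.IdentityModel assembly (WIF 3.5, matching the config in the question) and the <serviceCertificate> element from item D; the guard at the top is what turns the "Value cannot be null" from the question into an error that says what is missing.

```csharp
// Added example, not code from the original question or answers.
// Assumed: WIF 3.5 (Microsoft.IdentityModel.dll) and a <serviceCertificate>
// element under <service> in web.config pointing at a cert with a private key.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // WIF raises this once, when it builds its configuration from web.config.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;

        // Without <serviceCertificate> this is null and the transforms below would
        // throw a bare ArgumentNullException ("Value cannot be null").
        if (cert == null)
            throw new InvalidOperationException(
                "No service certificate configured. Add <serviceCertificate><certificateReference " +
                "x509FindType=\"FindByThumbprint\" findValue=\"...\" /></serviceCertificate> under <service> " +
                "and install the certificate on every instance.");

        // Encryption works with the public key alone; decryption on the next request needs
        // the private key, so a public-only install would fail only after login.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Service certificate '" + cert.Thumbprint + "' has no private key; session cookies could not be read back.");

        // Deflate first, then encrypt, then sign: the same order WIF applies them.
        var transforms = new List<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        });

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

The certificate is used only on the relying party to protect its own session cookie; the STS (ACS here) never sees it, so nothing has to be uploaded there. It does have to be installed with its private key on every instance that serves the site, or a cookie issued by one instance cannot be read by another.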
