I have developed MVC application with the single sign on as an authentication (Company Azure Active Directory) and hosted on Azure as a Cloud service. It was working till now. But before few days, i got the below error in my production
No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://sts.windows.net/{TenantID}/'
Then I searched on the internet and found the below blog
WIF10201: No valid key mapping found for securityToken
Then as suggested in the blog, i have fetched the thumbprint and updated my web.config and it worked.
Now again i got the same error today and i needed to do the same steps and found that thumbprint has been changed.
So can anyone please suggest me the permanent solution as it is affecting my production environment.
It seems that the application were not supported signing key rollover automatically. To support the signing key rollover automatically from old project, it depends on how the app integrate with Azure AD.
Based on the description, it seems you were integrate the application with Azure AD for SSO. We can use the .Net OWIN OpenId connect which already has the necessary logic to handle key rollover automatically to authenticate with Azure AD. More detail about this topic, you can refer the document Signing key rollover in Azure Active Directory.
Related
We do our builds and sign them within our windows server using Jenkins
Recently our code signing provider stopped sales/renewals and we had to find another provider but it seems all certificates now come in tokens (USB, hardware). So we decided to get an EV certificate to solve the Microsoft SmartScreen warning as well.
Since Jenkins is in cloud VM I wasn't able to get the token there and we had to do the builds locally, now its about to expire and I've been looking for solutions and it seems that HSM might be the solution to host token/certificate by the cloud provider like Azure then use it (somehow?) to sign the files
I also came across a cloud sign service which was clear but a lot more expensive! (unless I didn't understand HSM cost!)
Can someone explain how HSM works for code signing with Azure/Jenkins?
If I give up on the EV and back to a standard certificate, can this process be automated easily
Any other recommendation
I have created an app using ASP.NET Core 6 MVC application. I am using the Microsoft.Identity platform for authentication (Azure AD authentication). It worked fine locally. User is able to sign-in and sign-out and able to navigate. When signing in with wrong password or username then user getting an error.
But when hosted the same code on Azure App Service and when accessing the app the 401 error occured. HOw I fix that issue. As I mentioned everything works fine locally so no issue with registration clientId or any other registration level info.
WebConfig file
AppService configuration
As mentioned in the question, if you enabled Azure Active Directory, there is no need to you to login and logout explicitly. As you are trying to do those operations locally, it must be they are not configured perfectly locally also. The same error it is causing while moving and accessing in Azure App Service.
Kindly check the following things in configuration:
1. Configuration of IIS before deployment
2. Configuration of AAD
These two steps could solve the issue.
This post became much longer than anticipated, TLDR: Where is my ASFS Federation Metadata located on my server? My overall task to the setup a test ADFS server in order to integrate our current application with ADFS
Hello, I'm trying to integrate our application with ADFS (it's a WPF application with a NodeJS backend), and I'm testing out Auth0 for this job (but if there are other simple solutions, I would be open to that as well - I've found no good guides so far ): espeically as a developer with no AD experience).
Regardless, I think I've set up a single server AD FS environment (locally as server1.local - with AD CS, AD DS and AD FS and that same server is the domain controller/DNS server) and set up an Auth0 relying party using this guide:
https://auth0.com/docs/connections/enterprise/adfs
In the next steps part, it says: try these quickstart guides. So I've downloaded the Angular2 quick start example project to test. But when I go to the enterprise connections and try to set up an ADFS connection, it asks for a ADFS URL
You can either provide the ADFS URL or upload the federation metadata file.
But I can't seem to find my ADFS URL. Not only that, my server is local, so it wouldn't be able to use my URL anyways right? I can just upload the metadata instead?
I've tried going to https://server1.local/federationmetadata/2007-06/federationmetadata.xml and https://127.0.0.1/FederationMetadata/2007-06/FederationMetadata.xml and https://localhost/FederationMetadata/2007-06/FederationMetadata.xml which under endpoints that's the one that shows, but ie says:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://server1.local again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
I've enabled TLS 1.0, 1.1 and 1.2 and this still doesn't seem to give me my metadata. I've also tried that URL on Chrome and it gives a generic "This site can't be reached"
How do I get my metadata?
In the ADFS configuration, look for what you configured as your federation service name.
Use this in the URL.
https://federation service name/federationmetadata/2007-06/federationmetadata.xml
BTW the federation service name should not be the FQDN of the server.
I have set up a new B2C Tenant in Azure and I'm using oauth2_proxy (more specific: docker-oauth2_proxy) to authenticate against it.
There was a need to configure custom login URLs, but the login process itself is working:
- name: OAUTH2_PROXY_LOGIN_URL
value: https://login.microsoftonline.com/tfp/<my-tenant-name>.onmicrosoft.com/b2c_1_policy/oauth2/v2.0/authorize
- name: OAUTH2_PROXY_REDEEM_URL
value: https://login.microsoftonline.com/tfp/<my-tenant-name>.onmicrosoft.com/b2c_1_policy/oauth2/v2.0/token
However, I get an error after I'm redirected back to https://my-app.example.com:
oauthproxy.go:527: error redeeming code missing email
I tried to have a look at the token that I get back, but could not decode it via https://jwt.ms.
As I don't know what exactly is contained in there, I am reluctant to post it here, but it does start with eyJraWQi..., which can be base-64-decoded to {"kid":"cpimcore_09252015","ver":"1.0","zip":"Deflate","ser":"1.0"}
The full format of the reply is:
/oauth2/callback?state=a0d367fd2d7337b8fbae8d72052022c7%3a%2f&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..[base64*16].[base64*568].[base64*22]
where [base64*n] indicates a string of n characters that look like base 64 encoded data.
Any ideas on how to decode that token?
You can't decode the authorization code that is issued to /oauth2/callback because it is encrypted.
oauth2_proxy's Azure AD provider expects a mail or otherMails claim to be issued. Azure AD issues this but Azure AD B2C doesn't issue it. Azure AD B2C issues the emails claim.
You might have to modify this Azure AD provider to match the emails claim.
No idea if this is still relevant to you, Azure AD B2C essentially uses standard OpenID Connect, however with the addition that you need to supply a policy as additional parameter.
We also had the need to use Azure AD B2C with oauth2_proxy, so we modified the oauth2_proxy generic oidc provider so it can take a B2C policy as additional config option.
If you want, give it a try: https://github.com/karrieretutor/oauth2_proxy#microsoft-azure-ad-b2c
If you're building from source, be aware that you also need to use our forked 'go-oidc' package (on which oauth2_proxy relies, but has part of the issuer URL hardcoded, so we had to change this, too, for including the B2C policy). Take a look at the Dockerfile, this can properly build it.
I have created a sample MVC application and configured Azure AD authentication. This creates an application on Azure Portal automatically. When I run this application, it is working fine.
After this, I published the application on IIS and changed reply URL on azure portal and also I changed PostLogoutURL.
When I configure Azure AD in the sample application, a default connection of LocalDB is created. For hosting on IIS, I have tried LocalDB, SQLExpress & Azure SQL Server but none works.
I get "A task was canceled" error for which I am unable to find a solution.
This is the error I am getting:
Please help.
Thanks in advance.
I came acrosss this kind of issue with my Internet proxy.
Acrroding to the error message, your network may be interrupted by some configuration.As junnas said,
OpenId Connect middleware is trying to download the metadata document
from Azure AD. It needs it to be able to validate tokens
So, you can check if there is proxy or firewall again or run your App in another environment without a Proxy. Also,If you close a proxy on your machine,it may take few minutes to make effect.