I want to be able to get the default credentials from a within a windows service. However if I call
var credentials = CredentialCache.DefaultCredentials;
Or
var networkCredentials = CredentialCache.DefaultNetWorkCredentials;
The NetworkCredential returned (as an ICredential) the UserName and Domain etc are empty. I am running the windows service under a domain account.
If I create a simple console application then a valid credential is returned.
The reason I need this is to be able to set the credentials on a signalR HubConnection. The SignalR service is running in IIS with Windows Authentication enabled. The only way I can see to do this is to set the HubConnection.Credentials property. But as explained above I cannot get the credentials when I am running in a windows service.
Can anyone help?
I found this was not the issue after all and not being able to retrieve the credentials was a red herring (I found I could not retrieve them in the console either), when calling into the SignalR hub the identity is passed and the request authenticated by IIS.
But to conclude. This was my stupid mistake, nothing to do with the default credentials.
As a side note, the credentials are not available to retrieve on purpose see
link
Related
i try to run wso2 idenitity on IIS server, all work normally but when i try it on server i get wrong signin-callback.
The following is a picture of the callback-uri that I registered with the service provider
registered callback uri like this regexp=(http://localhost:4003/api/oauth2/v2/signin-callback)
what I get next when I try to login using the service provider:
callback url like this https://host/api/oauth2/v2/signin-callback?code=d3d16661-0312-3be1-bebb-5940dd267000&session_state=1331111359c3f5029f733f196037241203bc22c164f7910572d38647c4269a16.6KtgBQ2Z7AIOjVALA6UYdQ
authorize payload when logging in:
payload redirect uri when authorized
Please check the properties file of your service provider and change the value of callBackUrl property to http://localhost:4003/api/oauth2/v2/signin-callback. For example if its pickup-dispatch app[1] hosted in tomcat, you can find the properties file in <TOMCAT_HOME>/webapps/pickup-dispatch/WEB-INF/classes/dispatch.properties file.
If this doesn't solve your issue, please provide any error logs printed and the SP properties file for further analysis.
[1] https://is.docs.wso2.com/en/latest/guides/login/sso-for-oidc/#pickup-dispatch_1
I have an ASP.NET MVC app. It is hosted on Windows Server 2012 R2 joined to an AD domain.
The operating regime requires a Http proxy and credentials. When using a browser, the logged in credentials of the (human) domain user are applied transparently.
My ASP.NET app uses HttpWebRequest. Although the documentation says it would use the proxy as set in Internet Explorer, it does not appear to be doing so. So I assign the proxy manually and set UseDefaultCredentials to true, which the documentation says the credentials of the "currently logged on user" will be used. But the response came back with:
The remote server returned an error: (407) Proxy Authentication Required.
Under IIS Authentication settings, I already have enabled ASP.NET Impersonation: <identity impersonate="true" />. (Is this the right thing to do?) How do I find out the identity of the process that is used to make the HttpWebRequest?
Or what must I do to use the credentials of the logged in domain user using my app to access the proxy?
I think you may refer to this answers on another question right here
I think it's exactly related to your question
I have a number of web api services created that need to get the authenticated user.
I have gotten the id server v3 working such that I can enter /core and /connect/token and my client gets a token and is passing it back to the server.
single iis server running all of the web app and web services and id server.
when I add the token authentication package I am getting an error that the well known configuration can not be found.
I am looking for what I need to change to make this work so that api calls get an authenticated identity.
I think this is a startup problem but I have my app.map() first and then the app.UseIdentityServerBearerTokenAuthentication() after.
so do I make it wait fro the first to complete ? async ? await ?
ok I am slow, I found an option to delay load the metadata and that fixed that.
now the api calls show that the user is authenticated.
I have created a project in MVC that connects to TFS and brings the work items , i am displaying those work items according to my requirement. My project worked well on localhost , as soon i deployed it on some server , i am failing to connect to TFS , all it says is "Unauthorised".
Any help ?
You are running into the dreaded double hop authentication problem.
In AD you are authenticated by virtue of a Kerberos token. That token is issues to the machine that you are logged into and is only valid on that machine or one it directly connects to.
So you can use your local host token to authenticate to TFS, but as soon as you have a second hop (local->webserver->tfs) your authentication fails.
This is security by design.
To resolve this you need to use SetSPN to create a Service Principal Name (SPN) in AD that allows you to reuse the token on the web server.
You can create an SPN that only works for the webserver but you can't then deploy elsewhere. A better way is to create an SPN for the service account that you run the WebServer AppPool under. Then you can run it anywhere.
I use SignalR 1.0.1 as a chat core for ASP.NET MVC3 application. Using IIS 7.5
There are two methods in MVC controller which provides access to chat views:
1. First method is public, allowing anonymous users to chat - no authorization.
2. Access to second method is restricted with [Authorize] attribute, for domain users - chat agents.
There is no explicitly specified authorization in the Hub.
For this scenario I involved both Windows and Anonymous authentication on IIS.
I also implemented custom Role Provider, which operates only in memory - not persisting anything to database.
What happens is that using '[Authorize]' attribute in controller method leads to responsing 500 from Hub, both when call is coming from authorized view, and the anonymous one:
Request (send is Hub method for sending messages):
http://localhost:8101/signalr/send?transport=serverSentEvents&connectionToken=VIXEZzWQSn5SNlA8RUy4iaOPDFdvuPBjMvFBiG2FLfvfxF347XHwtapsEV5ndU4OEI0Xb64W2ZRXTqwBiL2CXg2_JlTaTJ2RnVOj4bjvx6tQaYhAqTaXs9k2853GYqzd0
Response:
The connection id is in the incorrect format.
Server stack trace:
at Microsoft.AspNet.SignalR.PersistentConnection.GetConnectionId(HostContext context, String connectionToken)
at Microsoft.AspNet.SignalR.PersistentConnection.ProcessRequest(HostContext context)
at Microsoft.AspNet.SignalR.Owin.CallHandler.Invoke(IDictionary2 environment)
at Microsoft.AspNet.SignalR.Owin.Handlers.HubDispatcherHandler.Invoke(IDictionary2 environment)
at Microsoft.Owin.Host.SystemWeb.OwinCallContext.Execute()
at Microsoft.Owin.Host.SystemWeb.OwinHttpHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object extraData)<br/><br/>
But notice, that connecting to Hub works fine, returns 200 OK:
http://localhost:8101/signalr/connect?transport=serverSentEvents&connectionToken=dYOwFxa1mkgdpzw-jitRpWq9oxRlrTet8U_dAzWjFQEdGNJfVXeG7Op0NZZwvznxeNdJCuPT75CKzQqI9HRPThV3uEDt-Z2qtIl9E02gF481&connectionData=%5B%7B%22name%22%3A%22chathub%22%7D%5D&tid=9
I found little similiar thread here on stackoverflow:
signalr The connection id is in the incorrect format
from which I understand, that when invoking my Send method, the Hub is processing request with Identity different than the one used to connect to Hub, OR Hub's GetConnectionId finds, that user is actually not authorized - but how it checks that assumption, when there is no authorization specified on the Hub itself?
Can someone put some light on this?
Thanks in advance :)
SignalR signs both your connection id and your Identity together in order to create a new connectionToken every time you start a new connection. This connectionToken is then sent to the SignalR client as part of the negotiate response.
Every time you make a request to SignalR, whether it be a connect, reconnect, or send request, SignalR verifies that your connectionToken matches both your client's connection id AND Identity.
The connectionToken is essentially a CSRF token used in order to prevent attackers running third-party websites from surreptitiously making SignalR requests on behalf of shared clients. Obviously this doesn't help if you've enabled SignalR's cross-domain support, but the connectionToken still works the same in this case.
Taylor's answer was correct. You should stop and then start your SignalR connection when your client's Identity changes. This will force a new negotiate request which will give your client a new connection id with a new connectionToken signed with your client's updated Identity.
P.S. The server-sent events connect request isn't failing because it was established before your client's Identity was changed. The connectionToken is only checked at the request is received, but server-sent events keeps the response open indefinitely.
That's all true what you said and it actually takes place in my issue.
But I also found the the root cause:
One of main assumptions during design was to allow both anonymous users to use the chat without need to sign-in and the back-end users (agents) to sign-in to restricted area of chat using their Windows credentials.
So on the IIS manager I enabled both Anonymous authentication (allowing anonymous users to use the chat) and the Windows authentication (allowing agents to access using their Windows credentials).
MVC application is configured to use Windows authentication - the [Authorize] attribute mentioned in question, but only to restrict access for agent's view of chat.
What actually happens with above configuration is:
1. When client (agent) requests restricted View (let's say it's /Chat/Agent) the [Authorize] attribute initializes authentication (Windows)
2. Client-side Javascript requests Negotiate, what generates connectionId and binds it with client's Windows Identity
3. Here is the tricky part: Because Hub not uses any authentication explicitly, calling send method does not result in any authentication request - IIS Anonymous authentication takes precedency before Windows authentication, and send request is sent with anonymous Identity - but in Hub actual connectionId is related to Identity passed in point 2.
This scenario leads to situation you described - connect is called with different Identity than send and Hub returns The connection id is in the incorrect format.