I've an ASP .NET MVC4 application that uses SimpleMembership and allows users to sign in with their google accounts.
In order to do that I configured the application's AuthConfig class by uncommenting the OAuthWebSecurity.RegisterGoogleClient(); line to add google as an external login method. I didn't really change much inside the external login methods that already come with the ASP .NET MVC4 Internet Application template.
Problem:
Everything works fine when I run it locally (IIS express) or when I deploy it to a 'test' server (IIS 6.1, accessible on the intranet only). When I click my "sign in with google" button, I'm sent to google's authentication page, whose url looks something like this:
https://accounts.google.com/ServiceLogin?service=lso&passive=12096...(long url)
Alas, when I deploy it to the 'production' server (internet facing) and try to access it via internet, Google authentication stops working: when I click my "sign in with google" I'm being sent to an url that looks like this:
http://MY_APPLICATION_NAME.MY_DOMAIN.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid...(long url)
This url is wrong not only because it has my domain in it (I believe it should be accounts.google.com?), but also because the rest of it is completely different from the url I get when the authentication works.
What I know and have tried:
If I use fiddler, I can see that the application is behaving differently when I'm accessing the application via internet or intranet.
If I access it from within the network, I see I'm making a request to http://MY_APPLICATION_NAME.MY_DOMAIN.com/account/ExternalLogin?returnUrl= and then "Tunnel to www.google.com:443, Tunnel to accounts.google.com:443". This works ok.
If I access it from the internet I see I'm making a request to http://MY_APPLICATION_NAME.MY_DOMAIN.com/account/ExternalLogin?returnUrl= and then another one to http://MY_APPLICATION_NAME.MY_DOMAIN.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid...(long url). This obviously gives a 404.
I might be wrong but I assume that this url is generated by the OAuthWebSecurity.RequestAuthentication(provider, returnUrl). What puzzles me is that it looks like it is requesting the authenticaton to my server instead of accounts.google.com.
My research so far has only brought to me posts/questions/etc. showing how easy it is to use SimpleMembership for external authentication and I can see everyone does it pretty much the same way.
Conclusion:
I believe this probably has something to do with something I must configure on web.config or IIS. I do know that the requests to my application arrive at my DNS server which does a url rewrite and forwards the request to my web server, although I don't know if this is related to the problem.
Does anyone have any idea of what might be wrong or ever had a similar issue? Any help would be appreciated.
EDIT:
I've looked into OpenAuthSecurityManager.cs's source code and although I can't debug it I see the problem might be related to an incorrect HttpContext inside the RequestAuthentication method, due to my reverse proxy settings on IIS?
I ended up with a request to change the IT infrastructure.
OpenAuthSecurityManager.cs was probably getting a wrong HttpContext instance because of the way the requests were being handled by the previous infrastructure (requests arrived at our DNS server and were forwarded to the web service, on a different server inside our network, with UrlRerwrite rules).
It's working now.
Related
I have a Rails application hosted on Heroku and I am preparing to deploy another application that will use the same session cookie. Let's assume that main application is hosted at app.mycompany.com and the new application will be hosted at reports.mycompany.com. I've setup session cookies in both apps with cookie domain .mycompany.com and everything works ok. I've modified /etc/hosts to test those settings on my local machine.
Since everything worked fine on my local machine I wanted to test it on our staging environment, which is hosted at mycompany-staging.herokuapp.com. For this app I've set cookie domain to .herokuapp.com. And now it does not work. It is not possible to login. From inspector it looks like correct Set-Cookie header is sent from the server, but the browser never send this cookie back on request.
The same thing happens on my local machine when pointing mycompany-staging.herokuapp.com to 127.0.0.1. This happens only when I use herokuapp.com. Everything else works fine or at least couple of different domains work fine, including herokuapp2.com.
I am really confused. It looks like there is some cache issue, but I don't know where exactly. I am testing this mostly on Chrome with incognito mode, but I also tried Safari with the same problem.
Can anyone point me in the right direction? Or maybe I am missing something obvious.
This is because herokuapp.com is included in the Mozilla Foundation’s Public Suffix List. Cookie with domain *.herokuapp.com cannot be set any more. Refer to doc in devcenter.heroku.com:
herokuapp.com is included in the Mozilla Foundation’s Public Suffix List. This list is used in recent versions of several browsers, such as Firefox, Chrome and Opera, to limit how broadly a cookie may be scoped. In other words, in browsers that support the functionality, applications in the herokuapp.com domain are prevented from setting cookies for *.herokuapp.com. Note that *.herokuapp.com cookies can currently be set in Internet Explorer, but this behavior should not be relied upon and may change in the future.
I am using VS 2013. IIS 8.0 Express and Azure .NET SDK v2.2
With a simple WebAPI template project I am able to repro this. When I locally debug the project in the azure compute emulator, it starts up the web page in https://127.0.0.1. However, in the request, the URI comes up with port 444.
Is there any known fix / workaround for this bug?
I could find similar issues for others at following pages but their workarounds don't work for me. Nothing in Request object or Request.RequestContext.HttpContext.Request object has the right URL. For e.g. if I try to open https://127.0.0.1:444/, I get "page not found" error.
Wrong port number in mvc 4 windows Azure Request.Url
Request.Url has wrong port information
Thanks!
After reading through this, I think this might be by design. The request is associated with DIP rather than VIP since it is just been forwarded from the Load balancer.
However, this would still mean that I need to keep 443 unused for my service to function normally. My service redirect users to live login page and it has to provide the VIP domainname port as redirect url in order to get the request.
During local debugging, requests to url:port provided in Request.Url doesn't work. Overall this azure local debugging setup still looks like a mess.
Let me know if there is any other workaround/fix.
Possibly a very silly question... I just don't know.
Assuming I have published a web application to Azure or AppHarbor, URL for the web app would be something like
http://widgets.appharbor.com
Assuming I own the following domain name:
http://www.widgets.com
How do I get www.widgets.com to display the application hosted at http://widgets.appharbor.com without using an iframe?
Furthermore, I don't want links within my application to be displayed as widgets.appharbor.com/stuff, they need to be displayed as widgets.com/stuff.
If you use a Cloud Service or a Website in Shared Website Mode you can use a CNAME to point www.widgets.com to widgets.azurewebsites.net. I don't know how this works with appharbor, I assume they also support CNAMEs.
Update: Looks like AppHarbor also supports CNAMEs http://support.appharbor.com/discussions/problems/1079-custom-domain-names
When running in Visual Studio, my mvc3 app does not ask for any authentication. However, when I deployed to test server (Windows Server 2008 and IIS 7) I keep getting a prompt asking for UserName and Password. I supply the admin credentials for the server yet there is a failure. The strange thing is that the page is served but I keep getting the prompt. All the ajax calls however fail with a 401 Unauthorized error.
I tried different types of authentication but the results are the same. Even with anonymous authentication only I get a prompt for user name and password.
I tried changing the pipeline from Managed to Classic but then MVC would not work and I get 404 error. This is my first mvc app and I did not expect such issues in deployment.
Any clues how to get this to work?
==Edit begin===
This is what I suspect might be causing the issue. On the server the site is bound to test.xyz.com. Also, there is Sql Server Reporting Services Installed. My application is tries to query the url test.xyz.com/Reports but I think this is bound to SSRS. When I stop the SSRS service I get a service unavailable 503 error. Otherwise I get a authentication window.
I am trying to find out how can I remove the particular SSRS binding so that test.xyz.com/Reports points to my Reports Controller
==Edit end====
You can also use Reporting Services Configuration Manager to specify the port and url that Reporting Services uses on the server.
By default SQL Server Reporting Services uses the following urls:
http://<server name>/ReportServer // web service url
http://<server name>/reports // reports manager url
http://msdn.microsoft.com/en-us/library/ms159261(v=sql.105).aspx
Things to check:
Does your web application accessing any resources? If so, does the IIs worker process account have permission to those?
Have you set the Web Site Authentication to Enable anonymous access?
Do you by any chance doing impersonation (either in web.config of programmatically? If so, does the end user account have the proper permissions to any eventual back end resources?
I changed my controller from Reports to MyReports and this resolved the conflict.
I'm having a problem with a MVC (1.0) app that I can't figure out at all. There's two versions of the site (live and UAT) hosted on the same server. For each version of the site, the same code is shared by multiple organisations who each have their own database (MSSQL2005) and a separate web site in IIS (7.5) (pointed to the same code).
The UAT site has an update to the code and the database that is waiting to be deployed to the live site.
One of the customers ("customer A") is getting an error "104: Connection reset by peer" when they try to log in to the UAT site. They can see the login page but when they submit their login details the connection seems to be timing out (the requests seem to take ~130s to complete).
Customer A can log in fine to the live site. The other customers don't have a problem logging into the UAT site or the live site. If I try to log in as customer A, using their login details, it all works fine from within our network, and also from outside our network.
Customer A seems to be using squid as a proxy.
I can't think what the problem could be, and I've run out of ideas of things to test. The fact that I can log in as the customer fine and other customers don't have any issues seems to eliminate the code and database as problems.
What other things could I do to try and isolate the problem?
By dumping out the request data I was able to work out that something (I'm guessing the proxy) was removing the form values from the request. This obviously meant the app didn't work properly.
However, it seems whatever was removing the form data was leaving content-length unchanged, which would explain why the client was timing out waiting for more data and the server thought it was finished.
By using https instead of http (which we were going to do anyway), the request tampering seem to have stopped.