IIS conflict with Sql Server Reporting Services - asp.net-mvc

When running in Visual Studio, my mvc3 app does not ask for any authentication. However, when I deployed to test server (Windows Server 2008 and IIS 7) I keep getting a prompt asking for UserName and Password. I supply the admin credentials for the server yet there is a failure. The strange thing is that the page is served but I keep getting the prompt. All the ajax calls however fail with a 401 Unauthorized error.
I tried different types of authentication but the results are the same. Even with anonymous authentication only I get a prompt for user name and password.
I tried changing the pipeline from Managed to Classic but then MVC would not work and I get 404 error. This is my first mvc app and I did not expect such issues in deployment.
Any clues how to get this to work?
==Edit begin===
This is what I suspect might be causing the issue. On the server the site is bound to test.xyz.com. Also, there is SQL Server Reporting Services installed. My application tries to query the url test.xyz.com/Reports but I think this is bound to SSRS. When I stop the SSRS service I get a service unavailable 503 error. Otherwise I get an authentication window.
I am trying to find out how can I remove the particular SSRS binding so that test.xyz.com/Reports points to my Reports Controller
==Edit end====

You can also use Reporting Services Configuration Manager to specify the port and url that Reporting Services uses on the server.
By default SQL Server Reporting Services uses the following urls:
http://<server name>/ReportServer // web service url
http://<server name>/reports // reports manager url
http://msdn.microsoft.com/en-us/library/ms159261(v=sql.105).aspx
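
An added example (not part of the original answer, and not Microsoft's tooling): a Python check that parses the URL reservations printed by `netsh http show urlacl` and reports which application routes fall under a path reserved for another service, such as the `/Reports` URL listed above. The sample output is constructed and abridged; the function names, the route list and the routing assumption noted in the code are this example's own.

```python
import re

# Constructed, abridged sample of `netsh http show urlacl` output.
SAMPLE_URLACL = """
    Reserved URL            : http://+:80/ReportServer/
        User: NT SERVICE\\ReportServer
            Listen: Yes
    Reserved URL            : http://+:80/Reports/
        User: NT SERVICE\\ReportServer
            Listen: Yes
    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \\Everyone
            Listen: Yes
"""

PREFIX_RE = re.compile(r"^(https?)://([^:/]+):(\d+)(/.*)?$", re.I)

def parse_urlacl(text):
    """Return [(url_prefix, owner)] from `netsh http show urlacl` text."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Reserved URL\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*User:\s*(.+?)\s*$", line)
        if m and current:
            entries.append((current, m.group(1)))
            current = None
    return entries

def find_conflicts(entries, scheme, host, port, routes):
    """List (route, reservation, owner) where a reservation covers an app route."""
    # Assumption: requests under a path reserved by another service reach that
    # service, not the IIS site bound to the same host and port.
    hits = []
    for prefix, owner in entries:
        m = PREFIX_RE.match(prefix)
        if not m:
            continue
        r_scheme, r_host, r_port, r_path = m.groups()
        if (r_scheme.lower(), int(r_port)) != (scheme, port):
            continue
        if r_host not in ("+", "*") and r_host.lower() != host.lower():
            continue
        reserved = (r_path or "/").rstrip("/").lower() + "/"
        for route in routes:
            if ("/" + route.strip("/").lower() + "/").startswith(reserved):
                hits.append((route, prefix, owner))
    return hits
```

On a server, feed `parse_urlacl` the real command output and pass the site's binding and the first segment of each controller route.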

Things to check:
Is your web application accessing any resources? If so, does the IIS worker process account have permission to those?
Have you set the Web Site Authentication to Enable anonymous access?
Are you by any chance doing impersonation (either in web.config or programmatically)? If so, does the end user account have the proper permissions to any eventual back end resources?

I changed my controller from Reports to MyReports and this resolved the conflict.

Related

Incorrect port in Request.URL with Azure Compute emulator

I am using VS 2013. IIS 8.0 Express and Azure .NET SDK v2.2
With a simple WebAPI template project I am able to repro this. When I locally debug the project in the azure compute emulator, it starts up the web page in https://127.0.0.1. However, in the request, the URI comes up with port 444.
Is there any known fix / workaround for this bug?
I could find similar issues for others at following pages but their workarounds don't work for me. Nothing in Request object or Request.RequestContext.HttpContext.Request object has the right URL. For e.g. if I try to open https://127.0.0.1:444/, I get "page not found" error.
Wrong port number in mvc 4 windows Azure Request.Url
Request.Url has wrong port information
Thanks!
After reading through this, I think this might be by design. The request is associated with DIP rather than VIP since it has just been forwarded from the Load balancer.
However, this would still mean that I need to keep 443 unused for my service to function normally. My service redirects users to live login page and it has to provide the VIP domain name and port as redirect url in order to get the request.
During local debugging, requests to the url:port provided in Request.Url don't work. Overall this azure local debugging setup still looks like a mess.
Let me know if there is any other workaround/fix.

My website is returning 404 not found error

My JSF website (http://discountbox.in) is returning 404 Not Found error since night most of the times. But my friends are able to see my website. When I access via my mobile I am able to access the site.
What can be the cause of this? I have deployed the application in Tomcat and am not using Apache at all. It was working for a year, only since a day I am having this issue.
This could be caused by the DNS registered on your own router.
Your client (PC) in the same network as your server and aforementioned router needs to access your website via local IP (something like 192.168.X.X).

Problems with MVC4 & External Login with Google

I've an ASP .NET MVC4 application that uses SimpleMembership and allows users to sign in with their google accounts.
In order to do that I configured the application's AuthConfig class by uncommenting the OAuthWebSecurity.RegisterGoogleClient(); line to add google as an external login method. I didn't really change much inside the external login methods that already come with the ASP .NET MVC4 Internet Application template.
Problem:
Everything works fine when I run it locally (IIS express) or when I deploy it to a 'test' server (IIS 6.1, accessible on the intranet only). When I click my "sign in with google" button, I'm sent to google's authentication page, whose url looks something like this:
https://accounts.google.com/ServiceLogin?service=lso&passive=12096...(long url)
Alas, when I deploy it to the 'production' server (internet facing) and try to access it via internet, Google authentication stops working: when I click my "sign in with google" I'm being sent to an url that looks like this:
http://MY_APPLICATION_NAME.MY_DOMAIN.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid...(long url)
This url is wrong not only because it has my domain in it (I believe it should be accounts.google.com?), but also because the rest of it is completely different from the url I get when the authentication works.
What I know and have tried:
If I use fiddler, I can see that the application is behaving differently when I'm accessing the application via internet or intranet.
If I access it from within the network, I see I'm making a request to http://MY_APPLICATION_NAME.MY_DOMAIN.com/account/ExternalLogin?returnUrl= and then "Tunnel to www.google.com:443, Tunnel to accounts.google.com:443". This works ok.
If I access it from the internet I see I'm making a request to http://MY_APPLICATION_NAME.MY_DOMAIN.com/account/ExternalLogin?returnUrl= and then another one to http://MY_APPLICATION_NAME.MY_DOMAIN.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid...(long url). This obviously gives a 404.
I might be wrong but I assume that this url is generated by the OAuthWebSecurity.RequestAuthentication(provider, returnUrl). What puzzles me is that it looks like it is requesting the authentication to my server instead of accounts.google.com.
My research so far has only brought to me posts/questions/etc. showing how easy it is to use SimpleMembership for external authentication and I can see everyone does it pretty much the same way.
Conclusion:
I believe this probably has something to do with something I must configure on web.config or IIS. I do know that the requests to my application arrive at my DNS server which does a url rewrite and forwards the request to my web server, although I don't know if this is related to the problem.
Does anyone have any idea of what might be wrong or ever had a similar issue? Any help would be appreciated.
EDIT:
I've looked into OpenAuthSecurityManager.cs's source code and although I can't debug it I see the problem might be related to an incorrect HttpContext inside the RequestAuthentication method, due to my reverse proxy settings on IIS?
I ended up with a request to change the IT infrastructure.
OpenAuthSecurityManager.cs was probably getting a wrong HttpContext instance because of the way the requests were being handled by the previous infrastructure (requests arrived at our DNS server and were forwarded to the web service, on a different server inside our network, with UrlRewrite rules).
It's working now.

ADFS 2.0 - Proxy / Server 503 Service Unavailable

For the past several days I've been working tirelessly to setup a test environment for development with WIF & ADFS 2.0. One of the problems that I am up against is my home environment only has one IP address and I wasn't about to stick ADFS on my main server. Therefore, I've created a dedicated virtual machine for FS (idp.yyy.local).
For the sake of not having direct links back to my site, 'yyy' refers to 'dgdev'. (image below)
The strange thing is, it's partially working. Here is an image detailing my infrastructure.
What's odd is that I can browse 'idp.yyy.net' in both normal HTTP and HTTPS just fine. I can also view the WS-Federation Metadata perfectly. Now, I'm quite new to ADFS, but I expect that when going to http://idp.yyy.net/adfs/services/trust it would redirect me to a Windows SSL login. Instead all I'm receiving is:
Service Unavailable
HTTP Error 503. The service is unavailable.
I am using the same SSL certificate on the FS Proxy and FS. Its subject is my main domain name yyy.net. It has several Subject Alternative Names so that I can host multiple IIS web sites with SSL with my single IP:Port.
CN = yyy.net
DNS Name=www.yyy.net
DNS Name=idp.yyy.net
DNS Name=idp.yyy.local
...
IP Address=192.168.1.2
IP Address=192.168.1.3
IP Address=192.168.1.4
...
Does anyone have any idea of why I'm seeing 503 Service Unavailable errors. Nothing is showing up in Event Viewer as an error. (except annoying things with AppFabric, but that's another issue I've yet to touch)
Thanks in advance! Actually many many thanks. I've exhausted every avenue and idea I could come up with, why this might be "broken"?
If anyone has an idea how I can debug this issue I'd certainly accept that as a solution. I've tried IIS Failed Request Logging but nothing is being generated. Where/What is hosting the ADFS Services?
Things I've already looked at:
All AppPools are running.
The old ADFS 1.0 web service (asmx) is accessible just fine.
I can access issuer endpoints directly ... or at least 'windowstransport'
Well turns out everything has been working all along!
I spent a couple hours ensuring the certificate was created properly. Then after still seeing 503 & 403 errors, I realized that my proxy server AppPool for the \Default Web Site was running under "ApplicationPoolIdentity" - which is really the user:
IIS AppPool\DefaultAppPool.
I never gave that user read privileges to the ADFS certificate private key. Hence the reason I saw a 403 Forbidden instead of 503. After switching the AppPool over to Network Service ... voila!, 503 Service Unavailable.
So now I was sure my proxy server and ADFS server were talking just fine. Now why was I still seeing 503 Service Unavailable?!?
I told myself to create a test application anyway. In visual studio, I setup a new MVC 3 Web App. Added my existing STS-Reference. Setup a dummy claim and updated the application's FederationMetadata. Added the new Relying Party to ADFS.
Opened my browser to the web app and instant success!
> GET) https://mywebapp/
> Response-Redirect) Location header kicks me to my IdP (ADFS)
https://idp.yyy.net/adfs/ls/?wa=wsignin1.0&wtrealm.........
> I sign-in with proper credentials
> POST) https://mywebapp/login << AWESOME!

System.DirectoryServices.AccountManagement not working on the server

I am using System.DirectoryServices.AccountManagement to find the logged-in user's AD entry. It is working great in the VS2008 WebDev server on developers machines.
But when we installed the code on the development server (windows server 2008), we get an access error.
Both the developer's machine and the development server are members of the same domain.
We have Impersonation turned on, so we are connecting to AD with the same user credentials.
What are we missing here? Why is it working on the developer's machine, but not the development server?
The actual exception that we were receiving was "An operations error occurred".
After some research, I found the following link: http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/c314650a-ff5e-49e6-8f53-9a7cca17e806
In it one user describes the solution to the problem:
I have seen this error and it is related to the fact that when using NTLM authentication and impersonation set to true in web.config, IIS cannot use the authenticated token against another server since it is a "secondary token".
The solution to my issue was to wrap my Active Directory code with:
using (HostingEnvironment.Impersonate()) // HostingEnvironment is in System.Web.Hosting
{
    // Active Directory search goes here.
}
This makes the call to AD with the identity of the application pool, and it did the trick in my case.
I was just looking around to fix the error System.DirectoryServices.DirectoryServicesCOMException
after using UserPrincipal.FindByIdentity
and the answer from mlsteeves was what I needed, impersonating the hosting environment on the production server!
So good call, this was about delegation on the server and your solution was perfect, thanks a lot!
