For the past several days I've been working tirelessly to setup a test environment for development with WIF & ADFS 2.0. One of the problems that I am up against is my home environment only has one IP address and I wasn't about to stick ADFS on my main server. Therefore, I've created a dedicated virtual machine for FS (idp.yyy.local).
For the sake of not having direct links back to my site, 'yyy' refers to 'dgdev'. (image below)
The strange thing is, it's partially working. Here is an image detailing my infrastructure.
What's odd is that I can browse 'idp.yyy.net' in both normal HTTP and HTTPS just fine. I can also view the WS-Federation Metadata perfectly. Now, I'm quite new to ADFS, but I expect that when going to http://idp.yyy.net/adfs/services/trust it would redirect me to a Windows SSL login. Instead all I'm receiving is:
Service Unavailable
HTTP Error 503. The service is unavailable.
I am using the same SSL certificate on the FS Proxy and FS. Its subject is my main domain name yyy.net. It has several Subject Alternative Names so that I can host multiple IIS web sites with SSL with my single IP:Port.
CN = yyy.net
DNS Name=www.yyy.net
DNS Name=idp.yyy.net
DNS Name=idp.yyy.local
...
IP Address=192.168.1.2
IP Address=192.168.1.3
IP Address=192.168.1.4
...
Does anyone have any idea of why I'm seeing 503 Service Unavailable errors. Nothing is showing up in Event Viewer as an error. (except annoying things with AppFabric, but that's another issue I've yet to touch)
Thanks in advance! Actually many many thanks. I've exhausted every avenue and idea I could come up with, why this might be "broken"?
If anyone has an idea how I can debug this issue I'd certainly except that as a solution. I've tried IIS Failed Request Logging but nothing is being generated. Where/What is hosting the ADFS Services?
Things I've already looked at:
All AppPools are running.
The old ADFS 1.0 web service (asmx) is accessible just fine.
I can access issuer endpoints directly ... or at least 'windowstransport'
Well turns out everything has been working all along!
I spent a couple hours ensuring the certificate was created properly. Then after still seeing 503 & 403 errors, I realized that my proxy server AppPool for the \Default Web Site was running under "ApplicationPoolIdentity" - which is really the user:
IIS AppPool\DefaultAppPool.
I never gave that user read privileges to the ADFS certificate private key. Hence the reason I saw a 403 Forbidden instead of 503. After switching the AppPool over to Network Service ... voila!, 503 Service Unavailable.
So now I was sure my proxy server and ADFS server were talking just fine. Now why was I still seeing 503 Service Unavailable?!?
I told myself to create a test application anyway. In visual studio, I setup a new MVC 3 Web App. Added my existing STS-Reference. Setup a dummy claim and updated the application's FederationMetadata. Added the new Relying Party to ADFS.
Opened my browser to the web app and instant success!
> GET) https://mywebapp/
> Response-Redirect) Location header kicks me to my IdP (ADFS)
https://idp.yyy.net/adfs/ls/?wa=wsignin1.0&wtrealm.........
> I sign-in with proper credentials
> POST) https://mywebapp/login << AWESOME!
Related
I am using VS 2013. IIS 8.0 Express and Azure .NET SDK v2.2
With a simple WebAPI template project I am able to repro this. When I locally debug the project in the azure compute emulator, it starts up the web page in https://127.0.0.1. However, in the request, the URI comes up with port 444.
Is there any known fix / workaround for this bug?
I could find similar issues for others at following pages but their workarounds don't work for me. Nothing in Request object or Request.RequestContext.HttpContext.Request object has the right URL. For e.g. if I try to open https://127.0.0.1:444/, I get "page not found" error.
Wrong port number in mvc 4 windows Azure Request.Url
Request.Url has wrong port information
Thanks!
After reading through this, I think this might be by design. The request is associated with DIP rather than VIP since it is just been forwarded from the Load balancer.
However, this would still mean that I need to keep 443 unused for my service to function normally. My service redirect users to live login page and it has to provide the VIP domainname port as redirect url in order to get the request.
During local debugging, requests to url:port provided in Request.Url doesn't work. Overall this azure local debugging setup still looks like a mess.
Let me know if there is any other workaround/fix.
My JSF website(http://discountbox.in) is returning 404 Not Found error since night most of the times. But my friends are able to see my website. When I access via my mobile I am able to access the site.
What can be the cause for this, of this. I have deployed the application in tomcat and not using apache at all. It was working for year, only since a day I am having this issue.
This could be caused by the DNS registered on your own router.
Your client (PC) in the same network as your server and aforementionned router needs to access your website via local IP (something like 192.168.X.X).
Hi I have a website that I will be developing in the future.
Upon looking at the current website I noticed something weird that I have never seen before and also Google'd and found nothing.
If you go to: http://www.smartrainer.com.au you get the normal site
But, if you go to: https://www.smartrainer.com.au you get redirected to another website and are also given an SSL warning beforehand (in Chrome)
The site is hosted on a UNIX / PHP server and the .htaccess file currently has nothing that would suggest that it's redirecting to this other website.
Any help or insight would be appreciated with this, because I've never heard of this or seen this before.. The client also has no idea why it would be directing to that company that we've never heard of
Thanks!
It sounds like you're using a shared hosting server.
In plain HTTP, the server can know which host the client is requesting using the Host header in the request (this is based on the URL). Apache Httpd supports this with what it calls Name-based virtual hosts.
The HTTPS configuration is separate from the HTTP configuration in Apache Httpd (and presumably a number of other servers). Having virtual hosts (typically on a shared host) for the HTTP configuration doesn't mean that the same configuration is replicated for HTTPS.
HTTPS presents another problem: choosing which certificate to send before being able to see the Host header. Indeed, the server needs to send the client a certificate with the correct name during the SSL/TLS handshake, which happens before any HTTP traffic is sent (so before the Host header can be read). To overcome this problem, some hosts will set up a certificate valid for multiple host names (typically multiple Subject Alternative Names, or sometimes wilcards), others will use Server Name Indication (which isn't supported by all clients).
To get your server to host your site for HTTPS, you'd need:
To make sure the certificate it serves is valid for your host name (otherwise, there will be a warning message).
That the virtual hosts (or equivalent) it serves are configured for your host too.
In your case it seems that (a) your server is serving a single certificate that is not valid for your host and (b) your host isn't configured for HTTPS anyway, since you're falling back to what's probably the default host.
You may solve this issue by redirecting HTTPS URL to HTTP URL from your .htaccess. This error might because of shared hosting. If you cannot solve this issue from your .htaccess than you may also contact your hosting provider on this issue.
When running in Visual Studio, my mvc3 app does not ask for any authentication. However, when I deployed to test server (Windows Server 2008 and IIS 7) I keep getting a prompt asking for UserName and Password. I supply the admin credentials for the server yet there is a failure. The strange thing is that the page is served but I keep getting the prompt. All the ajax calls however fail with a 401 Unauthorized error.
I tried different types of authentication but the results are the same. Even with anonymous authentication only I get a prompt for user name and password.
I tried changing the pipeline from Managed to Classic but then MVC would not work and I get 404 error. This is my first mvc app and I did not expect such issues in deployment.
Any clues how to get this to work?
==Edit begin===
This is what I suspect might be causing the issue. On the server the site is bound to test.xyz.com. Also, there is Sql Server Reporting Services Installed. My application is tries to query the url test.xyz.com/Reports but I think this is bound to SSRS. When I stop the SSRS service I get a service unavailable 503 error. Otherwise I get a authentication window.
I am trying to find out how can I remove the particular SSRS binding so that test.xyz.com/Reports points to my Reports Controller
==Edit end====
You can also use Reporting Services Configuration Manager to specify the port and url that Reporting Services uses on the server.
By default SQL Server Reporting Services uses the following urls:
http://<server name>/ReportServer // web service url
http://<server name>/reports // reports manager url
http://msdn.microsoft.com/en-us/library/ms159261(v=sql.105).aspx
Things to check:
Does your web application accessing any resources? If so, does the IIs worker process account have permission to those?
Have you set the Web Site Authentication to Enable anonymous access?
Do you by any chance doing impersonation (either in web.config of programmatically? If so, does the end user account have the proper permissions to any eventual back end resources?
I changed my controller from Reports to MyReports and this resolved the conflict.
I am using System.DirectoryServices.AccountManagement to find the logged-in user's AD entry. It is working great in the VS2008 WebDev server on developers machines.
But when we installed the code on the development server (windows server 2008), we get an access error.
Both the developer's machine and the development server are members of the same domain.
We have Impersonation turned on, so we are connecting to AD with the same user credentials.
What are we missing here? Why is it working on the developer's machine, but not the development server?
The actual exception that we were receiving was "An operations error occurred".
After some research, I found the following link: http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/c314650a-ff5e-49e6-8f53-9a7cca17e806
In it one user describes the solution to the problem:
I have seen this error and it is related to the fact that when using NTLM authentication and impersonation set to true in web.config, IIS cannot use the authenticated token against another server since it is a "secondary token".
The solution to my issue was to wrap my Active Directory code with:
using( HostingEnvironment.Impersonate() )
{
//Active Directory search goes here.
}
This makes the call to AD with the identity of the application pool, and it did the trick in my case.
I was just looking around to fix the error System.DirectoryServices.DirectoryServicesCOMException
after using UserPrincipal.FindByIdentity
and the answer from mlsteeves was what i needed, impersonating the hostenvironnement on the production server!
So good call this was about delegation on server and your solution was perfect thanks alot!