Event code: 4005 - machinekey

something weird is happening! is a couple of days that my users are experincing a "logging out" isses, the error message is:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Here the data:
the website is running on 3 server behind a load balancer
yes, machine key is the same all across thw websites, because the configuration is shared and all servers are pointing to the same folder on a NAS, this is the key:
<machineKey decryption="AES" decryptionKey=" ... snipped for security reasons ... "
validation="SHA1" validationKey=" ... snipped for security reasons ..." />
I created the keys using an console app as suggested here: http://msdn.microsoft.com/en-us/library/ff649308.aspx#paght000007_webfarmdeploymentconsiderations
the form auth config is
<authentication mode="Forms">
<forms loginUrl="SignIn.aspx" timeout="525960" />
</authentication>
the time on the servers is in sync
... Any other suggestions?
Cheers

Make sure that this patch is installed on every server in the farm.
(It changes ticket handling; installing it on some of the servers will cause issues)

Related

.NET 6.0 MVC App returns 404 in IIS on Windows 10

I've just refreshed an app written in .net 2.1 to .net 6.0. I worked through the errors and the site appears to compile cleanly. After I published to the server had many errors. Working through them, and standing up a full IIS install on my own machine, I now have it down to a 404 error.
When running the exe straight from the console it runs without errors.
Z:\ReportGroups>FleetLogix.ReportGroups.exe
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
No XML encryptor configured. Key {snip} may be persisted to storage in unencrypted form.
c:\inetpub\wwwroot\ReportGroups>FleetLogix.ReportGroups.exe
Hosting environment: Production
Content root path: c:\inetpub\wwwroot\ReportGroups
Now listening on: http://localhost:5000
Now listening on: https://localhost:5001
Application started. Press Ctrl+C to shut down.
Application is shutting down...
Web.config is
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\FleetLogix.ReportGroups.dll" forwardWindowsAuthToken="false" startupTimeLimit="3600" requestTimeout="23:00:00" stdoutLogEnabled="false" hostingModel="inprocess" stdoutLogFile=".\logs\stdout" />
</system.webServer>
</location>
</configuration>
Looking through Event Viewer, there's nothing of note. System nothing for IIS, IIS-Configuration and IIS-Admin are empty.
Edit 2021-11-22
It took a morning, but I have Request Tracing installed. For those on windows 10, just go to Add Features > IIS > Health > Tracing. Don't believe the server 2012 pages. Below is a screenshot:
The actual xml and xslt were quite verbose.
I have reinstalled the Hosting package as administrator, just in case. The version installed was dotnet-hosting-6.0.0-win.exe. That didn't fix it. IIS was stopped/started at server level as well.
At the moment it looks like the handlerv2 is missing?
If any other logs or config are required please let me know
"At the moment it looks like the handlerv2 is missing?" is incorrect.
The correct interpretation of the FRT log is that ASP.NET Core module (handler configured in your web.config) runs fine, and decides that no routing rule yields a result for the incoming URL http://localhost/ReportGroups. Thus, it returns 404 as designed.
It is your responsibility to review IIS configuration (site/app) as well as your source code on routing to see what should be the right URL to use to access the target pages. And unless you share those parts, discussion on this question cannot move forward.

Jenkins - No valid crumb was included in request

Jenkins - 2.263.1(LTS) deployed through tomcat on CentOS-8.2and have Nginx reverse proxy running in-front of Jenkins.
Under Manage Jenkins > Configure Systems - Apply and Save not working, Due to this error, i cannot Apply (or) Save any of my configurations, It always shows below error on browser (Firefox & Chrome).
HTTP Status 403 – Forbidden
Type Status Report
Message No valid crumb was included in the request
Description The server understood the request but refuses to authorize
it. Apache Tomcat/9.0.30
Also Jenkins > Manage Jenkins > Configure Global Security - Apply works. But Save not working this too results same above given error.
Systems log error message.
Feb 19, 2021 10:56:05 AM WARNING hudson.security.csrf.CrumbFilter
doFilter No valid crumb was included in request for
/jenkins/configSubmit by ankit.sahu. Returning 403.
Workaround tried:-
1) Under Configure Global security > CSRF Protection > Enable proxy compatibility( Tick marked Enabled). - Didn't work so disabled with below command.
2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even this didn't solve the problem.
3) Installed the Strict Crumb Issuer plugin.
Enabled this plugin and unchecked Check the session ID from its configuration (Under Jenkins Configure Global Security).
4) Restated the Jenkins.
Even tried by adding below in /apache-tomcat-9.0.30/conf/tomcat-users.xml file.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
However still experiencing same problem. I don't know how to fix it, Can someone help me?
You can (temporarily) disable CSRF with below groovy script. Go to Manage Jenkins >> Script Console, then execute the below groovy script.
import jenkins.model.Jenkins
def instance = Jenkins.instance
instance.setCrumbIssuer(null)
The nonces embedded into web output from Jenkins with CSRF protection are based (at least in part as I've read) on values from the requesting client. In addition to making sure your reverse proxy is correctly configured to pass X-Forwarded-For and X-Forwarded-Proto, make sure that Tomcat valve is in place to expose those header values in the servlet request API so Jenkins has access to them.
Add the following to $CATALINA_BASE/conf/server.xml, subordinate to the <Host> element:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-troubleshooting/
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/
ref: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
If you're using jenkinsapi, I resolved this error by specifying useCrumb=True in the constructor:
j = Jenkins(base_url, username=username, password=password, useCrumb=True)

Configuration Error Azure Key Vault as a Visual Studio Connected Service ConfigurationBuilder

I am trying to wire up Azure Key Vault in my ASP.NET (.Net Framework) MVC Web App using Visual Studio 2017 Community 15.7.5 Connected Service targeting .Net 4.7.2.
It adds a configBuilder with the name AzureKeyVault with an attribute called vaultName that throws a "The 'vaultName' attribute is not allowed." warning.
When I run the application I get an error that the configBuilders attribute on the appsetting tag is not good like so:
I am using the following package versions which are all current:
<package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
There is an update to Microsoft.Azure.Services.AppAuthentication but it is a preview and it caused dependency issues with other packages.
tldr; - you probably don't have the appropriate permissions to access the key vault.
In currently released versions of the .Net framework, detailed errors about config builders are not always easily discoverable in the ASP.NET yellow screen. We have changes in vNext to address this issue, but it is currently a problem for 4.7.1/2. For the time being, if you create a simple console app to read appSettings with the same config builder configuration, you should see more exception information in the stack that gets spit out.
Based on the yellow screen you posted though I would guess (and its really just an educated guess based on past reports and nothing specific in your case) you are running into an authentication issue in the Microsoft.Azure.Services.AppAuthentication library. When running in Visual Studio, that library can use your personal credentials to access the key vault. If deployed in Azure, they use a different magic technology to authenticate the application to the key vault. If you want to eliminate the "magic" and take more control over this, you can specify more detailed connection information with the 'connectionString' attribute. There is more information as well as a link to connection string details on our GitHub page (MicrosoftConfigurationBuilders).
As for the "The 'vaultName' attribute is not allowed." warning... it's just a warning. The .xsd that VS uses to validate configuration was not correctly updated to allow random attributes on configBuilder definitions. We hope to address this in a future VS release around the time that the next framework ships.
Steve Molloy was correct in that the Configuration Error was a red herring. I created a console app and the error messages were much better but they still required some investigation. Here's my Console App Code and packages:
static void Main(string[] args)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider
(azureAdInstance:"https://InsertAADSubscriptionName.onmicrosoft.com/");
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = keyVaultClient.GetSecretAsync(
"https://InsertKeyVaultName.vault.azure.net", "InsertSecretYouWantBack").GetAwaiter().GetResult();
}
<packages>
<package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net472" />
<package id="Microsoft.Rest.ClientRuntime" version="2.3.13" targetFramework="net472" />
<package id="Microsoft.Rest.ClientRuntime.Azure" version="3.3.15" targetFramework="net472" />
<package id="Newtonsoft.Json" version="11.0.2" targetFramework="net472" />
</packages>
I put a breakpoint on the last bracket and kept looking for my secret value in the variable secret. I kept getting the following error indicating that Azure AD wasn't able to authenticate my local environment and return an access token.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried the following 4 methods to get an access token,
but none of them worked.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Managed Service Identity.
Unable to connect to the Managed Service Identity (MSI) endpoint.
Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Visual Studio.
Access token could not be acquired.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Azure CLI. Access token could
not be acquired. ERROR: Please run 'az login' to setup account.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Active Directory Integrated
Authentication. Access token could not be acquired. get_user_name_failed:
Failed to get user nameInner Exception : No mapping between account names
and security IDs was done
The problem was that since I was running the app locally I needed to be logged in to Azure CLI locally. To do this: first install Azure CLI on your machine, then go to a CMD or a PowerShell prompt and type az login and follow the instructions returned.
This did the trick; the console app was able to get an access token.
I tried it on my web app in the original question above and it worked as expected.

Graphics missing when deploying to azure

I just deployed my first MVC5 application to azure, and got everything to work, except that it is not showing graphics. On my development machine this works.
My graphics are in a folder ~/Content/Graphics, and this is the part of the _Layout.cshtml that references one,
<img src="#Url.Content("~/content/graphics/EluciusSoft_Logo.svg")" style="height:50px">
I know that the files are on the server, though, since I checked it with WebMatrix. Why are they not displaying?
EDIT: The browser console error message is the following:
Failed to load resource: the server responded with a status of 404
(Not Found)
Here is a screenshot of the site directory using WebMatrix.
If the webserver hasn't been configured with the MIME type for SVG, then it will return a 404 error when you try and access it. You can define the MIME type in your application's web.config:
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
</staticContent>
</system.webServer>
</configuration>

Openbravo ant build fails

I am trying to setup openbravo on eclipse environment with the above URL.
Development stack setup is done successfully. (ANT, Java, Postgresql)
At the openbravo source directory when i apply the command
ant install.source
Build failure due to errors -
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/build.xml:480: The following error occurred while executing this line:
480 <ant dir="${base.src}" target="compile.complete.development" inheritAll="true" inheritRefs="true" />
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/src/build.xml:874: The following error occurred while executing this line:
874 <jvmarg line="${env.CATALINA_OPTS}" />
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/src/build.xml:880: Directory
880 <jvmarg value="-Djava.io.tmpdir=${env.CATALINA_BASE}/temp" />
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not successful for an unknown reason
Any help would be appreciated. Thanks.
Sounds like a permission problem.
See the related section 'Permission issues' in openbravo wiki
EDIT
for the remaining issues, i believe the properties base.src, CATALINA_OPTS and CATALINA_BASE are not set properly. Check this via :
<echo>
$${base.src} => ${base.src}
$${env.CATALINA_OPTS} => ${env.CATALINA_OPTS}
$${env.CATALINA_BASE} => ${env.CATALINA_BASE}
</echo>
or simply output all available properties use :
<echoproperties/>
also consider, before using ${env.whatever} you need to use :
<property environment="env"/>
before !
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not successful for an unknown reason
Give the permission to webapps folder
sudo chmod -R 777 /var/lib/tomcat6/webapps/
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not
successful for an unknown reason
it seem permission problem. It is important to always us the correct user account to start / stop tomcat!
Conceptually there are two user accounts involved in working with Openbravo:
command-line user used to work with files & compile Openbravo
user account used by Apache Tomcat service
There are several overlapping areas in which one of the accounts needs to access and modify files from the other account in both directions.
To avoid any problems Openbravo strongly recommends to run Apache Tomcat services with the same user account which is used on command line. As that way the above topic will be perfectly solved easily.
source: http://wiki.openbravo.com/wiki/Installation/Custom/Apache_Tomcat

Resources