Sharepoint - Cannot access document library files when logged in - sharepoint-2007

I'm working on a website where SharePoint 2007 is being used as the CMS for a public-facing site.
Internal users are authenticated via Active Directory and can edit content via an internal URL. External users view the content via a public URL. I've just added forms-based authentication to the external-facing version of the site in order to provide some special services to authenticated users.
The functionality works as expected on their dev servers, but when rolled out to the test server any users authenticated via the forms-based authentication are no longer able to access CSS files (which can be accessed by anonymous users), so all styling is lost. The CSS files are maintained in a document library. If the user is logged out these files become available again (all via the external URL and forms-based authentication).
Any idea what might be going on?
Looking in the event logs provides the following information:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 26/10/2010 3:08:20 p.m.
Event time (UTC): 26/10/2010 2:08:20 a.m.
Event ID: f6fbeb6ffe334e48aa150bc7d34aeda8
Event sequence: 159
Event occurrence: 29
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1334941635/ROOT-1-129325324099898564
Trust level: WSS_Minimal
Application Virtual Path: /
Application Path: E:\WebSites\test.company.co.nz\
Machine name: INTERNETTEST
Process information:
Process ID: 7616
Process name: w3wp.exe
Account name: CH\InternetTestAPESite
Exception information:
Exception type: FileNotFoundException
Exception message: The site with the id 5b06fc07-8611-4774-a283-7b9f94318030 could not be found.
Request information:
Request URL: http://internettest.company.co.nz/Style Library/Company/CSS/base.css
Request path: /Style Library/Company/CSS/base.css
User host address: 172.23.4.119
User: gavin.harriss@somecompany.co.nz
Is authenticated: True
Authentication Type: Forms
Thread account name: CH\InternetTestAPESite
Thread information:
Thread ID: 19
Thread account name: CH\InternetTestAPESite
Is impersonating: True
Stack trace: at Microsoft.SharePoint.SPSite..ctor(Guid id, SPFarm farm, SPUrlZone zone, SPUserToken userToken)
at Microsoft.SharePoint.SPSite..ctor(Guid id)
at Microsoft.SharePoint.Publishing.BlobCache.<>c__DisplayClass3.<EnsureAuthenticatedRights>b__0()
at Microsoft.SharePoint.SPSecurity.CodeToRunElevatedWrapper(Object state)
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.SharePoint.Publishing.BlobCache.EnsureAuthenticatedRights(Guid siteID, Guid scopeID)
at Microsoft.SharePoint.Publishing.BlobCache.RewriteUrl(Object sender, EventArgs e)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

It was a blob caching issue. Clearing the cache followed by an iisreset resolved the issue.

Related

How to use cached ticket with KerberosRestTemplate?

I want to implement integration test for my spring security kerberos authentication.
There is KerberosRestTemplate (reference) for this purpose. KerberosRestTemplate has got a default constructor with description "Leave keyTabLocation and userPrincipal empty if you want to use cached ticket".
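For research I wrote a trivial class:
    import org.springframework.security.kerberos.client.KerberosRestTemplate;

    public class Application {
        public static void main(String[] args) {
            // Default constructor: no keytab or principal, so the cached ticket should be used
            KerberosRestTemplate krt = new KerberosRestTemplate();
            String result = krt.getForObject("http://testserver.testad.local:8080/", String.class);
            System.out.println(result);
        }
    }
When I run it, an exception is thrown: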
Exception in thread "main" org.springframework.web.client.RestClientException: Error running rest call; nested exception is java.lang.IllegalArgumentException: Null name not allowed
at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:196)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:237)
at edu.mezlogo.Application.main(Application.java:9)
Caused by: java.lang.IllegalArgumentException: Null name not allowed
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
at javax.security.auth.kerberos.KerberosPrincipal.<init>(Unknown Source)
at javax.security.auth.kerberos.KerberosPrincipal.<init>(Unknown Source)
at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:182)
... 3 more
My klist contains the correct cached ticket for my service.
#2> Client: deniz @ TESTAD.LOCAL
Server: HTTP/testserver.testad.local @ TESTAD.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 2/5/2016 6:17:39 (local)
End Time: 2/5/2016 16:16:32 (local)
Renew Time: 2/12/2016 6:16:32 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
And my browser (Firefox) has successfully authenticated with Kerberos SSO.
I use Windows Server 2012, and Windows 7 as the client.
How do I use the cached ticket? (And can ktpass generate a client keytab?)
P.S. Sorry for my English.

You are checking the Windows credentials cache, while Java maintains its own separate one. To view Java's credentials cache, you should execute the klist command from your JRE/bin folder.

Error in TFS Release Management Server after Upgrading to Update 3

A weird and unexplained error is being logged in the InRelease (aka Release Management) server event log after upgrading Release Management from Update 1 to Update 3.
The error below started getting logged only after upgrading to Update 3.
We started the InRelease Server and all agents, but no luck.
Any immediate help would be much appreciated.
Timestamp: 12/15/2014 10:22:18 AM
Message: 'LambdaValue>' is not of type 'ServerActivity'. When loading this instance you must ensure that the activity with name 'LambdaValue>' implements 'ServerActivity'.: \r\n\r\n at System.Activities.ActivityInstance.System.Activities.Runtime.ActivityInstanceMap.IActivityReference.Load(Activity activity, ActivityInstanceMap instanceMap)
at System.Activities.Runtime.ActivityInstanceMap.InstanceList.Load(Activity activity, ActivityInstanceMap instanceMap)
at System.Activities.Runtime.ActivityInstanceMap.LoadActivityTree(Activity rootActivity, ActivityInstance rootInstance, List1 secondaryRootInstances, ActivityExecutor executor)
at System.Activities.Runtime.ActivityExecutor.OnDeserialized(Activity workflow, WorkflowInstance workflowInstance)
at System.Activities.Hosting.WorkflowInstance.InitializeCore(IDictionary2 workflowArgumentValues, IList1 workflowExecutionProperties)
at System.Activities.Hosting.WorkflowInstance.Initialize(Object deserializedRuntimeState, DynamicUpdateMap updateMap)
at System.Activities.WorkflowApplication.LoadCore(DynamicUpdateMap updateMap, TimeoutHelper timeoutHelper, Boolean loadAny, IDictionary2 values)
at System.Activities.WorkflowApplication.Load(Guid instanceId, TimeSpan timeout)
at System.Activities.WorkflowApplication.Load(Guid instanceId)
at Microsoft.TeamFoundation.Release.ServiceProcessor.Processor.WorkflowInstance.WorkflowInstanceCacheSingleton.<.cctor>b__1(WorkflowApplication app, Guid id)
at Microsoft.TeamFoundation.Release.ServiceProcessor.Processor.WorkflowInstance.WorkflowInstanceCache.CreateApplicationInCache(CreateParameters createParameters, Guid id)
at Microsoft.TeamFoundation.Release.ServiceProcessor.Processor.WorkflowInstance.WorkflowInstanceCache.GetInstance(CreateParameters createParameters, Guid id)
at Microsoft.TeamFoundation.Release.ServiceProcessor.Processor.WorkflowInstance.CachedWorkflowInstanceLoader.GetInstance(DeploymentLog log, CreateParameters createParams)
at Microsoft.TeamFoundation.Release.ServiceProcessor.Processor.DeploymentControllerServiceProcessor.ContinueDeploymentWithFinalComponentState(DeploymentLog log)
at Microsoft.TeamFoundation.Release.ServiceProcessor.Processor.DeploymentControllerServiceProcessor.ContinueDeployment(String log)
Category: General
Priority: -1
EventId: 0
Severity: Error
Title:
Machine: **********
Application Domain: /LM/W3SVC/1/ROOT-1-130630102320068767
Process Id: 6628
Process Name: C:\Windows\SysWOW64\inetsrv\w3wp.exe
Win32 Thread Id: 1344
Thread Name:
Extended Properties:
=============== Update (Solution) ==================
Issue/Error resolved after upgrading RM to Release Management 2015.

No FedAuth cookie is sent back, as the SAML token seems to miss XML tags after reaching the STS. Happens only on Firefox

I am scratching my head over a peculiar problem that seems to work on IE and Chrome.
We have a custom passive STS which serves an RP. All is well until I authenticate via my custom authentication service, and then the STS returns a token which I can see in my temp folder. The POST operation which then sends the SAML 1.0 token hangs and silently dies instead of getting back the FedAuth cookie which would normally redirect me to the RP.
Note: the RP and IP are hosted on a web server that is behind a reverse proxy server (Nginx). The reverse proxy is hosted over SSL, and all traffic to and from the proxy server and web server is non-SSL.
The following gets logged on the web server:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 12/11/2013 5:16:33 PM
Event time (UTC): 12/11/2013 5:16:33 PM
Event ID: eef80ad2bffe425780dd46e5f28c0306
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Exception information:
Exception type: XmlException
Exception message: Unexpected end of file. Following elements are not closed: RequestedUnattachedReference, RequestSecurityTokenResponse, RequestSecurityTokenResponseCollection. Line 1, position 5852.
at System.Xml.XmlExceptionHelper.ThrowXmlException(XmlDictionaryReader reader, String res, String arg1, String arg2, String arg3)
at System.Xml.XmlExceptionHelper.ThrowUnexpectedEndOfFile(XmlDictionaryReader reader)
at System.Xml.XmlBufferReader.GetByteHard()
at System.Xml.XmlBufferReader.GetByte()
at System.Xml.XmlUTF8TextReader.ReadStartElement()
at System.Xml.XmlUTF8TextReader.Read()
at System.Xml.XmlBaseReader.ReadEndElement()
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.ReadRSTRXml(XmlReader reader, RequestSecurityTokenResponse rstr, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13ResponseSerializer.ReadXmlElement(XmlReader reader, RequestSecurityTokenResponse rstr, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.CreateResponse(XmlReader reader, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13ResponseSerializer.ReadXml(XmlReader reader, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Protocols.WSFederation.WSFederationSerializer.CreateResponse(WSFederationMessage message, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetXmlTokenFromMessage(SignInResponseMessage message, WSFederationSerializer federationSerializer)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetXmlTokenFromMessage(SignInResponseMessage message)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetXmlTokenFromMessage(SignInResponseMessage message, WSFederationSerializer federationSerializer)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(SignInResponseMessage message)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I don't understand why I get this problem just for FF. Is there a limitation on the size of the content that is sent in the header for FF?
Another question: I have installed two different certificates, one at the proxy server (SSL) and one at the web server (STS) for signing the token. Can I use the same certificate? Should I?

According to the top-voted answer on the question "Can HTTP headers be too big for a browser", Firefox does have the lowest individual header size (or at least did back in FF3.6). The accepted answer may help you though, as you've mentioned you're behind a proxy.

How to configure libgit2 in TFS Build with private repositories?

I am currently using TFS 2013 (local installation) to try to build from an internal GitHub Enterprise installation using LDAP Authentication.
The problem I am getting is that it cannot access the source code, how can I configure TFS Build to use a specific authentication?
From the TFS Build Log
Exception Message: An error was raised by libgit2. Category = Net (Error).
VS30063: You are not authorized to access https://user:password@githubrepository.corp.company.net. (type LibGit2SharpException)
Exception Data Dictionary:
libgit2.code = -1
libgit2.category = 11
Exception Stack Trace:
Server stack trace:
at LibGit2Sharp.Core.Ensure.HandleError(Int32 result)
at LibGit2Sharp.Core.Proxy.git_clone(String url, String workdir, GitCloneOptions opts)
at LibGit2Sharp.Repository.Clone(String sourceUrl, String workdirPath, Boolean bare, Boolean checkout, TransferProgressHandler onTransferProgress, CheckoutProgressHandler onCheckoutProgress, Credentials credentials)
at Microsoft.TeamFoundation.Build.Activities.Git.GitPull.GitClone.GetRepository(String repositoryUrl, String workingFolder)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
at System.Func3.EndInvoke(IAsyncResult result)
at Microsoft.TeamFoundation.Build.Activities.Git.GitPull.GitRepositoryBase.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity1.System.Activities.IAsyncCodeActivity.FinishExecution(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity.CompleteAsyncCodeActivityData.CompleteAsyncCodeActivityWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
Follow up
I have tried the URL params for authentication (example):
https://username:password@domain.com/user/project.git
More Follow up
Completely uninstalled and updated to the 2013 RC; the error message has been updated as well, as it is different.
I have also tried setting up the build controller to run as an authenticated LDAP user in the GitHub Enterprise installation.

Libgit2 does support the URL credentials; however, the TFS build activities for GitPull override the default behavior with a Microsoft.TeamFoundation.Build.Activities.Git.TfsSmartSubtransport class for the http and https protocols.
This class unfortunately ignores credentials in the URL and instead tries to retrieve credentials from the registry.
I was able to successfully get a TFS build server to pull source code from a gitlab server using TFS build with the default GitTemplate.12.xaml workflow.
Set up the TFS build's repository URL without any credentials in the URL.
Encrypt your credential's password with the following bit of code. This needs to be run on the build server, as the encryption process is specific to the local machine it's executed on.
    using System;
    using System.Security.Cryptography; // ProtectedData lives in System.Security.dll
    using System.Text;
    var password = "your_password";
    var bytes = Encoding.Unicode.GetBytes(password);
    // DPAPI, LocalMachine scope: the blob decrypts only on this machine, for any account on it
    var bytes2 = ProtectedData.Protect(bytes, null, DataProtectionScope.LocalMachine);
    var base64 = Convert.ToBase64String(bytes2);
Add the following registry settings to your build server.
NOTE: The URL in the registry must exactly match the absolute URL of your repository or TFS won't find the credentials.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TeamFoundationServer\12.0\HostedServiceAccounts\Build\http://githubrepository.corp.company.net]
"Microsoft_TFS_UserName"="<username goes here>"
"Microsoft_TFS_Password"="<base64 encrypted password goes here>"
"Microsoft_TFS_CredentialsType"="Windows"
The only other alternative to this approach that I could think of is to modify the default workflow and replace the GitPull activity with something else.
I'm not suggesting that this is the best method, but it worked for me.
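
The two steps in the answer above (DPAPI-protect the password, then write the three registry values) combined into one script, as an added example that is not part of the original answer. The function names, the `$RepoUrl` and `$UserName` parameters and their placeholder defaults are assumptions; the key path and value names are the ones the answer lists.

```powershell
# Added example, not from the original answer. Run elevated on the build server.
# $RepoUrl / $UserName defaults are placeholders; key path and value names are
# taken from the registry settings listed in the answer.
param(
    [string]$RepoUrl  = 'http://githubrepository.corp.company.net',
    [string]$UserName = '<username goes here>'
)

Add-Type -AssemblyName System.Security   # provides ProtectedData (DPAPI)

function Protect-ForLocalMachine {
    param([Parameter(Mandatory)][string]$PlainText)
    # Same steps as the C# snippet: UTF-16LE bytes -> DPAPI (machine scope) -> base64
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
                 $bytes, $null,
                 [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [Convert]::ToBase64String($blob)
}

function Unprotect-ForLocalMachine {
    param([Parameter(Mandatory)][string]$Base64)
    $blob  = [Convert]::FromBase64String($Base64)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $null,
                 [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Prompt instead of hard-coding, so the password is not left in a script file
$secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
$base64 = Protect-ForLocalMachine -PlainText $plain

# Round-trip check before touching the registry
if ((Unprotect-ForLocalMachine -Base64 $base64) -cne $plain) {
    throw 'DPAPI round trip failed; nothing written.'
}

# The key name is the repository URL and contains "/" characters. The PowerShell
# registry provider treats "/" as a path separator, so the key is created
# through the .NET registry API, where only "\" separates key names.
$subKey = 'SOFTWARE\Microsoft\TeamFoundationServer\12.0\HostedServiceAccounts\Build\' + $RepoUrl
$key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($subKey)
try {
    $key.SetValue('Microsoft_TFS_UserName', $UserName)
    $key.SetValue('Microsoft_TFS_Password', $base64)
    $key.SetValue('Microsoft_TFS_CredentialsType', 'Windows')
} finally {
    $key.Close()
}
```

With `DataProtectionScope.LocalMachine`, any process on the build server can decrypt the stored value, so access to that machine and to this registry key is what protects the password.
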
That's odd. It looks like the HTTP transport should honor url-encoded credentials.
In any case, it might be better and safer to set up the remote to get the credentials from elsewhere. The clone code is a good example of how to do this: here's how to set up the callback, and here's an example of how to generate the credential object.

Creating Azure storage table on asp.net MVC

I'm following this blog post to create an azure storage table:
http://blogs.msdn.com/jnak/archive/2008/10/28/walkthrough-simple-table-storage.aspx
It works fine on an asp.net webform web_role.
I've re-created the same project using asp.net mvc as the web role, and it's always failing on application start. This line:
StorageAccountInfo account = StorageAccountInfo.GetDefaultTableStorageAccountFromConfiguration();
seems to always fail getting the account shared key.
If I move the line from global asax application start to default.aspx, it works perfectly fine.
Is there any difference in initializing a storage table in azure asp.net mvc compared to webform?
Why can't I get the azure appsettings on application start?
This is the error call stack from event viewer
Exception information:
Exception type: HttpException
Exception message: No account key specified!
Request information:
Request URL: http://127.0.0.1:5100/do.__rd_runtime_init__?shutdownEvent=1B671B93FD-4153-4834-9D5D-595EFC6C19EE1D
Request path: /do.__rd_runtime_init__
User host address: 127.0.0.1
User:
Is authenticated: False
Authentication Type:
Thread account name: *****
Thread information:
Thread ID: 6
Thread account name: *****
Is impersonating: False
Stack trace: at System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetPipelineApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

Check out the "remarks" at http://msdn.microsoft.com/en-us/library/microsoft.servicehosting.serviceruntime.rolemanager.aspx:
The Windows Azure fabric runs IIS 7.0 in integrated mode. In integrated mode, the Application_Start event does not support access to the request context or to the members of the RoleManager class provided by the Windows Azure SDK runtime API. If you are writing an ASP.NET application that accesses the request context or calls methods of the RoleManager class from the Application_Start event, you should modify it to initialize in the Application_BeginRequest event instead.
For an example that shows how to use the Application_BeginRequest event, see the PersonalWebSite Sample that ships with the Windows Azure SDK.

If you use:
StorageAccountInfo account = StorageAccountInfo.GetDefaultTableStorageAccountFromConfiguration();
Usually the account information is given in the Web.conf file.
<add key="TableStorageEndpoint" value="http://127.0.0.1:10002/devstoreaccount1" />
<add key="AccountName" value="devstoreaccount1" />
<add key="AccountSharedKey" value="YOUR ACCOUNT KEY PROVIDED BY AZURE"/>
