External login (via ADFS) from identity server3 responds with HTTP status code 504 - identityserver3

I received a federation metadata endpoint from the customer, which I used to configure WsFederationAuthentication in identityserver3.
Everything works fine from the developer machine, e.g. the identity server login redirects to the ADFS login page, but after deploying the solution into AWS Elastic Beanstalk (which is in a private subnet) I receive a 504 HTTP status code when I try to log in through the external (ADFS) login.
I simulated this scenario in Postman. I receive a 302 response on the developer machine, but the request never ends (the Postman result pane shows 'Loading...') on the AWS EC2 instance.
I am able to browse the federation metadata URL and the /adfs/ls endpoint from the AWS EC2 instance.
In the identity server log, I can see the logs below:
External login requested for provider: adfs
Triggering challenge for external identity provider
HTTP Response
{
"StatusCode": 401,
"Headers": {
"Content-Type": [
"text/html"
],
"Server": [
"Microsoft-IIS/10.0"
],
"Content-Length": [
"0"
]
},
"Body": ""
}
After this, a gateway timeout happens (by the AWS load balancer).
As per the code in Microsoft.Owin.Security.WsFederation.WsFederationAuthenticationHandler.cs, from the ApplyResponseChallengeAsync() method, a redirect response should be generated with a Location header containing the ADFS login page URL.
But this is not happening.
I see the below error in HTTPError.Log.
GET
/identity/external?provider=adfs&signin=699036641a8b2b6ddccea61bc8c1f715 --
1 Connection_Abandoned_By_ReqQueue DefaultAppPool
I do not see any event related to the above HTTP error in the Event Viewer log.
I searched for the above error, but the solutions I found did not yield any good results for this issue.

I further investigated with the Process Monitor tool and compared the TCP operations between the local machine and the AWS EC2 instance for the identity server external login endpoint request. I found that a TCP disconnect operation happens immediately after TCP connect on the AWS EC2 instance, but locally this was not happening; instead the TCP connection was established and the TCP communication went well.
Further investigation with the Wireshark tool showed a handshake failure happening on the AWS EC2 instance after the Client Hello. Then I compared the TLS version and cipher suites used by the local machine (from the Wireshark log) and found the difference: the local machine uses TLS 1.2 and cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030),
and the AWS EC2 instance uses TLS 1.0, which is not supported by the ADFS server. Hence the TCP connection could not be established, resulting in the handshake failure.
I followed this link https://learn.microsoft.com/en-us/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server#enable-strong-cryptography-in-net-framework-45-or-higher to make the .NET Framework use strong crypto.
After this registry update, I was successfully able to log in from the external IdP (ADFS) via the identity server3 login page.
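The comparison the author made in Wireshark can be reproduced offline by parsing the ClientHello the client sends: the offered protocol version and cipher suite list are the first things a server checks, and a client that offers only TLS 1.0 is rejected right after ClientHello by a server that requires TLS 1.2. The following Python is an added example, not code from the post or from IdentityServer3; the two ClientHello records it builds are constructed by hand (the legacy one's cipher suites are a plausible stand-in, since the post only states the version), and the default server minimum of TLS 1.2 is an assumption that matches the ADFS behaviour described above.

```python
"""Parse a TLS ClientHello and report the offered version and cipher suites.

Added example, not part of the original post: it reproduces offline the
comparison the author made in Wireshark. Both ClientHello records are
constructed by hand for the demonstration, not captured traffic.
"""
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Only the suite IDs needed here; anything else is reported as a hex code.
CIPHER_SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (no extensions) for testing."""
    body = struct.pack("!H", version)                     # client_version
    body += b"\x11" * 32                                  # random: fixed bytes for the demo
    body += b"\x00"                                       # session_id length = 0
    body += struct.pack("!H", 2 * len(suites))            # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record layer: content type 0x16 (handshake), legacy record version 3.1, length.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the offered protocol version and cipher suites of a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                               # handshake type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                                         # client_version + random
    pos += 1 + hs[pos]                                    # session_id length + session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {
        "version": version,
        "version_name": TLS_VERSIONS.get(version, "0x%04x" % version),
        "suites": suites,
        "suite_names": [CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites],
    }


def server_would_accept(record, min_version=0x0303):
    """True if the client's highest offered version meets the server's minimum.

    The default minimum (TLS 1.2) is an assumption modelled on the ADFS server
    in the post, which closed the connection on a TLS 1.0 ClientHello.
    """
    return parse_client_hello(record)["version"] >= min_version


if __name__ == "__main__":
    # Constructed stand-ins: a TLS 1.0 client (as on the EC2 instance before the
    # registry change) and a TLS 1.2 client offering 0xc030 (as on the dev machine).
    legacy = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A])
    modern = build_client_hello(0x0303, [0xC030, 0xC02F])
    for label, hello in (("ec2", legacy), ("dev", modern)):
        info = parse_client_hello(hello)
        print(label, info["version_name"], info["suite_names"],
              "accepted:", server_would_accept(hello))
```

Feeding it the bytes of a real ClientHello from a capture (the handshake record only, without the TCP headers) tells you what the client actually offers, which is the fastest way to confirm that a registry or policy change such as the strong-crypto setting has taken effect on the client side.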


Accessing IBM API Connect endpoint through Postman

I just created a REST API in API Connect and the endpoint works when I test it in the APIC Assemble tab. It requires a client id and client secret. When I send a request through Postman, I currently get a “Could not get any response” message when I try to add them as header values or OAuth authorization. I’m using the request endpoint that’s displayed when I hit the debug button from the successful response on the Assemble tab. Is this the correct endpoint to use? How do I properly include the client id and client secret in a Postman request?
If you get a "Could not get any response" in Postman, that means that Postman can't reach the destination of the request.
There are several reasons for that:
Is it an intranet or internet endpoint?
Are you using a proxy? (check proxy config)
Is the hostname resolvable? (try the IP)
If it is an https endpoint with a self-signed certificate, check if you have SSL certificate verification enabled (Settings -> General)
On the other hand, to send the client-id and client-secret headers, just click on the Headers tab and add both (see the following picture)
Please check the below things to get access to API Connect published services.
The service needs to be allowed to be invoked from Postman (the system from which you are invoking).
Please check the web-api MPGW service in the DataPower default domain (created when you configure your API Connect with DataPower): have you created an access control list in the front-side handler?
Please disable the SSL configuration in Postman; sometimes this may create a problem (since the service exposed from API Connect will be with SSL).
From the error you are getting, I suspect there is no connection or only one-way traffic is enabled, which means you are blocking the response. If there were an issue with the request parameters you are sending, the error would be different, saying wrong client id or client secret.
Testing an API which is on-boarded from API Connect will be straightforward, the same as we invoke other REST services.
Thx Srikanth
I needed to include the client id and client secret in the headers using the correct name for them, which is specified when creating/editing the API under the 'Security Definitions' category as 'Parameter Name'.
I was also hitting the wrong endpoint. To find the correct endpoint, click the hamburger icon in the upper left of the API Connect website, select Dashboard, click on the environment you want, such as sandbox or dev, click Settings, click Gateway, then you'll see the endpoint.

While connecting two app servers with an IBM HTTP web server, we are able to successfully connect with only one server

While running two app servers (which have MobileFirst 7.1 servers hosted) from IBM HTTP Server, only one server runs successfully, on keeping only one of the Route attributes active in the plugin-cfg.xml of the HTTP server. On the server which is not running, the following error is seen in messages.log.
CWWKS4001E: The security token cannot be validated. This can be for the following reasons
1. The security token was generated on another server using different keys.
2. The token configuration or the security keys of the token service which created the token has been changed.
3. The token service which created the token is no longer available.
Kindly guide in resolving the error above.
Thanks.
Sounds like your two servers have not exchanged/shared LTPA keys and IHS and the WAS Plugin are a red herring.
http://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_ltpa.html
http://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_sso.html
Note: For SSO to work across Liberty servers, full profile servers, or both, set the following resources:
The servers must use the same LTPA keys and share the same user registry.
Sounds like a communication issue between the two servers. Are the inbound ports opened on the other server to communicate with the HTTP server? If they are opened, use telnet and test whether both servers (HTTP and app server) are communicating with each other.
On the HTTP Server, open a command prompt and enter the below command.
telnet <app server ip> <app server port>
If this is not successful then you need to open ports on app server.

Delphi rest and authentication

I have a .NET web service. I can connect to this web service from web browsers.
If I enter the service address, the web browser first asks for a username and password, then the service is connected.
If I connect to this web service with Delphi, there is an error message:
Error message is "401 Unauthorized"
I am using:
RESTResponse1
RESTRequest1
RESTClient1 and HTTPBasicAuthenticator1.
HTTPBasicAuthenticator1 has the username and password, and RESTClient adds the Authenticator.
But I cannot connect to the web service.
How can I connect to it?
To find out the reason for the missing (or wrong) authentication, you can use the developer / debug mode in most web browsers. You could also use Wireshark or an HTTP proxy.
Check the response headers of the server. They include information about all supported authentication modes (see RFC 2616).

Is HTTPS option required when a remote REST API is HTTPS?

I would like to make my Bluemix application (Liberty) access a remote REST API which is provided over SSL. I need to use the gateway's "TLS Mutual Auth option". But in order to figure out whether I must use the "HTTPS option" or not when a remote REST API is provided over SSL, I tested two cases, HTTPS and TLS Server Auth. The HTTPS case resulted in success and TLS Server Auth resulted in failure.
Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at the SecureGatewayClient? Can't we protect the gateway with TLS Mutual Auth if this is correct?
1. HTTPS option: success
This case resulted in success.
2. TLS Server Auth option: failure
This case resulted in failure.
I just changed the gateway's option from "HTTPS" to "TLS Server Auth", so the cause is not a misconfiguration.
[Bluemix Liberty application's log]
2015-07-01T04:17:58.64+0900 [RTR] OUT sampleapp.mybluemix.net[30/06/2015:19:17:49 +0000] "GET /XXX HTTP/1.1" 200
2015-07-01T04:17:58.66+0900 [App/0] OUT res:404 Not Found: Requested route ('cloudhost:cloudport') does not exist.
[SG Client's log]
[2015-06-30 02:37:38.144] [INFO] Connection #32 is being established to remote REST API's host:443
[2015-06-30 02:37:38.227] [INFO] Connection #32 established to remote REST API's host:443
[2015-06-30 02:37:52.535] [INFO] Connection #32 to remote REST API's host:443 was closed
In response to this part of your post:
Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at SecureGatewayClient ?
Yes, HTTPS is required if connecting to an HTTPS remote REST API. Additionally, if you're connecting to a backend HTTPS server, you will need to enable client-side TLS.
The link below provides more info regarding securing a gateway in the Bluemix UI:
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_022.html#sg_009
In response to this part of your post:
Can't we protect the gateway with TLS Mutual Auth?
Yes, you can use TLS:Mutual Auth, but you would also need to upload your own certificate or select auto-generate to automatically create a self-signed certificate/key pair that you can download along with the server certificate.
To use the certificates generated by selecting TLS:Mutual Auth, you will also need to configure your application-side TLS connection, and potentially your client-side TLS connection. Enabling TLS security between the client and your REST API is separate from application-side TLS. Application-side TLS secures access between your sample app and the secure gateway client defined. You can use client-side TLS connectivity independent of application-side TLS, vice versa, or together to provide complete security from your sample app to your REST API.
For more information regarding accessing the secure gateway, please see the link below:
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_023.html

Accessing Proxy over HTTPS doesn't work

I created a webserver (http port 80, https 443) and a proxy server (http 8080, https 8081).
I am seeing an issue when I access the proxy over https like
https://xyz:8081/
Wireshark shows the client (Firefox or Chrome) is sending certificate data in an HTTP packet; I see certificate text.
Any idea what could be wrong? The browser says no data received.
If a TLS session is already established (https webserver), would another TLS session be created if I try to access the https proxy?
I created the SSL socket like:
ctx_init
put the socket on select and did accept/SSL_accept once I get one
and then did SSL_read
NB: All other access, like http/https to the webserver or http to the proxy server, works fine.
Update: The issue was that the client was sending a fragmented HTTP request.
So for a GET request it was sent by the client like this:
Packet 1 was "GE"
Packet 2 was the rest, "T ....\r\n\r\n"
So in code I have to collect until the full HTTP packet is received.
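A single SSL_read (or recv) returns whatever bytes the record layer has delivered, so a reader must keep a per-connection buffer and only act once the header terminator has arrived, and then only once Content-Length bytes of body follow it. The Python below is an added example, not the poster's C/OpenSSL code: it generalises the "GE" / "T ..." case to any split point, to requests with a body, and to two requests arriving in one read, and it refuses headers that never terminate (the MAX_HEADER_BYTES limit is a constructed value) and requests carrying conflicting Content-Length headers, which is the classic request-smuggling ambiguity a proxy should not pass through.

```python
"""Accumulate TCP/TLS read fragments until a complete HTTP request has arrived.

Added example, not the original poster's C code. SSL_read returns arbitrary
fragments ("GE" then "T / HTTP/1.1 ..."), so the reader buffers until the
header terminator, then until Content-Length bytes of body are present.
"""
MAX_HEADER_BYTES = 8192   # constructed limit: refuse unbounded header growth


def content_length(head):
    """Body length declared in the header block; 0 if absent.

    Rejects non-numeric or conflicting values rather than guessing, since a
    proxy that picks one of two differing lengths is a request-smuggling vector.
    """
    values = set()
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            value = value.strip()
            if not value.isdigit():
                raise ValueError("invalid Content-Length")
            values.add(int(value))
    if len(values) > 1:
        raise ValueError("conflicting Content-Length headers")
    return values.pop() if values else 0


def parse_request(raw, head_end, body_len):
    """Split one complete request into method/target/version, headers and body."""
    lines = raw[:head_end].decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    body = raw[head_end + 4:head_end + 4 + body_len]
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


class RequestAssembler:
    """Per-connection buffer: feed() every fragment, get back complete requests."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        """Append a fragment and return the list of requests it completed (may be empty)."""
        self.buf += chunk
        requests = []
        while True:
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:                              # headers still incomplete
                if len(self.buf) > MAX_HEADER_BYTES:
                    raise ValueError("header section too large")
                return requests
            body_len = content_length(self.buf[:end])
            total = end + 4 + body_len
            if len(self.buf) < total:                # body still incomplete
                return requests
            requests.append(parse_request(self.buf[:total], end, body_len))
            self.buf = self.buf[total:]              # keep any pipelined remainder


if __name__ == "__main__":
    # Constructed fragments reproducing the split the poster saw in Wireshark.
    conn = RequestAssembler()
    print(conn.feed(b"GE"))                           # [] : nothing complete yet
    print(conn.feed(b"T / HTTP/1.1\r\nHost: xyz:8081\r\n\r\n"))
```

In the C server the same loop sits around SSL_read: append each return value to the connection's buffer, run the completeness check, and only hand a request to the proxy logic when the check passes; anything left over after a complete request is the start of the next one and must stay in the buffer.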