Sustainsys.Saml2.Exceptions.InvalidSignatureException - sustainsys-saml2

In my callback GetExternalLoginAsync, the return value is always null. So I added ILogger into the SP Options and was able to see the Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signing algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 is weaker than the minimum accepted http://www.w3.org/2000/09/xmldsig#rsa-sha1. If you want to allow this signing algorithm, use the minIncomingSigningAlgorithm configuration attribute. being thrown.
I followed the suggestion to add the minIncomingSigningAlgorithm="SHA256"; however, now I'm getting a yellow screen error.
The problem is happening on a Windows 2008 R2 server. It worked fine on all of our other servers so I'm assuming it has something to do with the OS.
I have recently installed .NET 4.6.1 into this box.
var loginInfo = await HttpContext.GetOwinContext().Authentication.GetExternalLoginInfoAsync(); //always null

The Windows server seems to be incompatible with SHA-256.
Tried SHA-16 on the certificate and it worked.
I am by no means suggesting to use SHA-16 given that this is a very insecure cryptographic method and should not be used, but I'm just highlighting what worked with our very old operating system.

Related

How to disable wss4j timestamp cache

I need to update a Java EE application (still on Java 1.7) that provides a SOAP web service, and I'd like to disable the TIMESTAMP_CACHE that wss4j (v2.0.2) uses to control replay attacks. It creates too many files and the OS repeatedly reaches the maximum number of open files allowed. The files start to appear, one for each request that has been made, and are named in the following way:
wss4j%002etimestamp%002ecache-e%0058ga%0058l%0058%004b%0057g%004ah%0050w==.data
The documentation states that the TIMESTAMP_CACHE can be changed (or so I understand):
ConfigurationConstants.ENABLE_TIMESTAMP_CACHE ("enableTimestampCache"): Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message Signature). The default value is "true".
I've found many examples to change some of these ConfigurationConstants when a client application creates the Call object. See an example to change the PASSWORD_TYPE constant:
Service service = new Service();
Call call = (Call) service.createCall();
...
call.setProperty(UsernameToken.PASSWORD_TYPE, WSConstants.PASSWORD_TEXT);
call.setProperty(WSHandlerConstants.USER,"werner");
However, my application is not on the client side but on the server side, and so far I haven't found a way to change the ENABLE_TIMESTAMP_CACHE constant.
Any idea?
I couldn't find a way to disable the timestamp cache. However, the wss4j behaviour described above happened to be a bug that not only resulted in lots of open files but in lots of open threads. It has already been fixed in version 2.0.9. Upgrading to the "newer" version did the trick.
You can find here the full discussion that led to the bug's discovery and here the fix in wss4j's Jira.

Smart Card Validation Pin Error 0x80100001

I'm using a Gemalto USB token and SafeNet software to digitally sign my documents in Adobe Acrobat Pro. While everything worked fine and nothing has changed, I'm getting this error after entering my (correct) PIN number. The message says: 'Error occurred during PIN validation'. According to authentication return values, it is related to:
SCARD_F_INTERNAL_ERROR: An internal consistency check failed.
Besides that, 'Validating Signatures' option in Adobe is disabled.
Thank you!
For somebody else encountering a similar problem: The error code is by PCSC, and so not necessarily card-related.
If other applications are also unable to verify the PIN, the issue might be caused by the reader driver, or as in the case above by any software required for accessing the card [here: SafeNet]. Re-installing those is worth a try.
Same problem here.
On a new PC I couldn't use this token.
I checked how Windows recognized the device on a different one where it worked fine. Seems like the culprit is a newer driver from Microsoft.
All I had to do was to replace it. Visit here and click:
"Gemalto IDPrime - SmartCard - 10/20/2017 12:00:00 AM - 8.5.0.7 Windows 10 Creators Update and Later Servicing Drivers"
Download the cab file.
Extract it.
Next you have to "update" the driver with the old one.

Invalid login, please try again after upgrade from 3.5.10 to 3.6.8

I have created an identical copy of our production instance to my local environment running XAMPP and I am trying to do the following:
After upgrading Moodle from 3.5.10 to 3.6.8 and restoring all plugins etc., I am unable to log in. Before upgrading to 3.6.8, I had already performed the following upgrades:
3.4.1 -> 3.4.9
3.4.9 -> 3.5.10
and everything worked fine during those 2 upgrades. I followed exactly the recommended upgrading method as described in Moodle's docs.
After successfully upgrading to 3.6.8, I successfully passed the step about the server requirements for the correct PHP, MySQL and DB versions. I then successfully passed the next step as well for upgrading the database and made sure that all the plugins are fine and had no errors (just some warnings about a few plugins that can be updated to a newer version), and after that step finished too, I then got back to the /admin/index.php screen asking me to log in. That seemed weird to me because during the previous updates it never asked me to log in after completing the upgrade, but I said, OK, I'll just log in. So after trying to log in I am constantly getting the message "Invalid login, please try again".
I have tried almost anything here and by anything I mean the following.
First of all, I checked my hashed password in the local database and it is exactly the same with my hashed password in production database.
I then read an article saying that the logintoken was introduced from Moodle 3.1, and since we use the mb2nl theme, I supposed that I just have to add the new hidden input field for this logintoken to the login form, but the field was already there and again that was not the issue.
I am at a point where I cannot think of what else might be wrong and I am stuck.
Some more information about our whole setup: we have a Joomla website and our Moodle users are actually coming from Joomla. Therefore we use a plugin named Joomdle which connects these 2 CMSs. Our users register on our Joomla website and the Joomdle plugin sends the credentials to Moodle, and the user is created in the Moodle CMS as well and an entry is created in Moodle's "user" table. The difference is that Moodle generates a different hashed password from the hashed password that Joomla does. Anyway, there were no problems at all with logins or anything else, since I tried logging in with multiple user accounts in Moodle and all worked fine, before upgrading to version 3.6.8.
This is not a Joomdle issue since I already checked this by completely removing Joomdle and this is not the cause. This is probably coming from Moodle core but since Moodle has NO error reporting or logging at all, I really cannot understand what this is.
To exclude one more matter linked in this question, I already checked and made sure that Moodle's password salt is the same in both production and local environments.
I am not sure what is going on here and this is why I desperately need some help from experts.
Solution:
I was able to solve this problem but forgot to come back here and give the solution.
The problem was that, as I said above, we are using the mb2nl theme and the theme's login form did not include the hidden input field to create the logintoken.
In my question above I write somewhere in the middle "I supposed that I just have to add the new input hidden field for this logintoken to the login form but the field was already there and again that was not the issue". I was looking in the wrong place. The login form that I was looking at was Moodle's own login form and not the theme's login form.
I then found the login form in the theme's files and the logintoken hidden input field was indeed missing from there. I added it and then I was able to log in normally.
Happened to me today. Executing the cron.php CLI script triggered the upgrade process again and solved my problem.
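An added example, not part of the original posts and not Moodle's or the theme's code: a Python check for the condition the accepted solution describes, a login form in a theme file that collects a password but has no hidden logintoken input. The sample markup, the form id and the placeholder token value are constructed for illustration; the field names username and password are assumed to match the theme's form.

```python
from html.parser import HTMLParser

class LoginFormAudit(HTMLParser):
    """Record, for every <form>, the names of the <input> fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form seen
        self._current = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"id": attrs.get("id"), "line": self.getpos()[0],
                             "inputs": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].add(attrs.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def forms_missing_logintoken(markup):
    """Return forms that take a password but carry no logintoken input."""
    audit = LoginFormAudit()
    audit.feed(markup)
    audit.close()
    return [f for f in audit.forms
            if "password" in f["inputs"] and "logintoken" not in f["inputs"]]

# Constructed sample markup: a theme login block before and after the fix.
THEME_FORM_BEFORE = """
<form id="header-login" action="https://moodle.example/login/index.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""
THEME_FORM_AFTER = THEME_FORM_BEFORE.replace(
    "</form>",
    '  <input type="hidden" name="logintoken" value="TOKEN-PLACEHOLDER">\n</form>')

if __name__ == "__main__":
    for label, markup in (("before", THEME_FORM_BEFORE), ("after", THEME_FORM_AFTER)):
        print(label, forms_missing_logintoken(markup))
```

Running the function over each template or layout file of a custom theme lists the forms, by id and line number, that still need the hidden field.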

Sentry Raven inside Firefox Addon SDK

I am making a Firefox Extension and I want to log the errors/messages/exceptions produced by the extension code using Sentry.
I tried the JavaScript Raven client but I guess it's not really made to live inside the "Content" context.
The error I get is: message = "debug" is read-only, but my actual question is, how do I go about integrating Sentry in a Firefox Addon?
PS: No, this won't go into general distribution, my API keys are safe.
What I did was just to omit calling .install() and just use the error/message reporting.
There will be no automatic catching and source code but it works for my purposes.

HTTP Error 404.19 - Not Found in IIS 8.5

I have a website which runs perfectly in IIS 7.5, but the same site with the same configuration is not working properly in IIS 8.5. I am passing a system string variable in the URL and it shows me
HTTP Error 404.19 - Not Found error.
So I am not able to catch the exact issue. All things are the same for both IIS installations except the IIS version. So I need your thoughts on the problem, so that I can also look into this. Unfortunately I am new to .NET, so I need basic answer(s). Thanks.
If I pass "&system=value1" in the URL for IIS 8.5 then it stops working, and this didn't even generate any log. So please help me with this.
I just came to know that if I use the word "sys" in the query string then it gives the error. How to avoid this issue now?
This can be found in IIS under Request Filtering. Usually, you will see this under the Deny String section of a rule, possibly one meant to thwart SQL Injection attacks.
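An added example, not part of the original posts: a Python sketch that reads a Request Filtering section and reports which rule and deny string would match a given request, which is how a deny string of "sys" ends up rejecting "system=value1". The rule name, its deny strings and the .aspx scope are a constructed sample; the matching is a simplified model (plain substring, compared case-insensitively here as an assumption) and not IIS's own implementation.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample of a <requestFiltering> section (not taken from the post).
SAMPLE_CONFIG = """
<requestFiltering>
  <filteringRules>
    <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
      <appliesTo>
        <add fileExtension=".aspx" />
      </appliesTo>
      <denyStrings>
        <add string="--" />
        <add string="sys" />
        <add string="xp_" />
      </denyStrings>
    </filteringRule>
  </filteringRules>
</requestFiltering>
"""

def _is_true(value):
    return (value or "false").strip().lower() == "true"

def blocking_rules(config_xml, path, query):
    """Return (rule name, deny string) pairs that match the request.

    Simplified model: plain substring match, compared case-insensitively,
    against the URL path and/or query string as the rule's scan flags say.
    """
    hits = []
    ext = os.path.splitext(path)[1].lower()
    for rule in ET.fromstring(config_xml).iter("filteringRule"):
        applies = [a.get("fileExtension", "").lower()
                   for a in rule.findall("appliesTo/add")]
        if applies and ext not in applies:
            continue  # rule is scoped to other file extensions
        scanned = []
        if _is_true(rule.get("scanUrl")):
            scanned.append(path.lower())
        if _is_true(rule.get("scanQueryString")):
            scanned.append(query.lower())
        for deny in rule.findall("denyStrings/add"):
            needle = deny.get("string", "").lower()
            if needle and any(needle in text for text in scanned):
                hits.append((rule.get("name"), deny.get("string")))
    return hits

if __name__ == "__main__":
    for q in ("id=7&system=value1", "id=7&mode=value1"):
        print(q, "->", blocking_rules(SAMPLE_CONFIG, "/page.aspx", q))
```

Once the matching rule is identified, the parameter can be renamed or the rule's deny string made more specific, rather than removing the filtering rule as a whole.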