What exactly is the requirement to create a company internal App with Xamarin.Forms UWP? I can compile the *.appxbundle-Package but nobody can install it because of an certificate error. If I try to use our normal code signing certificate from StartSSL to sign the package, I got the following error:
The Manifest Designer could not import the certificate.
The certificate you selected is not valid for signing because it is
either expired or has another issue. For more information, see:
https://go.microsoft.com/fwlink/?LinkID=241478
The same certificate is used by our other desktop application with the signtool, so I guess the certificate is ok. Usage of the signtool for other .NET assemblies such as WPF projects:
"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /f "..\..\..\..\..\Finaltec\Framework\Signing.pfx" /p ... /tr "http://timestamp.globalsign.com/scripts/timestamp.dll" "$(TargetPath)"
Are there any special requirements to sign a UWP app so anyone can install it? The used certificate is a Class 3 StartSSL Code Signing Certificate and it is valid until Junuary 2020. If I try to install the app with the generated test certificate from the Visual Studio, I got the message that the root certificate is not trusted and the installation process will be canceled. Even if I install the certificate manual before I got the same result error.
Code Signing Certificate informations:
Name: CVA Computer - Visualisierung und Animation GmbH
Address: Beckebohnen 2
Zip, City: 31618 Liebenau
State, Country: Niedersachsen, DE
Phone: +49-502398110
Email: info#cva.de
Expiry Date: 2017-04-14
Package.appxmanifest content:
<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" IgnorableNamespaces="uap mp">
<Identity Name="f736c883-f105-4d30-a719-4bf328872f5e" Publisher="CN=CVA Computer - Visualisierung und Animation GmbH" Version="1.0.1.0" />
<mp:PhoneIdentity PhoneProductId="f736c883-f105-4d30-a719-4bf328872f5e" PhonePublisherId="00000000-0000-0000-0000-000000000000" />
<Properties>
<DisplayName>CVA.COS_App</DisplayName>
<PublisherDisplayName>CVA Computer - Visualisierung und Animation GmbH</PublisherDisplayName>
<Logo>Assets\StoreLogo.png</Logo>
</Properties>
<Dependencies>
<TargetDeviceFamily Name="Windows.Universal" MinVersion="10.0.0.0" MaxVersionTested="10.0.0.0" />
</Dependencies>
<Resources>
<Resource Language="x-generate" />
</Resources>
<Applications>
<Application Id="App" Executable="$targetnametoken$.exe" EntryPoint="FPCL.WIndows.App">
<uap:VisualElements DisplayName="CVA.COS_App" Square150x150Logo="Assets\Square150x150Logo.png" Square44x44Logo="Assets\Square44x44Logo.png" Description="CVA.COS_App" BackgroundColor="#f4f4f4">
<uap:DefaultTile Wide310x150Logo="Assets\Wide310x150Logo.png">
</uap:DefaultTile>
<uap:SplashScreen Image="Assets\SplashScreen.png" />
<uap:InitialRotationPreference>
<uap:Rotation Preference="portrait" />
<uap:Rotation Preference="landscape" />
<uap:Rotation Preference="portraitFlipped" />
<uap:Rotation Preference="landscapeFlipped" />
</uap:InitialRotationPreference>
</uap:VisualElements>
</Application>
</Applications>
<Capabilities>
<Capability Name="internetClient" />
<Capability Name="privateNetworkClientServer" />
<DeviceCapability Name="webcam" />
</Capabilities>
</Package>
If I try to use our normal code signing certificate from StartSSL to sign the package, I got the following error
If we want to sing a UWP app, the code signing certificate is needed. The certificate you got from StartSSL is used for client authentication, you can check the Enhanced Key Usage field:
Available code signing cert:
The cert from StartSSL:
See also: What is special about a code signing certificate? and Intro to certificates
------Update 11/16/2016------
Please see the Validating Certificates section at https://go.microsoft.com/fwlink/?LinkID=241478
It looks like this certificate violates the sentence I bolded in:
Verifies the value of the Enhanced Key Usage property, which must
contain Code Signing and may also contain Lifetime Signing. Any
other EKUs are prohibited.
Their screenshot (below) shows the enhanced keys Codesignatur and Kernelmodus-Codesignatur.
Related
currently We have CAS SSO to our existing .net application, but now client is asking for Shibboleth SSO instead CAS. I'm totally new to Shibboleth.
Client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
By using guidelines from Shibboleth site, below are the steps i followed.
Installed Shibbolth Service provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed Shibboleth Idp (in which jetty also checked)(shibboleth-identity-provider-3.3.3-x64.msi)
Web Application with self signed certificate
attached my Shibboleth2.xml file
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <InProcess logger="native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
</ISAPI> </InProcess> <RequestMapper type="Native"> <RequestMap> <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap></RequestMapper><ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https"> <SSO entityID=""urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1 </SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP">/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root#localhost"
helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing......
When i try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
getting error no metadataprovider available.
Noticed Problems:
1.when i try to add Metadataprovider Shibboleth daemon 2 service is getting
stopped and unable to start.if i remove it's is running.
2.Shibboleth Idp 3 deamon is getting stopped very frequently
When i run 'SC interrogate shibd_idp' in command prompt, results are
control service failed 1062
the service has not been started.
I donno what is wrong with my work.
Can any one please tell me what are the steps to be followed to accomplish this integration.
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called metadata provider, you will need to open that.
If you have done this but shill service is not getting started then you can check the log and give additional info in question.
Another reason I can think of is connection problem. Try downloading idP's metadata and store it physically in the SP configuration folder. Manually map the file, using following tag
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues has been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. we are getting the Shibboleth Identity provider login page.We are able to see the attributes in Session.Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page.Currently we created 1 sample html page under secure folder in our application. once we logged in we are able to this html page.But when i tried to redirect to our application home page, it's giving 500 error. Can any one knows like how to redirect to our app home page and retrieve the attributes in the application.
I am trying to include SSO with office 365 for one of our web applications.
the problem is that as soon as SSO is working all my postbacks are getting ignored.
what I did was the following,
I installed those Nuget Packages
- Microsoft.Owin
- Microsoft.Owin.Host.SystemWeb
- Microsoft.Owin.Security
- Microsoft.Owin.Security.Cookies
- Microsoft.Owin.Security.OpenIdConnect
- Owin
I created an app in my AAD
then I've added some settings to my web.config
<add key="ida:PostRedirectUri" value="http://localhost:4439" />
<add key="ida:ClientId" value="XXXXXXX" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
<add key="ida:Tenant" value="XXXX.onmicrosoft.com" />
<add key="ida:PostLogoutRedirectUri" value="http://localhost:4439" />
and I added Startup.vb to my solution with the following content
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
app.UseCookieAuthentication(New CookieAuthenticationOptions())
app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions() With {
.ClientId = clientId,
.Authority = authority
})
app.UseStageMarker(PipelineStage.Authenticate)
and after this the SSO works however al postbacks on buttons fail
if I click a button the page just gets reloaded.
also the IsPostBack parameter is alwayst false.
What I found was that when I remove the "app.UseOpenIdConnectAuthentication" part, postbacks are working again, but SSO is not.
how can I make sure my postbacks are working and I can also use UseOpenIdConnectAuthentication ?
thank you.
I found the issue,
in my web.config I had
<modules runAllManagedModulesForAllRequests="true">
in system.web
removing the key "runAllManagedModulesForAllRequests" solved the problem
<modules>
I have an Identity Provider that I wish to preform SSO against using SAML 2.0
I'm using https://github.com/KentorIT/authservices
The IdP configuration is :
Entity Id: https://xxx.yyy.com/auth
Assertion Consumer Service URL: http://zzz:1111/AuthServices/Acs
I have created a self-signed certificate and added it to the local project.
The local configuartion:
<kentor.authServices entityId="https://xxx.yyy.com/Files/Metadata/IdP/Saml"
returnUrl="http://localhost:8585/">
<identityProviders>
<add entityId="https://xxx.yyy.com/"
signOnUrl="https://xxx.yyy.com/Saml/Login.aspx"
allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
<signingCertificate fileName="~/App_Data/SelfSignedCertificate-2016-01-10-22-37.cer" />
</add>
</identityProviders>
<federations>
<add metadataLocation="http://localhost:52071/Federation" allowUnsolicitedAuthnResponse="true" />
</federations>
</kentor.authServices>
I will appreciate any kind of help as i'm stuck with this.
Thanks
Gilad
The first entityId, in the kentor.authServices root element should be the identifier you use for your site. Typically http://zzz:1111/AuthServices, which is the ACS url minus the last part.
The signingCertificate within the identityProviders/add element should not be your own certificate, but the certificate that the Idp uses to sign messages.
The federations element should be completely removed. It points to the local development environment, that it looks like you've copied the config from.
I'm attempting to create a logon token using the BOE BI Platform RESTful SDK v4.1 (using RESTClient).
A GET request to http://server:6405/biprws/logon/long/ returns:
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string" />
<attr name="password" type="string" />
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secEnterprise</attr>
</attrs>
A POST to http://server:6405/biprws/logon/long/ with a single header of Content-Type: application/xml and a payload of
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string">myAccount</attr>
<attr name="password" type="string">myPassword</attr>
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secWinAD</attr>
</attrs>
returns:
<error>
<error_code>FWM 00006</error_code>
<message>Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName#DNS_DomainName, and then try again. (FWM 00006)</message>
</error>
I've also tried attr name="userName" type="string">myAccount#mycompany.org</attr>, but with the same results.
A POST to http://server:6405/biprws/logon/adsso returns:
<error>
<error_code>RWS 00057</error_code>
<message>Method not allowed (RWS 00057)</message>
</error>
The credentials work with BI Launchpad and the CMC.
What am I missing?
First, a disclaimer -- I've only done REST WinAD with SSO, not manual logon. So I can't be absolutely sure that my suggestions below will fix your problem.
The call to /biprws/logon/adsso requires a GET not a POST, but that will likely not work until you have SSO working.
There are a few settings that are required for WACS to use WinAD, with or without SSO. The file is here:
SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\pjs\services\RestWebService\biprws\WEB-INF\web.xml
You will see a section commented out, starting with:
<!-- Kerberos filter section starts
Uncomment this section. Then set the following parameters:
idm.realm
idm.princ
idm.keytab
idm.kdc
idm.allowUnsecured
The values for these parameters should equal what was set in your system for BI launch pad. This is in:
SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties
The format of the file is different (global.properties is a simple properties file, but web.xml is xml). So you can't just copy/paste the section, but you can copy the individual values. For example, in global.properties, you might see:
idm.keytab=C:/WINDOWS/bosso.keytab
This would be done in web.xml as:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:/WINDOWS/bosso.keytab</param-value>
<description>
The file containing the keytab that Kerberos will use for
user-to-service authentication. If unspecified, SSO will default
to using an in-memory keytab with a password specified in the
com.wedgetail.idm.sso.password environment variable.
</description>
</init-param>
Couple of references:
http://myinsightbi.blogspot.com/
https://techwriter79.wikispaces.com/file/view/sbo41sp5_bip_rest_ws_en.pdf
Installer installs windows service.
I provide form to user to select one of accounts to start the service:
Local service
Local System
Network System
User account
When I select User and enter Domain\Administrator account + pwd during the installation, service cannot be started.
When I select Local Service it started ok. After this I can change manually account to the same Domain\Administrator account and it started ok.
Why such different behavior?
How I can start service during the installation under any users' account?
Take a look at the Util Extensions User element. You can set the CreateUser attribute to no, the Name attribute to the [PROPERTY] that you are using in your UI for UserName Input and the LogonAsService attribute to yes. This will instruct WiX to grant your user the LogOnAsService right without having to write a custom action to call ntrights.exe.
Here's a sample as requested:
<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
<Product Id="*" Name="Setup" Language="1033" Version="1.0.0.0" Manufacturer="test" UpgradeCode="5c6b0f52-d024-4f1b-bfae-2dbb96b3ef15">
<Package InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
<MajorUpgrade DowngradeErrorMessage="A newer version of [ProductName] is already installed." />
<MediaTemplate EmbedCab="yes" />
<UIRef Id="WixUI_Minimal" />
<Feature Id="ProductFeature" Title="Setup" Level="1">
<ComponentRef Id="serviceComponent" />
</Feature>
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLFOLDER" Name="Setup">
<Component Id="serviceComponent" Guid="380bbddd-daa7-0744-517b-37da768f5570">
<File Id="serviceFile" Source="$(var.WindowsService.TargetPath)" KeyPath="yes" />
<ServiceInstall Id="serviceInstall" Name="WindowsService" DisplayName="WindowsService" Start="auto" Type="ownProcess" ErrorControl="ignore" Account=".\serviceaccount" Password="p2Ekutrekac34ph2" />
<ServiceControl Id="serviceControl" Name="WindowsService" Start="install" Stop="both" Remove="both" Wait="no" />
<util:User Id="user" CreateUser ="yes" Name ="serviceaccount" Password="p2Ekutrekac34ph2" LogonAsService="yes" UpdateIfExists="yes" RemoveOnUninstall="yes" PasswordNeverExpires="yes" FailIfExists="no" Domain="[ComputerName]" CanNotChangePassword="yes" Disabled="no" PasswordExpired="no"/>
</Component>
</Directory>
</Directory>
</Directory>
</Product>
</Wix>
You need to make sure that the selected user account has the right to log on as a service. It doesn't matter if you are an Administrator, you cannot install services for an user without giving him the log on right.
If setting this policy works, you also need to do it dynamically during install. A solution is to use ntrights.exe as a custom action. This custom action can use your custom properties which contains the user account information.
In case anyone wonders why the code from #Christopher Painter his answer didn't work. I had similar code that didn't work with error 1923.
Error 1923. Service '' () could not be installed. Verify that you have sufficient privileges to install system services.
MSI (s) (10:08) [15:55:00:161]: Product: '' (64 bit) -- Error 1923. Service '' () could not be installed. Verify that you have sufficient privileges to install system services.
Until I found that services.msc dialog needs to be closed during installation.
No idea why, but it works.
During development services.msc was open all the time, so I never noticed.