I'm facing a funny issue here.
I got a C# Webforms application running on IIS6. When the user clicks on a certain link, my app makes a REST call to a webservice hosted in the cloud. This call, made by the app running on IIS, fails. We get a WebException, with the message "no response from server".
However, if I try to connect to the same web service, from the same machine, with the same credentials, using SoapUI, the call succeeds. So I guess this means that I can rule out firewall issues, credential issues, and availability of the service.
The code has been tested on numerous other machines (dev, test, staging...), and it worked successfully, so the code itself should not be an issue. I think it's an environmental issue (a setting on web.config or machine.config which prevents outgoing requests).
Any idea as to what that could be?
Thanks!
The reason our REST calls were failing was that we were missing an SSL certificate.
We were trying to make the REST call using HTTPS. The REST service provider's SSL certificate was signed by a well-known CA. However, our server apparently had a hardened build, and the CA's certificate was missing from the certificate repository. Hence, the provider's SSL certificate was considered unsafe.
Sadly, the .Net framework exception had no useful information about this.
We installed the CA's certificate and the issue was fixed.
Related
For the past couple of years we've been developing a client/server application and it's been working well with us hosting the server and applications. I've recently started work on getting our mobile app to connect and have run into a snag.
The mobile app can login and obtain a token but when it presents that token for an API call Owin is failing to create a valid Principal.
The same API call from our desktop app (running on the same physical machine as the server) has an HttpRequestMessage "MS_OwinContext" property with the Authentication.User field populated. The same call from the mobile does not.
Yet both of them seem to be sending the same API request (different bearer token of course). Alternative can anyone tell me where I might at least start looking or how I could get information from OWIN as to what it's doing? It's also worth pointing out that the mobile app (Xamarin) shares most of its code with the desktop application.
Right now I'm staring at a black box and all I know is that 'it doesn't work'.
Okay the problem was that the server was setting Authority in the bearer options to be localhost. Audience is derived from this so when connecting using the host name validation fails.
The answer appears to therefore not use localhost as part of the authority.
I am using chrome.sockets.tcp API to create a secure connection. No errors are being encountered when connecting using a trusted certificate.
However, I'm facing error -202 (CERT_AUTHORITY_INVALID) (among other possible [certificate errors][2]) when trying to connect to a server with a self-signed/untrusted certificate.
Is it possible to warn the user about the invalid certificate and provide the option to continue with the connection? (similar to the way Chrome handles such situations)
Seeing nothing on the topic in the docs (and SocketsTcpSecureFunction::AsyncWorkStart(), the source code of chrome.sockets.tcp.secure, only verifies the certificate but doesn't try to handle the errors, it would only report them back) I'd conclude there's no way to interactively handle this predicament.
Maybe you can import the certificate on the client machine but it won't help other users of the site unless they're willing to do the same.
I've followed the guide:
Getting Started with Authentication with Mobile Services .NET for Windows Store
I'm able to run the service locally as long as I don't need to authenticate the user. I can also authenticate the user if I publish the service to Azure. But I want to be able to test and authenticate the user locally. How can this be done?
I'm using Live ID and I have the correct ClientID and ClientSecret set in the Web.config. When I attempt to call LoginAsync from the client the call fails with The request could not be completed. (Method Not Allowed)
** Update 2014-03-20 **
Based on the comments of Carlos and Henrik, I've updated my local service to look exactly like my server instance. I followed Scot Hanselmans excellent guide and now I have my service running locally on port 80 and port 443 with a completely valid SSL certificate. It's even running on the exact same https://xxxx.azure-mabile.net hostname.
With these changes, there is now no configuration difference whatsoever between running the app against my local machine or running it against Azure. I can go to https://xxxx.azure-mabile.net in the browser, get redirected to Live login, sign in, and get redirected back to the service successfully. In the browser it all works. However it still doesn't work in the app.
I attached the debugger, set CLR errors to "break when thrown" and I managed to trap the exception in the service. Here's what I see in the immediate window:
The Response property is not helpful. It does not provide any additional information about the problem.
The only thing that stands out to me is that the app is trying to do a POST to /login/microsoftaccount while the browser would normally be doing a GET at this address (then getting redirected).
** Update #2 2014-03-20 **
After following Henriks guide for remote debugging I was able to load symbols and get a tiny bit more information:
"An existing connection was forcibly closed by the remote host"
The error code is 10054 (WSAECONNRESET) Connection reset by peer.
It appears the Live Authentication server may be forcibly terminating the connection, but only when I'm authenticating with the app. Again, authentication within the browser is fine. This, combined with the fact that /login/microsoftaccount is a POST from the app seems to suggest there is a problem with the authentication token I'm getting back from LiveClient.LoginAsync. I'll do some more digging...
At the moment, it is set up so that you don't need authentication when running locally and access the service from localhost. In this case, anonymous access is let through (this is of course disabled while running in the cloud).
We don't really have a way for your to authenticate locally as redirect URIs won't work (they can't point to localhost as there is not way that Facebook, say, can resolve "localhost").
One option is that we somehow can mock the authentication locally and give you a token without connecting with the various identity providers. I am not sure exactly what that would look like but it is something we can consider.
Henrik
Did you perhaps set Mobile client app: Yes in your Live Connect project? I think that setting is meant to be used with the Live Connect SDK (client) flow, not the browser-based (server) flow. The client flow isn't supported yet with a .NET backend.
You also want to make sure you are using LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount) on the client to trigger the server flow.
In IIS7 I have a FTP site and Website for deployment. Everything works fine, the only thing I do not like is that theoretically every user can tamper with the application files on FTP because read/write access is configured for anonymous.
I fixed this by enabling and configuring "Basic Authentication" instead of "Anonymous Authentication" and now I have to provide my domain password during deployment.
Great! So what's the problem?
The problem is that the password is transferred unencrypted.
Question(s): How can I make sure that the password is encrypted (can I use sftp instead of ftp?)
Any thoughts about certificates? I already tried with a self signed certificate but didn't managed to get things running.
Are there other way to deploy software more secure? I tried over https but I don't have the Frontpage Extension which is necessary for this.
I'm currently writing a iphone app which will consume WCF services over a secure connection (SSL/https). I have managed to consume this service while testing locally via http.
Now we want to make sure the service is secure, so we've set up a UAT server with a properly signed certificate to run our tests.
We are using a custom binding, coupled with security mode TransportWithMessageCredentials which requires a username/password in the ClientCredentials property.
Generated the proxy using SISvcUtil.exe
When I try to call this secure service from the iPhone, I get a rather lovely generic error of:
Exception in async operation: System.Net.WebException: There was an error on processing web request: Status code 500(internal server error)
(Here is a pastebin of full exception ).
I've tried implicitly accepting the certificate using:
ServicePointManager.ServerCertificateValidationCallBack = (sender, cert, chain, ssl) => true;
but this just returns the same 500 error.
The same code works great on a windows machine but not on the iphone. Has anyone else come across this problem and/or know of a solution to it?
This could be a bug in monotouch, it may not have full implementation of generated proxy using SISvcUtil.exe, did you try generating a mac app and test it on mac?
Does monotouch have any documented example with support on WCF proxy? If they dont have then probably it may not work, monotouch does not provide a .NET runtime, instead it actually compiles everything to native ios binary. So if WCF proxy is not correctly transformed, it will not work.
So it would seem that at the time of writing, Monotouch doesn't support WCF very well (it currently has a barebones implementation).
Due to this, and the need for decent security around our webservice, we've decided to go down a different route; validating the user via username+password over a secure, encrypted SSL connection everytime the web service is called. We use Silverlight 3.0 SiSUtil.exe to generate the bindings for the webservice rather than include it as a web reference in the project.
Generally when getting Internal Server errors I've found the cause to be a problem with the HTTP headers being sent in the request. I don't really use WCF on MonoTouch so I'm not sure about the implementation.