Authentication error sending messages to Windows Service Bus 1.0 on AWS - amazon-web-services

I am trying to send and receive messages from a local workgroup machine (Windows 7), call it the 'client', to Service Bus 1.0 set up on a workgroup server (hosted on AWS EC2). After many trials and research I'm unable to send messages from the client machine to the server. I've followed a number of articles that appear to indicate that it is possible to do, but I cannot resolve the authentication issue I'm seeing.
Connecting to Windows Server Service Bus on AWS
Microsoft Service Bus on a Windows Workgroup
I note the Microsoft system requirements appear to indicate that it is "not supported" and "not possible". My question is: can this be done, and has anyone had success? Any help would be greatly appreciated.
msdn.microsoft.com/en-us/library/windowsazure/jj193011(v=azure.10).aspx
My attempts include using either the WindowsTokenProvider and OAuthTokenProvider. I get the same result:
System.UnauthorizedAccessException: The token provider was unable to provide a security token while accessing 'https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace/$STS/Windows/'. Token provider returned message: ''. ---> System.IdentityModel.Tokens.SecurityTokenException: The token provider was unable to provide a security token while accessing 'https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace/$STS/Windows/'. Token provider returned message: ''. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
The Service Bus namespace is set up with AddressingScheme "Path" for a workgroup install. And the client side connection string includes the IP to reach the server, and I've set a RemoteCertificateValidationCallback before creating the queues.
Endpoint=sb://xx.xx.xx.xx/ServiceBusDefaultNamespace;StsEndpoint=https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace;RuntimePort=9354;ManagementPort=9355;WindowsUsername=SBUser;WindowsDomain=[NotUsed];WindowsPassword=[Password]
Code to attach to the remote queue and send a message is as follows:
ServiceBusConnectionStringBuilder connBuilder = new ServiceBusConnectionStringBuilder(ConfigurationManager.AppSettings["Microsoft.ServiceBus.ConnectionString"]); // Gets the connection string above
TokenProvider tokenProvider = WindowsTokenProvider.CreateWindowsTokenProvider(connBuilder.StsEndpoints, new NetworkCredential(connBuilder.WindowsCredentialUsername, connBuilder.WindowsCredentialPassword));
MessagingFactorySettings messagingFactorySettings = new MessagingFactorySettings();
messagingFactorySettings.TokenProvider = tokenProvider;
MessagingFactory messagingFactory = MessagingFactory.Create(connBuilder.GetAbsoluteRuntimeEndpoints(), messagingFactorySettings);
requestQueue = messagingFactory.CreateQueueClient("RequestQueue");
...
requestQueue.Send(sendMessage); // Fails here
The server account is SBUser with a password and I have left the domain/host specified blank on the token provider. I note that the Event Viewer on the server shows the authentication being attempted is the client's user account not the one from the token provider. Why is this? I'm obviously missing something in order to authenticate on the server.
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [ClientLogin]
Account Domain: [ClientMachine]
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Appreciate any help. Thanks.

Try with the OAuthTokenProvider and make sure that connBuilder is passing the right values.
TokenProvider tokenProvider = TokenProvider.CreateOAuthTokenProvider (connBuilder.StsEndpoints, new NetworkCredential(connBuilder.WindowsCredentialUsername, connBuilder.WindowsCredentialPassword));
Once you try this, please reply with the exception you get in your client. Also, on the server, search for an event in the Service Bus section that would give more details about the exception.
With that information we should continue to the next step.

Did you get to the bottom of this?
I have managed to get around the exact same issue by setting the Fully Qualified domain name of the server that the certificate is bound to in the client machine hosts file.
So where you have entered the IP address in the connection string, you should instead enter 'AMAZONA-PQxxxxx'. And in your hosts file, have the 'AMAZONA-PQxxxxx' resolve to the IP address.

We had the same issues. Server W2k12R2, standalone, Workgroup; client Windows 7, same Workgroup.
It's necessary to have the same user accounts on both systems. Looks like this is some kind of "authentication proxy stuff" running.
Take a look at the compatibility matrix mentioned above:
http://msdn.microsoft.com/en-us/library/windowsazure/jj193011(v=azure.10).aspx
Thank you,
Holger

Related

SAML error with Kubernetes: ‘InResponseToField of the Response doesn’t correspond to sent message’

I am having a recurring issue with shinyproxy (currently 2.5.0 - based on Springboot) hosted within a kubernetes cluster (currently a single node). I'm using Auth0 with SAML. Traffic goes through a Nginx ingress controller that does TLS termination and has a fairly basic configuration. What I don't understand is that I will get the following error, but only once in a while. If I try to login, I will get the error, but then after that, if I go back to the login page and try to log in again, everything works fine.
o.s.security.saml.log.SAMLDefaultLogger : AuthNResponse;FAILURE;[Auth0 URN];;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a12g399012cidi7i2i3ha3ha4h6e6jc
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:175)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:219)
...
This made me think of a cookies problem, however adjusting the shinyproxy server/proxy configuration for cookies did not change anything. Shinyproxy configuration has:
server:
secure-cookies: true
proxy:
same-site-cookie: None
In the browser when I try to log in I get the following error message:
Error
Status code: 200
Message: Error validating SAML message
Stack Trace:
org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
...
Does anyone have an idea of what I am missing? I would really appreciate it! Thank you!

Not able to access WSO2 IS 5.3.0 admin services through angular

We are not able to call the ChallengeQuestionManagementAdminService from Angular code. Getting an error stating Invalid remote address
Included the user credential in Authorization. Able to consume the service using SOAP UI but not from Angular.
Admin service : ChallengeQuestionManagementAdminService
Error:
[2019-03-26 03:33:54,314] WARN {org.wso2.carbon.core.services.authentication.AuthenticationUtil} - Could not find IP address for domain name : 10.44.1.25:51954
[2019-03-26 03:33:54,315] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected.
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 10.44.1.25:51954
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.validateRemoteAddress(AuthenticationUtil.java:178)
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.getRemoteAddress(AuthenticationUtil.java:156)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.getRemoteAddress(AbstractAuthenticator.java:304)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:136)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:180)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:105)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.invoke(AuthenticationHandler.java:66)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
[1] is the nearly corresponding code. You can check the logic. What is the version of Identity Server you are using? If you are familiar with remote debugging, you can debug the code to find the root cause [2].
[1] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.core.services/src/main/java/org/wso2/carbon/core/services/authentication/AuthenticationUtil.java#L167
[2] https://medium.com/#gayanmadusanka_80721/how-to-debug-component-in-wso2-identity-server-ce15a366e9bf
Post the request you are sending from Angular through Postman and check if it's successful. If yes, make sure you are sending all the required headers from Angular; otherwise you might be missing some headers or your request schema might be missing some params.
Headers to be included
headers.set('Accept', '*/*');
headers.set('Content-Type', 'text/xml;charset=UTF-8');
headers.set('Authorization', `Basic ${authToken}`); // authToken must be base64encode(username:password) for the account
headers.set('SOAPAction', 'urn:setUserChallengeAnswers');

Insecure website error when connecting to AWS Console w/Account Alias

When I try to access my AWS console using my account name in the URL, I get this error (in Firefox):
Your connection is not secure
The owner of mycompanyname.tech.signin.aws.amazon.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
Why is this happening and what can I do about it?
Short answer: the problem is that there is a period in the company name/alias (mycompanyname.tech). I modified this to remove the period and the error no longer occurred.
Longer answer: I guess the way the wildcard security certificate works is that it only applies to names with 1 subdomain level (before signin.aws.amazon.com), and with the period, it broke it up into 2 ['mycompanyname', 'tech'].
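The one-label rule behind the answer above, as an added example (not code from the answer or from AWS): a minimal wildcard matcher following the browser behaviour the answer describes, where `*` covers exactly one DNS label. The pattern `*.signin.aws.amazon.com` is an assumed shape for the sign-in certificate's wildcard name; the thread only says the wildcard covers one level before signin.aws.amazon.com.

```javascript
// Assumed wildcard name for the AWS sign-in certificate (the thread does not quote
// the real certificate; it only says one subdomain level is covered).
const ASSUMED_SIGNIN_WILDCARD = '*.signin.aws.amazon.com';

// Does `host` match the certificate name `pattern`?  Mirrors the browser rule
// (RFC 6125 section 6.4.3): a '*' stands for one whole left-most label and never
// for a dotted run of labels, so "a.b.example.com" does not match "*.example.com".
function hostMatchesWildcard(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  // Label counts must agree: the wildcard cannot absorb an extra label.
  if (p.length !== h.length) return false;
  // Only a left-most wildcard is honoured, and it needs at least two fixed
  // labels after it (a simplified stand-in for the public-suffix check).
  if (p[0] === '*' && p.length < 3) return false;
  for (let i = 0; i < p.length; i++) {
    if (i === 0 && p[0] === '*') {
      if (h[0].length === 0) return false; // empty label never matches
      continue;
    }
    if (p[i] === '*' || p[i] !== h[i]) return false; // no inner wildcards
  }
  return true;
}

// Build the sign-in host for an account alias and report whether the assumed
// wildcard covers it.  An alias with a period adds a label, which is why the
// certificate no longer matches and HSTS prevents clicking through the error.
function checkAlias(alias) {
  const host = `${alias}.signin.aws.amazon.com`;
  return {
    host,
    labelsInAlias: alias.split('.').length,
    covered: hostMatchesWildcard(ASSUMED_SIGNIN_WILDCARD, host),
  };
}
```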

How do I get Alexa Voice Service registration code?

How do I get a registration code or otherwise solve this problem?
While writing this question, I realized the crux of this problem is the bottom-most part of this question: I'm not getting the popup I'm supposed to get and when I enter the URL in a browser it says invalid registration code.
I'm attempting to develop an Alexa Voice Service application. Website/companion service only. I have gone through the Reference Implementation Guide twice and have double checked that all of the setup has been done correctly.
This is the server error I get: invalid registration code. I never did anything with a registration code and can't seem to find anything about a registration code (relevant to Alexa) anywhere after googling quite a bit.
Listening on port 3000
error: { [InvalidRegistrationCode: The provided registration code was invalid.]
name: 'InvalidRegistrationCode',
message: 'The provided registration code was invalid.',
status: 401 }
Error: Can't set headers after they are sent.
Here's the client output:
vlcj: (DefaultMediaPlayer.java:183)
addMediaPlayerEventListener(listener=com.amazon.alexa.avs.AVSAudioPlayer$1#4b3a4950)
There was a problem connecting to the Companion Service. Trying again in 2 seconds. Please make sure it is up and running.
[DEBUG] joining on thread Thread[Timer-0,5,com.amazon.alexa.avs.AVSApp]
There was a problem connecting to the Companion Service.
Trying again in 2 seconds. Please make sure it is up and running.
The AVS launcher opens too, and when I record something and send it I get:
com.amazon.alexa.avs.AVSException: 403 Invalid Access Token
The instructions mention (at the very bottom of the reference guide) that I need to:
Please register your device by visiting the following website on any system and following the instructions: https://localhost:3000/provision/************** That URL is supposed to pop something up once the companion service but that hasn't happened.
Any thoughts on how can I fix this?
I was following a good document Project: Raspberry Pi + Alexa Voice Service at https://github.com/amzn/alexa-avs-raspberry-pi . It describes all steps very well.
Please take a look at the following steps:
3 - Getting started with Alexa Voice Service
3.1 Register for a free Amazon Developer Account
3.4 Register your product and create a security profile.
6 - Enable Security Profile
This thread on the Amazon developer forums seems related: http://forums.developer.amazon.com/forums/thread.jspa?threadID=11327&tstart=0
Quoted response:
There are a number of potential issues causing that error.
You might be sending an invalid scope. Are you sending "alexa:all" as the scope? Or, your security profile might not be correctly linked. Is it selected in the dropdown on the developer portal?
Are you getting an access token from the companion service, or is the text box blank? If you're not getting an access token, check that your device serial number matches between the companion service and the java client. If you're getting an access token, the problem is more likely with your security profile.
You should also look at these threads to see if they're helpful...
(links removed due to reputation requirement)
If that doesn't help, you'll probably have more luck asking the AVS team directly on their forum site.

API Console Issue

I've been using WSO2 API Manager 1.9.1 for the past month on a static IP and we liked it enough to put it on Azure behind a full qualified domain name. As we are still only using for internal purposes, we shut the VM down during off hours to save money. Our Azure setup does not guarantee the same IP address each time the VM restarts. The FQDN allows us to always reach https://api.mydomain.com regardless of what happens with the VM IP.
I updated the appropriate config files to the FQDN and everything seems to be working well. However! The one issue I have and cannot seem to resolve is calling APIs from the API console. No matter what I do, I get a response as below
Response Body
no content
Response Code
0
Response Headers
{
"error": "no response from server"
}
Mysteriously, I can successfully make the same calls from command line or SOAPUI. So it's something unique about the API Console. I can't seem to find anything useful in the logs or googling. I do see a recurring error but it's not very clear or even complete (seems to cut off).
[2015-11-17 21:33:21,768] ERROR - AsyncDataPublisher Reconnection failed for
Happy to provide further inputs / info. Any suggestions on root cause or where to look is appreciated. Thanks in advance for your help!
Edit#1 - adding screenshots from chrome
The API Console may not be giving you a response due to the following issues:
If you are using https, you have to type the gateway URL in the browser and accept the certificate before invoking the API from the API Console (this is the case when there is no signed certificate on the gateway).
A CORS issue, which may be due to your domain not being in the access-allow-origins response of the OPTIONS call.
If you create an API which has an https backend, you have to import the endpoint's SSL certificate into client-truststore.jks.