Working with ACS

    Question

  • When running the "ASPNET String Reverser" sample in the AppFabric SDK we are getting an error in the
    method GetTokenFromACS():

     

        WebClient client = new WebClient();
        client.BaseAddress = string.Format("https://{0}.{1}", serviceNamespace, acsHostName);
        client.Credentials = CredentialCache.DefaultCredentials;
        NameValueCollection values = new NameValueCollection();
        values.Add("wrap_name", "gettingstarted");
        values.Add("wrap_password", issuerKey);
        values.Add("wrap_scope", "http://a3mdspetst3:80/ACSGettingStarted");

     

    Line : byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);

    Error as below:
    "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
    InnerException : "The remote certificate is invalid according to the validation procedure."} System.Exception {System.Security.Authentication.AuthenticationException}

    The initial steps that we performed:
    Created a project in AppFabric and created a service and management key.
    We have used the same namespace and key in the above mentioned scenario.

    Also we need to know the steps to follow to consume an ACS.

    Thanks,
    Aparna
    • Moved by DanielOdievichModerator Tuesday, September 28, 2010 9:07 PM forum migration (From:Windows Azure AppFabric)
    Monday, February 08, 2010 6:06 AM

Answers

  • Hi Aparna,

    Have you added Rules? You can add it by right clicking "Rules" in "gettingstarted" in "Scopes".

    Input Claim:

    Issuer: gettingstarted
    Type: Issuer
    Value: gettingstarted

    Output Claim:

    Type: action
    Value: reverse

    >How to make the application work without using TrustAllCertificatePolicy code

    To do so you need to add the certificate of the CA of your certificate to the Trusted Root CA store.

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    • Marked as answer by baparna Friday, February 12, 2010 9:24 AM
    Friday, February 12, 2010 8:42 AM

All replies

  • Hi Aparna,

    Are you running Fiddler or other tools that may use man-in-the-middle technique to change the server certificate when you test the project?
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Tuesday, February 09, 2010 6:50 AM
  • Hi Allen,

    We are not using any of those tools.
    Below are the steps we have followed:

    1) We have hosted the project ACSGettingStarted in IIS7.
    2) We have set a certificate named <systemname>, i.e. a3mdspetst3, for the https binding at port 443 in IIS.

    In the scope we have given:
        values.Add("wrap_scope", "http://a3mdspetst3/ACSGettingStarted");
    and the service namespace and keys accordingly as in the AppFabric account.

    Tuesday, February 09, 2010 9:25 AM
  • Hi,

    Thanks for your update. I'd like to add some comments on how to troubleshoot this kind of issue.
    First, from the description, this exception happens when the client communicates with AC. So we don't have to focus on the RP part and the following steps mentioned by you:

    1) We have hosted the project ACSGettingStarted in IIS7.
    2) We have set a certificate named <systemname>, i.e. a3mdspetst3, for the https binding at port 443 in IIS.

    Secondly, the exception means the server-side certificate is not considered valid by the client. Generally a simple way to check which server-side certificate the client is validating against is to add the following code before sending the HTTP request. Please note that the following code considers all certificates as valid, so it's insecure for production apps. It's only for troubleshooting/test purposes.

            using System;
            using System.Collections.Specialized;
            using System.IO;
            using System.Linq;
            using System.Net;
            using System.Security.Cryptography.X509Certificates;
            using System.Text;

            // Accepts every server certificate: for troubleshooting only, never for production.
            public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy
            {
                public TrustAllCertificatePolicy()
                { }

                public bool CheckValidationResult(ServicePoint sp,
                    X509Certificate cert, WebRequest req, int problem)
                {
                    // Set a breakpoint here and inspect sp.Address, cert.Subject and cert.Issuer
                    return true;
                }
            }

            private static string GetTokenFromACS()
            {
                System.Net.ServicePointManager.CertificatePolicy = new
                    TrustAllCertificatePolicy();

                // request a token from ACS
                WebClient client = new WebClient();
                client.BaseAddress = string.Format("https://{0}.{1}", serviceNamespace, acsHostName);

                NameValueCollection values = new NameValueCollection();
                values.Add("wrap_name", "gettingstarted");
                values.Add("wrap_password", issuerKey);
                values.Add("wrap_scope", "http://localhost/ACSGettingStarted");
                try
                {
                    byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);
                    string response = Encoding.UTF8.GetString(responseBytes);
                    Console.WriteLine("\nreceived token from ACS: {0}\n", response);

                    return response
                        .Split('&')
                        .Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))
                        .Split('=')[1];
                }
                catch (WebException ex)
                {
                    // ex.Response is null for transport-level failures (e.g. TLS trust errors)
                    HttpWebResponse response = (HttpWebResponse)ex.Response;
                    if (response != null)
                    {
                        using (StreamReader sr = new StreamReader(response.GetResponseStream()))
                        {
                            // the response body explains why ACS rejected the request
                            var s = sr.ReadToEnd();
                            Console.WriteLine("ACS error response: {0}", s);
                        }
                    }
                }

                return string.Empty;
            }

    Please check the certificate and make sure it's stored in the trusted certificate store.

    Please let me know whether it works if you do above steps.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Wednesday, February 10, 2010 2:14 AM
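    The TrustAllCertificatePolicy above answers the question "which certificate is the client seeing?" by switching validation off. An added example (not from this thread or the AppFabric SDK sample) of a diagnostic callback using ServicePointManager.ServerCertificateValidationCallback: it logs the presented certificate, its issuer, the chain status and the policy errors, but still rejects anything the framework would reject, so it can stay in the code path. The class and member names (AcsCertificateDiagnostics, ExpectedIssuerSubstring, Install, Validate) are this example's own, and the expected-issuer value is an operator-supplied assumption.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread or the AppFabric SDK sample.
// Logs why a server certificate fails validation without suppressing the failure.
public static class AcsCertificateDiagnostics
{
    // Optional: a substring expected in the issuer of the ACS certificate
    // (assumption: set by the operator; null disables the check). When a
    // TLS-inspecting proxy re-signs the certificate, the issuer changes and
    // the mismatch is reported here.
    public static string ExpectedIssuerSubstring = null;

    // Call once at startup, instead of setting ServicePointManager.CertificatePolicy.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    // Returns true only when the framework reports no policy errors.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // For HttpWebRequest-initiated connections the sender is the request itself.
        var request = sender as HttpWebRequest;
        if (request != null)
            Console.WriteLine("Validating certificate for {0}", request.RequestUri);

        if (certificate != null)
        {
            var cert2 = new X509Certificate2(certificate);
            Console.WriteLine("  Subject    : {0}", cert2.Subject);
            Console.WriteLine("  Issuer     : {0}", cert2.Issuer);
            Console.WriteLine("  Thumbprint : {0}", cert2.Thumbprint);
            Console.WriteLine("  Valid      : {0} - {1}", cert2.NotBefore, cert2.NotAfter);

            if (ExpectedIssuerSubstring != null &&
                cert2.Issuer.IndexOf(ExpectedIssuerSubstring, StringComparison.OrdinalIgnoreCase) < 0)
                Console.WriteLine("  WARNING: issuer does not match the expected CA; " +
                                  "a TLS-inspecting proxy may be re-signing the certificate.");
        }

        Console.WriteLine("  Policy errors: {0}", sslPolicyErrors);
        if (chain != null)
        {
            // ChainStatus is empty when the chain built cleanly; otherwise it names
            // the exact problem (UntrustedRoot, PartialChain, NotTimeValid, ...).
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  Chain status : {0} ({1})", status.Status, status.StatusInformation.Trim());
            foreach (X509ChainElement element in chain.ChainElements)
                Console.WriteLine("  Chain element: {0}", element.Certificate.Subject);
        }

        // Fix the trust store (or the proxy configuration) rather than returning true here.
        return sslPolicyErrors == SslPolicyErrors.None;
    }
}
```

    With the setup described in this thread, the log would show the proxy's CA as the issuer of the accesscontrol.windows.net certificate and UntrustedRoot in the chain status, which tells you exactly which CA certificate has to be in the Trusted Root store (or that the proxy has to be bypassed for that host) without ever accepting an untrusted certificate.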
  • Hi,

    Thanks for the inputs given.
    Now we are getting :
    The remote server returned an error: (401) Unauthorized.

    The certificate is stored in trusted certificate store.
    What we have noticed is the Servicepoint address is taken as the proxy server address i.e our company's proxy server address.
    Wednesday, February 10, 2010 5:14 AM
  • Hi,

    Yes, it does look like there's a man in the middle, i.e. your proxy server. Could you give me more information on the ServicePoint parameter of the CheckValidationResult method? Especially, what is the Certificate property of the ServicePoint object?

    As to the new issue, could you tell me on which line you get this exception? Does it happen for communication between client<->AC or client<->RP? This error means the authorization failed. In general you can get more details if it happens during the communication between client<->AC by using a try..catch block:
                try
                {
                    byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);
                    string response = Encoding.UTF8.GetString(responseBytes);
                    Console.WriteLine("\nreceived token from ACS: {0}\n", response);

                    return response
                        .Split('&')
                        .Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))
                        .Split('=')[1];
                }
                catch (WebException ex)
                {
                    HttpWebResponse response = (HttpWebResponse)ex.Response;
                    if (response != null)
                    {
                        using (Stream stream = response.GetResponseStream())
                        using (StreamReader sr = new StreamReader(stream))
                        {
                            // get response body
                            var s = sr.ReadToEnd();
                        }
                    }
                }

    If it happens for client<->RP the response is sent by RP so you're able to debug RP to troubleshoot this issue if it's under your control.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Wednesday, February 10, 2010 6:08 AM
  • Hi,

    I am getting the error while communicating Client -> ACS.

    The error is at line

        byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);

    after the CheckValidationResult is executed.

    The Certificate property is

        cert {[Subject] CN=accesscontrol.windows.net [Issuer] CN=Zscaler, OU=Zscaler Inc., O=www.zscaler.com, L=Santa Clara, S=CA, C=US [Serial Number] 62324C1E000500014AF6 [Not Before] 10/26/2009 9:32:39 PM [Not After] 10/26/2010 9:32:39 PM [Thumbprint] DE8F0F17C7152512B4F84416B51D441535B3DFD0} System.Security.Cryptography.X509Certificates.X509Certificate {System.Security.Cryptography.X509Certificates.X509Certificate2}

    Some of the ServicePoint property values:
    Address - http://interneta3:8085/ (proxy server address)
    BindIPEndPointDelegate = null
    ClientCertificate = null

    The Exception details are as below:
    ex {"The remote server returned an error: (401) Unauthorized."} System.Exception {System.Net.WebException}
    Status ProtocolError System.Net.WebExceptionStatus


    FYI -- the certificate named Zscaler is in trusted root authorities store. 


    Thanks,
    Aparna

    Wednesday, February 10, 2010 7:15 AM
  • Hi Aparna,

    Do you mean the Zscaler certificate is added to the trusted root CA store? The code in my first reply is not added and you get the 401 error, right? If so let's go forward to resolve the 401 issue. At this point, we don't have to care about the certificate because the handshake regarding the certificate has passed. The AC got the request and sent a 401 response. Could you please use the try..catch block to get detailed information of the error and paste it here?
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Wednesday, February 10, 2010 9:17 AM
  • Hi Allen,

    The certificate was stored in the trusted root store only after we added the code given by you,
    i.e.
            public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy
            {
                public TrustAllCertificatePolicy()
                { }

                public bool CheckValidationResult(ServicePoint sp,
                    X509Certificate cert, WebRequest req, int problem)
                {
                    // Set a breakpoint here
                    return true;
                }
            }

    and calling it at the very beginning of the method GetTokenFromACS():
            System.Net.ServicePointManager.CertificatePolicy = new
                TrustAllCertificatePolicy();


    After this we are getting the 401 unauthorized error at

    byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);

    When the program control goes to the above line of code:
    Firstly the CheckValidationResult() method is called twice and it executes successfully.
    After this it goes to the catch block giving the 401 error.

    The detailed error is as below:
    ex   {"The remote server returned an error: (401) Unauthorized."}   System.Exception {System.Net.WebException}
    [System.Net.WebException]   {"The remote server returned an error: (401) Unauthorized."}   System.Net.WebException
    base   {"The remote server returned an error: (401) Unauthorized."}   System.InvalidOperationException {System.Net.WebException}
    Response   {System.Net.HttpWebResponse}   System.Net.WebResponse {System.Net.HttpWebResponse}
    [System.Net.HttpWebResponse]   {System.Net.HttpWebResponse}   System.Net.HttpWebResponse
    base   {System.Net.HttpWebResponse}   System.Net.WebResponse {System.Net.HttpWebResponse}
    CharacterSet   "ISO-8859-1"   string
    ContentEncoding   ""   string
    ContentLength   101   long
    ContentType   "text/plain"   string
    Cookies   {System.Net.CookieCollection}   System.Net.CookieCollection
    Headers   {x-ms-request-id: 3e025ef3-e74d-41da-b7a7-c720c1849a06
    Content-Length: 101
    Content-Type: text/plain
    Date: Wed, 10 Feb 2010 09:58:38 GMT
    Server: Microsoft-HTTPAPI/2.0
    }   System.Net.WebHeaderCollection
    base   {x-ms-request-id: 3e025ef3-e74d-41da-b7a7-c720c1849a06Content-Length: 101Content-Type: text/plainDate: Wed, 10 Feb 2010 09:58:38 GMTServer: Microsoft-HTTPAPI/2.0}   System.Collections.Specialized.NameValueCollection {System.Net.WebHeaderCollection}
    AllKeys   {string[5]}   string[]
      [0]   "x-ms-request-id"   string
      [1]   "Content-Length"   string
      [2]   "Content-Type"   string
      [3]   "Date"   string
      [4]   "Server"   string
    Count   5   int
    Keys   {System.Collections.Specialized.NameObjectCollectionBase.KeysCollection}   System.Collections.Specialized.NameObjectCollectionBase.KeysCollection
    Count   5   int
    IsMutuallyAuthenticated   false   bool
    LastModified   {2/10/2010 3:30:10 PM}   System.DateTime
    Method   "POST"   string
    ProtocolVersion   {1.1}   System.Version
    ResponseUri   {https://mindtree-spelabs-sb.accesscontrol.windows.net/WRAPv0.9/}   System.Uri
    Server   "Microsoft-HTTPAPI/2.0"   string
    StatusCode   Unauthorized   System.Net.HttpStatusCode
    StatusDescription   "Unauthorized"   string
    {System.Net.HttpWebResponse}   System.MarshalByRefObject {System.Net.HttpWebResponse}
    ContentLength   101   long
    ContentType   "text/plain"   string
    Headers   {x-ms-request-id: 3e025ef3-e74d-41da-b7a7-c720c1849a06
    Content-Length: 101
    Content-Type: text/plain
    Date: Wed, 10 Feb 2010 09:58:38 GMT
    Server: Microsoft-HTTPAPI/2.0
    }   System.Net.WebHeaderCollection
    IsFromCache   false   bool
    IsMutuallyAuthenticated   false   bool
    ResponseUri   {https://mindtree-spelabs-sb.accesscontrol.windows.net/WRAPv0.9/}   System.Uri
    Non-Public members
    Status   ProtocolError   System.Net.WebExceptionStatus
    Non-Public members
    Data   {System.Collections.ListDictionaryInternal}   System.Collections.IDictionary {System.Collections.ListDictionaryInternal}
    HelpLink   null   string
    InnerException   null   System.Exception
    Static members
    Message   "The remote server returned an error: (401) Unauthorized."   string
    Source   "System"   string
    StackTrace   "   at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)\r\n   at System.Net.WebClient.UploadValues(String address, String method, NameValueCollection data)\r\n   at Microsoft.AccessControl.SDK.GettingStarted.Client.Program.GetTokenFromACS() in D:\\Program Files\\Windows Azure platform AppFabric SDK\\V1.0\\Samples\\AccessControl\\GettingStarted\\ASPNETStringReverser\\CS35\\Client\\Program.cs:line 84"   string
    TargetSite   {Byte[] UploadValues(System.Uri, System.String, System.Collections.Specialized.NameValueCollection)}   System.Reflection.MethodBase {System.Reflection.RuntimeMethodInfo}
    [System.Reflection.RuntimeMethodInfo]   {Byte[] UploadValues(System.Uri, System.String, System.Collections.Specialized.NameValueCollection)}   System.Reflection.RuntimeMethodInfo
    base   {Byte[] UploadValues(System.Uri, System.String, System.Collections.Specialized.NameValueCollection)}   System.Reflection.MemberInfo {System.Reflection.RuntimeMethodInfo}


    Thanks,
    Aparna

     

    Wednesday, February 10, 2010 10:16 AM
  • Hi Allen,

    Could you please let us know how to resolve this issue, since it's a work stopper for us.

    Thanks,
    Aparna
    Thursday, February 11, 2010 8:20 AM
  • Hi Aparna,

    Sorry for the late reply. I was out of office yesterday. Could you please use a try..catch block to check the response? The "s" below should give you more information regarding why the authorization fails. Please paste the information here for further investigation. In addition, either adding the certificate to the trusted CA store or using the TrustAllCertificatePolicy should solve the first error you encountered. In a production environment please remove the TrustAllCertificatePolicy code and only rely on the certificate in the trusted CA store.

                try
                {
                    byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);
                    string response = Encoding.UTF8.GetString(responseBytes);
                    Console.WriteLine("\nreceived token from ACS: {0}\n", response);

                    return response
                        .Split('&')
                        .Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))
                        .Split('=')[1];
                }
                catch (WebException ex)
                {
                    HttpWebResponse response = (HttpWebResponse)ex.Response;
                    if (response != null)
                    {
                        using (Stream stream = response.GetResponseStream())
                        using (StreamReader sr = new StreamReader(stream))
                        {
                            // get response body
                            var s = sr.ReadToEnd();
                        }
                    }
                }


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Friday, February 12, 2010 1:37 AM
  • Hi Allen,

    Thanks for the reply.

    The WebException is:
    "Error:Code:401:SubCode:T2001:Detail:The issuer does not exist, or the secret or signature is invalid."

    In the "stringreverser" sample the issuer is ACS itself, if I am not wrong.
    With this string reverser sample we have a setup.cmd which configures the issuer, token policy, etc.

    But when we execute it we get the below error:
    Failed to connect or to authenticate, check host, service, and mgmtkey
    So it's obvious from the error that the issuer does not exist.

    But we are not able to run setup.cmd to configure the issuer.

    Is it a problem with the service or the mgmt key? Is there any way to verify it?

    Regards,
    Aparna

    Friday, February 12, 2010 3:52 AM
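    The try..catch block Allen posted reads the response body into "s" and stops there, and the body Aparna then pasted has a fixed shape ("Error:Code:401:SubCode:T2001:Detail:..."). An added example (not from this thread or the AppFabric SDK sample) that does both halves of the token exchange properly: it parses a successful form-encoded WRAPv0.9 response by splitting before URL-decoding (the decoded SWT itself contains '&' and '='), and turns an error body into a structured code/subcode/detail so the caller can act on it instead of seeing only "401 Unauthorized". The names AcsError, WrapResponseParser and RequestToken are this example's own; the sample bodies in Main are constructed, not captured from a real namespace.

```csharp
using System;
using System.Collections.Specialized;
using System.IO;
using System.Net;
using System.Text;
using System.Web; // HttpUtility: reference System.Web.dll

// Added example, not from the thread or the AppFabric SDK sample.
public sealed class AcsError
{
    public int Code;
    public string SubCode;
    public string Detail;
}

public static class WrapResponseParser
{
    // A successful WRAPv0.9 body is form-encoded:
    //   wrap_access_token=<url-encoded SWT>&wrap_access_token_expires_in=<seconds>
    // Split on '&' and '=' before decoding, because the decoded SWT contains both characters.
    public static string ExtractAccessToken(string body)
    {
        foreach (string pair in body.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;
            string name = pair.Substring(0, eq);
            if (string.Equals(name, "wrap_access_token", StringComparison.OrdinalIgnoreCase))
                return HttpUtility.UrlDecode(pair.Substring(eq + 1));
        }
        throw new FormatException("wrap_access_token not present in WRAP response");
    }

    // Error bodies in the thread look like "Error:Code:401:SubCode:T2001:Detail:<free text>".
    // Detail may itself contain ':' so everything after ":Detail:" is kept verbatim.
    public static AcsError ParseError(string body)
    {
        const string prefix = "Error:Code:";
        const string subCodeMarker = ":SubCode:";
        const string detailMarker = ":Detail:";
        if (body == null || !body.StartsWith(prefix, StringComparison.Ordinal)) return null;

        int sub = body.IndexOf(subCodeMarker, StringComparison.Ordinal);
        int det = body.IndexOf(detailMarker, StringComparison.Ordinal);
        if (sub < 0 || det < sub) return null;

        int code;
        if (!int.TryParse(body.Substring(prefix.Length, sub - prefix.Length), out code)) return null;

        return new AcsError
        {
            Code = code,
            SubCode = body.Substring(sub + subCodeMarker.Length, det - sub - subCodeMarker.Length),
            Detail = body.Substring(det + detailMarker.Length)
        };
    }

    // Same request as the sample, but the ACS error body is surfaced through 'error'.
    // Transport failures (TLS trust, proxy) carry no HTTP response and are rethrown.
    public static string RequestToken(string baseAddress, string issuerName, string issuerKey,
                                      string scope, out AcsError error)
    {
        error = null;
        using (var client = new WebClient())
        {
            client.BaseAddress = baseAddress;
            var values = new NameValueCollection();
            values.Add("wrap_name", issuerName);
            values.Add("wrap_password", issuerKey); // secret: keep it out of logs and traces
            values.Add("wrap_scope", scope);
            try
            {
                byte[] bytes = client.UploadValues("WRAPv0.9", "POST", values);
                return ExtractAccessToken(Encoding.UTF8.GetString(bytes));
            }
            catch (WebException ex)
            {
                var response = ex.Response as HttpWebResponse;
                if (response == null) throw;
                using (var reader = new StreamReader(response.GetResponseStream()))
                {
                    string body = reader.ReadToEnd();
                    error = ParseError(body)
                        ?? new AcsError { Code = (int)response.StatusCode, SubCode = "", Detail = body };
                }
                return null;
            }
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample bodies, not captured from a real ACS namespace.
        string ok = "wrap_access_token=action%3dreverse%26Issuer%3dgettingstarted%26HMACSHA256%3dPLACEHOLDER"
                  + "&wrap_access_token_expires_in=28800";
        Console.WriteLine(WrapResponseParser.ExtractAccessToken(ok));

        string bad = "Error:Code:401:SubCode:T2001:Detail:The issuer does not exist, or the secret or signature is invalid.";
        AcsError err = WrapResponseParser.ParseError(bad);
        Console.WriteLine("{0} {1}: {2}", err.Code, err.SubCode, err.Detail);
    }
}
```

    The SubCode is the useful part for diagnosis: T2001 in this thread means the issuer name or key ACS was given does not match anything configured in the namespace, which is a configuration problem and not something a certificate change can fix.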
  • Hi Aparna,

    OK, now we've found the cause. It's because you failed to configure ACS to add the issuer, rules, etc., so the server returns 401 because it cannot find the issuer your request specified. From the description it looks like the service namespace or the management key you specified is incorrect. You can get the correct service namespace and management key from the web portal (refer to the following screenshot):

    http://cid-2fa13ebc6cc8e80f.skydrive.live.com/self.aspx/Public/ACS.png

    You can also use "Samples\AccessControl\ExploringFeatures\Management\AcmBrowser\ManagementBrowser\bin\Debug\AcmBrowser.exe" to manually add everything via the UI.

    BTW, the issuer name is "gettingstarted"; please follow the instructions in the Readme file.

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Friday, February 12, 2010 4:13 AM
  • Hi Allen,

    We are giving the same namespace and management key as in our AppFabric portal account.
    But we are still getting this issue.

    The account is showing the status as Active.
    How do we verify whether the service and key are correct? Ours is not a CTP account either.

    Thanks,
    Aparna
    Friday, February 12, 2010 4:58 AM
  • Hi Aparna,

    The service namespace and key shown on portal should be correct ones. Are you able to manually run AcmBrowser.exe to connect to AC?
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Friday, February 12, 2010 5:38 AM

  • Hi Allen,

    We are not able to connect to AC from AcmBrowser.exe either.

    From AcmBrowser, when I create an issuer and try to "save to cloud", the errors are as below:

        {"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."} System.Net.WebException
        InternalStatus RequestFatal System.Net.WebExceptionInternalStatus
        m_Status TrustFailure System.Net.WebExceptionStatus
        response null

    The WebRequest URI is RequestUri {https://mindtree-spelabs1-mgmt.accesscontrol.windows.net/WRAPv0.9}


    Regards,
    Aparna

    Friday, February 12, 2010 5:55 AM
  • Hi Allen,


    We are able to configure Issuer, TokenPolicy and Scope for the ACS using acmbrowser.exe by adding the TrustAllCertificatePolicy code before the web request.

    But we are not able to map claims in acmbrowser.exe.

    After this we tried executing "stringreverser". We get the error:
    "Error:Code:400:SubCode:T1016:Detail:An output claim token cannot be issued because the issuer and claims in the request do not map to any output claims for this scope." Since we have not mapped any claims.

    Could you please let us know:
    How to map claims from acmbrowser.exe or any other means.
    How to make the application work without using the TrustAllCertificatePolicy code.

    Thanks,
    Aparna
    Friday, February 12, 2010 7:06 AM
  • Hi Allen,

    Thanks a lot for the solution given for our issue.
    We are able to get a token from ACS now.

    There is some issue while communicating with the RP. The error is: ex {"The remote server returned an error: (405) Method Not Allowed."} System.Net.WebException. I will try to resolve it.
    I will get back to you if there are any issues or doubts with ACS in future.

    Regards,
    Aparna
    Friday, February 12, 2010 9:50 AM