Access Denied Error Invoking the App from the IIS Web Server

  • Question

  • Hi,

    We have created a Provider Hosted app and we are able to invoke it from IIS Express.

    The AppManifest.xml file contains the appweburl as ~remoteappweburl/Pages/Default.aspx.

    I have published the app web in IIS and I have changed the URL of the app web to

    http://localhost:PortNo:/AppInvoking/Virtualdirectory/Pages/Default.aspx.

    When I click on the App Title I am getting a System.Cryptography "Access denied" issue for the X509 certificate.

    This issue is popping up from the TokenHelper.TrustAllCertificates method.

    I have provided permissions to the RSA Machine Keys folders as described in many blogs.

    But still I am not able to invoke the app web from the IIS web server.

    Please let me know your thoughts.

    I have observed a few things while troubleshooting the issue.

    We tried remote debugging of the high-trust app hosted on the IIS server (not Express).

    We have identified the following:

    During the debug process we found a null value for app id/client id in the TokenHelper class, though we gave

    the app id value in web.config.

    We went to the virtual directory folder on IIS after publishing the .NET web project and verified the web.config file

    and came to know that the Client Id and Client Secret values are "empty" there.

    Basically, after publishing the .NET project to IIS from VS 2012, the above two values are

    disappearing from the web.config of the virtual directory, though we specified them in our solution web.config (whether this is the expected behavior) while publishing the app web. I

    hope this is the reason why the high-trust app is failing to talk to the SharePoint server from the IIS server.

    Once I manually entered the client id value in the web.config in the virtual directory, it now fails with an

    Access denied error at line 521 of the TokenHelper class file:

    private static X509Certificate2 ClientCertificate = (string.IsNullOrEmpty(ClientSigningCertificatePath) || string.IsNullOrEmpty(ClientSigningCertificatePassword)) ? null : new X509Certificate2(ClientSigningCertificatePath, ClientSigningCertificatePassword);

    But when I use Quick Watch I am able to see all the attributes available in the TokenHelper class, including CertificatePath and Password.

    I am not sure why it is failing. Please let me know if anybody has faced this issue earlier.

    Exception information:

    Exception type: TypeInitializationException

    Exception message: The type initializer for 'MyStore.TokenHelper' threw an exception.

    at MyStore.TokenHelper.TrustAllCertificates()

    at MyStore._Default.Page_Load(Object sender, EventArgs e) in c:\Users\Administrator\Documents\Visual Studio 2012\Projects\MyStore\MyStore\Default.aspx.cs:line 15

    at System.Web.UI.Control.LoadRecursive()

    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Access is denied.

    at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)

    at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName)

    at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)

    at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)

    at MyStore.TokenHelper..cctor() in c:\Users\Administrator\Documents\Visual Studio 2012\Projects\MyStore\MyStore\TokenHelper.cs:line 521


    Thanks, Vijay Arul Lourdu



    Tuesday, December 18, 2012 1:45 AM

Answers

  • My approach:

    When you deploy to IIS you can copy the certificate into a folder that the application pool user has read permission on. I copy the pfx file to the root of the Visual Studio project for the compilation and publish the web application.

    The error is because your app can't read the pfx. Don't forget to update the web.config key="ClientSigningCertificatePath" value=XXXXXXXXX

    On the other hand, IIS Express has full read permission and does not fail.

    Wednesday, March 6, 2013 8:46 PM

All replies

  • Hello Vijay,

    Are you still experiencing problems in this area? Thank you


    Program Manager, Office Developer Platform.

    Wednesday, February 13, 2013 9:42 PM
  • This doesn't solve your original problem, but when you publish to the IIS server it will use either Web.Debug.config or Web.Release.config (or others if you have different configs set up). By default these get set up as blank:

    <add key="ClientId" value="" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
    <add key="ClientSecret" value="" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />

    This means you can set up a different ClientId and ClientSecret for each environment.


    Monday, February 25, 2013 10:19 AM
  • Have you done the following?

    Run this PowerShell script to register the certificate:

    $publicCertPath = "\\MyServerShare\Certificates\MyCertificate.cer"
    $issuerId = [System.Guid]::NewGuid().ToString()
    Write-Host 'Issuer ID:  ' $issuerId
    $spurl = "http://mysiteurl"
    $spweb = Get-SPWeb $spurl
    $realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
    $certificate = Get-PfxCertificate $publicCertPath
    New-SPTrustedRootAuthority -Name "My Certificate Name" -Certificate $certificate
    $fullIssuerIdentifier = $issuerId + '@' + $realm
    New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker

    Add the certificate details to your web.config:

    <add key="ClientSigningCertificatePath" value="\\MyServerShare\certificates\MyCertificate.pfx" />
    <add key="ClientSigningCertificatePassword" value="MyPassword" />
    <add key="IssuerId" value="MyGuidFromPowershellScriptAbove" />

    When debugging, allow OAuth over HTTP:

    $serviceConfig = Get-SPSecurityTokenServiceConfig
    $serviceConfig.AllowOAuthOverHttp = $true
    $serviceConfig.Update()


    Monday, February 25, 2013 10:34 AM
  • Hi Vijay,

    I'm facing the same issue, could you please help me how to overcome this?

    I did the thing which you marked as answer but no luck.

    Thanks in advance.

    Thanks,

    -Sendil M

    Tuesday, December 3, 2013 6:21 AM
  • Sendil,

    Please check the two links below; they will give you the proper guide to deploy your app.

    http://msdn.microsoft.com/en-us/library/office/fp179901.aspx

    http://msdn.microsoft.com/en-us/library/office/jj860570.aspx

    Let us know if you need any help.

    Friday, January 24, 2014 5:56 AM
  • If you are using the application pool DefaultAppPool with the identity ApplicationPoolIdentity, then the folder that contains the certificate should have read permission for the IIS APPPOOL\DefaultAppPool user.

    Ankur Agrawal


    Saturday, May 17, 2014 11:41 AM
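    The following PowerShell script is an added example, not code from any of the posts above, that turns the two fixes proposed in the thread (the accepted answer: put the .pfx where the application pool account can read it; the last reply: that account is IIS APPPOOL\<PoolName> for ApplicationPoolIdentity) into a repeatable check. The stack trace in the question fails in X509Utils._QueryCertFileType, which is the file-open step, so the first thing to verify is the NTFS ACL on the .pfx itself, not the RSA MachineKeys folder. The pool name, .pfx path and password are hypothetical placeholders; run it elevated on the IIS server.

```powershell
# Added example (not from the thread). Assumed values: adjust to your deployment.
$poolName    = 'DefaultAppPool'                      # assumption: the pool that runs the app web
$pfxPath     = 'C:\inetpub\certs\HighTrustApp.pfx'   # assumption: keep the .pfx outside the web root
$pfxPassword = 'MyPassword'                          # assumption: same value as ClientSigningCertificatePassword

Import-Module WebAdministration

if (-not (Test-Path -LiteralPath $pfxPath)) {
    throw "PFX not found at $pfxPath (this would surface as 'Access is denied' or 'file not found' in TokenHelper)."
}

# 1. Resolve the account the application pool actually runs as.
$pool = Get-Item "IIS:\AppPools\$poolName"
$identity = switch ("$($pool.processModel.identityType)") {
    'ApplicationPoolIdentity' { "IIS APPPOOL\$poolName" }
    'SpecificUser'            { "$($pool.processModel.userName)" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    default                   { throw "Unknown identity type for pool $poolName" }
}
Write-Host "Application pool '$poolName' runs as '$identity'"

# 2. Grant Read on the .pfx file only (least privilege: not the directory tree, not Modify).
$acl  = Get-Acl -LiteralPath $pfxPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $pfxPath -AclObject $acl

# 3. Show the resulting ACL so the grant can be checked against the stack trace's failing step.
(Get-Acl -LiteralPath $pfxPath).Access |
    Where-Object { $_.IdentityReference -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 4. Load the certificate the way TokenHelper does (path + password), plus MachineKeySet.
#    TokenHelper's (path, password) overload persists the private key in the caller's user
#    key store; a pool identity without a loaded user profile can fail there even when the
#    file ACL is correct. MachineKeySet is the usual fix for that second failure mode, or
#    enable "Load User Profile" on the pool.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
             $pfxPath, $pfxPassword, $flags)
Write-Host ("Loaded {0}  thumbprint {1}  HasPrivateKey={2}  NotAfter={3}" -f
            $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey, $cert.NotAfter)

if (-not $cert.HasPrivateKey) {
    throw "The .pfx has no private key; TokenHelper cannot sign tokens with it."
}

# 5. On a SharePoint server, confirm the same certificate is the registered trusted issuer
#    (the one created with New-SPTrustedSecurityTokenIssuer in the thread). Run there:
#    Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.SigningCertificate.Thumbprint -eq $cert.Thumbprint }
```

    The grant is deliberately limited to Read on the single file: the app only ever opens the .pfx, and the pool identity should not be able to modify or replace the signing key. Because the .pfx password sits in clear text in web.config, keep the file outside the site's content root and restrict the web.config ACL to the same identity; putting the .pfx in the project root (as the accepted answer does) works, but ships a private key inside the published content directory.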