Unable to create to obtain OpenId Configuration - azure-active-directory

I am using OpenIdConnect for Authentication with Azure AD. The application is hosted on IIS. I got below exception few days back:
IDX10803: Unable to create to obtain configuration from: 'https://login.microsoftonline.com/common/.well-known/openid-configuration'.
Stack Trace is: at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.d__3.MoveNext()
After 30 to 40 mins the application automatically started working normally. I just want to know the possible reasons for above exception. Is it a network issue or any specific reason. Thanks.

Well, as the error says it was unable to get the config from: https://login.microsoftonline.com/common/.well-known/openid-configuration.
This is most likely a network issue, or a problem with Azure AD.
It could also happen if you used an invalid tenant id, but this is not the case here since you seem to have used "common" which is valid for multi-tenant apps.

Related

403 Forbidden message on File upload Asp.net mvc

I am getting error on test and development server for uploading file with azure blob storage.IT is uploading locally without any problem.We are using Nuget for File handling. On debugging we are getting error on container.CreateIfNotExist()
Could anybody help me solving the error.
Thanks in advance!
Based on your description, I assumed that you are using the azure storage client library WindowsAzure.Storage for uploading files to your blob storage.
On debugging we are getting error on container.CreateIfNotExist()
If you construct the CloudStorageAccount with the AccountName and AccountKey, please make sure your AccountKey is correct, and you could login into azure portal and check with it. If you construct the CloudStorageAccount via the account-level SAS token, please make sure the SAS token is valid and it contains the related permissions. Moreover, you could re-generate your account key or new SAS token to narrow this issue. Also, you could leverage fiddler to capture the network traces when executing the operations to narrow this issue.
Additionally, you need to check your server time. As Authentication for the Azure Storage Services states as follows:
The storage services ensure that a request is no older than 15 minutes by the time it reaches the service. This guards against certain security attacks, including replay attacks. When this check fails, the server returns response code 403 (Forbidden).
Also, you could Enabling Storage Logging and Accessing Log Data to retrieve the detailed error message.
Problem was Microsoft.ApplicationInsights 2.4.0.
Solved by downgrading to 2.3.0.
It is really strange but below links really helped me out to solve the issue
Azure Storage Emulator 403 Forbidden
Azure CloudBlobContainer.CreateIfNotExists() throws Forbidden (403) on Local Development
Thanks!

Getting http error 500 access denied from web api

Background: I am working on a product which is built using AngularJS in the front-end, and Microsoft Web Api in the back-end. The website is hosted on a Windows Server 2012 machine running IIS. We are using Windows authentication to connect to the machine.
The problem: Calling various API methods work flawlessly for me and the majority of users. But for some of the users, they cant perform certain API calls. Most of the endpoints work and return valid data, but a few methods never even gets reached.
This is the error in the iislog: 2016-05-26 12:25:23 xx.xx.xxx.xx POST /api/controller/method - 80 domain\user xx.xx.x.xx Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.1;+WOW64;+Trident/6.0) http://xxxxxx.com/#/Pagename 500 0 0 514
In the console in google chrome it says: Error: Access denied.
I have set the api to log all exceptions to a database, and no error is shown. So my theory is that the api doesnt even get reached when trying to perform these specific http methods.
I have tried searching for answers, but without any luck. Does anyone have any idea?
I finally found a solution to my problem, the exception being thrown was a DbEntityValidationException. It was thrown because some of the users names were too long to be inserted into the database table. It was not catched and properly displayed by my own general exception handling. I had to follow this guide to get the proper exception logged:
https://stackoverflow.com/a/6258174/3592773
Thanks for all the help and I hope this might help someone else in the future.

Getting 403 not authorized when indexing documents on Retrieve and Rank

I am suddenly getting a 403 error when I try to POST an update to the Retrieve and Rank service. This code is under development but it has been working up until yesterday. The failure occurs only when doing a POST to /v1/solr_clusters/{solr_cluster_id}/solr/{collection_name}/update, and it fails the same way whether I do it via my program, the Swagger API documentation, or cURL. All other operations to this service that I've tried work fine when using the same credentials that I'm using with this POST. The error message I'm getting back is
Error: WRRCSH004: Service [1d111267-76b7-417a-98bd-4e9a58072ef9] is not authorized for cluster [sc262b05e8_dcf5_40b4_b662_ae85058ff07f]!. I don't know where the identifier (1d111267-76b7-417a-98bd-4e9a58072ef9) is coming from; that's not the userid I'm sending in.
Looking into your issue it appears your Bluemix organization has multiple service instances. The 403 issue you were seeing is because you're trying to access a Solr cluster using credentials from one of your instances against a cluster in the other instance. The 1d111267-76b7-417a-98bd-4e9a58072ef9 represents one of these service instances—but the issue is that the cluster you're trying to access is not part of that instance. A good way to test this is to ensure you're using the same credentials that generate the 403 but simply try to list the Solr clusters you have created by doing a GET against https://gateway.watsonplatform.net/retrieve-and-rank/api/v1/solr_clusters/.
As for the 500 issue, I wasn't able to see anything on our end. If you're still experiencing that I would suggest posting another question and we can look into things again.
Thanks,
-Scott

google connect error

I am trying to login using google account connection..
but it show me an error
Forbidden
You don't have permission to access /market/modules/connect/easyauth.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at dkakeen.com Port 80
I contacted the developer and he said :
Your hosting probably blocks certain strings in urls, this is why you
get the Forbidden error. You will probably see more information about
the error in the error log in your hosting account. You could also ask
your hosting support if they have such security measures to block
parts of urls, and if they can disable them for you. This is the full
url that the script is trying to access and it cannot:
http://dkakeen.com/market/modules/connect/easyauth.php?auth=google&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2012-10-10T12%3A44%3A29ZJuJ_ahE5fLQx5Q&openid.return_to=http%3A%2F%2Fdkakeen.com%2Fmarket%2Fmodules%2Fconnect%2Feasyauth.php%3Fauth%3Dgoogle&openid.assoc_handle=AMlYA9Vntq_WQ9WEb85GI5Z32JS4E47Z6sRbimCf503Eht-w7zDq_wTZ&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.namePerson_first%2Cext1.value.namePerson_first%2Cext1.type.contact_email%2Cext1.value.contact_email%2Cext1.type.namePerson_last%2Cext1.value.namePerson_last&openid.sig=qVXb27ds2obrWeehvGRgUaZYCKM%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawn507OyS3bO50BXsj02tgccdznijvVpyHY&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawn507OyS3bO50BXsj02tgccdznij
vVpyHY&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.namePerson_first=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.namePerson_first=Classifieds&openid.ext1.type.contact_email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.value.contact_email=classifiedsaddict%40gmail.com&openid.ext1.type.namePerson_last=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.namePerson_last=Addict&openid.ns.ext2=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.ext2.mode=popup
How I fix it?

Exception while accessing Active Directory and creating user [duplicate]

I need to read the Active Directory, search users and create user functionality.
I am able to use DirectoryEntry in C# and Domain is only physical server.
In my production environment, I have two physical domain servers with same domain name. When I try to search the AD user or create, I am getting the following exception.
Exception : "0000202B: RefErr: DSID-031007EF, data 0, 1 access points" [extended Error 8235]
Note that I have Domain Admin privileges on the domain but I'm still having the same issue.
0000202B: could mean wrong DN/searchbase like incorrect DC value etc.
Your problem looks like a DNS problem. I know writting that, I've got statisticaly 80% chance being right. Check the domain name resolution from your client. Check your DNS and verify that your two domain controlers are well registered.
The error you are getting is referall related:
ERROR_DS_REFERRAL
8235 (0x202B)
A referral was returned from the server.
You can find the error codes linked at this MSDN Article.

Resources