I have an API built with Web API 2 (VB.Net), running on IIS 7.5 that relies on Windows Authentication and is queried by an AngularJS app. Everything has worked fine for a year or so but we now have a user that we've changed their username a couple of days ago as they have recently got married.
All normal Windows login processes work with the new username however the credentials that the API tries to use always refers to the old username.
AngularJS:
$http.get($rootScope.urlAPI + 'access/', {
cache: false,
withCredentials: true
}).success
...
Web API 2:
<HttpGet>
<Route("api/access")>
<ResponseType(GetType(UserAccessDTO))>
<NoCachePolicy>
<Authorize> _
Function GetStaffAccessForApp() As UserAccessDTO
Dim objUser As System.Security.Principal.WindowsPrincipal = RequestContext.Principal
Dim strUsername As String = objUser.Identity.Name
' strUsername is somehow returning their old username
...
strUsername is somehow returning their old username
Directly querying the API from the browser returns the same JSON result with the old username so I don't believe the issue is specifically with the AngularJS app but somewhere between the browser and the API...
This issue occurs from both IE11 and Google Chrome and I've tried clearing the browser cache, deleted cookies and also tried restarting the API's web-site service in IIS to reload the API.
We only have 2 domain controllers and it's been a couple of days so they are definitely synced and I've scrolled through the attributes of her account but can find no reference to her old username there so I'm at a loss as to where this is coming from :(
For anyone else with similar issue, it seems to have resolved only after a reboot of the servers. We conducted regular monthly maintenance which involves progressive restart of all servers. Somewhere between rebooting domain controllers, database server and API server it has resolved the issue for the user this morning.
A bit disappointing we couldn't nail down exactly where it was... but probably cached somewhere.
Related
It seems keeping all the browsers happy is a challenging task, what with all the security they are adding and the complexities of certificates.
I have a SPA (Vuejs) which is using oidc-client.js to implement OIDC, communicating with an Identity Server (Identity Server 4).
First thing to note is that everything works if I run both client and server on localhost.
It is when I deploy the Identity Server to a Staging Server inside our network that things go awry.
So, the hostname of the Idp now differs to that of the SPA (which would be normal in production).
After much work, I've got everything working except IE11 (yep IE).
I had to do several things to get me there such as:
solve the samesite cookie issue of Chrome
create self-signed certificates and install the root certificate in the Trusted Certificates
add Babel config code and Core.js at the client, to enable IE to not throw errors when promises come into play
So, it's been a long road, yet still, I have to deal with this (see animation):
I just can't quite figure out why IE is doing that.
It is not possible to use the dev tools to see any info.
The logs at the server do not contain any information that seems relevant.
Has anyone else seen these "Browser symptoms" in IE.
Happy to provide more information (code, logs etc.) if people think that will help. Just didn't want to dump all that in the initial question, as many people don't like that.
Here are a couple of Fiddler screenshots. The first is from Chrome:
The second on is for IE11.
For some reason, the Silent Refresh is being invoked over and over again with IE11.
I think I can see what is happening, but not sure how to fix it.
There appears to be 2 calls to the Authorize endpoint which fail, conspicuously missing the .AspNetCore.Antiforgery cookie. This results in 2 invocations of silent-refresh.html.
Then, for some reason there is some king of GET request to the base url of the Idp and immediately following on the heels of that request is a request to the Authorize endpoint which does have the .AspNetCore.Antiforgery cookie.
The ship is set straight until the next call to the Authorize endpoint which is the beginning of the next cycle.
However, with Chrome, after the user is logged in, the next call to the Authorize endpoint does contain the cookie.
So, I guess it is the missing cookie which is the issue.
Perhaps this has something to do with the code which I used from this post to solve the Chrome samesite cookie issue?
Cheers
I have a Blazor WA Application that is using Identity Server 4 Service for authenticating users. Everything works fine locally. The issue comes when I try and publish to Azure. Since the IDS is published at one address and Blazor at another, i get the X-Frame error when calling from "https://blazor..."
"Refused to display 'https://identity...' in a frame because it set 'X-Frame-Options' to 'sameorigin'."
I've added
builder.Services.AddAntiforgery(options =>
{
options.SuppressXFrameOptionsHeader = true;
});
to the Blazor startup and to the Identity start up (just for giggles) but the error remains.
Any ideas?
TYIA
The short answer is to set the CORS settings in Azure to allow all (*) or the specific URL in question "https://blazor...".
I had done that at one point but for some reason it didn't work. After consulting with an Azure tech we tried it again and it worked.
¯_(ツ)_/¯
I have an AngularJS 1.5 application which is working with a Laravel 5.2 API and I'm trying to send emails at different points in the application. So I'm able to send data to Laravel and it gets recorded in the tables I specify but when it gets to sending a confirmation email it gives me this error with an HTTP status code of 500: MethodNotAllowedHttpException
Odd thing is, it works perfectly fine in local development on my laptop. But the same functions on the AWS EC2 instance and it fails when it gets to sending any email. I'm using SendGrid to manage sending emails but I don't think I need to change any settings for that.
For Example:
$emailUser = array();
$emailUser['email'] = $request->email;
$emailUser['first_name'] = $request->first_name;
$emailUser['last_name'] = $request->last_name;
$emailUser['randomStr'] = str_random(36);
$emailUser['remove_dtm'] = Carbon::now()->addWeeks(2);
//Add a password reset set to 2 weeks out for the user to register
DB::table('password_resets')->insert([
'email' => $emailUser['email'],
'token' => $emailUser['randomStr'],
'remove_dtm' => $emailUser['remove_dtm']
]);
Mail::send('email.registered_user', $emailUser, function($message) use ($emailUser)
{ $message->to($emailUser['email'], $emailUser['first_name'] . ' ' . $emailUser['last_name']);
$message->from('WSCUSTOMERPO#waterstoneco.com', 'Waterstone Faucets');
$message->replyTo('WSCUSTOMERPO#waterstoneco.com', 'Waterstone Faucets');
$message->subject("Welcome to the Waterstone Faucets Portal!");
});
When I try to reset a user's password it will create the record in the password_reset table but not send the email on the live site. Again the same function works fine on my laptop. I checked that I'm posting on the Angular side and Laravel API is expecting a post HTTP call when running this function.
What am I missing here?
Thank you greatly for your help!
There are a few things to check here,
1: Are you sure you have your .env file set up to use the correct SMTP server settings to use SendGrid. If you forgot to set this up in your .env you will be using the internal mail function. Instead of using SendGrid, I would suggest keeping it inside of Amazon for more reliability. Switching over to Amazon SES may be a great option for you.
2: If you are using the internal mail system, there is a really good article about mail from Amazon EC2 instances here: http://shlomoswidler.com/2009/07/sending-email-from-ec2.html
Just a reminder for number 1 for others that may have come here looking for help. To set your mail service in Laravel to use an smtp service, open your config/mail.php file and set the driver to use your provider (if provided by laravel). This can be done by edit the file directly or setting the environment variable MAIL_DRIVER in your .env file.
I have created a single page app using AngularJS and ASP.NET MVC 3. When deploying a new version of the application, it's possible for users to be already logged in as the application is being updated. If these users don't either refresh their browser or log out and back in again to get the new JavaScript files, they will encounter lots of errors and could potentially create invalid data.
Question: in a single page app, is there an elegant way to either prompt users to either refresh their browser or log out and back in again?
I suppose this would be possible through Web Sockets / SignalR, but are there other options?
One generic way I could see is to have your angular app send a client-version # with any http request, and your .NET side watch for that number and when it's out of date ( a newer version has been deployed ) send an error response which you would capture in your angular app. You could then just trigger a refresh or prompt the user to refresh and get the latest version.
I am using passive federated authentication with Silverlight, WIF and ADFS.
I followed the Training Toolkit example http://msdn.microsoft.com/en-us/identitytrainingcourse_silverligthandidentity2010_topic2
Everything works fine. Claims come back, the user is authenticated, etc. It is working absolutely fine with RIA services.
The problem comes after using the application for 1 hour. The token seems to become invalid and all subsequent calls from the Silverlight client to the domain service fail.
I have checked the ADFS settings, they are all defaults.
Get-ADFSRelyingPartyTrusts shows that TokenLifetime = 0
Get-ADFSProperties shows that SsoLifetime = 480 (which I assume is 8 hours).
I am using the assemblies included with the training kit: SL.IdentityModel & SL.IdentityModel.Server.
Online I have seen people making references to setting freshness values however this doesn't seem to apply as everything is auto setup by the SL.IdentityModel.Server services.