I am seeing a strange problem where my Silverlight application is failing to load due to an "Load operation failed for query.." and the reason is "Denied Access at System.ServiceModel.DomainServices.Server.DomainService.ValidateMethodPermissions"
If I browse to exactly the same page using IE 9 the request goes through and the silverlight application loads! This is happening on more than one server and their IIS and SQL Server have been configured the same as all other systems we set up.
With custom errors turned off I see the following stacktrace in Fiddler -
Denied Access#Detail#DomainServiceFaultDomainServices i)http://www.w3.org/2001/XMLSchema-instance# ErrorCode��#ErrorMessage�
Denied Access#IsDomainException�#
StackTrace�r at System.ServiceModel.DomainServices.Server.DomainService.ValidateMethodPermissions(DomainOperationEntry domainOperationEntry, Object entity)
at System.ServiceModel.DomainServices.Server.DomainService.ValidateMethodCall(DomainOperationEntry domainOperationEntry, Object[] parameters, List1 validationResults)
at System.ServiceModel.DomainServices.Server.DomainService.Query(QueryDescription queryDescription, IEnumerable1& validationErrors, Int32& totalCount)
at System.ServiceModel.DomainServices.Hosting.QueryProcessor.Process[TEntity](DomainService domainService, DomainOperationEntry queryOperation, Object[] parameters, ServiceQuery serviceQuery, IEnumerable1& validationErrors, Int32& totalCount)
at System.ServiceModel.DomainServices.Hosting.QueryOperationBehavior1.QueryOperationInvoker.InvokeCore(Object instance, Object[] inputs, Object[]& outputs)
The site is in my trusted sites.
When I attach to the silverlight application and debug the authentication process it seems to go through fine and the user is validated. But then when it actually tries to run the queries against the service subsequent to this they fail with access denied!
I'm lost as to why this would be any different in IE 10, any ideas would be appreciated! Thanks.
Not 100% proved this yet, but appears the hotfix suggested in this post - IE10 User-Agent causes ASP.Net to not send back Set-Cookie (IE10 not setting cookies) fixes the issue.
It seems there was a problem with IIS not handling IE10 cookies properly and so the authentication cookie was being set initially then subsequently ignored.
I'm guessing our machine was out of date, windows update-wise, as I presume this fix must have been distributed by now. But have yet to confirm.
Related
Background: I am working on a product which is built using AngularJS in the front-end, and Microsoft Web Api in the back-end. The website is hosted on a Windows Server 2012 machine running IIS. We are using Windows authentication to connect to the machine.
The problem: Calling various API methods work flawlessly for me and the majority of users. But for some of the users, they cant perform certain API calls. Most of the endpoints work and return valid data, but a few methods never even gets reached.
This is the error in the iislog: 2016-05-26 12:25:23 xx.xx.xxx.xx POST /api/controller/method - 80 domain\user xx.xx.x.xx Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.1;+WOW64;+Trident/6.0) http://xxxxxx.com/#/Pagename 500 0 0 514
In the console in google chrome it says: Error: Access denied.
I have set the api to log all exceptions to a database, and no error is shown. So my theory is that the api doesnt even get reached when trying to perform these specific http methods.
I have tried searching for answers, but without any luck. Does anyone have any idea?
I finally found a solution to my problem, the exception being thrown was a DbEntityValidationException. It was thrown because some of the users names were too long to be inserted into the database table. It was not catched and properly displayed by my own general exception handling. I had to follow this guide to get the proper exception logged:
https://stackoverflow.com/a/6258174/3592773
Thanks for all the help and I hope this might help someone else in the future.
I have a SL navigation application, that currently runs on a shared hosting package with a 3rd party ISP. I can login, and register using the ASP.NET membership and role providers.
I have now setup a dedicated server, on which only my app will run. It does not yet have a domain name that points to it... I access it via an IP address.
I've copied the entire site (including the ClientBin and all the XAP's) to the new server, but the Authentication and Registration services don't work... they just return NotFound.
When I check Fiddler on the working site, this service is called :
www.myaddress.com/ClientBin/MyApp-Web-AuthenticationService.svc/binary/Login
which of course succeeds. However, on the other site, the fiddler trace looks the same (because I just copied the site) :
123.123.123.123/ClientBin/MyApp-Web-AuthenticationService.svc/binary/Login
but, the call fails with NotFound. Fiddler reports it as HTTP/1.1 500 Internal Server Error. When I open
http://localhost/ClientBin/MyApp-Web-AuthenticationService.svc/binary/Login
on the server, I get the HTTP/1.1 500, as well as this description :
Handler "svc-Integrated" has a bad module "ManagedPipelineHandler" in its module list
Which leads me to believe that there is something wrong with my IIS config, as the exact same code is working on another system.
What is a "bad module"? How do I fix it?
Normally this type of error is that ASP.Net is not activated or that a handler for svc is not registered or registered correctly.
In your case is looks a bit different. It could be that you have .net framework 4.0 code that you are trying to run in a .net framework 2.0 application pool.
IIS 500 errors often show up with more information in the Windows Event log - if you can somehow get access to that?
Also I've noticed that often the server will actually send debugging output back to the client that everything seems to ignore. Have you checked the entire raw response that is coming back from the server to see if there are any clues there?
I've set up my Silverlight WP7 app to use a WebBrowser Control to allow users to log into facebook and grant permissions for further actions. After the user has granted permissions, they are redirected to a web page letting them know permissions have been granted.
The chain is as follows:
App -> opens WebBrowser control at web service #1 -> web service redirects to FB -> Permissions granted -> FB redirects to web service #2 which returns a view.
Web services are both within an externally hosted MVC project.
This all works fine, UNLESS the user is not logged into facebook - instead of taking them to the facebook login page as you would expect, I just get an HTTP 500 internal server error and web service #2 is not hit. If the user is logged in, then everything proceeds as it should.
I'll also mention this ONLY happens on the WP7 device and does not occur in any browser, including IE9, on my laptop.
EDIT: For clarity's sake, Web browsers on my laptop were tested by setting a breakpoint before my WebBrowser control was called in Visual Studio, I grabbed the Uri I had built there, and pasted it into Chrome, IE9 etc.
I'm not even sure what direction to look in! Also, I'm sure you guys may need more details to aid you with this question - please let me know what else it is you might need and i'll do my best to provide it.
This code causes the problem.
// Constants.URL_FACEBOOK_LOGIN contains the parameter "display=touch|wap"
_popUpBrowser.Navigate(new Uri(Constants.URL_FACEBOOK_LOGIN));
This code fixes the problem.
// Constants.URL_FACEBOOK_LOGIN contains the parameter "display=touch|wap"
string userAgent = "User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6531.22.7";
_popUpBrowser.Navigate(new Uri(Constants.URL_FACEBOOK_LOGIN), null, userAgent);
Why?
Because Facebook currently has an issue with the Windows Phone 7 User-Agent value and the display parameter values of "touch" and "wap" when they are present in the same request. So simply sending in an alternate User-Agent header when using a WebBrowser control solves the problem for now.
I hope this helps other Windows Phone 7 developers that encounter the nasty 500 error when interfacing Facebook Graph API.
I've figured out the issue and have come to an undesirable solution - however, any solution is better than a HTTP 500 error.
The issue was with the Facebook dialog parameter "display". As my app is intended for the WP7, I have passed "display=touch" to Facebook when I check for permissions - however this WILL NOT WORK! I don't know why, but that was the cause of my error. When I took this parameter out I stopped receiving the error - however the full desktop style is used, which is undesirable.
It seems display=touch and display=wap both give me the HTTP 500 error. 'popup' and 'page' both work. I have not tested 'Iframe'. So for now I will stick to 'popup'.
I need to stress-test a silverlight application which uses Windows authentication mode. To achieve this task I am using the StressStimulus Fiddler addin.
What I am doing is to log in and doing some stuff like search etc. I captured the HTTP messages transferred in Fiddler and replayed them using the above mentioned tool.
However, when I replay the packages I always get a 401.1 Server responses.
I tried to use different Authorization approaches (NTLM and Negotiate) but I always get the same response message.
Fiddler seems to be properly configured. In the Fiddler options menun "Reuse client connection" is checked as well as "Reuse connection to server". I even raised the KeepAliveTimeout in the registry without any success.
Does anybody have an idea whats going wrong?
You can't replay authentications such as NTLM and Negotiate. One the most important features of any challange/response authentication is that it must not be replayable. Without this feature an attacker can monitor a successful authentication and then replay the same sequence to gain access to things they aren't entitled.
for days now, I try to get the following scenario running:
I have a Silverlight 4 Application that calls a WCF-Service via HTTPS. The WCF-Service is located on one of our servers, the Silverlight 4 app is also served from this server. After several hours of trial and error (well actually more error than try) I get it running when starting it from my VS2010 development environment on my local machine (see also SecurityError when calling a HTTPS-WCF Service from Silverlight 4).
But ...
The call to the https-WCF ONLY works when I start the SL-App from my VS2010 AND when fiddler is running and after I tell fiddler to ignore the Certificate Error (I use a self-signed certificate). When fiddler is not running, I get a security error. That applies, when my browser is the IE. When I copy the localhost address from the IE and paste it in my opera, it works without fiddler.
When I deploy the Silverlight app to the server and call it from the server, the WCF-call doesn't work, whether fiddler is running or not. I just get the standard Message, that an exception has occurred. This happens in both Opera and IE. Fiddler doesn't ask me to ignore the Certificate Error like it does in the VS2010 scenario, so maybe there is somewhere the key to my problem. Unfortunately, I have not much experiences with this stuff, so I have no idea, where to look or what to do.
I already found something about the fiddler issue here on stackoverflow ( Silverlight Requests, Failures & Fiddler), but it doesn't help me solving my problem.
I hope that some of you can shed some light in this issue, before all my hair is turned to gray.
Thanks in advance,
Frank
Edith has just installed the Certificate as a trusted Certificate in IE - but I still get the error, when calling the WCF when starting the deployed silverlight app from the server. At least I can call the Service when I start the SL app from VS2010 in the IE now (even when that doesn't help me, when some one else has to work with the app.
Several thoughts:
What is the exact error message you're seeing? Any inner exceptions?
Could this be a cross-domain issue? (Are the Silverlight XAP and the WCF service hosted from exactly the same domain, including its HTTP vs HTTPS characteristic, port number, distinction between "localhost" and an actual machine name, etc? What is the exact address as it appears in ServiceReference.ClientConfig or in code, and does its domain name exactly match the XAP's domain name?)
Do you see any call attempting to go through in Fiddler at all when it fails? (If not, I would strongly suspect a cross-domain issue)
If you manually browse to the https://....../YourService.svc from IE/Opera (instead of invoking the service through code in Silverlight), can you successfully see the service information page, with no certificate warnings/errors?
Does your SSL certificate has the same name as your service host? If not, that causes an error which can lead to the described behavior