I am trying to call a webservice from a C# .NET 4.8 application. The web service is secured via a certificate and basic authentication. When I make the call it is failing with a
System.Net Error: 0 : [3564] AcquireCredentialsHandle() failed with
error 0X8009030D.
error which leads to a
The request was aborted: Could not create SSL/TLS secure channel.
error being thrown.
I have looked at several post but have not been able to make any progress.
ServicePointManager.SecurityProtocol = spt;
ServicePointManager.Expect100Continue = true;
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
RestClient client = new RestClient(uri);
client.Authenticator = new HttpBasicAuthenticator(username, password);
client.ClientCertificates = new X509CertificateCollection();
client.ClientCertificates.Add(new X509Certificate(certificate, certificatePassword));
client.Proxy = new WebProxy(proxy, port);
client.Proxy.Credentials = CredentialCache.DefaultCredentials;
request = new RestRequest(Method.POST);
request.AddHeader("Message-Key", messageKey);
request.RequestFormat = DataFormat.Json;
request.AddParameter("application/json", json, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
The certificate is a pfx file and when I make the same call using SoapUI it is successful.
I have configured it to produce a System.Net trace log.
The first error is
System.Net Error: 0 : [3564] Can't retrieve proxy settings for Uri
'https://dev.api.sydney.edu.au/usyd-message-handler-exp-api-v1/v1/messages'.
Error code: 12180.
I assume this is not an issue as when I didn't have the proxy details the call would timeout.
At the bottom of the log I get:
[Thumbprint] 0C1EFA37718255EE6DEF3A8A980CD30939762EA6 . System.Net
Information: 0 : [3564] SecureChannel#14353717 - Found the certificate
in the LocalMachine store. System.Net Information: 0 : [3564]
SecureChannel#14353717::.AcquireClientCredentials, new
SecureCredential() (flags=(ValidateManual, NoDefaultCred,
SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Ssl3Client,
Tls12Client), m_EncryptionPolicy=RequireEncryption) System.Net
Information: 0 : [3564] AcquireCredentialsHandle(package = Microsoft
Unified Security Protocol Provider, intent = Outbound, scc =
System.Net.SecureCredential) System.Net Error: 0 : [3564]
AcquireCredentialsHandle() failed with error 0X8009030D. System.Net
Information: 0 : [3564] AcquireCredentialsHandle(package = Microsoft
Unified Security Protocol Provider, intent = Outbound, scc =
System.Net.SecureCredential) System.Net Error: 0 : [3564]
AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [3564] Entering
Socket#32115247::Dispose() System.Net Error: 0 : [3564] Exception in
HttpWebRequest#24230272:: - The request was aborted: Could not create
SSL/TLS secure channel.. System.Net Error: 0 : [3564] Exception in
HttpWebRequest#24230272::EndGetRequestStream - The request was
aborted: Could not create SSL/TLS secure channel.. System.Net
Information: 0 : [10700] ServicePoint#16495015 - Closed as idle.
For the ServicePointManager.SecurityProtocol setting I have tried every possible combination, if I do not set it or if I at least include Tls12 then I get this issue otherwise I get an underlying connection was closed error.
Can anyone provide any pointers, please?
The "Could not create SSL/TLS secure channel" error message typically indicates that the HTTPS connection could not be established due to a certificate validation issue. To fix this issue, you can add the following code to your application before making the HTTPS request:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Related
I'm trying to call an API on my server windows 2008 R2, but I keep getting this error :
Could not create SSL/TLS secure channel
I'm launching the app as a Windows service, with the LocalSystem account.
I tried many things from some Question from Stack Overflow to get it started but none of these works:
With AppContext Switch
Without AppContext Switch
With only SSL Protocol 1.2 on Security protocol
Without SecurityProcotol changed
With ExpectContinue = 100
//Config
const string DontEnableSystemDefaultTlsVersions = #"Switch.System.Net.DontEnableSystemDefaultTlsVersions";
const string DontEnableSchUseStrongCryptoName = #"Switch.System.Net.DontEnableSchUseStrongCrypto";
const string DisableUsingServicePointManagerSecurityProtocols = #"Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols";
const string DontEnableSystemDefaultTlsVersionsServiceModel = #"Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions";
AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, false);
AppContext.SetSwitch(DontEnableSystemDefaultTlsVersions, true);
AppContext.SetSwitch(DisableUsingServicePointManagerSecurityProtocols, false);
AppContext.SetSwitch(DontEnableSystemDefaultTlsVersionsServiceModel, true);
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
//API config and Call
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(message.Url);
request.Credentials = CredentialCache.DefaultCredentials;
request.Method = message.Method;
System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding();
Byte[] byteArray = encoding.GetBytes(message.Content);
request.ContentLength = byteArray.Length;
request.ContentType = message.ContentType;
request.UserAgent = message.UserAgent;
request.Accept = message.Accept;
using (Stream dataStream = request.GetRequestStream())
{
dataStream.Write(byteArray, 0, byteArray.Length);
}
The API need TLS 1.2+ to be called.
I have tested Internet Explorer to see if we can call TLS 1.2, and it seems that it can call, I used this https://browserleaks.com/ssl :
BrowserLeak
I tried to call the API from Postman online (with Chrome) and the Postman app on the server, both are calling the API without an issue.
Same with SoapUI, it works.
It works on my computer (Windows 10), it doesn't work on the server, with the same C# Code.
I tried to change the framework, 4.0, 4.5, 4.6, 4.8, doesn't seem to change something.
I have the SSL Handshake, but it doesn't help very much, it said that there was a Handshake failure (02 28):
System.Net.Sockets Verbose: 0 : [51080] Exiting Socket#40535505::Send() -> Int32#174
ProcessId=46588
ThreadId=6
DateTime=2021-11-24T09:05:57.5541547Z
System.Net.Sockets Verbose: 0 : [51080] Entering Socket#40535505::Receive()
ProcessId=46588
ThreadId=6
DateTime=2021-11-24T09:05:57.5541547Z
System.Net.Sockets Verbose: 0 : [51080] Data from Socket#40535505::Receive
ProcessId=46588
ThreadId=6
DateTime=2021-11-24T09:05:57.6151608Z
System.Net.Sockets Verbose: 0 : [51080] 00000000 : 15 03 03 00 02 : .....
ProcessId=46588
ThreadId=6
DateTime=2021-11-24T09:05:57.6151608Z
System.Net.Sockets Verbose: 0 : [51080] Exiting Socket#40535505::Receive() -> Int32#5
ProcessId=46588
ThreadId=6
DateTime=2021-11-24T09:05:57.6151608Z
System.Net.Sockets Verbose: 0 : [51080] Entering Socket#40535505::Receive()
ProcessId=46588
ThreadId=6
DateTime=2021-11-24T09:05:57.6161609Z
System.Net.Sockets Verbose: 0 : [51080] Data from Socket#40535505::Receive
ProcessId=46588
ThreadId=6
DateTime=2021-11-24T09:05:57.6161609Z
System.Net.Sockets Verbose: 0 : [51080] 00000005 : 02 28 : .(
ProcessId=46588
ThreadId=6
DateTime=2021-11-24T09:05:57.6161609Z
The Cipher suite seems to be good, I have the first 3 Cipher suite that are required by the API on the beginning of the suite.
The API need the ISRG Root X1 Certificate, which is in the Trusted Root Certification Authorities store.
I used the tool from windows to modify the registry
https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392
Which enabled the TLS 1.2, it wasn't activated in browserleaks before I launch the tool.
Also SSL 2.0 and SSL3.0 are disabled and TLS1.0, TLS1.1 and TLS1.2 are activated:
Secure channel registry
I can't seem to find a solution to get it worked.
How can I try to find a clue to the issue?
We found the issue, the cipher suite required for the API isn't compatible with the windows server 2008 R2, we verified the cipher suite with
https://www.ssllabs.com/ssltest/ with the url of the api
then compared it with the cipher suites on the server located here :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
and none of them were matching.
I'm trying to create a list all of the file names found in a folder on an FTP server. The full directory is saved in a settings database table along with the login credentials. It is connecting to the FTP area fine, and I can upload/download files to and from it.
This is my code to get the files from the folder.
lstFiles = new List<string>();
string remoteFTPPath = ftpLocation;
var request = (FtpWebRequest)WebRequest.Create(remoteFTPPath);
request.Method = WebRequestMethods.Ftp.ListDirectoryDetails;
request.Credentials = new NetworkCredential(ftpUsername, ftpPassword);
request.Proxy = null;
FtpWebResponse response = (FtpWebResponse)request.GetResponse();
Stream responseStream = response.GetResponseStream();
StreamReader reader = new StreamReader(responseStream);
List<string> directories = new List<string>();
string line = reader.ReadLine();
while (!string.IsNullOrEmpty(line))
{
directories.Add(line);
line = reader.ReadLine();
}
reader.Close();
The issue that I'm having is that currently the folder I'm trying to search is empty, yet it's finding 2 files.
Why is this?
The value in remoteFTPPath is ftp://ftp.myArea.co.uk/myServer.co.uk/System-Files/
This is the folder when I open it in FileZilla - it's definitely an empty folder.
How do I just view all of the files in System-Files and get these into a list?
FileZilla log:
Status: Logged in
Status: Retrieving directory listing of "/myArea.co.uk"...
Status: Directory listing of "/myArea.co.uk" successful
Status: Retrieving directory listing of "/myArea.co.uk/System-Files"...
Status: Directory listing of "/myArea.co.uk/System-Files" successful
And when testing the same code on a C# application, the Network.log file outputs as below.
System.Net Information: 0 : [6132] FtpWebRequest#60068066::.ctor(ftp://ftp.myServer.co.uk/myArea.co.uk/System-Files/)
System.Net Information: 0 : [6132] Current OS installation type is 'Client'.
System.Net Information: 0 : [6132] FtpWebRequest#60068066::GetResponse(Method=LIST.)
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Created connection from xxx.xxx.x.xx:YYYY to xxx.xxx.xxx.x:YY.
System.Net Information: 0 : [6132] Associating FtpWebRequest#60068066 with FtpControlStream#34640832
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [220-Matrix FTP server ready.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 Please note: files for your website must be stored under the htdocs directory.]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Sending command [USER myUser]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [331 User myUser OK. Password required]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Sending command [PASS ********]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [230 OK. Current directory is /]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Sending command [OPTS utf8 on]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [500 Unknown command]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Sending command [PWD]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [257 "/" is your current location]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Sending command [CWD /myArea.co.uk/System-Files]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [250 OK. Current directory is /myArea.co.uk/System-Files]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Sending command [TYPE I]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [200 TYPE is now 8-bit binary]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Sending command [PASV]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [227 Entering Passive Mode (213,171,193,5,117,157)]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Sending command [LIST]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [150 Accepted data connection]
System.Net Information: 0 : [6132] FtpControlStream#34640832 - Received response [226-ASCII
226-Options: -a -l
226 2 matches total]
System.Net Information: 0 : [6132] FtpWebRequest#60068066::(Releasing FTP connection#34640832.)
System.Net Information: 0 : [14644] ServicePoint#33675143 - Closed as idle.
Many FTP servers return . and .. entries in a directory listing, similarly to *nix ls -a or Windows dir commands. Those are references to the directory itself and the parent directory, respectively.
You will get those for any directory, even an empty one (sometimes [e.g. on Windows servers] with an exception of the root folder).
If you do not want those, you need to filter them out in your code. What FileZilla does too for sure.
We have developed a WPF Application with C# and are using RestSharp to communicate with a simple Web Service like this:
Client = new RestClient(serviceUri.AbsoluteUri);
Client.Authenticator = new NtlmAuthenticator(SvcUserName, SvcPassword.GetString());
It all worked great until we received calls that on some machines (most work) the app can't connect to the service.
A direct call to the service method with fiddler worked. Then we extracted a small .net console app and tried the service call with RestSharp and directly with a HttpWebRequest and it failed again with 401.
Now we enabled System.Net tracing and noticed something. After the first 401, which is normal,the faulty machine produces this log:
System.Net Information: 0 : [4480] Connection#3741682 - Received headers
{
Connection: Keep-Alive
Content-Length: 1293
Content-Type: text/html
Date: Mon, 10 Aug 2015 12:37:49 GMT
Server: Microsoft-IIS/8.0
WWW-Authenticate: Negotiate,NTLM
X-Powered-By: ASP.NET
}.
System.Net Information: 0 : [4480] ConnectStream#39451090::ConnectStream(Buffered 1293 bytes.)
System.Net Information: 0 : [4480] Associating HttpWebRequest#2383799 with ConnectStream#39451090
System.Net Information: 0 : [4480] Associating HttpWebRequest#2383799 with HttpWebResponse#19515494
System.Net Information: 0 : [4480] Enumerating security packages:
System.Net Information: 0 : [4480] Negotiate
System.Net Information: 0 : [4480] NegoExtender
System.Net Information: 0 : [4480] Kerberos
System.Net Information: 0 : [4480] NTLM
System.Net Information: 0 : [4480] Schannel
System.Net Information: 0 : [4480] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [4480] WDigest
System.Net Information: 0 : [4480] TSSSP
System.Net Information: 0 : [4480] pku2u
System.Net Information: 0 : [4480] CREDSSP
System.Net Information: 0 : [4480] AcquireCredentialsHandle(package =
NTLM, intent = Outbound, authdata =
(string.empty)\corp\svc_account)
System.Net Information: 0 : [4480]
InitializeSecurityContext(credential =
System.Net.SafeFreeCredential_SECURITY, context = (null), targetName =
HTTP/mysvc.mycorp.com, inFlags = Delegate, MutualAuth,
Connection) System.Net Information: 0 : [4480]
InitializeSecurityContext(In-Buffers count=1, Out-Buffer length=40,
returned code=ContinueNeeded).
A working machine produces this output:
System.Net Information: 0 : [3432] Connection#57733168 - Empfangene Statusleiste: Version = 1.1, StatusCode = 401, StatusDescription = Unauthorized.
System.Net Information: 0 : [3432] Connection#57733168 - Header
{
Content-Type: text/html
Server: Microsoft-IIS/8.0
WWW-Authenticate: Negotiate,NTLM
X-Powered-By: ASP.NET
Date: Mon, 10 Aug 2015 15:15:11 GMT
Content-Length: 1293
} wurden empfangen.
System.Net Information: 0 : [3432] ConnectStream#35016340::ConnectStream(Es wurden 1293 Bytes gepuffert.)
System.Net Information: 0 : [3432] Associating HttpWebRequest#64062224 with ConnectStream#35016340
System.Net Information: 0 : [3432] Associating HttpWebRequest#64062224 with HttpWebResponse#64254500
System.Net Information: 0 : [3432] Sicherheitspakete werden enumeriert:
System.Net Information: 0 : [3432] Negotiate
System.Net Information: 0 : [3432] NegoExtender
System.Net Information: 0 : [3432] Kerberos
System.Net Information: 0 : [3432] NTLM
System.Net Information: 0 : [3432] Schannel
System.Net Information: 0 : [3432] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [3432] WDigest
System.Net Information: 0 : [3432] TSSSP
System.Net Information: 0 : [3432] pku2u
System.Net Information: 0 : [3432] CREDSSP
System.Net Information: 0 : [3432] AcquireCredentialsHandle(package =
Negotiate, intent = Outbound, authdata =
System.Net.SafeSspiAuthDataHandle) System.Net Information: 0 : [3432]
InitializeSecurityContext(credential =
System.Net.SafeFreeCredential_SECURITY, context = (null), targetName =
HTTP/mysvc.mycorp.com, inFlags = Delegate, MutualAuth, Connection)
System.Net Information: 0 : [3432] InitializeSecurityContext(Anzahl
von In-Buffers = 1, Länge von Out-Buffer = 40, zurückgegebener Code =
ContinueNeeded).
I wonder if some configuration on the faulty machine would cause this. At the moment I am not sure where to look next.
Update:
Here is the Code of our simple test tool:
RestClient Client = new RestClient("https://mysvc.mycorp.com/service.svc");
Client.Authenticator = new NtlmAuthenticator("corp\\svc_account", "mypassword");
var request = new RestRequest("api/Method", Method.POST);
request.RequestFormat = DataFormat.Json;
request.AddBody(new { Device_Key = "somestring" });
request.Timeout = 200000;
RestResponse response = (RestResponse)Client.Execute(request);
Update 2:
We have now confirmed that this Problem only occurs on newly installed win 7 machines that have an updated corporate Image. Almost Looks like some update in the last 2 months is screwing with us.
This is crazy: Turns out, as soon as I installed .net 4.5 on the Windows 7 machine, the WebRequest worked! We believe that the culprit was a missing patch of the .NET 4.0 Framework that is deployed to all client machines.
So, patch your machines :)
I have a web app using HttpWebRequest to send some data to a third party service. It is failing when I run it through the web code but when I send pretty much the exact same data using Fiddler's composer it works.
I say "pretty much" because the data contains a password digest and nonce and timestamp that change for every message. I have put a break point and taken the data the web app was about to send and pasted it into Fiddler and it works.
I have set up my code to run through Fiddler's proxy too, which is great - I can see the "raw" data being sent - it still fails, but it's enabled me to check that the headers are all exactly the same and mess with them a bit (didn't find anything useful).
WebProxy myproxy = new WebProxy("127.0.0.1:8889", false);
req.Proxy = myproxy;
I've disabled Fiddler's "automatically authenticate" and "follow redirects" options (have left on "fix content-length header"), just in case one of those was causing Fiddler to act smart.
This post is to a https URL so I did have to add the following lines to ignore Fiddler's certificate problems when decrypting the HTTPS traffic
ServicePointManager
.ServerCertificateValidationCallback +=
(sender, cert, chain, sslPolicyErrors) => true;
Does anyone know of any options on HttpWebRequest that I should enable or disable to make it act as Fiddler does? As the actual content seems to be same, maybe there's a difference in the security/authentication options?
Changing Fiddler's "decrypt HTTPS" setting doesn't seem to affect anything, except mean I can't view the data.
Would using something other than HttpWebRequest be an option? What other libraries are there that don't just use HttpWebRequest under the hood? I don't need async but does HttpClient use a newer library that handles things better?
I've seen other posts about connections and making HttpWebRequest more performant, but at the moment I'm just POSTing a single message.
If it helps here's what the headers look like:
POST https://www.server.com/enterprise/soap?ServiceName=PassportService&auth=1 HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: http://www.server.com/ws/passport/2008/04/PassportService#publishDocumentWithParameters
Host: vha.server.com
Content-Length: 4601
Expect: 100-continue
Connection: Keep-Alive
the body of the message is just SOAP xml
Here is some data from implementing .NET Network Tracing
System.Net Information: 0 : [8864] ConnectStream#7307007 - Sending headers
{
Content-Type: text/xml; charset=utf-8
SOAPAction: http://www.server.com/ws/passport/2008/04/PassportService#publishDocumentWithParameters
Host: vha.server.com
Content-Length: 4393
Expect: 100-continue
Connection: Keep-Alive
}.
System.Net Information: 0 : [8864] SecureChannel#63848051::.ctor(hostname=vha.server.com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [8864] Enumerating security packages:
System.Net Information: 0 : [8864] Negotiate
System.Net Information: 0 : [8864] NegoExtender
System.Net Information: 0 : [8864] Kerberos
System.Net Information: 0 : [8864] NTLM
System.Net Information: 0 : [8864] Schannel
System.Net Information: 0 : [8864] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [8864] WDigest
System.Net Information: 0 : [8864] TSSSP
System.Net Information: 0 : [8864] pku2u
System.Net Information: 0 : [8864] CREDSSP
System.Net Information: 0 : [8864] SecureChannel#63848051 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [8864] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [8864] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = vha.server.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [8864] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=112, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [8864] Socket#55285825::Send()
... then there is some certificate back and forth ...
System.Net Information: 0 : [8864] SecureChannel#63848051 - Remote certificate was verified as valid by the user.
System.Net Information: 0 : [8864] ProcessAuthentication(Protocol=Tls, Cipher=Rc4 128 bit strength, Hash=Md5 128 bit strength, Key Exchange=RsaKeyX 2048 bit strength).
System.Net.Sockets Verbose: 0 : [8864] Socket#55285825::Send()
... then some more stuff ...
System.Net Verbose: 0 : [8864] Exiting HttpWebRequest#49916336::GetRequestStream() -> ConnectStream#7307007
System.Net Verbose: 0 : [8864] ConnectStream#7307007::Write()
System.Net Verbose: 0 : [8864] Data from ConnectStream#7307007::Write
System.Net Verbose: 0 : [8864] 00000000 : 3C 73 6F 61 70 65 6E 76-3A 45 6E 76 65 6C 6F 70 : <soapenv:Envelop
... more SOAP data follows (and what looks like encrypted version ...
... encrypted reply comes back, then it's decrypted ...
System.Net Information: 0 : [8864] Connection#4562529 - Received status line: Version=1.1, StatusCode=401, StatusDescription=Unauthorized.
System.Net Information: 0 : [8864] Connection#4562529 - Received headers
{
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 666
Content-Type: text/xml;charset=UTF-8
Date: Thu, 07 Aug 2014 06:21:40 GMT
Server: XXXX Web Server 8
}.
System.Net Information: 0 : [8864] ConnectStream#27021036::ConnectStream(Buffered 666 bytes.)
System.Net Information: 0 : [8864] Associating HttpWebRequest#49916336 with ConnectStream#27021036
System.Net Information: 0 : [8864] Associating HttpWebRequest#49916336 with HttpWebResponse#16709290
... with some XML with some error info (that the 3rd party doesn't seem to be able to use to pinpoint the issue ...
The short answer is that there is no difference.
Thanks to help from #EricLaw I was able to rule out any other variables he could think of.
The problem was the timestamp in the password digest. My machine time was slightly off and theirs was too (but the other way). So the result was that it worked when I pasted the data into Fiddler because I was delaying it a bit (but not too much). There's a 37 second window for these requests, and when it ran from the code it looked like it was a time from the future to their server.
When there's only one variable, that's probably the problem!
Thanks for your patience and help Eric.
Using the DNOA library, I created a Provider which authenticates a request and sends back the user information (like email, first name, etc). To test this, I created a Relying Party. This system works well on my localhost. When I put the Provider in my server, it worked fine but suddenly, I keep getting failed response.
Looking at the response URL, I CAN see the email, first name being sent back from the Provider, but the RP is not recognizing it and goes into the 'Failed' case. The exact same code on my localhost works fine.
Here is a sample respose -
http://localhost:50952/Default.aspx?dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.xyz.com%2Fuser.aspx%2Fuser123&openid.claimed_id=http%3A%2F%2Fopenid.xyz.com%2Fuser.aspx%2Fuser123&openid.identity=http%3A%2F%2Fopenid.xyz.com%2Fuser.aspx%2Fuser123&openid.sig=1bCd7KJjvtBqEObuQccO9fIx9FMBDiz2zkl8FrIbguw%3D&openid.signed=claimed_id%2Cidentity%2Cassoc_handle%2Cop_endpoint%2Creturn_to%2Cresponse_nonce%2Cns.alias3%2Calias3.mode%2Calias3.type.alias1%2Calias3.value.alias1%2Calias3.type.alias2%2Calias3.value.alias2%2Calias3.type.alias3%2Calias3.value.alias3%2Calias3.type.alias4%2Calias3.value.alias4%2Calias3.type.alias5%2Calias3.value.alias5%2Calias3.type.alias6%2Calias3.value.alias6%2Calias3.type.alias7%2Calias3.value.alias7&openid.assoc_handle=Bw5H%21IAAAAHoxEw3Q_7vF6XVheBEr7uMn03oSJXmatbjAbWReLG7tQQAAAAGuW5aLeRJZRqnrlrT6CdzWGVtOEgD-4CuYOVcJZLopnig3xaAjzoJaVePTEhPigbL4dtWQqJzmSo7bgivW8815&openid.op_endpoint=http%3A%2F%2Fopenid.xyz.com%2Fserver.aspx&openid.return_to=http%3A%2F%2Flocalhost%3A50952%2FDefault.aspx%3Fdnoa.userSuppliedIdentifier%3Dhttp%253A%252F%252Fopenid.xyz.com%252Fuser.aspx%252Fuser123&openid.response_nonce=2013-07-27T23%3A46%3A49ZFINSwMcn&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.alias3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.alias3.mode=fetch_response&openid.alias3.type.alias1=UserName&openid.alias3.value.aluser123&openid.alias3.type.alias2=FirstName&openid.alias3.value.alias2=N&openid.alias3.type.alias3=LastName&openid.alias3.value.alias3=Smith&openid.alias3.type.alias4=RemoteLogin&openid.alias3.value.alias4=1&openid.alias3.type.alias5=StaffType&openid.alias3.value.alias5=&openid.alias3.type.alias6=DEANumber&openid.alias3.value.alias6=&openid.alias3.type.alias7=StateNumber&openid.alias3.value.alias7=
You can see that the fields with personal information is present! why does the RP still show 'failed'?
EDIT: So the RP gets a proper response when Provider is from LocalHost but fails when Provider is on the server. Here the value of the immediate window of the RP with the Localhost provider:
WebDev.WebServer40.exe Information: 0 : HTTP GET http://localhost:58242/user.aspx/user123
WebDev.WebServer40.exe Information: 0 : An XRDS response was received from GET at user-supplied identifier.
WebDev.WebServer40.exe Information: 0 : Total services discovered in XRDS: 2
WebDev.WebServer40.exe Information: 0 : [{
ClaimedIdentifier: http://localhost:58242/user.aspx/user123
ProviderLocalIdentifier: http://localhost:58242/user.aspx/user123
ProviderEndpoint: http://localhost:58242/server.aspx
OpenID version: 2.0
Service Type URIs:
http://specs.openid.net/auth/2.0/signon
http://openid.net/extensions/sreg/1.1
}, {
ClaimedIdentifier: http://localhost:58242/user.aspx/user123
ProviderLocalIdentifier: http://localhost:58242/user.aspx/user123
ProviderEndpoint: http://localhost:58242/server.aspx
OpenID version: 1.0
Service Type URIs:
http://openid.net/signon/1.0
http://openid.net/extensions/sreg/1.1
},]
WebDev.WebServer40.exe Information: 0 : Skipping HTML discovery because XRDS contained service endpoints.
WebDev.WebServer40.exe Information: 0 : Received identity assertion for http://localhost:58242/user.aspx/user123 via http://localhost:58242/server.aspx.
And here is the RP immediate window with the Provider on the server:
WebDev.WebServer40.exe Information: 0 : HTTP GET https://openid.xyz.com/user.aspx/user123
WebDev.WebServer40.exe Information: 0 : An XRDS response was received from GET at user-supplied identifier.
WebDev.WebServer40.exe Information: 0 : Total services discovered in XRDS: 2
WebDev.WebServer40.exe Information: 0 : [{
ClaimedIdentifier: https://openid.xyz.com/user.aspx/user123
ProviderLocalIdentifier: https://openid.xyz.com/user.aspx/user123
ProviderEndpoint: https://openid.xyz.com/server.aspx
OpenID version: 2.0
Service Type URIs:
http://specs.openid.net/auth/2.0/signon
http://openid.net/extensions/sreg/1.1
}, {
ClaimedIdentifier: https://openid.xyz.com/user.aspx/user123
ProviderLocalIdentifier: https://openid.xyz.com/user.aspx/user123
ProviderEndpoint: https://openid.xyz.com/server.aspx
OpenID version: 1.0
Service Type URIs:
http://openid.net/signon/1.0
http://openid.net/extensions/sreg/1.1
},]
WebDev.WebServer40.exe Information: 0 : Skipping HTML discovery because XRDS contained service endpoints.
WebDev.WebServer40.exe Information: 0 : Performing discovery on user-supplied identifier: https://openid.xyz.com/user.aspx/user123
WebDev.WebServer40.exe Information: 0 : Creating authentication request for user supplied Identifier: https://openid.xyz.com/user.aspx/user123
WebDev.WebServer40.exe Information: 0 : Preparing to send CheckIdRequest (2.0) message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElementRelyingParty applied to message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement did not apply to message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySigningBindingElement did not apply to message.
WebDev.WebServer40.exe Information: 0 : Sending message: CheckIdRequest
WebDev.WebServer40.exe Information: 0 : Redirecting to https://openid.xyz.com/server.aspx?openid.claimed_id=https%3A%2F%2Fopenid.xyz.com%2Fuser.aspx%user123&openid.identity=https%3A%2F%2Fopenid.xyz.com%2Fuser.aspx%user123&openid.assoc_handle=woRX%21IAAAAI8Cn8mo2fHDzAFTyfYMZo7lsBbLcv5iKzliqwfmhxyjQQAAAAFNfXjeTdiwJif_mcgZSqkQOe1wQ79P1GaU1FZw1A4LonBK0rO2OjBpgr8uqCZ4VYYv2C9AJICbSDGN-z19OoqI&openid.return_to=http%3A%2F%2Flocalhost%3A50952%2FDefault.aspx%3Fdnoa.userSuppliedIdentifier%3Dhttps%253A%252F%252Fopenid.xyz.com%252Fuser.aspx%user123&openid.realm=http%3A%2F%2Flocalhost%3A50952%2F&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.alias3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.alias3.if_available=alias1%2Calias2%2Calias3%2Calias4%2Calias5%2Calias6%2Calias7&openid.alias3.mode=fetch_request&openid.alias3.type.alias1=UserName&openid.alias3.count.alias1=1&openid.alias3.type.alias2=FirstName&openid.alias3.count.alias2=1&openid.al
ias3.type.alias3=LastName&openid.alias3.count.alias3=1&openid.alias3.type.alias4=RemoteLogin&openid.alias3.count.alias4=1&openid.alias3.type.alias5=DEANumber&openid.alias3.count.alias5=1&openid.alias3.type.alias6=StateNumber&openid.alias3.count.alias6=1&openid.alias3.type.alias7=StaffType&openid.alias3.count.alias7=1
A first chance exception of type 'System.Threading.ThreadAbortException' occurred in mscorlib.dll
An exception of type 'System.Threading.ThreadAbortException' occurred in mscorlib.dll but was not handled in user code
WebDev.WebServer40.exe Information: 0 : Incoming HTTP request: GET http://localhost:50952/Default.aspx?dnoa.userSuppliedIdentifier=https%3A%2F%2Fopenid.xyz.com%2Fuser.aspx%user123&openid.claimed_id=https%3A%2F%2Fopenid.xyz.com%2Fuser.aspx%user123&openid.identity=https%3A%2F%2Fopenid.xyz.com%2Fuser.aspx%user123&openid.sig=narSsDwDWz69GrdFNuz%2F57Gy%2BOO4%2BFDdNTIWM5BpJBE%3D&openid.signed=claimed_id%2Cidentity%2Cassoc_handle%2Cop_endpoint%2Creturn_to%2Cresponse_nonce%2Cns.alias3%2Calias3.mode%2Calias3.type.alias1%2Calias3.value.alias1%2Calias3.type.alias2%2Calias3.value.alias2%2Calias3.type.alias3%2Calias3.value.alias3%2Calias3.type.alias4%2Calias3.value.alias4%2Calias3.type.alias5%2Calias3.value.alias5%2Calias3.type.alias6%2Calias3.value.alias6%2Calias3.type.alias7%2Calias3.value.alias7&openid.assoc_handle=woRX%21IAAAAI8Cn8mo2fHDzAFTyfYMZo7lsBbLcv5iKzliqwfmhxyjQQAAAAFNfXjeTdiwJif_mcgZSqkQOe1wQ79P1GaU1FZw1A4LonBK0rO2OjBpgr8uqCZ4VYYv2C9AJICbSDGN-z19OoqI&openid.op_endpoint=https%3A
%2F%2Fopenid.xyz.com%2Fserver.aspx&openid.return_to=http%3A%2F%2Flocalhost%3A50952%2FDefault.aspx%3Fdnoa.userSuppliedIdentifier%3Dhttps%253A%252F%252Fopenid.xyz.com%252Fuser.aspx%user123&openid.response_nonce=2013-07-29T01%3A05%3A41ZNuPERYFm&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.alias3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.alias3.mode=fetch_response&openid.alias3.type.alias1=UserName&openid.alias3.value.alias1=user123&openid.alias3.type.alias2=FirstName&openid.alias3.value.alias2=N&openid.alias3.type.alias3=LastName&openid.alias3.value.alias3=Smith&openid.alias3.type.alias4=RemoteLogin&openid.alias3.value.alias4=1&openid.alias3.type.alias5=StaffType&openid.alias3.value.alias5=&openid.alias3.type.alias6=DEANumber&openid.alias3.value.alias6=&openid.alias3.type.alias7=StateNumber&openid.alias3.value.alias7=
WebDev.WebServer40.exe Information: 0 : Incoming request received: PositiveAssertionResponse
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message.
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
WebDev.WebServer40.exe Information: 0 : Verifying incoming PositiveAssertionResponse message signature of: narSsDwDWz69GrdFNuz/57Gy+OO4+FDdNTIWM5BpJBE=
WebDev.WebServer40.exe Information: 0 : Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySigningBindingElement applied to message.
A first chance exception of type 'DotNetOpenAuth.Messaging.ProtocolException' occurred in DotNetOpenAuth.DLL
The difference that I see is the line Received identity assertion which is not present for the server provider.