I have a test environment set up using windows server 2012 R2, ADFS and sharepoint 2013. I can successfully login to Sharepoint 2013 using ADFS as the Claims Identity provider. Now I am trying to login to Sharepoint from my C# application.
I am able to request the saml assertion token from adfs using the following.
Now i would like help with posting the saml token to SharePoint and retrieve a FedAuth cookie so I can passively login to SharePoint 2013 and upload a document from a C# application.
When I call the last method PostSharePointSTS() No Cookies are set.
most of the code has been the help of Leandro Boffi
[TestMethod]
public void GetSamlTestMethod()
{
var client = new WebClient();
client.Headers.Add("Content-Type", "application/soap+xml; charset=utf-8");
string username = "Administrator#2012r2.local";
string password = "Password1";
string adfsServer = "https://logon.2012r2.local/adfs/services/trust/2005/UsernameMixed";
string sharepoint = "https://portal.2012r2.local/_trust/";
var samlRequest = GetSAML()
.Replace("[Username]", username)
.Replace("[Password]", password)
.Replace("[To]", adfsServer)
.Replace("[applyTo]", sharepoint);
var result = client.UploadString(
address: "https://logon.2012r2.local/adfs/services/trust/2005/UsernameMixed",
method: "POST",
data: samlRequest);
PostSharePointSTS( GetSAMLAssertion(result) );
}
private static string GetSAMLAssertion(string response)
{
XDocument samlResponse = XDocument.Parse( response);
// Check response xml for faults/errors
if(samlResponse.Root == null)
throw new ApplicationException("Invalid response received from authentication service.");
XNamespace s = "http://www.w3.org/2003/05/soap-envelope";
XNamespace psf = "http://schemas.microsoft.com/Passport/SoapServices/SOAPFault";
XNamespace wst = "http://schemas.xmlsoap.org/ws/2005/02/trust"; // "http://docs.oasis-open.org/ws-sx/ws-trust/200512";//
XNamespace wsp = "http://schemas.xmlsoap.org/ws/2004/09/policy";
XNamespace wsa = "http://www.w3.org/2005/08/addressing";
XNamespace wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
const string saml = "urn:oasis:names:tc:SAML:1.0:assertion";
// the logon token is in the SAML assertion element of the message body
XDocument xDoc = XDocument.Parse(response, LoadOptions.PreserveWhitespace);
var assertion = from e in xDoc.Descendants()
where e.Name == XName.Get("Assertion", saml)
select e;
string samlAssertion = assertion.FirstOrDefault().ToString();
// for some reason the assertion string needs to be loaded into an XDocument
// and written out for for the XML to be valid. Otherwise we get an invalid
// XML error back from ADFSs
XDocument doc1 = XDocument.Parse(samlAssertion);
samlAssertion = doc1.ToString(SaveOptions.DisableFormatting);
return samlAssertion;
}
private static string GetSAML()
{
const string saml = #"<?xml version='1.0' encoding='utf-8' ?>
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:a='http://www.w3.org/2005/08/addressing' xmlns:u='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<s:Header>
<a:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand='1'>[To]</a:To>
<o:Security s:mustUnderstand='1' xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
<o:UsernameToken>
<o:Username>[Username]</o:Username>
<o:Password>[Password]</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t='http://schemas.xmlsoap.org/ws/2005/02/trust'>
<wsp:AppliesTo xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'>
<a:EndpointReference>
<a:Address>[applyTo]</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>";
return saml;
}
private static void PostSharePointSTS(string assertion)
{
// Submit the BinarySecurityToken to SPO and retrieve response
var loginUri = new Uri("https://logon.2012r2.local/adfs/ls?wa=wsignin1.0&wtrealm=urn:sharepoint:portal");
var requestCookies = new CookieContainer();
var request = (HttpWebRequest)WebRequest.Create(loginUri);
request.AllowAutoRedirect = false;
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = assertion.Length;
request.CookieContainer = requestCookies;
request.Method = "POST";
request.UserAgent = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)";
using(var requestWriter = new StreamWriter(request.GetRequestStream()))
{
requestWriter.Write(assertion);
requestWriter.Close();
}
var response = (HttpWebResponse)request.GetResponse();
switch(response.StatusCode)
{
case HttpStatusCode.OK:
case HttpStatusCode.Found:
break;
// TODO: Log error?
//default:
//return false;
}
}
When I try to Post the given SAML token to SharePOint I get the following. But no cookies are set.
HTTP/1.1 302 Found
Content-Length: 0
Content-Type: text/html; charset=utf-8
Location: https://logon.2012r2.local:443/adfs/ls/wia?wa=wsignin1.0&wtrealm=urn:sharepoint:portal
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 16 Aug 2014 10:55:51 GMT
This response did not set any cookies.
This response did not contain a P3P Header.
Validate P3P Policies at: http://www.w3.org/P3P/validator.html
Learn more at: http://fiddler2.com/r/?p3pinfo
Why don't you just use the standard SharePoint CSOM library to do whatever you want in SharePoint? CSOM does all the necessary ADFS interaction on behalf of the user on the SharePoint side automatically.
Related
I am new to the C# world, and can't for the life of me figure out how to get around this error. I am trying to make a simple get request using a platform API key. I have built out the API connection in Google App Script on the same laptop, and it works fine, but when trying to build out the same API in C#, it is returning:
{StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Date: Sun, 13 Mar 2022 02:41:29 GMT
Transfer-Encoding: chunked
Connection: close
CF-Chl-Bypass: 1
Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: SAMEORIGIN
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Strict-Transport-Security: max-age=2592000
Server: cloudflare
CF-RAY: 6eb1692f8bd776c3-LHR
Content-Type: text/html; charset=utf-8
Expires: Thu, 01 Jan 1970 00:00:01 GMT
}}
The API documentation says:
"To authenticate against the API, include your API key in the 'Authorization' header, prefixed with 'Key ', in every request. Example: 'Authorization: Key yourapikey'"
And so, I have tried adding this to
a) the HttpClient via HttpClient.DefaultRequestHeaders.Authorization
b) the HttpClient via HttpClient.DefaultHeaders.Add
c) the HttpRequestMessage via HttpRequestMessage.Headers.Add
In each instance, the request URI looks good, as well as the headers, but still returning 403.
My current structure is:
// services
builder.Services.AddHttpClient("myplatform", c =>
{
c.BaseAddress = new Uri("https://seller-api.myplatform.com/v2/");
c.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
});
// controller
// constructor uses IHttpClientFactory
this._httpClient = clientFactory.CreateClient("myplatform");
// service
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Key", platformKey);
string endPoint = "offers" + CreateQueryString(pageNumber, pageSize);
// example endPoint: offers?page_number=1&page_size=100
var requestMsg = new HttpRequestMessage()
{
Method = HttpMethod.Get,
RequestUri = new Uri(httpClient.BaseAddress + endPoint)
};
try
{
var result = await httpClient.SendAsync(requestMsg);
}
catch (Exception ex)
{
}
Again, the content of the call works when calling through GoogleAppScript. What am I doing wrong in C#, and how can I correct this?
Not sure if this is all the information needed - let me know otherwise! Important to note, the target framework is .NET 6.0.
EDIT
As suggested by a comment around duplicate clients, I have removed the client factory. I am now creating a new HttpClient in the controller constructor, and passing this client to my service to do the GET request.
this._httpClient = new HttpClient();
Again, the client and the request message look well formed at time of request but still returning 403 error. Is there an issue with my VS22 client, or web client etc.?
Also, the call I am making successfully via Google AppScript is using UrlFetchApp. Not sure what is the issue here with the C# side..
EDIT2
Adding current GAS code for reference:
var url = 'https://seller-api.platform.com/v2';
var end_point = '/offers?';
var header = {
'Authorization': api_key
}
var params = {
'method': 'GET',
'headers': header
}
// call API
var page_query = 'page_number=' + page + '&page_size=' + maxItemsPerPage;
var full_url = url + end_point + page_query;
var response = UrlFetchApp.fetch(full_url, params);
The HTTP 403 Forbidden response status code indicates that the server understands the request but refuses to authorize it.
There are two ways add request headers when using HttpClient:
Add headers for all requests using HttpClient.DefaultRequestHeaders.
HttpClient = new HttpClient();
HttpClient.DefaultRequestHeaders.Add("Key", platformKey);
var response = await HttpClient.GetAsync(GetRandomNumberUrl);
response.EnsureSuccessStatusCode();
await response.Content.ReadAsStringAsync();
Add headers per request using HttpRequestMessage.Headers.
HttpClient = new HttpClient();
using (var request = new HttpRequestMessage(HttpMethod.Get, randomNumberUrl))
{
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", platformKey);
var response = await HttpClient.SendAsync(request);
response.EnsureSuccessStatusCode();
await response.Content.ReadAsStringAsync();
}
Your problem is here in this line:
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Key", platformKey);
your _httpClient and Authorization httpClient is not same instance.
Try this way:
HttpClient HttpClient = new HttpClient();
string url = "https://seller-api.platform.com/v2";
string end_point = "/offers?";
string api_key = "key here";
string page_query = "page_number=" + 10 + "&page_size=" + 20;
string full_url = url + end_point + page_query;
using (var request = new HttpRequestMessage(HttpMethod.Get, url))
{
request.Headers.Add("Authorization", api_key);
var response = await HttpClient.SendAsync(request);
response.EnsureSuccessStatusCode();
var m = await response.Content.ReadAsStringAsync();
}
Solution 2:
Try calling it like a browser :
HttpClient httpClient = new HttpClient();
string url = "https://gatewayt.whatever.com/chkt/request/request.php";
string end_point = "/offers?";
string api_key = "key here";
string page_query = "page_number=" + 10 + "&page_size=" + 20;
string full_url = url + end_point + page_query;
httpClient.DefaultRequestHeaders.TryAddWithoutValidation("Accept", "text/html,application/xhtml+xml,application/xml");
httpClient.DefaultRequestHeaders.TryAddWithoutValidation("Accept-Encoding", "gzip, deflate");
httpClient.DefaultRequestHeaders.TryAddWithoutValidation("User-Agent", "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0");
httpClient.DefaultRequestHeaders.TryAddWithoutValidation("Accept-Charset", "ISO-8859-1");
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Key", api_key);
var response = await httpClient.GetAsync(url);
response.EnsureSuccessStatusCode();
await response.Content.ReadAsStringAsync();
source: Request like browser Link1 Link2 Link3
Somehow I Iam not able to download the html content of https://{YourName}.visualstudio.com/Defaultcollection/ via HttpWebRequest/WebRequest or WebClient.
It always results a HTML-Page with following error Message:
Microsoft Internet Explorer's Enhanced Security Configuration is currently enabled on your environment. This enhanced level of security prevents our web integration experiences from displaying or performing correctly. To continue with your operation please disable this configuration or contact your administrator.
I have tried alot of ways to get to my needed result. I tried using OAuth2 and also setup Alternate authentication credentials. I even disabled Microsoft Internet Explorer's Enhanced Security.
Here are 2 of my x methods which doesnt seem to work. Both give the same result (see error msg above):
private static void Test()
{
WebClient client = new WebClient();
client.UseDefaultCredentials = true;
client.Credentials = new NetworkCredential(UserName,Password);
//Pretend to be a browser
client.Headers.Add("user-agent", "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)");
var HTML = client.DownloadString("https://<YourName>.visualstudio.com/Defaultcollection/");
Console.WriteLine(HTML);
}
private static void Test2()
{
CookieContainer cookies = new CookieContainer();
HttpWebRequest authRequest = (HttpWebRequest)HttpWebRequest.Create("https://<YourName>.visualstudio.com/Defaultcollection/");
//Set Header
authRequest.UserAgent = "Mozilla/5.0 (Windows NT 5.1; rv:2.0b8) Gecko/20100101 Firefox/4.0b8";
authRequest.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
authRequest.Headers.Add("Accept-Encoding", "gzip, deflate");
authRequest.Headers.Add("Accept-Language", "de,en;q=0.5");
authRequest.Headers.Add("Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7");
//authRequest.Headers.Add("Keep-Alive", "30000");
authRequest.Headers.Add(HttpRequestHeader.Authorization, SetAuthHeaderValue());
//Something
authRequest.ContentLength = 0;
authRequest.ContentType = "application/soap+xml; charset=utf-8";
authRequest.Host = "<YourName>.visualstudio.com";
//Set Cookies
authRequest.CookieContainer = cookies;
HttpWebResponse response = (HttpWebResponse)authRequest.GetResponse();
StreamReader readStream = new StreamReader(response.GetResponseStream());
string HTML = readStream.ReadToEnd();
Console.WriteLine(HTML);
readStream.Close();
}
private static string SetAuthHeaderValue()
{
//string _auth = string.Format("{0}:{1}",UserName,Password);
//string _enc = Convert.ToBase64String(Encoding.ASCII.GetBytes(_auth));
String encoded = System.Convert.ToBase64String(System.Text.Encoding.GetEncoding("ISO-8859-1").GetBytes(UserName + ":" + Password));
string _cred = string.Format("{1}", "Basic", encoded);
return _cred;
}
I picked the Header-Values you see here, by tracing the connection with fiddler.
Is somebody able to authenticated,connect and download the html-content from https://{YourName}.visualstudio.com/Defaultcollection/?
Would be awesome, thanks :)!
I'm trying to get a SAML Assertion from ADFS using WIF 4.5, and WS-Trust, so that I can send that Assertion to a Service Provider and obtain an OAuth ticket.
In fact, I've been able to get the SAML Assertion, but it's not a valid one, because the Recipient attribute from SubjectConfirmationData is not received. And it is a mandatory datum.
I'm doing my test in a Console Application (so it's executing with my credentials, as I have checked using Fiddler, it performs a Kerberos negotiation before receiving the Assertion). I'm obtaining the token doing so (based on RequestSecurityToken using windows credentials and .net 4.5 WIF):
public static string GetStsToken()
{
try
{
EndpointReference appliesToEp = new EndpointReference(ENDPOINT_REFERENCE_URI);
EndpointAddress stsEp = new EndpointAddress(
new Uri("https://<ADFS-SERVER>/adfs/services/trust/2005/windowstransport"),
EndpointIdentity.CreateSpnIdentity(ADFS_SPN));
WS2007HttpBinding msgBinding = new WS2007HttpBinding(SecurityMode.Transport, false);
msgBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
msgBinding.Security.Message.EstablishSecurityContext = false;
msgBinding.Security.Message.NegotiateServiceCredential = false;
msgBinding.Security.Message.ClientCredentialType = MessageCredentialType.None;
using (WSTrustChannelFactory factory = new WSTrustChannelFactory(msgBinding, stsEp))
{
factory.Credentials.SupportInteractive = false;
factory.TrustVersion = TrustVersion.WSTrustFeb2005;
RequestSecurityToken myRst =
new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Bearer)
{
AppliesTo = appliesToEp,
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
};
IWSTrustChannelContract channel = factory.CreateChannel();
GenericXmlSecurityToken stsToken = channel.Issue(myRst) as GenericXmlSecurityToken;
if (stsToken != null)
{
return stsToken.TokenXml.OuterXml;
}
else
{
// SOME WARNING IS ISSUED
}
}
}
catch (Exception ex)
{
// THE EXCEPTION IS REGISTERED
}
return null;
}
With this code, the request sent is the following:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:MessageID>urn:uuid:8c221169-52b2-42bf-87f8-7089b6feb0a9</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://ADFS-SERVER/adfs/services/trust/2005/windowstransport</a:To>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>ENDPOINT_REFERENCE</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:KeySize>0</t:KeySize>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
The Assertion I receive seems a valid one, but the Recipient is missing from the SubjectConfirmationData, and so, when I send that Assertion to the Service Provider, the Authentication fails.
If I use the Web IdP Initiated Login, which sends a samlp:AuthnRequest to the server, and decode the obtained SAML Assertion that ADFS emits in that case (again, using Fiddler), the Recipient attribute is received, and the SSO works. I can see the method used to obtain the assertion is different (Web-SSO is used in this case), but in both cases the Relying Party is the same, and so the emitted Assertion should be similar.
Is there any way I can receive the proper Recipient when obtaining the Token using WS-Trust from ADFS?
In the end, I've ended obtaining the SAML Assertion using the IdP Initiated Sign On page.
public static string GetStsToken(string relyingPartyUri)
{
string result = null;
string samlHttpPostUri = string.Format(
"https://<ADFS-SERVER>/adfs/ls/idpinitiatedsignon.aspx?loginToRp={0}",
relyingPartyUri
);
WebRequest req = WebRequest.Create(samlHttpPostUri);
req.Method = WebRequestMethods.Http.Get;
req.Credentials = CredentialCache.DefaultNetworkCredentials;
XDocument xDoc = null;
try
{
using (WebResponse resp = req.GetResponse())
{
using (StreamReader reader = new StreamReader(resp.GetResponseStream()))
{
string htmlResult = reader.ReadToEnd();
xDoc = XDocument.Parse(htmlResult);
string samlResponseBase64 = (from xElement in xDoc.Descendants()
where xElement.Name == "input" &&
xElement.Attribute("name").Value == "SAMLResponse"
select xElement.Attribute("value").Value).FirstOrDefault();
result = System.Text.Encoding.UTF8.GetString(
Convert.FromBase64String(samlResponseBase64)
);
}
}
}
catch (WebException webExc)
{
using (StreamReader reader = new StreamReader(webExc.Response.GetResponseStream()))
{
// THE EXCEPTION IS REGISTERED
}
}
return result;
}
The SAML Response is correct, and I can use it to obtain the OAuth Token from the Relying Party.
BUT, of course, I'm not using WS-Trust in this case. This is not a solution, but a Workaround.
I am attempting to web scrape date from my various remote transmitters. I have one brand of transmitter that I can log into with the following c# code:
public static string getSourceCode(string url, string user, string pass)
{
SecureString pw = new SecureString();
foreach (char c in pass.ToCharArray()) pw.AppendChar(c);
NetworkCredential credential = new NetworkCredential(user, pw, url);
CredentialCache cache = new CredentialCache();
cache.Add(new Uri(url), "Basic", credential);
Uri realLink = new Uri(url);
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(realLink);
req.Credentials = CredentialCache.DefaultNetworkCredentials;
HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
StreamReader sr = new StreamReader(resp.GetResponseStream());
string sourceCode = sr.ReadToEnd();
sr.Close();
resp.Close();
return sourceCode;
}
The second brand of transmitter (I'm hesitant to put the url out in public) instead of returning a web page requesting username and password returns a box requesting username and password. using the above code just returns an unauthorized error.
Fiddler says the following is sent when I successfully login to the site:
GET http(colon slash slash)lasvegas3abn(*)dyndns(*)tv(PORT)125(slash)measurements(*)htm HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Touch)
Accept-Encoding: gzip, deflate
Host: lasvegas3abn.dyndns.tv:125
Authorization: Basic dXNlcjpsaW5lYXI=
Connection: Keep-Alive
DNT: 1
Any suggestions?
Instead of:
req.Credentials = CredentialCache.DefaultNetworkCredentials;
you can specify a credential that uses a specific username and password:
req.Credentials = new NetworkCredential("username", "password");
This should enable you to get through the login prompt (assuming that you specify the correct username and password).
When I call serever like this:
var client = new RestClient();
client.Authenticator = new NtlmAuthenticator();
var request = new RestRequest(uri);
request.Method = Method.POST;
request.RequestFormat = DataFormat.Xml;
request.AddParameter("application/atom+xml", doc /*some xml document*/, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
Debug.WriteLine(response.Content);
if(response.StatusCode == HttpStatusCode.Created)
{
// always 401
}
I get next server responce:
<?xml version="1.0" encoding="UTF-8"?>
<SmoothStreaming xmlns="http://schemas.microsoft.com/iis/media/2011/03/streaming/management">
<Error>
<ErrorCode>0x80880022</ErrorCode>
<ErrorMessage>All requests to the management APIs must be authenticated. Please install and enable an appropriate IIS authentication module for this website.</ErrorMessage>
</Error>
</SmoothStreaming>
What and where should I change (install)?