I have a .NET 3.5 desktop application that had been showing periodic slow downs in functionality whenever the test machine it was on was out of the office.
I managed to replicate the error on a machine in the office without an internet connection, but it was only when i used ANTS performance profiler that i got a clearer picture of what was going on.
In ANTS I saw a "Waiting for synchronization" taking up to 16 seconds that corresponded to the delay I could see in the application when NHibernate tried to load the System.Data.SqlServerCE.dll assembly.
If I tried the action again immediately it would work with no delay but if I left it for 5 minutes then it would be slow to load again the next time I tried it.
From my research so far it appears to be because the SqlServerCE dll is signed and so the system is trying to connect to get the certificate revocation lists and timing out.
Disabling the "Automatically detect settings" setting in the Internet Options LAN settings makes the problem go away, as does disabling the "Check for publishers certificate revocation".
But the admins where this application will be deployed are not going to be happy with the idea of disabling certificate checking on a per machine or per user basis so I really need to get the application level disabling of the CRL check working.
There is the well documented bug in .net 2.0 which describes this behaviour, and offers a possible fix with a config file element.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
</configuration>
This is NOT working for me however even though I am using .net 3.5.
The SQLServerCE dll is being loaded dynamically by NHibernate and I wonder if the fact that it's dynamic could somehow be why the setting isn't working, but I don't know how I could check that.
Can anyone offer suggestions as to why the config setting might not work?
Or is there another way I could disable the check at the application level, perhaps a CAS policy setting that I can use to set an exception for the application when it's installed?
Or is there something I can change in the application to up the trust level or something like that?
You can specify in code if you want to check the revocation list per application:
ServicePointManager.CheckCertificateRevocationList = false;
In this blog posting (which cites another source) you have two options: disable CRL checking system wide or per app:
Disable CRL Checking Machine-Wide Control Panel -> Internet Options ->
Advanced -> Under security, uncheck the Check for publisher's
certificate revocation option
Disable CRL Checking For a Specific .Net Application See this
Microsoft KB Article: http://support.microsoft.com/kb/936707
What solved the problem for me:
I (think I) had a problem with online revocation before, so I explicitly switched to offline. Due to to warning, I now had to change...
_ = builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(
options =>
{
options.AllowedCertificateTypes = CertificateTypes.All;
options.RevocationMode = X509RevocationMode.Offline;
}
);
... to ...
_ = builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(
options =>
{
options.AllowedCertificateTypes = CertificateTypes.All;
options.RevocationMode = X509RevocationMode.NoCheck;
}
);
Related
I am trying to customize my current CAS WAR Overlay. More specifically I need to get access to Dashboard (or something where I could do some changes, maybe change default user password atleast).
CAS documentation is a great source, but I found out that it's quite overwhelming for beginner, especially if you did not used spring boot before.
So far I made a fresh install of CAS version 5.2 with Gradle, and deployed .war file on Tomcat 9.0 localhost. SSL is enabled. Note: Part with Gradle and Maven dependencies is clear.
Currently I am only able to login with casuser//Mellon default credentials. And I can see the links to things like Dashboard and such... But when I try to navigate there, I am told that I need permission to view that page.
Bellow is content of cas.properties file located:[cas-overlay-root]/etc/cas/config/cas.properties So far that is the only thing that I edited.
# server.port = 8443
cas.server.name: https://localhost:8443
cas.server.prefix: https://localhost:8443/cas
cas.adminPagesSecurity.ip=127\.0\.0\.1
logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services
# SSL
# server.ssl.enabled=false
server.ssl.enabled=true
server.ssl.keyStore=file:/etc/cas/thekeystore
server.ssl.keyStorePassword=changeit
server.ssl.keyPassword=changeit
server.port=8443
Any information on how to customize CAS Web Overlay, and enable links would be much appreciated.
maybe some other people will find this useful, so these are the settings which worked for me. They are very useful for testing local configuration because they are not secured so they should not be used in production.
endpoints.enabled = true
endpoints.sensitive = false
endpoints.actuator.enabled = true
management.security.enabled = false
cas.adminPagesSecurity.ip = 127\\.0\\.0\\.1
cas.adminPagesSecurity.actuatorEndpointsEnabled = true
cas.monitor.endpoints.enabled = true
cas.monitor.endpoints.sensitive = false
Please note that the ip property is a regular expression.
I am getting this exception :-
ErrorCode:SubStatus:There is a temporary failure. Please retry later. (One or more specified cache servers are
unavailable, which could be caused by busy network or servers. For
on-premises cache clusters, also verify the following conditions.
Ensure that security permission has been granted for this client
account, and check that the AppFabric Caching Service is allowed
through the firewall on all cache hosts. Also the MaxBufferSize on the
server must be greater than or equal to the serialized object size
sent from the client.). Additional Information : The client was trying
to communicate with the server: net.tcp://RoleName:24233.
I have followed this :- Documentation and there are lots of questions and article there but they are little bit old.
Client creation :-
var cacheFactory = new DataCacheFactory();
_cacheClient = (string.IsNullOrWhiteSpace(cacheName))
? cacheFactory.GetDefaultCache() : cacheFactory.GetCache(cacheName);
WebConfig :-
<dataCacheClients>
<dataCacheClient name="default" >
<autoDiscover isEnabled="true" identifier="RoleName" />
</dataCacheClient>
Retry Policy :- It is inbuild now DataCacheFactory with interval of 1 minute and 60 recount.
I have latest nuget packages like Windows.azure.caching with version 2.5. So does anybody has solved this problem recently. i am quite a stuck here. any help is appreciated.
After hit and trial we have found that you should have the latest versions of both Windows Azure Tools and Windows Azure Cache libraries. What you can do is just install the latest Windows.Azure.Cache and then go to you publish azure settings project. Right click go to Properties => Application tab then upgrade the Windows Azure tools to latest version. And now everything will work like a charm :)
Hope it will save someone else day :)
I am developing a c# application, and using Pinvoke to call the method WinVerifyTrust.
the pinvoke declaration is as defined in Pinvoke.net.
The RevocationChecks is set to none.
When trying to check my program on iExplorer, at first it worked ok and returned status ok for the file, but suddenly it started failing with CERT_E_REVOCATION_FAILURE, and then after a while it was ok again.
What might cause this weird behavior? does it mean that I am doing something wrong?
By default WinVerifyTrust tries to download any associated Certificate Revocation List (CRL) to verify that the certificate has not been explicitly revoked. If your connection to the Internet is not stable and the download fails, the CERT_E_REVOCATION_FAILURE is returned.
If you have some version of the Windows SDK installed, you can temporarily turn of the CRL download with the setreg tool. Keep in mind though that this should only be used temporarily to verify that the issues you are seeing are indeed related to CRL connectivity.
setreg.exe 3 FALSE
Documentation for the tool is available at MSDN.
When I access the page with the browser (ie9), the browser is rendering ok.
When I use the WebBrowser control I have JavaScript errors.
I know I can suppress the scripts errors, but I want them to run correctly, because they affect the rendering and the functionality of the page.
How can I solve this problem ? Can I integrate IE9 directly in the Windows Form and use similar methods like with the WebBrowser control (navigate,get id, invoke click) ?
Thanks.
What I would do is assign an object to webbrowser.ObjectForScripting and then inject a javascript function that assigns windown.onerror to a wrapper that calls the external script in the host app. Like:
window.onerror = function(message, url, lineNumber)
{
window.external.errorHandler(message, url, lineNumber);
}
Refere to:
http://notions.okuda.ca/2009/06/11/calling-javascript-in-a-webbrowser-control-from-c/
If you have IE9 installed, the WebBrowser will still use IE7 mode unless you override this behaviour with a registry setting - as described in this StackOverflow answer. This is the most likely cause of the JavaScript errors you're getting in the WebBrowser (because you're not seeing the same errors in IE9).
You can make the registry setting using the following c# code (which sets IE10 mode if Windows 8 is detected) and changing app-name.exe to match your own application. You should add an error handler for the case where there are insufficient privileges (admin privileges are required to write to this registry key).
string installkey = #"SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION";
string entryLabel = "app-name.exe";
System.OperatingSystem osInfo = System.Environment.OSVersion;
string version = osInfo.Version.Major.ToString() + '.' + osInfo.Version.Minor.ToString();
uint editFlag = (uint)((version == "6.2") ? 0x2710 : 0x2328); // 6.2 = Windows 8 and therefore IE10
RegistryKey existingSubKey = Registry.LocalMachine.OpenSubKey(installkey, false); // readonly key
if (existingSubKey.GetValue(entryLabel) == null)
{
existingSubKey = Registry.LocalMachine.OpenSubKey(installkey, true); // writable key
existingSubKey.SetValue(entryLabel, unchecked((int)editFlag), RegistryValueKind.DWord);
}
You can use the following code line to get rid of those types of errors:
webBrowser1.ScriptErrorsSuppressed = true;
It will prevent getting JavaScript errors.
So i know the post is old, but it was a recent problem for me and i had to do some serious digging and thinking outside the box.
basically like most replies here - you cannot alter the webbrowser control to use the most recent IE engine. mine uses IE7 by default, i have seen some replies that basically changes/ adds stuff to registry, am always not comfy when it comes to the registry, a cleaner way to address this issue would be to append code on your website that forces it to use the most current IE engine on any pc and works like a charm.
if you have access to the web.config file of the page you intend to browse, simple append:
<system.webServer>
<httpProtocol>
<customHeaders>
<clear />
<add name="X-UA-Compatible" value="IE=edge" />
</customHeaders>
</httpProtocol>
</system.webServer>
and your site would force webbrowser control to run the most current IE engine on your computer. Other options are found here:
https://www.leapinggorilla.com/Blog/Read/1016/ie-ate-my-css---disabling-compatability-mode
I should state that this would only work if you have access to the page / web.config of the website/ application you are trying to access- which was my case.
THe WebBrowser control uses IE7. So if there is a problem then your script does not work for IE7 and you will have to fix that.
You cannot integrate IE9 as it depends on it being installed on the computer and not everyone has IE9 installed.
As a help to whoever else may have this problem, I tried all these things and nothing worked for me. Here's what does work. I am not sure exactly what causes this error, but apparently when you just press "F5" in VS to debug your app, it runs YourProject.vshost.exe as the process name. If you run the same app from the command line, it will show up as YourProject.exe, and the javascript errors vanish. I think IE sees the app running visa via VSHOST and decides this is fishy and disables javascript from loading correctly.
So... go into your project setting for your executable.
Select "Debug" options.
Select "Start External Program".
Browse to and select Debug\YourProgram.exe (NOT YourProgram.vshost.exe).
Save, recompile, and hit F5.
Everything should work as per usual now, and Visual Studio even attaches to the process for you automatically.
Enjoy!
Grego
I am using WatiN (2.0.10.928) with C# and Visual Studio 2008 to test a SSL secured website that requires a certificate. When you navigate to the homepage a "Choose a digital certificate" dialog is displayed and requires that you select a valid certificate and click the 'OK' button.
I'm looking for a way to automate the certificate selection so that every time a new test or fixture is executed (and my browser restarts) I don't have to manually interfere with the automated test and select the certificate. I've tried using various WatiN Dialog Handler classes and even looked into using the Win32 API to automate this but haven't had much luck.
I finally found a solution but its adds another dependency to the solution (a third party library called AutoIT). Since this solution isn't ideal but does work and is the best I could find, I will post the solution and mark it as the answer but I am still looking for an 'out of the box' WatiN solution that is more consistent with the rest of my code and test fixtures.
Thanks for your responses!
In my situation I have exactly one certificate attached, so I have to pick up the one and only existing on the list, so I have really simple DialogHandler for this - it only clicks on the button if it cans handle the dialog:
public class CertificateChoosingHandler : BaseDialogHandler
{
public override bool HandleDialog(Window window)
{
new WinButton(1, window.Hwnd).Click();
return true;
}
public override bool CanHandleDialog(Window window)
{
return window.StyleInHex == "94C808CC";
}
}
AFAIR this solution won't work in Windows 7.
EDIT: I forgot about something useful. When I found that this solution is not working in Windows 7, I discovered very interesting option in IE Internet Options somewhere in "Custom Level": Don’t prompt for client certificate selection when no certificates or only one certificate exists. So I have added my site to trusted sites and edited settings, and there is no need now for me to use this DialogHandler, but it still can be used even if no dialog appears. If it is not clear, what I wrote, here is how to Enable Prompt for Certificate in Internet Explorer to show certificate dialog.
The best solution I could find so far was posted here:
http://andrey-zhukov.blogspot.com/2009/10/recently-i-wanted-to-choose-digital.html
As stated in the post, it requires a reference to the AutoIT library: http://www.autoitscript.com/autoit3/index.shtml
I've taken #prostynick's hint and automated it. Basically, if you ENABLE the setting "Don’t prompt for client certificate selection when no certificates or only one certificate exists" in the IE security settings, then the whole dialog doesn't appear (if you only have one or no certificate, that is).
So, we just have to make sure that the user has that setting enabled before we initialize your WebBrowser object. And since these settings are conveniently stored in the registry, we can do it ourselves, without bothering the user. Here's some code that does just that:
// What this does is changes this setting in Internet Explorer:
// Tools -> Internet Options -> Security -> Custom Level ->
// Don't prompt for client certificate selection when no certificates
// or only one certificate exists -> ENABLE
//
// If you're not convinced that we need this, please reset all the security
// levels in IE to the default settings, comment out this code, and try to fetch
// <your url>.
//
// If it finishes, great! Then leave it commented out. Otherwise, curse and accept
// that we need this ugly hack OR that we need to instruct people to find & change
// some unholy IE setting...
RegistryKey stupidBrokenDefaultSetting = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3", true);
stupidBrokenDefaultSetting.SetValue("1A04", "0", RegistryValueKind.DWord);
I'm not sure if this works for everyone, or that you need Administrator rights or something, but it works for me.