Sending Email from Windows Azure Through BPOS - windows

I'm trying to send an email via asp.net mvc2, and all works well on our companies mail server.
However, we're looking to switch to using our client's BPOS account. This works fine locally, but when deployed to azure, we're getting some timeout errors.
Can anybody confirm I have the following correct?
SmtpClient smtp = new SmtpClient("Smtp.mail.emea.microsoftonline.com");
smtp.Port = 587;
smtp.EnableSsl = true;
smtp.Credentials = new NetworkCredential("BPOS-EMAIL", "BPOS-PASSWORD");
In addition, does anyone know why it works when run locally, but not when run on azure?

Are you running the web role in Full Trust? By default, SmtpClient is going to execute under ASP Medium trust. Under that model, Smtp is only allowed to communicate over port 25 in Azure.
If you need to use the SmtpClient.Port property, you'll need to have the role run under full trust.
That's achieved by setting the enableNativeCodeExecution attribute on the Web Role in the Service Definition.
<WebRole name="WebRole1" enableNativeCodeExecution="true">
Thats the only thing I can think it might be. If that's not it and you can post error logs, that may show more details as to the problem.

Related

MS bot tested locally with postman

I was playing with Microsoft Bot Framework locally which works fine if I use MSFT bot emulator for testing (both in C# .Net Core and Node.js) but I cannot figure out how to test it using Postman api calls.
Do I really need to register bot first at MSFT even when it is run locally to be able to get authentication ?
Normally, there is a Connector Service between the client and a bot. It is possible to bypass the connector services, and post directly to the bot but there are a few things to keep in mind. One of the issues you will run into is the activity.ServiceUrl is expected to be the callback base url for return messages: ref BotFrameworkAdapter#L843 Without a valid ServiceUrl, bot replies will all end in exceptions, since there is no valid place to send the responses. You can setup a MockChannel to receive these bot replies. Once it is setup, just ensure your ServiceUrl of the message sent to the bot is pointing to that MockChannel.
Sometimes I use the Emulator's Connector Service with PostMan. This can be done without having a MicrosoftAppId and MicrosoftAppPassword. You'll see the endpoint the Emulator Connector Service is listening on within the Log when you open a Live Chat tab:
This would then be the baseurl to use for PostMan.
Create Conversation:
(note: the emulator expects an Authorization header with a Bearer token, but the value does not matter since we aren't using a MicrosoftAppId and MicrosoftAppPassword)
Post Message:
Get Messages:
A bot running on localhost should be testable via any HTTP client such as Postman as long as your forming the requests correctly which really only means you just need a payload that is a valid activity representation.
What you might need to check is whether or not you have any app credentials configured on your bot when you're running in localhost. If those are set then you would need to actually properly authenticate against your localhost instance as well, which the emulator will do, but you likely don't want to do when you're just trying to hit it with something like Postman. So, just make sure to clear out the app credentials when running in localhost mode to make your life easier.
If you're not running with any app credentials, then you'll need to update your question with more details about exactly what payload your sending, how your bot is configured, etc and I'll be happy to update my answer.

Using Windows Authentication to call a Web API from a Windows Store application

Here is the context of my issue: I am developing a Windows Store application that will be side-loaded on several tablets our client is planning to use. This tablet app will make calls into a Web API which in turn will do CRUD operations with a repository (SQL Server via EntityFramework). Everything has to use Windows Authentication. The tablets are Dell running Windows 10. Each user will log in with its own active domain credentials. The tablet will pass the credentials to the Web API which in turn will pass them to the repository (database). Based on the credentials, the repository will determine the group the user belongs to and based on that, it will give access to resources the user is allowed to access.
My Web API works fine. I tested it with Fiddler. For the HTTP GET request, I want to test, I checked the "Automatically Authenticate" checkbox and I can see the three successive messages, first two returning with 401 and the third returning HTTP Code 200, along with the data I requested.
However, when I try to call it from my Windows Store app, I only send one GET Request, the first one. My Web API is hosted in IIS Express. At the advice of a very distinct member of this group, I configured IIS Express to expose the Web API using the IP address of my development machine rather than "localhost". Before doing this I wouldn't see any GET Requests hitting the server, not even the first one.
I know that Windows Authentication uses the NTLM scheme and it requires a negotiation process, hence the 3 messages Fiddler sends initially to the server?
How do I need to write my Web API Client code to bypass this negotiation? I spent all morning and afternoon reading solutions to my problem, here on SO and many other websites, but somehow, I still did not get it to work. I must be missing something and I don't know what. Here is my code on the Web API Client side:
var authHandler = new HttpClientHandler()
{
Credentials = CredentialCache.DefaultNetworkCredentials,
ClientCertificateOptions = ClientCertificateOption.Automatic
};
var webApiClient = new HttpClient(authHandler)
{
BaseAddress = new Uri(_serviceUri), // _serviceUri is a string that looks like this "http://10.120.5.201:53045"
};
webApiClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
HttpResponseMessage response = await webApiClient.GetAsync("api/user");
My call never returns from GetAsync, but in Fiddler, I can see only the first GET Requests being posted to the server. How can I get my client to follow up, behind the scenes, just like Fiddler does, and send the other two messages so that, eventually, the third one would return with a response HTTP 200 code and with the data I receive in Fiddler?
If anyone can point me in the right direction, I would be highly appreciative.
The problem was that the "Enterprise Authentication" setting was not set in the Capabilities tab of the Package.appxmanifest file of my app. It took me a while to figure out that that was the problem, but as soon as I checked it, my app started using Windows Authentication.

Impersonation in ASP.NET web application does not work when running on IIS

I am working on ASP.NET 4.0 MVC3 web application that works in intranet environment. The application makes use of Windows authentication. Its application pool is run by domain user that has spn set on a domain controller. Authentication works using Kerberos (on IE and Firefox after some additional configuration).
Now I want to upload files to sharepoint, but it's important for me to upload the file as the user currently logged in into the application (so the file is created on Sharepoint with his/her credentials).
I have the following code in ResourceExists(Uri uri) function:
'...
Dim identity As System.Security.Principal.WindowsIdentity = HttpContext.User.Identity
Dim impersonationContext = identity.Impersonate()
response = request.GetResponse()
impersonationContext.Undo()
'...
This works when running locally, but when I deploy to the server I get the exception:
System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n at WebDav.WebDavClient.ResourceExists(Uri uri)\r\n at Website.Website.WebdavController.Upload(HttpPostedFileBase file, UploadViewModel vm)
I read something about passing on the credentials, that is not possible with NTLM, but I am sure I am using Kerberos (I checked the headers with wireshark and fiddler) and I see the following:
Authorization: Negotiate YIIFpQYGKwYBBQUCoIIFmTCCBZWgJDAiBgkqhkiC9x...
Any ideas why the impersonation does not work when running on the IIS server?
I found the answer here:
http://support.microsoft.com/kb/810572
"Kerberos does not work in a load-balanced architecture and IIS drops back to NTLM authentication. Because you cannot use NTLM for delegation, any applications or services that require delegation do not work. For more information, click the following article number to view the article in the Microsoft"
And that was exactly the case. I tried now with another machine that is not load-balanced and it works.
The only thing that still surprises me is that ImpersonationLevel of the identity is still Impersonate not Delegate...
After setting <identity impersonate="true"/> in your web.config try the following:
using (((WindowsIdentity)User.Identity).Impersonate())
using (var client = new WebClient { Credentials = CredentialCache.DefaultNetworkCredentials })
{
string result = client.DownloadString("http://sharepoint");
}
you need to configure your site correctly in IIS for impersonation to work.
see Configure ASP.NET Impersonation Authentication (IIS 7)

ASP .NET Cross Site Forms Authentication works in Dev but not production

I have two MVC3 sites, both hosted on the same server that I've configured to use the same authentication cookies.
The first site is an intranet site using Windows authentication. This site has one simple Action that checks to see if the user was authenticated, if the user has been, it creates a FormsAuthentication cookie that it adds to the response. This cookie is created for a generic user that I determine from the User's AD groups. The response then redirects the user to a second site that uses Forms Authentication.
When I run this on my local machine, everything works as described above. When I deploy this to our local web server, it doesn't. I've tested to see if the user's group is correctly determined and that it creates a valid user for the cookie, and I have verified that this is correct on the web server.
Here is how I'm doing all of the above:
First, I made both sites use the same same Machine Key for encryption and decryption.
When I create the cookie in Site1, I ensure that it has the same name and Domain as the cookies created on Site2.
var cookie = FormsAuthentication.GetAuthCookie(userName, false);
cookie.Domain = FormsAuthentication.CookieDomain; //This is the Domain of my 2nd site as they are different
HttpContext.Response.Cookies.Add(cookie); //Add my cookie to the response
HttpContext.Response.RedirectPermanent(urlForSite2);
Again, when I run this on my local machine it works without a problem. But when deployed, it's either not passing the cookie in the request, or the response is ignoring it, but I'm not sure how to verify either of these cases.
Feel free to ask any question regarding more details as to how I'm doing this if it will help in getting an answer I need.
Cross domain cookies are not allowed. If you have two separate domains; one cannot access the others cookies. Two separate virtual directories/applications will work when using the same machine key. http://blogs.technet.com/b/sandy9182/archive/2007/05/07/sharing-forms-cookie-between-asp-net-web-application.aspx
If you want to share login cookies between sub-domains you need to edit the Domain property of the login cookie to the 2nd level domain "abc.com" so that "www.abc.com" and "ww2.abc.com" will have access to the cookie. http://forums.asp.net/t/1533660.aspx
String usrName = User.Identity.Name.ToString();
HttpCookie authCookie = Security.FormsAuthentication.GetAuthCookie(usrName, false);
authCookie.Domain = "abc.com";
Response.AppendCookie(authCookie);
Actually, it is possible, but isn't as simple as the domain/sub-domain cookie sharing.
http://www.codeproject.com/KB/aspnet/CrossDomainSSOModel.aspx
While the example given in this article didn't apply directly to what I was doing, I could use some of the ideas expressed there to get what I needed working. It ended up being my configuration settings in site2 web.config.
My URLs are as follows
Site1 = http://site.stage
Site2 = http://site.stage.MyCompanyName.com
Site 1 requires a host entry addressing it to a specific IP address of the hosting machine. It's also an entry in my IE Security settings - Local Intranet Sites.
I should note that these applications are both virtual directories running under the same default website.
I thought I had solved my problem but setting the Domain in the config file to and empty string, but this didn't work. I'm not sure what can be done now. This still works when I run it on my local machine, but not when I run it on my server. The only difference is the urls.
My dev machine is using the urls
Site 1: http://localhost/CompanyName.TVAP.IntranetSite
Site 2: http://localhost/TVAPDev/
I hope this adds some clarification. This Answer should really be posted as an edit to my question, but when I originally posted it, I thought I had it working.
UPDATE: I think my answer is in my URLs above. My dev machine URLS both are using the same domain name, which in this case is localhost. I think if I alter my deployed websites to use the same domain, I will be OK. I'll post an update when I get it worked out.

Why do I get 401 errors connecting to the Dynamics CRM Metadata service?

I am connecting to CRM with the intention of retrieving a list of picklist values. On my development machine I am working under my own login name and all works fine. On the test server, the code executes under the NETWORK SERVICE account. When it connects to the CRM web service everything is great. When it connects to the metadata service I get 401 Unauthorised messages.
This is the first time I have used the metadata service so I am hoping someone can tell me why I get the error. The connection is configured using the code below and the failure happens when you try to retrieve the picklist data.
CrmAuthenticationToken token = new CrmAuthenticationToken();
token.OrganizationName = config.AppSettings.Settings["CrmTargetOrganisation"].Value;
token.AuthenticationType = 0;
MetadataService service = new MetadataService();
service.Credentials = System.Net.CredentialCache.DefaultCredentials;
service.Url = config.AppSettings.Settings["CrmMetadataServiceUrl"].Value;
service.CrmAuthenticationTokenValue = token;
service.UnsafeAuthenticatedConnectionSharing = true;
I suspect it might be a Kerberos / delegation issue, to make sure it is try replacing DefaultCredentials with
new System.Security.Net.NetworkCredentials("username","password","domain");
See if that still gives you a 401.
This is the quick way I normally try to see if it is kerbos/security related.
I need a bit more information about your environment to make any other intelligent comments.
Hope it helps.
In my case (yes, we still use CRM 4), the website in IIS wasn't bound to the hostname being used to access the metadata service on port 5555.

Resources