Jim Rogers

Lives in Baton Rouge, LA, with two dogs, one cat, and one lovely wife. I'm a lead developer for GCR Incorporated.

Troubleshooting Azure issues

by jim Dec 20, 2010 12:00 PM

This post is a bucket for various issues I’ve run across getting my Azure application working and authentication hooked up. With this new technology, solutions can sometimes be hard to come by.

CommunicationObjectFaultedException

I’ve gotten this exception trying to debug my web role, on more than one occasion.

There are a few causes of this exception documented online, but I’ve found that it can be caused by the general case of any failure to validate the web.config file. For instance, an invalid tag or attribute value can trigger it, like this unknown element:

<foo></foo>

or this empty path value in the location tag:

<location path="">

System.ServiceModel.CommunicationObjectFaultedException was unhandled
  Message=The communication object, System.ServiceModel.Channels.ServiceChannel, 
    cannot be used for communication because it is in the Faulted state.
  Source=mscorlib
  StackTrace:
    Server stack trace: 
       at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout)
       at System.ServiceModel.ClientBase`1.System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout)
       at Microsoft.WindowsAzure.Hosts.WaIISHost.Program.Main(String[] args)

AudienceUriValidationFailedException

ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.

Audience: 'https://127.0.0.1:444/'

Exception Details: Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException: ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.

This means that the WIF configuration doesn’t list the return address as a valid ‘audience uri.’ In your web.config, add the desired address (the one in the message) to the list:

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="https://127.0.0.1:8080/" />
      <add value="https://127.0.0.1:444/" />
      <add value="https://casestudy.cloudapp.net/" />
    </audienceUris>
  </service>
</microsoft.identityModel>

You can have more than one value in here, but I suppose the most secure solution for a production deployment is to limit the list to the necessary value(s).

Another solution is to turn off the check altogether, which means WIF no longer verifies that a token was actually issued for this application:

<audienceUris mode="Never" />

But wait, what about a staging deployment? We don’t know the URL until we’ve deployed, and at that point we can't enter the value in our web.config!

Am I doing this wrong? Try the MS example and see if it works in staging with ACS and the GUID address.

No response at all?

Are you using certificates? If the configuration of the cert or endpoint is set up wrong, you may get a generic “Internet Explorer cannot display the webpage” error.

On the other hand, if there is no http endpoint configured and you try to access the site with http, you’ll get a “web server refused the connection” / “10061: Connection refused” error.

In the latter case, it’s probably best to configure the http endpoint and have a default, unencrypted landing page, if you’ve got a public site.

The certificate name doesn’t matter in the configuration files, as long as it’s the same in the various places where it’s referenced in configuration. In the service definition file, it should look like this:

<Certificates>
  <Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" />
</Certificates>

The store location is important! However, the cert is found by thumbprint, not by name; the thumbprint is specified in the service configuration file:

<Certificates>
  <Certificate 
    name="MySSLCert" 
    thumbprint="4653AE813BA15DFFB027E3AC147004B2D24F472B" 
    thumbprintAlgorithm="sha1" />
</Certificates>

The certificate name is also referenced in the https endpoint configuration.
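As an added example (not from the original post), here is one certificate name threaded through all three files, assuming a role named WebRole1 and a service named CaseStudy: the service definition declares the certificate and binds it to the https endpoint (alongside the plain http endpoint for the landing page), the service configuration resolves the name to its thumbprint, and the WIF section of web.config references the same thumbprint in the same store.

```xml
<!-- ServiceDefinition.csdef: declare the cert (name + store) and bind it to the https endpoint -->
<ServiceDefinition name="CaseStudy" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Endpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="MySSLCert" />
    </Endpoints>
    <Certificates>
      <Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
  </WebRole>
</ServiceDefinition>

<!-- ServiceConfiguration.cscfg: the same name, resolved to the thumbprint Azure installs -->
<ServiceConfiguration serviceName="CaseStudy" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="2" />
    <Certificates>
      <Certificate name="MySSLCert"
                   thumbprint="4653AE813BA15DFFB027E3AC147004B2D24F472B"
                   thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>

<!-- web.config: WIF finds the same cert by thumbprint in the same store, and the
     audience list holds only the https address the endpoint above serves -->
<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="https://casestudy.cloudapp.net/" />
    </audienceUris>
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint"
                            findValue="4653AE813BA15DFFB027E3AC147004B2D24F472B"
                            storeLocation="LocalMachine" storeName="My" />
    </serviceCertificate>
  </service>
</microsoft.identityModel>
```

If any one of these four references (csdef name, endpoint certificate attribute, cscfg thumbprint, web.config findValue) drifts from the others, you get either the blank “cannot display the webpage” response above or the null service certificate described below.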

Issuer of the security token was not recognized

I got this error coming back from authentication, when the browser was redirected to my site.

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer

This means your application is checking the token to ensure that it came from a preconfigured provider, and it can’t find a match. Here’s the relevant section of the web.config file:

<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuer…">
  <trustedIssuers>
    <add thumbprint="5F7F612950EB8F17FD102F8579EE409C1B81BC5B" 
         name="https://JimACS.accesscontrol.appfabriclabs.com/" />
  </trustedIssuers>
</issuerNameRegistry>

In my case, the AppFabric labs were updated and the certificate thumbprint changed. I couldn’t find a way to obtain the current thumbprint through the ACS management portal.

Warning: this is gonna reset other things in your web.config file, so make sure you’ve got a backup to compare to.

Go through the ‘Add STS Reference’ steps again, with whatever options you used before. This will add an additional trusted issuer to the list in the web.config file, with the correct thumbprint.

NullReferenceException

A common bit of code found in the Azure sample is this block, which switches the session cookie protection to RSA encryption with the service certificate, so that the cookie can be read by any instance in a web farm (multiple IIS instances).

// Runs in the FederatedAuthentication.ServiceConfigurationCreated handler; e is the
// ServiceConfigurationCreatedEventArgs. Compress the session cookie, then encrypt it
// with the service certificate so every instance in the farm can decrypt it.
List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[]
{
    new DeflateCookieTransform(),
    new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate)
});
var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());

e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);

There’s no check that the service certificate is actually configured; it is set up in the web.config file:

<serviceCertificate>
  <certificateReference x509FindType="FindByThumbprint" findValue="4653AE813B..." />
</serviceCertificate>

I’ve put the following block of code above the encryption code to give me a meaningful message if the certificate configuration is gone – for instance when rebuilding the ACS connection with the solution explorer’s ‘Add STS Reference’ wizard.

// Make sure you've got the service certificate set up in the web.config:
// <serviceCertificate>
//   <certificateReference x509FindType="FindByThumbprint" findValue="4653AE813BA15DFFB027E3AC147004B2D24F472B" />
// </serviceCertificate>
if (e.ServiceConfiguration.ServiceCertificate == null)
{
    throw new ApplicationException("No site certificate; is it set up in web.config?");
}
