Wednesday 21 December 2011

ID3206: A SignInResponse message may only redirect within the current web application:

I got a question in a comment on my ADFS 2.0 and ASP.NET post and wanted to answer it in a post of its own instead of trying to fit code into a comment.

Sometimes you might see the above error. I can understand why it is frustrating at times, so I'll try to clarify what it means.

You create a sign-in message and redirect the user to the ADFS/STS. The user logs in successfully and is sent back with a token, and now WIF on the web server says "go away, you are trying to log in with a token issued for another domain/application than me".

The key here is your return URL. When you add a Relying Party on your ADFS server, you specify a WS-Federation Passive Endpoint. Your return URL needs to be within the same scope as that WS-Federation endpoint URI.

I have added the code I'm using now, with a few comments. That should clear things up a bit.

  Imports Microsoft.IdentityModel.Web
  Imports Microsoft.IdentityModel.Protocols.WSFederation

  ' Basically this tells ADFS to redirect the user onward to some other STS. For most people this should not be specified.
  Dim HomeRealm As String = "urn:admin.wingu.dk"

  ' What Identity did we specify in the "Relying Party Trusts" on the ADFS server?
  ' This also has to be listed in web.config under <microsoft.identityModel><service><audienceUris>
  ' or you will get ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.
  ' This will most often be a URI, like https://admin.wingu.dk/SSI2 , but could also be a URN, like "urn:admin.website.ssi2"
  ' (if the site runs at the root, Request.ApplicationPath is already "/" and the extra "/" should be dropped)
  Dim Realm As String = ("https://admin.wingu.dk" & Request.ApplicationPath & "/").ToLower

  ' ReturnUrl is the URL the user originally asked for; where it is read from (query string, page property) is not shown here.
  ' Let's inspect and modify the Return URL.
  ' If this falls out of scope of what you specified under WS-Federation Passive Endpoint when adding your
  ' Relying Party on the ADFS server, you will get
  ' ID3206: A SignInResponse message may only redirect within the current web application:
  '
  ' Basically, if you want several endpoints for your website, like www.1.com and www.2.com or
  ' www.1.com/app1 and www.1.com/app2, add more Relying Parties, one for each.
  ' There is another way, maybe I'll do a blog post about that someday.

  Dim ReturnURI As New UriBuilder(ReturnUrl.ToLower)
  ' We need to use HTTPS, no matter what, so
  ReturnURI.Scheme = "https"
  ReturnURI.Port = 443
  ' I don't want to redirect back to myself. This can be OK in some scenarios.
  If ReturnURI.Path.Contains("login.aspx") Then ReturnURI.Path = Request.ApplicationPath & "/"
  ' Change localhost / computer name or whatever to the FQDN used on the ADFS to redirect back to.
  ' Forcing the host also means a ReturnUrl supplied from outside cannot send the user to another site.
  ReturnURI.Host = "admin.wingu.dk"
  ReturnUrl = ReturnURI.ToString

  Dim authModule As WSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule
  authModule.PassiveRedirectEnabled = True
  Dim mess As SignInRequestMessage = authModule.CreateSignInRequest("passive", ReturnUrl, False)

  mess.HomeRealm = HomeRealm
  mess.Realm = Realm
  Dim redirURL As String = mess.WriteQueryString()
  Response.Redirect(redirURL)
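To make the rule concrete, here is an added example (my own, in Python rather than the post's VB.NET) that applies the same return-URL fix-ups and then checks the result against the Relying Party's passive endpoint the way the ID3206 rule requires. The endpoint URL, FQDN and application path are assumed values, and modelling the check as scheme/host/port equality plus a case-insensitive path prefix is my approximation of what WIF enforces.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values: the WS-Federation passive endpoint registered for the
# Relying Party on ADFS, the FQDN the post redirects back to, and the app path.
PASSIVE_ENDPOINT = "https://admin.wingu.dk/SSI2/"
FQDN = "admin.wingu.dk"
APP_PATH = "/SSI2"

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_return_url(return_url: str, app_path: str = APP_PATH) -> str:
    """Apply the post's fix-ups: lower-case, force https/443, avoid bouncing
    back to login.aspx, and pin the host to the FQDN ADFS knows about."""
    parts = urlsplit(return_url.lower())
    path = parts.path
    if "login.aspx" in path:
        path = app_path.lower() + "/"
    # Port 443 is the https default, so it is left implicit in the netloc.
    # Pinning the host means an externally supplied ReturnUrl cannot point elsewhere.
    return urlunsplit(("https", FQDN, path, parts.query, ""))


def within_endpoint_scope(reply_url: str, endpoint: str = PASSIVE_ENDPOINT) -> bool:
    """Assumed model of the ID3206 rule: the reply must stay inside the web
    application identified by the passive endpoint (same scheme, host and
    port, and a path at or below the endpoint path)."""
    r, e = urlsplit(reply_url.lower()), urlsplit(endpoint.lower())
    r_port = r.port or DEFAULT_PORTS.get(r.scheme)
    e_port = e.port or DEFAULT_PORTS.get(e.scheme)
    if (r.scheme, r.hostname, r_port) != (e.scheme, e.hostname, e_port):
        return False
    base = e.path if e.path.endswith("/") else e.path + "/"
    return r.path == base.rstrip("/") or r.path.startswith(base)


if __name__ == "__main__":
    fixed = normalize_return_url("http://localhost/SSI2/login.aspx?ReturnUrl=/SSI2/Default.aspx")
    print(fixed, within_endpoint_scope(fixed))
    print(within_endpoint_scope("https://admin.wingu.dk/otherapp/"))
```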

Wednesday 14 December 2011

SQL user does not use default schema

So I was troubleshooting an installation of SuperOffice Customer Service. When running the installer, it would fail with an ODBC driver error saying something along the lines of "'config' object not found", and you could see it was doing a "select count(*) from config".

I jumped over to the SQL server and saw that the SuperOffice SQL user did not have the crm7 schema set as its default schema and was not its owner. So I changed that and tried again. It would still fail. So I opened a new query in Management Studio and did a "select * from config". That should work, but it didn't; I would still get "no such object".

After googling a while I decided to do an ALTER USER, so I opened the "help" page for ALTER USER and voilà, after reading the page I suddenly knew what was wrong.

The value of DEFAULT_SCHEMA is ignored if the user is a member of the sysadmin fixed server role. All members of the sysadmin fixed server role have a default schema of dbo.

The person who had installed SuperOffice had added the SQL user crm7 to the sysadmin role, and as you can see, that will break the default schema assignment. After removing the user from sysadmin, everything worked again.