Live Writer, GetServiceDoc, RoleMatrix

May 13, 2009 at 5:58 AM

I'm trying to use LiveWriter and my Trace.log is getting these entries when I try to get LiveWriter to connect and setup with my url:

The user "" is not authorized to peform the action "GetServiceDoc."

Now, in LiveWriter I am entering the admin credentials so I'm not sure why they are not being passed.  Anyone know what I might try?

Also on a potentially related issue, the roles documentation says:

The <app:service>, <app:workspace>, and <app:collection> elements in the service document allow a <svc:roleMatrix> extension element.  The following code shows an example of the above default roleMatrix element:

I can't find <app:service> etc. anywhere in the solution.  Is this out of date?  I looked at this because I thought I might need to edit this to grant myself access to GetServiceDoc but that doesn't yet appear to be my problem (based on the Trace.log).  I just don't see a default Role Matrix getting populated when I run on my local machine and use the debugger.

I'd like to contribute but I still don't know what's what with this thing.

Thanks for any help,

Harpreet

Coordinator
May 13, 2009 at 3:31 PM

This is normal (but poor behavior) for LiveWriter as it does not automatically send the credentials with each request.  If you watch the Fiddler logs, it always has to make two requests.  I'm not sure why Live Writer was designed this way.

You should not have to change the roles to get around this weird design of Live Writer.

The <app:service> is the root node in the Service.config file.

There is no roleMatrix specified in the Service.config file by default.  Therefore, it uses the built-in roleMatrix.

 

May 14, 2009 at 12:07 AM

Thanks for the reply.  I do see two requests when I use Fiddler but it seems the second one is failing too.  I got a little more information by using Fiddler though.  This is part of what I get back from my atomsite for the 401 error:


Most likely causes:

The username supplied to IIS is invalid.

The password supplied to IIS was not typed correctly.

Incorrect credentials were cached by the browser.

IIS could not verify the identity of the username and password provided.

The resource is configured for Anonymous authentication, but the configured anonymous account either has an invalid password or was disabled.

The server is configured to deny login privileges to the authenticating user or the group in which the user is a member.

Invalid Kerberos configuration may be the cause if all of the following are true:

Integrated authentication was used.

the application pool identity is a custom account.

the server is a member of a domain.

  Things you can try: ...

Now I understand that IIS doesn't recognize my credentials that were set up during the atomsite setup.  That makes sense.  But what might be the proper next step?  IIS can't use atomsite as an auth provider... What am I missing?
  I'm pretty sure during setup that the site was happy with its jQuery tests to write, PUT, DELETE, etc.

Any further advice you can provide would be much appreciated,

Harpreet


Coordinator
May 14, 2009 at 5:50 AM
Have you tried logging into the website through the login form? /Account/Login  If that worked, your credentials are valid.  The credentials are stored in the Users.config file.

Can you paste your Fiddler request headers?

I bet that Windows authentication is interfering; it needs to be disabled.






May 15, 2009 at 6:11 AM

Thanks for your continuing help.  

As far as I can tell in the IIS 7 manager there is an Authentication section where I can have Anonymous, ASP.NET Impersonation, Basic, and Forms authentication.  I've tried having them all on, all off and some other combinations but nothing has worked.  I can log into the atomsite dashboard directly with no problem, though.

Though they don't mean all that much to me, here are the request/response headers for the two exchanges that Live Writer has with the server (I have AtomSite installed in a subdirectory /blog/ on the domain):

GET /blog/service.atomsvc HTTP/1.1
Accept: */*
Accept-Language: en-US, en, *
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Windows Live Writer 1.0)
Pragma: no-cache
Host: www.perpetualapprentice.com
Connection: Keep-Alive

 

HTTP/1.1 401 Access Denied
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /blog/Account/Login?ReturnUrl=%2fblog%2fservice.atomsvc
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
WWW-Authenticate: WSSE realm="AtomPub", profile="UsernameToken"
WWW-Authenticate: Basic realm="www.perpetualapprentice.com"
X-Powered-By: ASP.NET
Date: Fri, 15 May 2009 05:54:01 GMT
Connection: close
Content-Length: 5153




GET /blog/service.atomsvc HTTP/1.1
Accept: */*
Accept-Language: en-US, en, *
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Windows Live Writer 1.0)
Pragma: no-cache
Authorization: Basic <SNIP>
Host: www.perpetualapprentice.com
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
WWW-Authenticate: WSSE realm="AtomPub", profile="UsernameToken"
WWW-Authenticate: Basic realm="www.perpetualapprentice.com"
X-Powered-By: ASP.NET
Date: Fri, 15 May 2009 05:54:01 GMT
Connection: close
Content-Length: 6547

 


 

Coordinator
May 15, 2009 at 12:45 PM
Edited May 15, 2009 at 12:48 PM

It looks like you have both basic authentication and wsse authentication enabled at the same time.  Only one of those should be used at a time.  Please make sure only one or the other is added in the httpModules sections of your web.config file.

<add name="WsseAuthenticationModule" type="AtomSite.WebCore.Modules.WsseAuthenticationModule, AtomSite.WebCore"/>
<!--add name="BasicAuthenticationModule" type="AtomSite.WebCore.Modules.BasicAuthenticationModule, AtomSite.WebCore" /-->

Notice that BasicAuthentication is commented out.

If, after making the above change, you still see the WWW-Authenticate: Basic realm="www.perpetualapprentice.com" auth header, then you should disable basic authentication in IIS7 or you could try <remove name="BasicAuthenticationModule"/>

You should be making these changes to the <system.webServer> area for IIS7.

Basic auth is more secure only when you can use SSL.  Otherwise you should use WSSE.


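Added example, not part of the original thread or of AtomSite's code: a Python sketch that checks a 401 response for the two conditions raised in the last reply (more than one WWW-Authenticate scheme offered, and Basic offered without SSL/TLS) and shows what each scheme puts on the wire. The host name, user name, password, nonce and the function names are constructed for illustration, and the digest formula is the commonly documented WSSE UsernameToken convention, assumed here because the thread does not show AtomSite's exact nonce encoding.

```python
import base64
import hashlib

# Constructed 401 response modelled on the headers posted in the thread.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    'WWW-Authenticate: WSSE realm="AtomPub", profile="UsernameToken"\r\n'
    'WWW-Authenticate: Basic realm="blog.example"\r\n'
    "Connection: close\r\n\r\n"
)

def challenge_schemes(raw_response):
    """Return the auth schemes offered in WWW-Authenticate headers, in order."""
    schemes = []
    for line in raw_response.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            schemes.extend(value.split()[:1])
    return schemes

def basic_header(user, password):
    """Basic: the credentials are only base64-encoded, hence the SSL advice."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(header):
    """What any observer of an unencrypted request can read back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def wsse_digest(nonce, created, password):
    """Assumed convention: Base64(SHA1(nonce + created + password))."""
    sha1 = hashlib.sha1((nonce + created + password).encode()).digest()
    return base64.b64encode(sha1).decode()

def wsse_header(user, password, nonce, created):
    """X-WSSE header value: carries a digest, never the password itself."""
    digest = wsse_digest(nonce, created, password)
    return (f'UsernameToken Username="{user}", PasswordDigest="{digest}", '
            f'Nonce="{nonce}", Created="{created}"')

def audit(raw_response, over_tls):
    """Flag the two conditions discussed in the thread."""
    schemes = challenge_schemes(raw_response)
    findings = []
    if len(schemes) > 1:
        findings.append("multiple schemes offered: " + ", ".join(schemes))
    if "Basic" in schemes and not over_tls:
        findings.append("Basic offered without TLS")
    return findings
```

To verify a WSSE digest the server has to recompute it from the stored password, so this scheme protects the password in transit but depends on how the server's credential store is protected.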