
TMS Login from remote application - log-web.txt question

marco_81
Level 1

Hi all,

we are trying to log in to TMS from a remote application by means of an HTTPS GET followed by a POST. TMS runs on the IIS web service provided by MS Server 2012.

This is a view of log-web.txt:

---------------------------------------------------------------

TMS Version 15.3.0 (IIS APPPOOL\TMSNet40AppPool)
2017-12-18 11:47:06,579 [132] ERROR ASP.global_asax -
Idunno.AntiCsrf.PotentialCsrfException: The CSRF cookie value did not match the CSRF parameter value. (Url: 'https://tms_ip_address/tms/auth/login.aspx?ReturnUrl=/tms/' QueryString: 'ReturnUrl=%2ftms%2f')
at Idunno.AntiCsrf.AntiCsrfModule.RaiseError(Exception ex, HttpContext context)
at Idunno.AntiCsrf.AntiCsrfModule.ValidateAntiCsrfToken(HttpContext context)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
2017-12-18 11:47:06,595 [132] ERROR Tandberg.TMS.UI.MasterPages.TMSMaster -
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
at System.Collections.Generic.List`1.get_Item(Int32 index)
at Tandberg.TMS.Common.TMSMenu.SetActiveMenuItem(Int32 activeMenuItemId)
at Tandberg.TMS.Service.Navigation.NavigationService.BuildMenu()
at Tandberg.TMS.Service.Navigation.NavigationService.GetMenu()
at Tandberg.TMS.Service.Navigation.NavigationService.get_CurrentModuleId()
at Tandberg.TMS.UI.MasterPages.TMSMaster.IsTmsPePage()
2017-12-18 11:48:09,736 [139] ERROR ASP.global_asax -
Idunno.AntiCsrf.PotentialCsrfException: The CSRF cookie value did not match the CSRF parameter value. (Url: 'https://tms_ip_address/tms/auth/login.aspx?ReturnUrl=/tms/' QueryString: 'ReturnUrl=%2ftms%2f')
at Idunno.AntiCsrf.AntiCsrfModule.RaiseError(Exception ex, HttpContext context)
at Idunno.AntiCsrf.AntiCsrfModule.ValidateAntiCsrfToken(HttpContext context)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
2017-12-18 11:48:09,751 [139] ERROR Tandberg.TMS.UI.MasterPages.TMSMaster -
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
at System.Collections.Generic.List`1.get_Item(Int32 index)
at Tandberg.TMS.Common.TMSMenu.SetActiveMenuItem(Int32 activeMenuItemId)
at Tandberg.TMS.Service.Navigation.NavigationService.BuildMenu()
at Tandberg.TMS.Service.Navigation.NavigationService.GetMenu()
at Tandberg.TMS.Service.Navigation.NavigationService.get_CurrentModuleId()
at Tandberg.TMS.UI.MasterPages.TMSMaster.IsTmsPePage()

--------------------------------------------------------------------

Has anybody faced this error before?

best regards

Marco

8 Replies

Zac Colton
Cisco Employee

Please clarify what you are trying to accomplish. The TMS Portal is a web site, to be accessed from a web browser.

I hope my team will provide more information about this, and then I will be able to reply.

marco_81
Level 1

Hi,

I have collected information about it.

We need to perform web authentication against TMS. To accomplish this we deployed JavaScript code executed on an application machine (with IP address "Application IP", as per the attached screenshot); this code simulates an interactive login against a form (such as typing username and password). The code performs an HTTP GET first, retrieving the HTML login form from the TMS web server, and then performs an HTTP POST with username and password. We have compared the results of a manual/standard login to TMS and of the automated login by code. The first case is attached as "standard login", the second one as "automated_login".

The differences between them are the Referer and Origin headers.

TMS_IP: stands for TMS's IP address, CUCM_IP stands for CallManager IP.


I still do not understand what you are trying to accomplish as a whole. What is the purpose of the web authentication?

The purpose is to log in to a set of Cisco applications from a web portal without filling in username/password every time I access the target resource. We are able to perform a successful automatic login to CUCM, VCS and Conductor with the customized application; the only application with a problem is TMS. Does that make sense?

CUCM, VCS, and Conductor all use forms-based authentication. TMS, by default, does not. Authentication is done through, and handled by, IIS and the underlying operating system. The use of Integrated Windows Authentication will allow a client to access the TMS Portal pages without having to provide credentials manually. I am not sure if there is any published documentation regarding enabling forms-based authentication for the TMS web application.

Thanks for the reply, I will rate it as helpful.

For our purposes we solved it by bypassing the CSRF security check. I know it is a vulnerability, but we needed to trigger an HTTP POST from another web site toward TMS, and as per the CSRF security check, the Origin header inside the POST was the obstacle.

I suggest not disabling CSRF, but in our case we need it.

regards

We finally found the issue in the CSRF tokens managed by the remote web application. When the remote web application performs HTTP methods toward TMS (that is, the target origin), it has to send the CSRF token too.

So the CSRF security check tests these two conditions:

- what domain the request came from (if it is different from the target origin, just consider CORS and set Access-Control-Allow-Origin in the response equal to the Origin header set in the initial request)

- the remote web application has to send a CSRF token matching those originated by TMS/IIS.

Then we were able to enable antiCSRF again (never disable it).

In brief: "The CSRF cookie value did not match the CSRF parameter value" was related to a wrong behaviour of our remote app sending wrong CSRF tokens.

regards
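The two conditions described in that last post (cookie value equal to form parameter value, and a trusted request origin), as an added example that is not code from this thread, from TMS or from the Idunno.AntiCsrf library: a small Python model of the double-submit check whose error text matches the log-web.txt entries, a client that does the GET once and echoes the same token back in the POST, and one hypothetical way a remote app can produce exactly the logged mismatch. The cookie and hidden-field names, the origins and the credentials are placeholders chosen for the example.

```python
"""Double-submit anti-CSRF check as the log message describes it (cookie
value must equal the form parameter value) plus a remote client that
satisfies it.  Added example, not TMS or Idunno.AntiCsrf code; the
cookie/field names, origins and credentials are placeholders."""
import re
import secrets
from urllib.parse import parse_qs, urlencode

CSRF_COOKIE = "__CSRFCOOKIE"   # assumed cookie name
CSRF_FIELD = "__CSRFTOKEN"     # assumed hidden-field name


class PotentialCsrfException(Exception):
    """Same wording as the entries in log-web.txt."""


class FakeTmsServer:
    """Stand-in for login.aspx: GET issues a token as a cookie and as a
    hidden field; POST is rejected unless the two match and the Origin
    (when present) is one the server trusts."""

    def __init__(self, trusted_origins=("https://tms.example",)):
        self.trusted_origins = set(trusted_origins)
        self.users = {"admin": "s3cret"}          # constructed credentials

    def get_login(self):
        token = secrets.token_urlsafe(32)
        html = (
            '<form method="post" action="/tms/auth/login.aspx">'
            f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
            '<input name="username"><input name="password" type="password">'
            "</form>"
        )
        return {"body": html, "set_cookie": {CSRF_COOKIE: token}}

    def post_login(self, cookies, body, origin=None):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        cookie_val = cookies.get(CSRF_COOKIE, "")
        param_val = form.get(CSRF_FIELD, "")
        # Constant-time compare; a missing, stale or foreign token fails here.
        if not cookie_val or not secrets.compare_digest(
                cookie_val.encode(), param_val.encode()):
            raise PotentialCsrfException(
                "The CSRF cookie value did not match the CSRF parameter value.")
        # Origin allow-list: the alternative to switching the check off.
        if origin is not None and origin not in self.trusted_origins:
            raise PotentialCsrfException(f"Request Origin not trusted: {origin}")
        if self.users.get(form.get("username")) != form.get("password"):
            return {"status": 401}
        return {"status": 302, "location": "/tms/"}


def extract_csrf_token(html):
    """Pull the hidden field out of the login form returned by GET."""
    match = re.search(rf'name="{CSRF_FIELD}"\s+value="([^"]+)"', html)
    if not match:
        raise ValueError("login form carries no CSRF field")
    return match.group(1)


def automated_login(server, username, password, origin="https://tms.example"):
    """Correct flow: GET once, keep the Set-Cookie, echo the same token."""
    page = server.get_login()
    jar = dict(page["set_cookie"])
    token = extract_csrf_token(page["body"])
    body = urlencode({CSRF_FIELD: token, "username": username, "password": password})
    return server.post_login(jar, body, origin=origin)


def mismatched_login(server, username, password):
    """One hypothetical way to produce the thread's error: the cookie from
    one GET is paired with the hidden field from a second GET."""
    first, second = server.get_login(), server.get_login()
    token = extract_csrf_token(second["body"])
    body = urlencode({CSRF_FIELD: token, "username": username, "password": password})
    return server.post_login(first["set_cookie"], body, origin="https://tms.example")


def outcome(attempt):
    """Run a zero-argument login attempt; returns HTTP status or 'csrf-rejected'."""
    try:
        return attempt()["status"]
    except PotentialCsrfException:
        return "csrf-rejected"


if __name__ == "__main__":
    tms = FakeTmsServer()
    print(outcome(lambda: automated_login(tms, "admin", "s3cret")))
    print(outcome(lambda: mismatched_login(tms, "admin", "s3cret")))
    portal = "https://portal.example"
    print(outcome(lambda: automated_login(tms, "admin", "s3cret", origin=portal)))
    trusting = FakeTmsServer(trusted_origins=("https://tms.example", portal))
    print(outcome(lambda: automated_login(trusting, "admin", "s3cret", origin=portal)))
```

The last two calls show the practitioner's point: a POST from a different origin with a perfectly good token is still refused, and the way to admit a known portal is to add its origin to the server's allow-list rather than to disable the token check. On a real client the same effect comes from keeping one cookie jar (a session object) across the GET and the POST so the token posted is the one the server set.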