SSO to PHP Web App

Hi,
I am trying to do SSO to a PHP web application running on a Linux Apache web server. I have downloaded the SAPSSOEXT_0-10002920 and SECULIB54_0-10002909.SAR files from the Service Marketplace. I went through the code samples in C and Java in the downloaded zip file, but I think I have to implement them in PHP and I am a complete newbie to PHP. Has anyone done SSO to PHP-based web apps? Please advise.
Thanks and regards,
Hassan

What you could do is set up a web service which uses the Java API to validate the SAP logon ticket.
Then you call this web service from PHP (perhaps you need to install php-soap, http://phpsoaptoolkit.sourceforge.net/phpsoap/) in order to validate the ticket.
Perhaps the UME already has a web service for validating tickets, so that the first step is not needed.
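
The PHP side of the approach suggested above, as an added example that is not part of the original thread: the application takes the logon ticket from the MYSAPSSO2 cookie, asks a validation web service about it, and treats every failure as "not logged in". The service, its WSDL URL, the validateTicket operation, the valid/user fields and the user ID pattern are assumptions; SoapClient is PHP's built-in SOAP extension.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The validation service, its WSDL
// URL, the validateTicket operation and its valid/user fields are hypothetical.

const TICKET_COOKIE  = 'MYSAPSSO2'; // cookie that carries the SAP logon ticket
const MAX_TICKET_LEN = 8192;        // assumed upper bound, rejects junk early

/** Build a caller that forwards the ticket to the Java-backed SOAP service. */
function soapTicketCaller(string $wsdlUrl): callable
{
    return function (string $ticket) use ($wsdlUrl): array {
        // Use an https:// WSDL so the ticket is not sent in clear text.
        $client = new SoapClient($wsdlUrl, [
            'exceptions'         => true, // errors surface as SoapFault
            'connection_timeout' => 5,
        ]);
        $r = $client->validateTicket(['ticket' => $ticket]); // hypothetical operation
        return [
            'valid' => ($r->valid ?? false) === true,
            'user'  => (string) ($r->user ?? ''),
        ];
    };
}

/**
 * Return the user ID the service vouches for, or null. Every failure path
 * (missing cookie, service down, malformed answer) ends in "not logged in".
 */
function userFromTicket(array $cookies, callable $callService): ?string
{
    $ticket = $cookies[TICKET_COOKIE] ?? '';
    if (!is_string($ticket) || $ticket === '' || strlen($ticket) > MAX_TICKET_LEN) {
        return null;
    }
    try {
        $answer = $callService($ticket);
    } catch (Throwable $e) {
        error_log('SSO ticket validation error: ' . $e->getMessage());
        return null; // fail closed, never fall back to trusting the cookie
    }
    if (!is_array($answer) || ($answer['valid'] ?? false) !== true) {
        return null;
    }
    $user = $answer['user'] ?? '';
    // The user ID comes from the validator's answer, never from a request field.
    // The allowed pattern is an assumption about the user ID format.
    if (!is_string($user) || preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $user) !== 1) {
        return null;
    }
    return $user;
}

/** Bind the validated identity to a fresh PHP session. */
function loginWithTicket(array $cookies, callable $callService): bool
{
    $user = userFromTicket($cookies, $callService);
    if ($user === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // avoid session fixation on login
    }
    $_SESSION['sso_user'] = $user;
    return true;
}

// --- Offline demonstration with constructed data (no SAP system involved) ---
$fakeService = function (string $ticket): array {
    if ($ticket === 'CONSTRUCTED-GOOD-TICKET') {
        return ['valid' => true, 'user' => 'DEMOUSER'];
    }
    return ['valid' => false, 'user' => ''];
};
$downService = function (string $ticket): array {
    throw new RuntimeException('validator unreachable');
};

var_dump(userFromTicket([TICKET_COOKIE => 'CONSTRUCTED-GOOD-TICKET'], $fakeService));
var_dump(userFromTicket([TICKET_COOKIE => 'forged'], $fakeService));
var_dump(userFromTicket([TICKET_COOKIE => 'CONSTRUCTED-GOOD-TICKET'], $downService));
var_dump(userFromTicket([], $fakeService));

// In the real application: loginWithTicket($_COOKIE, soapTicketCaller($wsdlUrl));
```

Only the first call yields a user ID; the forged ticket, the unreachable validator and the missing cookie all yield null.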

Similar Messages

  • Integrating a PHP Web App with an Existing Azure Mobile Services and Mobile App

    I've got an existing mobile app that is integrated with Azure's mobile services. The mobile services are currently connected to Azure Active Directory with MFA enabled. I'd like to build a separate PHP-based web application (Azure VM) that uses this existing
    mobile service and authentication.
    I reviewed the Azure PHP SDK, but didn't see any tie-ins to the Mobile Service. Additionally, Azure has some great tutorials, but for mobile services they all seem to focus on iOS, Android, and Windows phone. Any insight into how to tie a PHP-app into this
    backend would be much appreciated!

    Although there isn't any client library for PHP, you can still access Mobile Service using the
    Azure Mobile Service REST API.
    Abdulwahab Suleiman

  • SSO of custom web app and ALBPM

    Hi
    Recently we have to integrate a custom app and ALBPM on weblogic server,
    we want to implement Single Sign On between the custom app and ALBPM workspace,
    hopefully on application level
    (our custom application is using acegi security backed by LDAP right now)
    but seems the authentication of ALBPM is quite proprietary and tends to be container-managed.
    Could anyone kindly tell me how we should get started on this?
    Thanks

    Hello guys,
    Does anyone know how to implement "fuego.workspace.security.SSOWorkspaceLoginInterface", or where to find some API documentation or Javadoc about this interface?
    For now, I'm trying to find some help or documentation about SSO in the workspace, so I did a decompilation to find more answers.
    package fuego.workspace.security;
    import fuego.sso.SSOLoginException;
    import fuego.web.SSOUserLoginInterface;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    public interface SSOWorkspaceLoginInterface extends SSOUserLoginInterface {
         public abstract void setupAuthenticatedSession(
                   HttpServletRequest httpservletrequest,
                   HttpServletResponse httpservletresponse) throws SSOLoginException;
         public abstract void processRequest(HttpServletRequest httpservletrequest,
                   HttpServletResponse httpservletresponse) throws SSOLoginException;
    }

    package fuego.web;
    public interface SSOUserLoginInterface extends fuego.sso.SSOUserLoginInterface {
    }

    package fuego.sso;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    // Referenced classes of package fuego.sso:
    //            SSOLoginException
    public interface SSOUserLoginInterface {
         public abstract String getUser(HttpServletRequest httpservletrequest,
                   HttpServletResponse httpservletresponse) throws SSOLoginException;
         public abstract String getPassword(HttpServletRequest httpservletrequest,
                   HttpServletResponse httpservletresponse) throws SSOLoginException;
         public abstract boolean skipFDIAuthentication();
         public abstract String getLogoutURL();
         public abstract String getLogoutRelativePath();
    }

    And I decompiled fuego.workspace.security.SSOWorkspaceLogin to see the logic inside this class:
    package fuego.workspace.security;
    import fuego.sso.SSOLoginException;
    import fuego.web.SSOUserLogin;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    // Referenced classes of package fuego.workspace.security:
    //            SSOWorkspaceLoginInterface
    public class SSOWorkspaceLogin extends SSOUserLogin implements
              SSOWorkspaceLoginInterface {
         public SSOWorkspaceLogin() {
         }
         public void setupAuthenticatedSession(
                   HttpServletRequest httpservletrequest,
                   HttpServletResponse httpservletresponse) throws SSOLoginException {
         }
         public void processRequest(HttpServletRequest httpservletrequest,
                   HttpServletResponse httpservletresponse) throws SSOLoginException {
         }
    }

    package fuego.web;
    // Referenced classes of package fuego.web:
    //            SSOUserLoginInterface
    public class SSOUserLogin extends fuego.sso.SSOUserLogin implements
              SSOUserLoginInterface {
         public SSOUserLogin() {
         }
    }

    And here I think he uses some obfuscator, because I can't decompile the implementation method :(
    package fuego.sso;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    // Referenced classes of package fuego.sso:
    //            SSOUserLoginInterface, SSOLoginException
    public class SSOUserLogin implements SSOUserLoginInterface {
         public SSOUserLogin() {
         }
         public String getUser(HttpServletRequest request,
                   HttpServletResponse response) throws SSOLoginException {
              return request.getRemoteUser();
         }
         public String getPassword(HttpServletRequest request,
                   HttpServletResponse response) throws SSOLoginException {
              return null;
         }
         public boolean skipFDIAuthentication() {
              return true;
         }
         public String getLogoutURL() {
              return null;
         }
         public String getLogoutRelativePath() {
              return null;
         }
    }

    Thanks for any help or indication of source.
    regards.

  • SSO to Web App using Application Integrator - not working

    Hi,
    I've set up App Integrator for my web application, following the Yahoo example in the guide. My URL template is <System.protocol>://<System.server><System.uri>?<Authentication> and the fraction for user mapping is op=<MappedUser>&pwd=<MappedPassword>.
    It doesn't log me in. Even if I change the URL template to the actual address of my web app and use a real user & password (rather than <Mapped..>), it still doesn't work.
    I've got SSO to my web app working using a HTTP system and URL iview but I would really like to see the App Integrator working as well. Any ideas?
    Many thanks
    Jane

    Can anyone please help with this? I installed a http sniffer so maybe I could see what was going on. My HTTP System simply goes to the URL with the parameters added as expected, but the app integrator one is a bit more complex - I can see the URL & parameters in this function:
        function requestTargetURL() {
          var theURL = "HTTPS://(myserver)/log-in.htm?op=(####)&pwd=(####)";
          var dsmObj;
          if (hasNestedFrameStructure()) {
            location.replace(theURL);
            dsmObj = parent.EPCM.DSM;
          } else {
            document.body.scroll = "no"; // for IE only
            var theIframe = document.getElementById("iframe_GETRedirect_1593748234");
            theIframe.style.visibility = "visible";
            theIframe.src = theURL;
            dsmObj = EPCM.DSM;
            document.title = 'JDS';
          }
        }
        function onloadhandler(){
          setTimeout("requestTargetURL()",1);
        }
    and the server/username/password are all correct, but there's a lot of other stuff in there and I'm not sure how it affects it. Does anyone have any ideas why this isn't working? Does it matter that my web app is https but the portal is http?
    Any help greatly appreciated!
    Thanks in advance
    Jane

  • SSO with OID and WLS 8.1 Web App

    Hi,
    I have a web application deployed on WLS 8.1.
    I have set up Oracle Custom Authenticator.
    Some of my users are stored in Oracle LDAP. I want that if user logs in Web Application deployed on WLS 8.1 and clicks on one link (in my web app) which refers him to go to OID interface, in OID interface he should not be authenticated again (as he is already authenticated by WLS). Please let me know how to resolve this issue with Oracle SSO.
    Any help in this regard highly appreciated.
    Thanks
    -Deepak

    Did you find a solution for this problem?
    I have something very similar going on where I am currently working.
    Thanks!
    Andy.
    "Simple Guy" <[email protected]> wrote:
    >
    Hi,
    I've a setup with iplanet 6.x webserver using the wls 7.0 sp2 proxy plugin to route requests to the clustered app server instances (2 of them) that are in wls 6.1 sp3.
    The issue is, I'm noticing that the session is not sticky and is getting routed onto the other app server instance. The error that I see in the wlproxy.log is as follows:
    *******Exception type [PROTOCOL_ERROR] raised at line 654 of URL.cpp
    Thu Nov 13 11:30:08 2003 failure on sendRequest() w/ recycled connection to Instance1:7001, numfailures=1
    Thu Nov 13 11:30:08 2003 Marking Instance1:7001 as bad
    Thu Nov 13 11:30:08 2003 got exception in sendRequest phase: PROTOCOL_ERROR [line 654 of URL.cpp]: unexpected EOF reading HTTP status at line 1010
    Thu Nov 13 11:30:08 2003 Failing over after sendRequest exception
    Thu Nov 13 11:30:08 2003 attempt #1 out of a max of 5
    Has anyone seen this issue? Can anyone explain why this issue is occurring?
    Thanks.

  • Is php security and secure connection are enough for securing big web app. like fb?

    I mean... using PHP security functions and using a secure connection... are they enough for protecting big web apps like fb?

    With great difficulty and constant monitoring and tweaking.
    Gramps

  • SSO to Web App using Application Integrator - not working (SP15)

    Hi,
    I have created a web app system and generic app integrator iview for my web application (and set up user mapping etc.), following the Application Integrator how-to guide but it does not log me into my web application. I have got the Yahoo example working, and if I use a HTTP System & URL iview for my web application, that also works. Can anyone tell me what the problem could be, or where I should start looking?
    If I use a http sniffer, I can see the correct URL and parameters in the following:
        function requestTargetURL() {
          var theURL = "HTTPS://(myserver)/log-in.htm?op=(####)&pwd=(####)";
          var dsmObj;
          if (hasNestedFrameStructure()) {
            location.replace(theURL);
            dsmObj = parent.EPCM.DSM;
          } else {
            document.body.scroll = "no"; // for IE only
            var theIframe = document.getElementById("iframe_GETRedirect_592312569");
            theIframe.style.visibility = "visible";
            theIframe.src = theURL;
            dsmObj = EPCM.DSM;
            document.title = 'JDS';
          }
        }
        function onloadhandler(){
          setTimeout("requestTargetURL()",1);
        }
    but something else must be happening for it not to work. Can anyone give me any pointers?
    Many thanks
    Jane

    Bit of a weird one: I've found a way to make it work but I'm not sure exactly how... the problem was that the portal was opening my web app URL in an iFrame (which can be seen from the code above). I tested this by just creating a html page with the URL + parameters in an iframe, and it wouldn't log me in (and took over the whole browser). So I guess the problem is with my web app rather than the portal.
    However... I then discovered that if I add my web app address to the Local Intranet security zone in my browser (IE6) settings (before it was in the Trusted Sites zone), it no longer minded being in an iFrame, my test html page worked and so does the portal iview. I cannot find which security setting is causing this - I've tried changing the Trusted Sites to match the Intranet zone settings exactly, but it still doesn't work if my web app address is Trusted as opposed to Intranet.
    If anyone has any idea what is causing this behaviour, I'd be very grateful - obviously it isn't a portal issue but I'd still like to find out the cause in case it comes up again in the future.
    Many thanks,
    Jane

  • Need someone to code web app mysql-php

    The static pages are mostly done. Was hoping to do the dynamic stuff myself, but just started learning web apps and we need it now. Want to hire someone with experience doing web apps. It's a professional directory with search results pages that work like (but don't look like) hamptoninn.com. We want to use SugarCRM to manage the accounts too. (Moderator: sorry if this is not allowed, don't see it prohibited in terms.)

    Hello 6fingers,
    1. When you say that you successfully migrated the application, how exactly did you do this, did you use the Web Apps migration assistant?
    The error message indicates to me that the issue is with the Access database. Even though your website has migrated successfully with respect to the IIS server configuration, it is failing to connect to your Access database. Azure websites support Access databases after converting them to Azure SQL DB.
    When you migrate your website, it would have created a database for your Access database under MYSQL Database. I suggest that you check if you have that linked to your web application.
    If you do not find any database under the linked resources for the web application, you can create a new Azure SQL database.
    You can refer to the link below that will give you instructions on 'Migrating Access Databases to SQL Server/Azure SQL DB (AccessToSQL)':
    https://msdn.microsoft.com/en-us/library/hh313051(v=sql.110).aspx
    Thanks,
    Syed Irfan Hussain

  • GetAccess SSO and WebLogic J2EE Web app

    I have a J2EE web app (servlets/JSPs) running in WLS5.1sp8. I want to use standard
    J2EE declarative security to protect the application and a WLS custom security
    realm to provide authorisation.
    However, I need to use the Entrust getAccess single sign-on infrastructure to
    do the initial user authentication. I was hoping there might be some way to propagate
    the user's getAccess security credentials into the web application so that when
    the user hits a protected web page, they are not prompted to login in again.
    However, Weblogic should call into my custom realm with the getAccess provided
    user name to check that the user has the correct role.
    Anyone have any ideas how/if this is possible?
    Thanks,
    Martin

    That was a good article on how to maintain access levels based on different user roles and I will need it down the lane. Probably, I used the wrong word when I meant 'unauthorized user'.
    Actually, let me rephrase it.
    Here is my issue rephrased:
    1.) My problem is during the authentication phase. I want a functionality where a person is redirected to the login page by default if he tries to paste the URL of some intermediate page of the application directly without logging in.
    2.) This would also pop up another question, which would be what is the best practice to maintain a user's info, i.e. his login credentials, throughout the application (I am just storing his user id along with a flag which says it's true).
    Right now, the way I do it is, in each action after the user logs in, I check for a session attribute which tells if he has logged in. Based on this check, I forward to the next page. But I think it's quite redundant and probably not a best practice. Hence, I need some other elegant way of achieving this.

  • How to send JSON data in HTTPService to PHP web service question

    I'm using Flex 4 and a mx:HTTPService to send a JSON request to a php web service. I'm not sure if I'm sending the request correctly. Could someone look at the code below to see what I'm doing wrong?
    thanks
    <?xml version="1.0" encoding="utf-8"?>
    <s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
                   xmlns:mx="library://ns.adobe.com/flex/mx"
                   xmlns:s="library://ns.adobe.com/flex/spark"
                   width="100%" height="100%">
        <fx:Declarations>
            <mx:HTTPService id="service" url="https://my web service url/"
                            method="POST" resultFormat="text" result="onResult(event)" fault="onFault(event)">
            </mx:HTTPService>
        </fx:Declarations>
        <fx:Script>
            <![CDATA[
                import com.adobe.serialization.json.JSON;
                import mx.collections.ArrayCollection;
                import mx.rpc.events.FaultEvent;
                import mx.rpc.events.ResultEvent;
                import mx.utils.Base64Encoder;
                [Bindable]private var username:String = "[email protected]";
                [Bindable]private var password:String = "the password";
                [Bindable]private var accountNumber:String = "49055";
                [Bindable]private var anticipatedDeliveryDate:Number = 20101115;
                [Bindable]private var purchaseOrder:String = "#123 for retailer";
                [Bindable]private var detailRecords:Array = new Array();
                [Bindable]private var key:String = "abc123";
                private function populateService():void {
                    populateProducts();
                    setRequestHeader();
                    setRequestData();
                    service.send();
                }
                private function setRequestHeader():void {
                    var encoder:Base64Encoder = new Base64Encoder();
                    encoder.insertNewLines = false;
                    encoder.encode(key);
                    service.headers["Authorization"] = "VIP " + key;
                    service.headers["Content-Type"] = "application/json";
                }
                private function setRequestData():void {
                    service.request.username = username;
                    service.request.password = password;
                    service.request.accountNumber = accountNumber;
                    service.request.anticipatedDeliveryDate = anticipatedDeliveryDate;
                    service.request.purchaseOrder = purchaseOrder;
                    service.request.detailRecords = detailRecords;
                    // caching test
                    var rnd : Number = Math.round(Math.random()*1000);
                    service.request.cacheOff = rnd;
                }
                private function populateProducts():void {
                    var prod1:Object = new Object();
                    prod1.itemCodeOrUPC = "00241";
                    prod1.itemDescription = "Budweiser Keg 1/2 BBL";
                    prod1.quantityOrdered = 2;
                    prod1.orderUOM = "Keg";
                    var prod2:Object = new Object();
                    prod2.itemCodeOrUPC = "00219";
                    prod2.itemDescription = "Budweiser 24/12 OZ CAN";
                    prod2.quantityOrdered = 4;
                    prod2.orderUOM = "Case";
                    detailRecords.push(prod1);
                    detailRecords.push(prod2);
                }
                private function onResult(event:ResultEvent):void {
                    var json:Object = JSON.decode(event.result as String);
                }
                private function onFault(event:FaultEvent):void {
                    trace("Fault: " + event.fault.faultString);
                }
            ]]>
        </fx:Script>
        <mx:Panel width="95%" height="100%" color="#000000">
            <mx:HBox width="100%">
                <mx:Button label="Submit" click="{populateService()}"/>
            </mx:HBox>   
        </mx:Panel>
    </s:Application>

    Have you thought about using ActionScript in your Flex application? Or, you can write JavaScript to be a proxy between your Flash app and the backend PHP web service?
    Also, it seems that you will allow every customer's Flash player to have a copy of the secret code. I think it is a dangerous design because an flv file can be easily decompiled. Therefore, your secret code can be found if it is not input by your end user and it is populated on your serverside script.

  • SSO to a Web Service from Portal

    Hi All,
    I have EP deployed on machine A, and my web application deployed on machine B, and I need to get SSO enabled between EP and the web application. Machine B is a Windows 2003 Server, and has the ISAPI filter installed to get at the HTTP_REMOTE_USER from the server variables, when I come from the EP. The web application on machine B is able to get the HTTP_REMOTE_USER server variable. This web application is an ASP.Net application, which calls web services in order to do any processing, including logging in a user. The flow looks like this:
    EP -> web app page -> redirect to login page -> check if HTTP_REMOTE_USER is present, if so, call web service to login user.
    The problem is this: when in the login page, I get at the HTTP_REMOTE_USER, which only gives me a user name. In order to actually log the user in, I need to call a web method, passing in a user name and a password. However, I don't have a password, and if I put a web method to login the user without the password check, it becomes a security hole. I hence need to check for the HTTP_REMOTE_USER in my web service layer as well, but I don't seem to be able to get at the HTTP_REMOTE_USER in the web service. At present, both web service and web application are on the same machine, but I still don't get the server variable. Isn't the web service (yet another) HTTP-based application, which should be able to get at the server variables? How do I get at the server variables to flow to the web service as well?
    In addition, I need to also do the following: I need to create an iView, which will call web methods on the web service. The web service uses WSE 1.0, and validates to check that there is a UsernameToken present. So, I need something similar to the above, wherein the web service can "figure out" that it is being called from the iView, and can skip the validation.
    Regards,
    Vivek
    PS - Points will be definitely rewarded

    Hi,
    Can anyone pls help me with this.
    Any ideas are most welcome.
    Regards,
    Vivek

  • SharePoint 2013 Anonymous (public) site and Office Web Apps Server 2013 issue with download.aspx

    Our organization has a public facing anonymous site in SharePoint 2013 which allows access to documents (docx) in a library. ViewFormsLockdown is activated as we present the documents via CQWP / custom template. We are combating the usual issue of multiple login prompts when using Internet Explorer when a user accesses said document. We also have tried using the Word Viewer (view only mode) from Office Web Apps Server 2013 which works well, but ...
    the problem stems from the fact that users can go to the file menu from the word view and choose to download the document (which is what we want); unfortunately it looks like the link redirects via /_layouts/15/download.aspx which also presents a login prompt. Much has been written out there about doing direct links for documents via /_layouts/download.aspx to address multiple login prompts when the document is opening in word (from IE).
    I've tried nearly every combination of recommendations (disabling client integration, browser file handling (permissive/strict), ViewFormsLockdown feature, web.config modifications with options and propfind verbs and more) all to varying levels of success, but never totally getting rid of the prompt. It has been stated that because the downloads.aspx inherits from Microsoft.SharePoint.ApplicationPages.Download this will not allow anonymous access. We really want to use the word view from the Office web app and have the file download functionality work from the menu there ... can anyone suggest an alternate fix? I might be wishing but will appreciate any guidance offered ...
    cheers,
    Dean
    some reference links (but not all) for various things we've tried:
    http://mohitvash.wordpress.com/2013/06/18/sharepoint-download-a-file-programatically/
    http://blog.sharedove.com/adisjugo/index.php/2012/09/29/open-sharepoint-files-in-edit-mode-from-client-applications-and-not-read-only/
    http://stackoverflow.com/questions/375390/office-documents-prompt-for-login-in-anonymous-sharepoint-site
    http://yalla.itgroove.net/tag/anonymous-access/
    Glifnard

    I'm glad to hear that the problem has been fixed. Thank you for sharing your experience here, it will be helpful to other community members who have similar questions.
    Cheers,
    Steve Fan
    TechNet Community Support

  • Is it possible to leverage InDesign Server templates in a custom web app?

    Hi there,
    I am building a custom web app and was hoping to leverage our existing InDesign Server templates within our web app. What I would like to do, is based on user input, show my template with the user's input in the browser. I have looked through the API guides for InDesign Server CS6, but I haven't been able to conclusively find anything that will allow me to use the APIs to call the server, send the data points the template requires, and then get an image back from the server.
    I believe this is possible, I am just not sure how to achieve it! Any ideas or articles that help push me in the right direction would be extremely helpful!
    Thank you!
    Marshall

    Yes it's completely possible. There are two parts to making something like this work:
    1. The scripts themselves. You can generally script InDesign Server and desktop InDesign exactly the same way using ExtendScript. So that's the part of the process where your script receives variables and passes them into the template and replaces something you've identified as variable, whether text or an image or something else (perhaps a color theme, etc.). You should get your scripts running on desktop before playing around with server.
    2. The messaging between your web app and the server. Whatever language you are using (i.e. PHP, .Net, Java, Ruby…) there is a way to make a SOAP call to InDesign Server to tell it basically "run this script with these parameters". You should get the "hello world" script running from a SOAP call on the server before using your real variable-driven document.
    The documentation of these things is available here:
    http://www.adobe.com/devnet/indesign/sdk.html
    You need to download the InDesign Server SDK (don't worry if you're on CC and it says CS6, almost nothing changed) and the InDesign Scripting SDK. The Server SDK deals with part #2 above, the Scripting SDK with part #1.
    It really isn't that hard. I should warn you, though, that it is addictive and once you do your first one you will become all-powerful and want to do nothing else. :-)
    Good luck and don't hesitate to ask questions.
    Max
    http://blog.siliconpublishing.com

  • Claims debacle (error) with Term Store: "Could not retrieve a valid windows identity" for all sites in a particular web app.

    When I pull up the Term store in CA or any MySite collection, it works.
    When I do so in any other site collection (HNSCs, incidentally), It doesn't return any term stores.
    My ULS log immediately before and after the "/_vti_bin/taxonomyinternalservice.json/CheckPermission" POST on termstore .aspx triggers the WCF call:
    Claims Authentication af30y Verbose Claims Windows Sign-In: Successfully signed-in the the user 'contoso\domainUser' for request url 'https://sp13-root-prd.contoso.com/_vti_bin/taxonomyinternalservice.json/CheckPermission'.
    Claims Authentication af30q Verbose Updating header 'LOGON_USER' with value '0#.w|contoso\domainUser' for the request url 'https://sp13-root-prd.contoso.com/_vti_bin/taxonomyinternalservice.json/CheckPermission'.
    Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|contoso\domainUser, ClaimsCount=77
    Logging Correlation Data xmnv Medium Site=/
    Topology e5mc Medium WcfSendRequest: RemoteAddress: 'http://CONTOSOFE3:32843/00e6d55691824965ac223f1d1cfae6d2/MetadataWebService.svc' Channel: 'Microsoft.SharePoint.Taxonomy.IMetadataWebServiceApplication' Action: 'http://schemas.microsoft.com/sharepoint/taxonomy/soap/IDataAccessReadOnly/GetChanges2' MessageId: 'urn:uuid:590e916c-c89a-4f89-9819-a82c97fabcaa'
    Claims Authentication bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'contoso\domainUser' with UPN '[email protected]'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet))..
    Claims Authentication g220 Unexpected No windows identity for contoso\domainUser.
    The "The caller is not authorized to access the service." message seems pertinent.
    Both web apps are using only NTLM auth.
    The url for both web apps ends in the same contoso.com domain. 
    I get the same errors no matter what account I use, including the install account.
    Things I've tried:
    Deleting and building a new HNSC root web app and site. Error happens in all sites in all web apps except the PBSC hosting MySites.
    Giving the root site app pool identity full control of the metadata service app (even though the MySite identity doesn't have it)
    Giving the root site app pool identity full permissions on the metadata service app.
    Comparing database and web app config permissions between dev (where everything works perfectly) and prod (where it does not).
    Made sure IIS auth settings on both sites are identical
    Both sites are using the same SSL certificate (though the call to the web service appears to be http)
    Reprovisioned the metadata service app with a new database and new app pool identity.
    Made sure C2WT is running. Tried it with the service stopped as well.
    Web.configs are identical between working and non-working apps.
    I'm stumped but still Googling. I'm hoping to avoid having to call Microsoft. Any help would be appreciated!
    UPDATE:
    Interestingly, when I restored the web application from backup (via CA), I ended up with 3 identical "Windows Authentication" authentication providers assigned to the problem web app. Since there was more than one, I was directed to the provider-chooser page when visiting the site. Upon choosing 1 of the 3, I was authenticated, and *poof*, no more authentication errors and the term store loaded term sets as expected.
    Of course, 3 providers was not an ideal state, so I grabbed the one that worked (#1) via get-spauthenticationprovider, and assigned it to the web app via set-spwebapplication, and my problem returned.
    I am currently updating the farm to SP1 from June 2013 CU. Fingers crossed.
    Update:
    The update to SP1 went smoothly, but did not resolve the issue. Also related (I believe) are the random authentication errors when trying to upload images to some libraries, and 401-errors on the accessdenied.aspx page itself.
    Update:
    The problem is resolved, seemingly after making 4 changes. I'm trying to narrow down which change was the cure, if any:
    1. I installed SP1 on all 6 servers, rebooted and upgraded. This appeared to have no effect.
    2. Removed an old login from SQL that no longer existed in AD because of this ULS error:
       System.Runtime.InteropServices.COMException: The user or group contoso\svc_xxxxxxxxx' is unknown., StackTrace:    at Microsoft.SharePoint.Utilities.SPUtility.GetFullNameFromLoginEx(String loginName, Boolean& bIsDL)
       This login was the identity of the application pool that used to run the web app in question.
       This login was the schema owner of a schema named after itself on every SharePoint database so I changed the schema owner to dbo but left the schema attached.
       The problem may have surfaced initially when the app pool identity was changed in CA, but went unnoticed?
       Note that the web app had been deleted and recreated many times with a new identity and pool to no avail, but the URL remained the same throughout each attempted fix. Relevant?
    3. Grasping at straws, I changed the app pool identity for this web app to the same one that runs the MySite web app pool as per this only slightly related problem: http://www.planetsharepoint.org/m/preview.php?id=372&rid=34764&author=Vlad+Catrinescu
    4. I changed the authentication method from NTLM to Negotiate.
    I am rolling back #3 and #4 to see if the issue resurfaces.
    Update:
    It doesn't appear to have been the NTLM/Negotiate setting. Web app is currently set to NTLM and all is well. No strange accessdenies, and term Store is still manageable from all sites.
    Update: Sorry for the delay. I am administering 6 farms these days. Will update as soon as the final phase of rollbacks happens.
    I think I can. I think I can.

    maybe that web app was accidentally created with classic auth?
    here's an example of how to create claims based, with classic, and then "doing 2013" claims
    # Create the example web application, as mentioned above, either with gui, and pick later, or
    New-SPWebApplication -ApplicationPool $applicationPool -ApplicationPoolAccount $serviceAcct -Name $WebApp -Port 5050 -DatabaseName $contentDB -SecureSocketsLayer
    # If doing for 2013
    New-SPWebApplication -ApplicationPool $applicationPool -ApplicationPoolAccount $serviceAcct -Name $WebApp -Port 5050 -AuthenticationProvider (New-SPAuthenticationProvider) -DatabaseName $contentDB -SecureSocketsLayer

  • Web App name tag capabilities and Upload response handling

    Hi Guys,
    Let me begin by apologising for how long-winded this is going to be. 
    I have set my products up in the ecommerce module utilising catalogues etc - I have removed the buy now and cart options, so the ecommerce module is operating essentially like a showroom.  What I want to do now is link the individual large products to a web app because my product range requires personalization and the customers need to give me information and assets to get their finished product back - the key for me is getting reports from the system, the web apps are just a portal to those reports.  So the workflow would see them submit their text and assets to be used in the final product and pay via the web app.  With the web app that takes payment and allows them to submit their personalization stuff I was going to make one per product, so if product a) requires them to submit one block of text and 2 photos, the web app would have corresponding fields.  Then I got thinking about using content holders, the one web app for all products that need one block of text and 2 photos, if I could get the name tag to populate with the product page that sends to it, or the page name the web app form is inserted on, because this will correspond to the large product.  This way when I do the reporting instead of having to report from heaps of web apps, I could just filter the reports by the product name.  It would mean I would only need a handful of web apps vs needing quite a lot, but if it is beyond me I am happy that I have a solution, even if it is a bloated one.
    The other part of this involves me needing to capture the uploaded file name in the web app form fields so I can report from them.  I have been looking around and came across the below code.  My web app will require 1-12 uploaded file names to be captured in 1-12 form fields i.e. img_1 - img_12 - I am not a coder but I wondered whether this had potential for what I need.  It comes from here http://www.openjs.com/articles/ajax/ajax_file_upload/response_data.php
    Thanks in advance for taking the time to digest all of this.
    Mandy
    A Sample Application
    For example, say you are building a photo gallery. When a user uploads an image (using the above mentioned ajax method), you want to get its name and file size from the server side. First, let's create the JavaScript uploading script (for explanation on this part, see the Ajax File Upload article)...
    The Code
    <script type="text/javascript">
    function init() {
        document.getElementById("file_upload_form").onsubmit=function() {
            document.getElementById("file_upload_form").target = "upload_target";
        }
    }
    window.onload=init; // attach the submit handler once the page has loaded
    </script>
    <form id="file_upload_form" method="post" enctype="multipart/form-data" action="upload.php">
    <input name="file" id="file" size="27" type="file" /><br />
    <input type="submit" name="action" value="Upload Image" /><br />
    <iframe id="upload_target" name="upload_target" src="" style="width:100px;height:100px;border:1px solid #ccc;"></iframe>
    </form>
    <div id="image_details"></div>
    And the server side(PHP in this case) script will look something like this...
    <?php
    list($name,$result) = upload('file','image_uploads','jpg,jpeg,gif,png');
    if($name) { // Upload Successful
        $details = stat("image_uploads/$name");
        $size = $details['size'] / 1024;
        print json_encode(array(
            "success"   => $result,
            "failure"   => false,
            "file_name" => $name, // Name of the file - JS should get this value
            "size"      => $size  // Size of the file - JS should get this as well.
        ));
    } else { // Upload failed for some reason.
        print json_encode(array(
            "success" => false,
            "failure" => $result,
        ));
    }
    Here we are printing the data that should be given to JS directly into the iframe. Javascript can access this data by accessing the iframe's DOM. Let's add that part to the JS code...
    function init() {
        document.getElementById("file_upload_form").onsubmit=function() {
            document.getElementById("file_upload_form").target = "upload_target";
            // This function should be called when the iframe has completed loading.
            // That will happen when the file is completely uploaded and the server has returned the data we need.
            document.getElementById("upload_target").onload = uploadDone;
        }
    }
    function uploadDone() { //Function will be called when iframe is loaded
        var ret = frames['upload_target'].document.getElementsByTagName("body")[0].innerHTML;
        var data = eval("("+ret+")"); //Parse JSON // Read the below explanations before passing judgment on me
        if(data.success) { //This part happens when the image gets uploaded.
            document.getElementById("image_details").innerHTML = "<img src='image_uploads/" + data.file_name + "' /><br />Size: " + data.size + " KB";
        } else if(data.failure) { //Upload failed - show user the reason.
            alert("Upload Failed: " + data.failure);
        }
    }
    Explanation
    Let's see what's happening here - a play by play commentary...
    document.getElementById("upload_target").onload = uploadDone;
    Set an event handler that will be called when the iframe has completed loading. That will happen when the file is completely uploaded and the server has returned the data we need. Now let's see the function uploadDone().
    var ret = frames['upload_target'].document.getElementsByTagName("body")[0].innerHTML;
    var data = eval("("+ret+")");
    These two lines are an eyesore. No - it goes beyond 'eyesore' - this is an abomination. If these lines cause you to gouge out your eyes and run for the hills, I can understand completely. I had to wash my hands after writing those lines. Twice.
    var ret = frames['upload_target'].document.getElementsByTagName("body")[0].innerHTML;
    This will get the data the server side script put in the iframe. This line cannot be avoided as far as I know. You can write it in different ways - but in the end, you will have to take the innerHTML or the nodeValue or something of the body element of the iframe. I used the smallest code in the sample. Even if you specify the Content type of the iframe page as text/plain, the browser will 'domify' it.
    One other thing - in frames['upload_target'] the 'upload_target' is the name of the iframe - not the ID. It's a gotcha you need to be aware of.
    var data = eval("("+ret+")");
    Thankfully, this line can be avoided - you can use some other format(in this particular case the best format might be plain HTML) so that you don't have to parse a string that comes out of innerHTML. Or you can use CSV. Or plain text. Or JSON as we are doing right now - just parse it without using eval(). Reason I choose it? Smallest code - and easier to understand.
    Now we have a working system. The files are uploaded and data reaches the client side. Everything works perfectly. Oh, how I wish I could say that. But nooo - the nightmare of every javascript developer rears its ugly head again...
    Internet Explorer
    Internet Explorer, also known as IE, also known as the Beast, again manages to mess things up. They don't support the onload event for iframe. So the code...
    document.getElementById("upload_target").onload = uploadDone;
    will not work. WILL. NOT. WORK. Thanks IE, thanks very much.
    So, what do we do? We use a small hack. We put a script tag inside the iframe with an onload event that calls the uploadDone() of the top frame. So now the server side script looks like this...
    <html>
    <head>
    <script type="text/javascript">
    function init() {
        if(top.uploadDone) top.uploadDone(); //top means parent frame.
    }
    window.onload=init;
    </script>
    </head>
    <body>
    <?php
    list($name,$result) = upload('file','image_uploads','jpg,jpeg,gif,png');
    if($name) { // Upload Successful
        // Put the PHP content from the last code sample here
    }
    ?>
    </body>
    </html>
    Okay - now we have an IE-proof working system. Upload an image using the below demo application to see it in action.
    If you have a better way of doing this, please, PLEASE let me know. I feel dirty doing it this way.
    See it in Action
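
An added example, not part of the quoted article or of either post: the uploadDone() step handled without eval() and without writing server values into innerHTML. The field names follow the PHP script quoted above; the file-name pattern and the function names are assumptions made for this sketch.

```javascript
// Added example: field names follow the PHP script quoted above; the
// file-name pattern and the function names are assumptions.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(jpe?g|gif|png)$/i;
// Parse the iframe body text into { ok: true, fileName, sizeKb } or { ok: false, reason }.
function parseUploadResponse(text) {
  let data;
  try {
    data = JSON.parse(text); // parses data only, never runs it as script
  } catch (e) {
    return { ok: false, reason: "response is not valid JSON" };
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, reason: "response is not a JSON object" };
  }
  if (!data.success) {
    return { ok: false, reason: String(data.failure || "upload failed") };
  }
  if (typeof data.file_name !== "string" || !SAFE_NAME.test(data.file_name)) {
    return { ok: false, reason: "unexpected file name" };
  }
  const sizeKb = Number(data.size);
  if (!Number.isFinite(sizeKb) || sizeKb < 0) {
    return { ok: false, reason: "unexpected size" };
  }
  return { ok: true, fileName: data.file_name, sizeKb };
}

// Build the preview with DOM calls so server values are never parsed as HTML.
// doc is the page's document, container the #image_details element.
function renderUploadResult(doc, container, result) {
  container.textContent = "";
  if (!result.ok) {
    container.textContent = "Upload failed: " + result.reason;
    return;
  }
  const img = doc.createElement("img");
  img.setAttribute("src", "image_uploads/" + encodeURIComponent(result.fileName));
  container.appendChild(img);
  container.appendChild(doc.createElement("br"));
  container.appendChild(doc.createTextNode("Size: " + result.sizeKb.toFixed(1) + " KB"));
}

// Constructed sample responses (not captured from a real server).
const SAMPLES = [
  '{"success":true,"failure":false,"file_name":"cat.png","size":12.5}',
  '{"success":true,"failure":false,"file_name":"a\'b<c>.png","size":1}',
  "<b>Warning</b>: upload failed",
];
function demo() { return SAMPLES.map(parseUploadResponse); }
```

In the page, pass the iframe body's textContent rather than its innerHTML to parseUploadResponse, so characters the browser entity-escapes are read back as the server sent them.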

    You also need to consider when someone removes a product and what happens in terms of the things uploaded.
    Not saying your way won't work but I have the structure for this basically very similar on sites already that covers all the bases of real world use and works well.
    Mine is future proof anyway. BC will never (I have it in writing) replace the code because it will break implementations and sites directly. jquery version is on the cards but the way that will be implemented or any change will either be with notice and on new sites not old or like many features an option in the admin to change it.
