Question

Receive 'Access to the path is denied' error when utilizing group security within the Windows directory

asked on March 6, 2017

I have an issue where I am unable to export a PDF to a UNC path. I am using the Workflow "Script SDK" activity to perform the script below. I receive the error when the user is not explicitly assigned to the folder security. If I add a group that the service account is a member of, I receive the access denied error. If I explicitly add the service account to the folder, then I am able to export the PDF to a UNC path.

 

I opened a Laserfiche support ticket and was told to open an answers forum as this may be related to the script.

Here is my script below. 

Namespace WorkflowActivity.Scripting.ExportPDF
    '''<summary>
    '''Provides one or more methods that can be run when the workflow scripting activity is performed.
    '''</summary>
    Public Class Script1
        Inherits RAScriptClass91
        '''<summary>
        '''This method is run when the activity is performed.
        '''</summary>
        Protected Overrides Sub Execute()

            ' Globally used variables
            Dim docPath As String = Me.BoundEntryInfo.Path
            Dim docname As String = ""
            Dim docInfo As DocumentInfo = Document.GetDocumentInfo(docPath, Me.RAsession)

            ' Check to see if the parent folder exists
            Dim CheckOutputFolderPath As System.IO.DirectoryInfo = New System.IO.DirectoryInfo(TokenReplace("%(ExportPath)"))
            If Not CheckOutputFolderPath.Exists Then
                CheckOutputFolderPath.Create()
            End If
            docname = TokenReplace("%(DocumentName)") & ".pdf"

            ' initialize an instance of DocumentExporter
            Dim exporter As New DocumentExporter()
            exporter.ExportElecDoc(docInfo.GetLatestVersion(), TokenReplace("%(ExportPath)") & docname)

        End Sub
    End Class
End Namespace

 

0 0

Answer

SELECTED ANSWER
replied on March 7, 2017

We were able to figure out that it was a Kerberos issue. 

It required the service account to be restarted.

The service account was added to the Active Directory Group and they did not bounce the server. After we bounced the server and logged in as the service account, the Kerberos tokens were updated allowing the service account to authenticate through the new AD group.

 

1 0

Replies

replied on March 6, 2017

It may also depend on all of the ACLs (entry access rights) that are effective (accumulated) on the folder as well as the entry. Perhaps you can provide that information (as a screenshot), either on the support ticket, or as a reply to this post?

0 0
replied on March 6, 2017

You are wanting me to display the folder security of the UNC path or the entry access rights of the folder the PDF resides in Laserfiche?

0 0
replied on March 6, 2017

My original suggestion was to get a screenshot of the entry access rights for the Laserfiche folder and entry.

However, the correct answer to your question would depend on which issue (the UNC path versus the Laserfiche folder/entry) is causing the error you are seeing.

If you don't know which one is causing the error, that would be your first step to figure out.

You can also put an exception try-catch block around your code (inside the VB script; not in the workflow designer). Inside the catch block, you can print out information about the exception itself as well as the line where the error happens.

You can also print out the value of TokenReplace("%(ExportPath)") and see whether it is a valid UNC path.

You can also try to write a test file to the same UNC path, before you access the Laserfiche document entry. That way, you can verify whether the UNC path is writeable, in order to determine whether your error has anything to do with the UNC folder security.

General advice when dealing with scripting errors

If you have access to SDK and Visual Studio, it would be easier to debug your script by implementing a test version of it as a .NET console application first. The benefits are:

  • You can use Visual Studio debugging while it is executing,
  • You can see the line of code that throws the error,
  • You can inspect the local variables inside your script at the point where the error happens,
  • You can specify the credentials when connecting to Laserfiche repository, so that you can easily confirm or rule out login-related issues early in the troubleshooting process.

 

In general it is recommended to use exception handling and logging, whether within WF scripting or with standalone test application.

0 0
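The test write suggested in the reply above, combined with a check for the cause reported in the selected answer (a logon token that predates the AD group membership), as an added VB.NET console example that is not part of the original thread or of Laserfiche's code. `ExportPathCheck`, `TokenHasGroup` and `ProbeWrite` are hypothetical names; the UNC folder and the group name are passed as arguments.

```vb
Imports System
Imports System.IO
Imports System.Security.Principal

' Added example; module and function names are hypothetical.
Module ExportPathCheck
    ' True when the current process token already carries the named group.
    Function TokenHasGroup(groupName As String) As Boolean
        Using identity As WindowsIdentity = WindowsIdentity.GetCurrent()
            For Each sid As IdentityReference In identity.Groups
                Try
                    Dim account As String = sid.Translate(GetType(NTAccount)).Value
                    If account.EndsWith("\" & groupName, StringComparison.OrdinalIgnoreCase) Then Return True
                Catch ex As IdentityNotMappedException
                    ' SID with no resolvable name (for example a logon SID): skip it.
                End Try
            Next
        End Using
        Return False
    End Function

    ' Writes and deletes a probe file. Returns Nothing on success, else the exception text.
    Function ProbeWrite(folder As String) As String
        Dim probe As String = Path.Combine(folder, "wf-probe-" & Guid.NewGuid().ToString("N") & ".tmp")
        Try
            File.WriteAllText(probe, "probe")
            File.Delete(probe)
            Return Nothing
        Catch ex As Exception When TypeOf ex Is UnauthorizedAccessException OrElse TypeOf ex Is IOException
            Return ex.GetType().Name & ": " & ex.Message
        End Try
    End Function

    ' Assumed usage: ExportPathCheck.exe <UNC folder> <AD group name>
    Sub Main(args As String())
        If args.Length < 2 Then
            Console.WriteLine("usage: ExportPathCheck <UNC folder> <AD group name>")
            Return
        End If
        Dim failure As String = ProbeWrite(args(0))
        Dim inToken As Boolean = TokenHasGroup(args(1))
        Console.WriteLine("Running as:     " & WindowsIdentity.GetCurrent().Name)
        Console.WriteLine("Group in token: " & inToken.ToString())
        Console.WriteLine("Write probe:    " & If(failure, "succeeded"))
        If failure IsNot Nothing AndAlso Not inToken Then
            Console.WriteLine("The running token lacks the group. If the account is a member in AD, restart the service so it logs on again.")
        End If
    End Sub
End Module
```

The result only reflects the process that runs it: a fresh interactive logon as the service account receives a new token, so the two functions need to run inside the long-running service (for example from the script activity) to show what that service actually holds.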
replied on March 6, 2017

The error is being thrown at the UNC path. I replaced the token with the UNC path and I get the same error. 

As I stated earlier, the script works when I explicitly add the Windows account to the folder security at the UNC path or parent folder outside of Laserfiche. If I attempt to use AD group security instead of adding the user, I receive the error. 

I was able to log onto the server as the WF service account and add/delete documents in the UNC path. So I assume it isn't a Windows issue.

1 0
replied on March 7, 2017

I wanted to see if Laserfiche had an answer as this doesn't seem to be an issue with the script. As I said earlier, it works when I explicitly add the WF Server Service account to the folder security of the UNC or ExportPath. However, if I remove the account and add the AD Group "SOBs and Certs" to the folder security, I receive an access denied error. 

The WF Server Service Account is a member of "SOBs and Certs". The group has Modify rights at the folder level of the ExportPath. When I log onto the server as the WF Server Service Account, I am able to import documents / PDFs into the ExportPath. 

Please let me know if Laserfiche or anyone has a response to this issue. 

0 0
replied on March 7, 2017

Unfortunately, this is a Windows error, not a Laserfiche one. The Workflow service does not calculate security on the target folder, it just attempts to write to it. You might be able to get a better answer on how Windows processes security for service accounts from a Microsoft forum.

0 0
replied on March 7, 2017

Ok. I believe the issue has to do with the Share Security settings for the UNC path I am writing to. I will let you guys know if this is the issue.

0 0
replied on March 7, 2017

Share Security settings were not the issue. We will speak with Microsoft and see how they handle security and service accounts.

0 0
replied on March 7, 2017

Have you been able to isolate which line in your code throws the error?

0 0