Question

Single Sign On with Directory server 10.3 without TLS 1.0 and 1.1

asked on September 5, 2019

Hi All,

Has anyone tried the Directory Server 10.3 Single Sign-On feature with ADFS successfully? We are in the process of trying SSO, initially with Web Access, but are still struggling to get past it. The two are on two different servers, and LFDS and LFDSSTS are on the same machine.

Every time the Directory Server login happens, the error below is written to the LFDS System event log:

A fatal error occurred while creating a TLS server credential. The internal error state is 10013.

Meanwhile, the error below is seen in the Web Access server logs:

  Message: The token XML does not appear to be valid.
  Parameter name: tokenXml
  Stack trace:    at Laserfiche.SecurityTokenService.Ticket..ctor(String tokenXml)
     at Laserfiche.WebAccess.Common.ConnectionManager.AuthenticateSessionWithClaims(Session sess, RepositoryRegistration repoReg, ClaimsIdentity claimsId)
     at Laserfiche.WebAccess.Common.ConnectionManager.AutoLogon(String repoName, HttpContext context, Boolean forceLogin, WARepository waRepo)
     at Laserfiche.WebAccess.Common.ConnectionManager.<>c__DisplayClass46_0.<CheckConnectedInternal>b__1()

Certificates are installed and access to the certificates has also been granted. Has anyone configured the Directory Server SSO feature with LFDS 10.3 while allowing only TLS 1.2? (TLS 1.0 and 1.1 are disabled in our environment.)

Regards

Kirubaa

0 0

Replies

replied on September 5, 2019

How did you enable TLS 1.2?  We have found that using IISCrypto works best to get the initial starting point, then follow instructions found at https://support.laserfiche.com/kb/1013919/configuration-information-for-tls-1-2

Make sure to set all Servers the same.  We usually start in IISCrypto by applying "Best Practices" and then disabling all protocols except TLS 1.2.  Then we create/set the 6 registry values as directed by the KB 1013919.  Finally, we reboot the server and test.

2 0
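
An added audit script, not from this thread and not Laserfiche code, that reads the Schannel protocol keys and the .NET Framework TLS flags on a Windows server so the LFDS, STS and Web Access hosts can be compared side by side and made identical, as the reply above recommends. The registry paths are the standard Windows locations; which six values KB 1013919 names is not reproduced in the thread, so treating SchUseStrongCrypto and SystemDefaultTlsVersions under the two .NETFramework keys as the values it refers to is an assumption. Run it in an elevated PowerShell session on each server.

```powershell
# Added example for this thread (not Laserfiche code): audit the Schannel protocol
# state and the .NET Framework TLS flags on one server, so the LFDS, STS and
# Web Access hosts can be compared and made identical before testing SSO again.
# Assumption: the .NET values checked here (SchUseStrongCrypto, SystemDefaultTlsVersions)
# are the ones KB 1013919 refers to; the KB text itself is not reproduced in the thread.
# Run in an elevated PowerShell session on each server.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$DotNetKeys   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

function Get-SchannelProtocolState {
    # Returns Enabled / DisabledByDefault for one protocol on the Server or Client side.
    # A missing key or value means the OS default applies, reported as '(default)'.
    param([string]$Protocol, [ValidateSet('Server', 'Client')][string]$Side)
    $path  = Join-Path $SchannelRoot "$Protocol\$Side"
    $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(default)' }
        DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(default)' }
    }
}

function Get-DotNetTlsFlags {
    # Reads the two .NET 4.x values that make .NET code (such as the STS and Web Access
    # app pools) follow the OS protocol list instead of its own older default.
    foreach ($key in $DotNetKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = if ($null -ne $props.SchUseStrongCrypto) { $props.SchUseStrongCrypto } else { '(missing)' }
            SystemDefaultTlsVersions = if ($null -ne $props.SystemDefaultTlsVersions) { $props.SystemDefaultTlsVersions } else { '(missing)' }
        }
    }
}

$schannel = foreach ($p in $Protocols) {
    foreach ($s in 'Server', 'Client') { Get-SchannelProtocolState -Protocol $p -Side $s }
}
$dotnet = Get-DotNetTlsFlags

'== Schannel protocol keys =='
$schannel | Format-Table -AutoSize
'== .NET Framework 4.x flags =='
$dotnet | Format-Table -AutoSize

# Findings a TLS 1.2-only environment should not show.
$findings = @()
foreach ($row in $schannel) {
    if ($row.Protocol -eq 'TLS 1.2' -and ($row.Enabled -eq 0 -or $row.DisabledByDefault -eq 1)) {
        $findings += "TLS 1.2 is explicitly turned off on the $($row.Side) side; nothing can negotiate TLS 1.2 with this host."
    }
    if ($row.Protocol -ne 'TLS 1.2' -and $row.Enabled -is [string]) {
        $findings += "$($row.Protocol) $($row.Side) has no explicit Enabled=0; the OS default decides whether it is offered."
    }
}
foreach ($row in $dotnet) {
    if ($row.SchUseStrongCrypto -ne 1 -or $row.SystemDefaultTlsVersions -ne 1) {
        $findings += ".NET flags are not both 1 under $($row.Key); code targeting older .NET 4.x may not offer TLS 1.2 by default."
    }
}
if ($findings) { '== Findings =='; $findings | ForEach-Object { " - $_" } } else { 'No TLS 1.2-only findings.' }
```

Compare the two tables across every server in the path (LFDS, STS and Web Access); a protocol that is explicitly disabled on one host and left at the OS default on another is exactly the mismatch the reply above warns about.
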
replied on September 10, 2019

Thanks Bert for your reply!

The TLS 1.2 settings have already been made on the servers related to Laserfiche, but with no success so far. Have you tried this option using TLS 1.2 with LFDS 10.3?

0 0
replied on September 6, 2019

Hi Kirubaa,

If what Bert suggested doesn't work for you, temporarily enable TLS 1.0 and 1.1 on both servers and try again. That will help verify whether the issue is actually related to the TLS version.

You can also try upgrading to the latest version of LFDS 10.4.x, which targets .NET 4.7.2 and thus uses TLS 1.2 by default. LFDS 10.4 is backwards compatible with other Laserfiche 10.3 components.

0 0
replied on September 10, 2019

Hi Samuel,

Thank you for the reply!

The TLS 1.2 option is ruled out, as we tried this earlier. The ADFS / Windows authentication button also has the same issue when going through LFDS.

I'm checking the option of temporarily enabling the TLS versions. The last option would then be upgrading.

0 0
replied on October 12, 2019

Hi Samuel,

We have upgraded LFDS to 10.4 and tested with internal Web Access with ADFS authentication. The scenario that tested successfully was:

1. LFDS 10.4 with LFSTS 10.4 on the same machine - no certificate authentication

2. Laserfiche Web Access 10.3 configured to authenticate through Directory Server

But the scenario below is still failing; can you please provide your input on this:

1. LFDS 10.4 is in the internal network

2. LFSTS 10.4 and LF Web Client 10.3 on a DMZ server - configured with an internal CA certificate

The ADFS page passes the credentials, and then it gets into a redirection loop at the DMZ server's Web Access. Below is the error written to the Web Server event log on the DMZ server.

Log Name:      Laserfiche-WebClient-Server/Operational
Source:        Laserfiche-WebClient-Server
Date:          10/9/2019 12:36:23 PM
Event ID:      3
Task Category: ImportantError
Level:         Error
Keywords:      Session0,Session1,Session2,Session3
User:          IIS APPPOOL\WebAccessAppPool
Computer:      ENDMZEMLUAT1.enochodmz.com
Description:
The token XML does not appear to be valid.
Parameter name: tokenXml
Operation: /laserfiche/browse.aspx?repo=TESTDEV
  Message: Exception encountered, stack trace:
  Laserfiche.WebAccess.Common.Util.ErrorHandler.LogException
  Laserfiche.WebAccess.Common.Util.ErrorHandler.Standardize
  Laserfiche.WebAccess.Common.<>c__DisplayClass46_0.<CheckConnectedInternal>b__1
  Web.Util.SingleComputationLock.Synchronize
Exception details:
  Message: The token XML does not appear to be valid.
Parameter name: tokenXml
  Stack trace:    at Laserfiche.SecurityTokenService.Ticket..ctor(String tokenXml)
   at Laserfiche.WebAccess.Common.ConnectionManager.AuthenticateSessionWithClaims(Session sess, RepositoryRegistration repoReg, ClaimsIdentity claimsId)
   at Laserfiche.WebAccess.Common.ConnectionManager.AutoLogon(String repoName, HttpContext context, Boolean forceLogin, WARepository waRepo)
   at Laserfiche.WebAccess.Common.ConnectionManager.<>c__DisplayClass46_0.<CheckConnectedInternal>b__1()

  Session: ettcszcj

0 0
replied on October 14, 2019

Hi Kirubaa,

Thanks for replying back - I'm glad to hear the first scenario was successful.

For the second scenario, an infinite redirect between STS and Web Client usually means that Web Client is not accepting the STS auth token and kicking you back to STS. STS thinks you have a valid auth token and sends you back to Web Client. And so it repeats.

Can you verify that the DMZ STS instance is configured to meet all the requirements specified here:

https://www.laserfiche.com/support/webhelp/Laserfiche/10/en-US/administration/#../Subsystems/LFDS/Content/separate-sts.htm

Then, run the DMZ Web Client's endpoint utility to verify it is configured correctly as well.

Cheers,

Sam

DMZ-STS-WebClient-EndpointConfig.png
0 0
replied on April 7, 2022

Hey Sam,

I have a customer who is experiencing this issue logging into their DMZ Forms instance.

I have checked the STS endpoints, and the ones in the DMZ server's settings match what is shown for the STS instance on the LFDS server.

I went through all of the steps in the Configuring Forms in DMZ Whitepaper as well.

Not sure what else to check.

Appreciate the feedback,

Jeff Curtis

0 0
replied on April 7, 2022

Is there a separate STS instance in the DMZ as well?

0 0
replied on April 7, 2022

Hello Sam,

Yes there is.

Thanks,

Jeff

0 0
replied on April 8, 2022
  1. You're pointing the DMZ Forms instance at the DMZ STS instance for the auth redirect?
  2. The DMZ STS instance isn't throwing any errors in the event log?
  3. The DMZ Forms instance isn't throwing any errors in the event log?
0 0
replied on April 12, 2022

Hello Sam,

1. Correct. The DMZ WebSTS points to the FQDN of the LFDS server, but they are using the Alternate Service token, pointing to a WC SSL cert that is not being used on the LFDS server. I am wondering if that is the issue.

2. The DMZ WebSTS event log only throws the following (the last date stamp is 2.24.22): Access to the path 'C:\ProgramData\Laserfiche\LFDS\STSConfig.config' is denied.

This customer has not tried to log into the external Forms site since sometime in 2021, so this error could be relevant if there was some permission change, I guess.

3. Nothing showing in this log from the internal server.

Appreciate your feedback,

Jeff Curtis

0 0
replied on April 12, 2022

Hey Jeff,

  1. The DMZ WebSTS Alternative service is likely not configured in a working manner right now. That would be an issue.
  2. That likely implies that the DMZ WebSTS is running as a custom service account instead of the default Network Service account. Change the IIS LicenseManagerSTSAppPool identity back to Network Service. It definitely means the DMZ WebSTS isn't working right now.
  3. There wouldn't be any errors on the internal service side since the broken DMZ WebSTS likely isn't able to send messages to the internal server at all.

I'm going to be out of office until May starting tomorrow, so if you need further assistance please open a support case referencing this thread.

0 0
replied on April 12, 2022

Thanks Sam

I had their IT remove Alternate Token Service and same issue.

I am reaching out to them about the LicenseManagerSTSAppPool to check the account being used.

If we don't correspond before tomorrow, enjoy your time off.

Jeff

1 0
replied on April 13, 2022

Hey Sam,

Had the user's IT switch the LicenseManagerSTSAppPool to use the Network Service account and recycled the AppPool; same issue.

At this point, I am thinking it has to be the WebSTS on the DMZ server (the Alternate Service has been turned off)....

I am trying to see if I can schedule a session with the user's IT.  

Would you like me to open a Support Case to track this moving forward?

Thanks Again,

Jeff Curtis

0 0
replied on April 13, 2022

Yes, a support case would be better for troubleshooting the specific instance.

0 0