Discussion

WebSTS - Use SSL default setting causing 'An error has occurred'

posted on March 25, 2020

I have encountered this issue for at least 3 different Clients where when logging into Laserfiche with the Web Client & Forms, we encounter the error:

An error has occurred

This issue seems to occur if in the WebSTS endpoint configuration, the Use SSL check box is enabled. Removing this checkbox resolves the issue. Also seems that in LFDS 10.4.3, this option is enabled by default.

Any ideas on why this would cause issues?

0 0
replied on April 30, 2021

On Laserfiche Directory Server Version 10.4.4.444 we tried all the suggestions and still seem to be hitting the "An error has occurred" error message when SSL is enabled. Having SSL disabled switches us from https to http when logging into Forms. Has anyone found a way to get it to work right?

0 0
replied on April 30, 2021

If you are getting the error in the STS when the Use SSL option is selected, you need to verify that the certificate is applied to the port correctly. You can verify this by opening the command line and running `netsh http show sslcert`.

1 0
replied on May 3, 2021

So when I ran `netsh http show sslcert` I saw two different bindings. The first is for 443, so not of interest, but starts with ec6. The other is for port 5049, which is the binding that I think I need, and starts with b9d. I see both certificates in the XML Endpoint configuration utility; I made sure to select the certificate that starts with b9d, deleted the current binding, configured the port binding, and clicked save. If Use SSL is checked, it still gives the general error message that an error has occurred. Is there some place else that I need to apply this certificate?

Honestly, I think I am probably missing some other setting that will make SSL work, but I am not sure which one or where it would be located.

0 0
replied on May 3, 2021

I found out that the b9d was the wrong one and it should have been the ec6, which may have been part of the issue. And part of the issue was that I also needed to have a setting in the Forms configuration to perform HTTPS Redirection. Thanks.

2 0
replied on September 20, 2020

Arggg! This is the most annoying thing in the world. I always forget about this secret setting that causes everything to not work with no explanation and no errors in the event viewer.

Without this post there would be so many completely botched installations. Thanks again to OP.

0 0
replied on September 21, 2020

Hi Chad,

This setting is on by default because we always want LFDS to have secure communication with STS when possible. When LFDS and STS are on different machines this is very important; when they're on the same machine it is less important. The recent change is that LFDS 10.4.3+ does not use WCF anymore and uses HTTP instead (10.4.2 and older had encryption rolled into WCF). So proper HTTPS configuration is required to maintain the same level of security as before.

1 0
replied on September 21, 2020

There is not much to improperly configure though. I don't alter any configurations from the default, other than changing the directory server address from http://machinename to https://publicdomainname.

0 0
replied on September 21, 2020

Are you putting "http(s)://" in front of the LFDS FQDN?

The input field asks for only "host.domain.com", not "http(s)://host.domain.com".

The STS endpoint config utility may have code that automatically strips the protocol handler off if you enter it anyway, but you should definitely avoid adding it in the first place.

0 0
replied on June 26, 2020

Wait, what is the error? I am getting this immediately after upgrading to DS 10.4.4 without any configuration changes. It just says an error has occurred, but I need more information about how the system came to the conclusion that an error has happened. There are no errors in the STS event log or the DS configuration page.

Did the upgrade change Use SSL from disabled to enabled without asking? That is really frustrating since it broke the ability to login and I almost rolled back before finding this post.

When it comes to web services, using SSL is a matter of a binding in IIS: if you are visiting the STS site with an https prefix, then you are using a secure socket layer.

All connections from Forms to the STS service are entered as web URLs, so they are using SSL regardless of this configuration. Only if you were entering a machine name, to contact a Windows Service would you need special configurations to use SSL.

0 0
replied on June 26, 2020

This has been in place since version 10.4.3 and is not new to 10.4.4. While you are correct that binding a certificate in IIS encrypts the communication between a browser and an IIS server, it does not take care of the encryption that is needed with STS instances and end applications.

Without using the Use SSL option in the STS, the communication between the STS and LFDS is passed in plain text and a packet sniffer could grab credentials being used to log into the system. This may not be as big of a deal if LFDS and the STS sit on the same server, but if your LFDS server was compromised they would have free rein on usernames and passwords.

If you are getting an error when Use SSL is enabled it is more than likely caused by a certificate not being bound to the HTTPS port for LFDS (default 5049).

3 0
replied on June 26, 2020

In addition to Blake's information, I recommend you take a look at the following documentation on the matter:
Initial Configuration

Certificate Types & Requirements for Laserfiche Directory Server

HTTPS and WCF Configuration

1 0
replied on June 26, 2020

Oh, this is for moving STS to another IIS server. We have STS and DS on the same IIS server, so no SSL is required.

We do have a binding in place for the DS website, but there is no network traffic to work with here.

It just seems the upgrade modified a config that caused a problem, but I could never find the error itself to troubleshoot.

0 0
replied on March 26, 2020

I'd be curious if Laserfiche can share screenshots of the configurations of LFDS and WebSTS endpoints with Use SSL checked that is working.

In the scenarios that I have seen so far, both LFDS & WebSTS are on the same box/server.

0 0
replied on March 26, 2020

Just to add to what Karim is saying, I have never been able to get the Use SSL option to work without getting an error message.

0 0
replied on June 26, 2020

I have been able to get this to work now. Every time it was failing, it was because a certificate was not bound to port 5049. Running `netsh http show sslcert` in a command prompt on the LFDS server will show you which ports have a certificate bound. In my case there was no Certificate Hash value. So I went back into the XMLEndPointUtility and deleted the binding and then rebound it, ran the netsh command again, verified a Certificate Hash appeared for port 5049, enabled Use SSL in the STS again, and then I was able to successfully log in.

2 0
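The binding check described in the reply above, as an added example that is not part of the thread or of Laserfiche's own tooling: it parses `netsh http show sslcert` output, reports whether the LFDS HTTPS port (default 5049) has a non-empty Certificate Hash, and confirms the bound thumbprint exists in the machine store and is not expired. The function names, the constructed sample output and its placeholder hashes and GUIDs are assumptions made for this example.

```powershell
# Parse 'netsh http show sslcert' output into one object per binding (added example, not Laserfiche code)
function Get-SslCertBindings {
    param([string[]]$NetshOutput)
    $bindings = @(); $cur = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($cur) { $bindings += [pscustomobject]$cur }
            $cur = [ordered]@{ Endpoint = $Matches[2]; Port = [int]($Matches[2].Split(':')[-1]); CertificateHash = $null; StoreName = $null }
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*(\S*)\s*$') {
            if ($Matches[1]) { $cur.CertificateHash = $Matches[1] }   # empty hash stays $null
        } elseif ($cur -and $line -match '^\s*Certificate Store Name\s*:\s*(\S*)\s*$') {
            $cur.StoreName = $Matches[1]
        }
    }
    if ($cur) { $bindings += [pscustomobject]$cur }
    return $bindings
}

# Report the state of the LFDS HTTPS binding; the cause of the 'An error has occurred' login failure in this thread
function Test-LfdsHttpsBinding {
    param([string[]]$NetshOutput, [int]$Port = 5049)
    $b = Get-SslCertBindings $NetshOutput | Where-Object Port -eq $Port | Select-Object -First 1
    if (-not $b) { return "FAIL: no SSL binding on port $Port; rebind the certificate with the XML Endpoint Configuration utility" }
    if (-not $b.CertificateHash) { return "FAIL: binding on port $Port has an empty Certificate Hash; delete and recreate the binding" }
    # The hash is a thumbprint; make sure that certificate is really present in the store netsh names and still valid
    $cert = Get-ChildItem "Cert:\LocalMachine\$($b.StoreName)" -ErrorAction SilentlyContinue |
            Where-Object Thumbprint -eq $b.CertificateHash
    if (-not $cert) { return "WARN: port $Port is bound to $($b.CertificateHash) but no such certificate is in LocalMachine\$($b.StoreName)" }
    if ($cert.NotAfter -lt (Get-Date)) { return "FAIL: certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
    return "OK: port $Port bound to '$($cert.Subject)' (expires $($cert.NotAfter))"
}

# Live check on the LFDS server:
# Test-LfdsHttpsBinding (netsh http show sslcert)

# Constructed sample output reproducing the failure from the thread: a 443 binding with a hash,
# and a 5049 binding whose Certificate Hash is empty. Hashes and GUIDs are placeholders.
$sample = @'
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : ec60000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:5049
    Certificate Hash             : 
    Application ID               : {00000000-0000-0000-0000-000000000002}
    Certificate Store Name       : (null)
'@ -split "`r?`n"
Test-LfdsHttpsBinding $sample
```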
replied on March 25, 2020

Hi Karim, in addition to Samuel's comment I'd like to stress that you should not disable SSL unless LFDS and STS are on the same machine (or unless this is a test environment with no sensitive user data). In previous versions of LFDS, message layer security was provided by WCF. We use raw HTTP now and transport layer security (HTTPS/SSL) is needed to maintain encryption.

2 0
replied on March 25, 2020

Hi Karim,

My guess is that HTTPS is not correctly configured on the LFDS side, so STS cannot reach LFDS over HTTPS.

Please see KB 1014134, "HTTPS and WCF Configuration Information for Laserfiche Directory Server 10.4.3", HTTPS Configuration section, steps 1 through 3.

Cheers,

1 0