You are viewing limited content. For full access, please sign in.

Question

Question

Why does Forms use http:// for SOAP negotiations when https:// is selected in the config

Directory Server Forms
Updated December 23, 2020
asked on December 18, 2020 Show version history

I am reviewing a incomplete installation of DS and Forms. Looks like they were trying to host Forms on it's own operating system and contact Directory Server over the network, which is not a natively supported configuration.

They left it in this state with the usual SOAP negotiation errors that happen when you try to do this.

I will likely wipe this entire configuration, but before I do, I am wondering about the error they got stuck at again, since this scenario seems to come up more and more often.

Why does Forms use http:// when making SOAP negotiations if the configuration for contacting the directory server is configured to use https://

This is mixed content and likely the reason this whole thing never works.

 

0 0

Answer

SELECTED ANSWER
replied on December 21, 2020

If there are several configs that have been manually edited and you are not sure of the scope, it may be best to uninstall Forms and wipe out all of the configuration file backups in Program Files/ProgramData and start from scratch.

0 0

Replies

replied on December 18, 2020 Show version history

Hi Chad,

While the configuration UI has them next to each other, there are two entirely separate communications here.

The Directory Server STS URL is used for the sole purpose of specifying where to send end users authentication redirects. Specifically, it sets the issuer value in the wsFederation node of .\Forms\Web.config:

<wsFederation persistentCookiesOnPassiveRedirects="true" passiveRedirectEnabled="false" realm="https:/forms.example.com/Forms/" reply="https:/forms.example.com/Forms/" issuer="https://lfds.example.com/LFDSSTS/" homeRealm="urn:laserfiche:lfdsdb:LFDS" requireHttps="true" />

You can actually repurpose that value to effectively disable logins for a Forms Portal as I describe here. The important part is that it's purely about End Users->LFDSSTS and doesn't affect the backend Forms->LFDS communication in any way. The latter is what your error message is about.

For LFDS and Forms 10.4.2 and earlier

The Forms->LFDS backend communication uses WCF over HTTP messages sent to LFDS's 5048/5049 service ports. WCF can work with multiple transport protocols, and uses something called Message Security which is transport-agnostic. To quote Microsoft: "Message security uses the WS-Security specification to secure messages. The WS-Security specification describes enhancements to SOAP messaging to ensure confidentiality, integrity, and authentication at the SOAP message level (instead of the transport level [like HTTPS])." None of these calls happen through a browser so mixed-content doesn't come into play at all.

Within an Active Directory domain, Message Security essentially uses Windows Authentication to sign and validate messages. When one of the communicating parties is outside the domain (e.g. Forms DMZ), this AD authentication mechanism no longer works. 

What to do then? Use Certificate signing/authentication for the messages instead. This is exactly what the LFDS "Alternate Binding" is for. It provides an LFDS endpoint configured for certificate-based message security instead of AD-based security.

Configure LFDS to enable the Alternative Service using the XmlEndpointUtility, then configure Forms to use the Alternate Service with its own EndpointUtility (Under .\Forms\Forms\bin).

This changes the Forms Web.config endpoints to:

    <!-- WCF client configuration -->
    <client>
      <endpoint address="net.tcp://localhost:8168/lfrouting" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="Laserfiche.Forms.Routing.IRoutingEngineService" name="" />
      ...
      <endpoint address="net.tcp://localhost:8738/lflicensing" binding="netTcpBinding" bindingConfiguration="timeoutBinding" contract="FormsModel.SharedContracts.ILicensingService" name="" />
      <endpoint address="http://lfds.example.com:5048/LicenseManager/service2" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager" name="AltLicenseManagerService" behaviorConfiguration="AltServiceBehavior" />
      <endpoint address="http://lfds.example.com:5048/LicenseManager/service2" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager2" name="AltLicenseManagerService2" behaviorConfiguration="AltServiceBehavior" />
      <endpoint address="http://lfds.example.com:5048/LicenseManager/sts2" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILFSecurityTokenService" contract="LicenseManagerSTS.ILFSecurityTokenService" name="AltLicenseManagerSTS" behaviorConfiguration="AltServiceBehavior" />
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="AltServiceBehavior">
          <clientCredentials>
            <clientCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="788A44ED79A66Q5CE1D276A113B86836752FDF44" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>

For LFDS and Forms 10.4.3+

LFDS and STS 10.4.3 switched from WCF to HTTP(S). Note that not all other Laserfiche applications have yet, so the Alternate Service is still sometimes applicable. See HTTPS and WCF Configuration Information for Laserfiche Directory Server 10.4.3 and Certificate Requirements for Laserfiche Directory Server. You can still use the Alternate Service instead if desired.

I briefly tested the following configuration to have Forms use HTTPS for backend communication with LFDS and it seemed to work:

  1. Ensure LFDS 10.4.3 is configured with an HTTPS binding on port 5049 through its XmlEndpointUtility, with the certificate requirements linked above met.
  2. Open Forms Web.config and update the three LFDS LicenseManager endpoints to use HTTPS and port 5049 like so: 
    <endpoint address="https://lfds.example.com:5049/LicenseManager/service" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager" name="LicenseManagerService" />
<endpoint address="https://lfds.example.com:5049/LicenseManager/service" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILicenseManager" contract="LicenseManagerService.ILicenseManager2" name="LicenseManagerService2" />
<endpoint address="https://lfds.example.com:5049/LicenseManager/sts" binding="ws2007HttpBinding" bindingConfiguration="WS2007HttpBinding_ILFSecurityTokenService" contract="LicenseManagerSTS.ILFSecurityTokenService" name="LicenseManagerSTS" />
  3. Make the exact same changes to the .\Forms\bin\RoutingEngineServiceHost.exe.config file.
     
  4. Restart the Forms Routing Service and see if FormsConfig shows a successful connection to LFDS.
1 0
replied on December 23, 2020

I am convinced that the endpoint address is not pulled from the web.config file. Here is how I found out.

I installed a fresh installation and looked at the endpoint address configurations that come out of the box for port 5048. They are all set to localhost:5048 yet after hooking up to an existing database (which updates the configuration fields) the endpoint error showed a custom address. So it must come from some field but I couldn't find it.

0 0
replied on December 18, 2020 Show version history

Hi Samual

I verified they did not turn on Alternate Service on the DS server using the XML Utility.

So I went into the web.config file and RoutingEngineServiceHost.exe.config file and updated the 3 references to http://LFDSDomain so that it is now https://

I then restarted the Routing Service and Recycled the Forms App Pool.

It still shows http://LFDSDomain in the error message on the config page.

Somehow the previous support company must be using a different web.config. I litterally have both config files open and it says https not http. How do I see exactly which file their forms config is hooked up to to get this text?

 

Update: Using Quick Access I could see they modified a config file under Program Files\Laserfiche Forms\Config\web.config

I tried this one too but to no avail. Need to know exactly where it is getting this http://  from, the file name and location.

0 0
View 1 previous reply
replied on December 21, 2020

Hi Chad,

I believe Forms specifies LFDS endpoints in 3 files:

  • C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config
  • C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\RoutingEngineServiceHost.exe.config
  • C:\Program Files\Laserfiche\Laserfiche Forms\Config\Web.config

 

With this said, I would not recommend changing those endpoints to HTTPS and 5049 because Forms communicates with LFDS using WCF (which includes message layer security), and does not need to use transport layer security (HTTPS) to encrypt communication with LFDS.

What you should focus on instead is getting the inner exception of the error from the Forms event log end pasting it here if it does not give you enough information to solve the issue.

My guess: alternate service is turned on for Forms, not necessarily turned on for LFDS.

0 0
replied on December 21, 2020

*The word REDACTED is in place of a windows account name.

Here is the inner exception. I found they were specifying the REDACTED user as a 

Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'REDACTED'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

The services do not run as the REDACTED user mentioned, all services run as SYSTEM. Where is this reference coming from? We do not want anything that references a Windows User account when it comes to services. Windows Accounts are only for Humans.

I had found they were trying to modify the web.config files by adding an identity reference in the tag <identity />, however removing this in all config files did not help clear up the error referencing this user.

I do not see any reference in the Forms Configurator to this account, REDACTED.

 

0 0
SELECTED ANSWER
replied on December 21, 2020

If there are several configs that have been manually edited and you are not sure of the scope, it may be best to uninstall Forms and wipe out all of the configuration file backups in Program Files/ProgramData and start from scratch.

0 0
replied on December 21, 2020

That is exactly the plan. Was just trying to get some information for the customer on the current environment and why it was not working, but the program has been extensively modified using notepad to open the config and program data files, maybe even the registry for all I know.

This is the problem with not sticking to the features in the configurator. Seems everyone is trying to hack directory server these days, problem is I can only go through the configurator and look for missing configurations, I can't know of what has been done using notepad.

It is pretty clear they were trying to enable network communication to DS for DS/STS authentication, which is not supported using the configurator alone.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...