Question

LFDS-SOAP security negotiation error when launching LFDS page

asked on November 3, 2022

Hello,

The customer is getting the below error message when they first launch the LFDS application, on both their workstation and using the same URL on the server. If they refresh the webpage, then it loads without throwing the error.

When we look in the Event Logs, we see the following critical error associated with the login attempt:

We checked the XML Endpoint Utility and it has the LFDS Server name listed correctly.

It is strange that it only happens for the initial connection.

Appreciate any feedback,

Jeff Curtis

Replies

replied on November 3, 2022

What does the inner exception say?

replied on November 4, 2022

Hello Sam,

Here is the inner exception:

System.ComponentModel.Win32Exception: The Security Support Provider Interface (SSPI) negotiation failed.
   at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetNextOutgoingMessage(Message incomingMessage, T negotiationState)
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)

Appreciate the feedback,

Jeff Curtis

replied on November 4, 2022

Are you running the LFDS service and/or IIS AppPool under an identity other than Network Service?

replied on November 7, 2022

Hey Sam,

Both LFDS App Pools are running as "Network Service"

LFDS Server Service running as "Domain Service" account.

Thanks,

Jeff

replied on November 7, 2022

Are you running the LFDS service as a domain service account because you're using Windows Authentication to connect to SQL?

If not (meaning you're using SQL username/pw auth instead of Win Auth), can you try changing the LFDS service identity back to the default "Network Service", re-run the LFDS XMLEndpointUtility, blank out the service identity field, save, and then do the same for the STS EndpointUtility. Then restart the service and app pool and see if the issue persists.

replied on November 8, 2022

Thanks for the update, Sam.

I am trying to check and see how authentication to the SQL DB is set for the LFDS DB.

I am looking at my Varkit to check, looking in the Overview section, Licensing Site, but all I see is the "Modify Connection Strings" setting.

Is there an easy way to find out if Windows Auth or SQL account is being used?

Thanks Again,

Jeff

replied on November 8, 2022

Easiest way is to change the LFDS service identity to Network Service, restart the service, and see if it fails to connect to the database or not. If it fails, change it back.

"C:\ProgramData\Laserfiche\LFDS\connections.config" might show a plaintext connection string when WinAuth is used (because there's no password in the string), but it also might encrypt the whole connection string regardless.

Wish it were simpler to check, but it is not.
